How to Configure Impersonation to Deploy the Solution [Office 365]¶
Tip
Refer to this article to learn how to set up Impersonation in case your company uses an MS Exchange On Premise mail server or to this article for Hybrid mail server deployment options
Note
All configuration activities described in this article are typical actions performed for an Impersonation service account via Admin Center secured by Microsoft. On RG Email Sidebar side, data processing privacy and security are guaranteed by the applicable Revenue Grid policies
Also see the following articles to learn more about MS Exchange Impersonation:
Enabling MS Exchange Impersonation for the end users consists of three Stages:
Stage I. Configure a Service Account and Apply it for RGES End Users [described in this article]
Stage II. Verify the Configuration [described in this article]
Stage III. Configure Exchange Impersonation in RG Email Sidebar Admin panel [described in a separate KB article]
Stage I: Configure a Service Account and Apply it for RGES End Users¶
MS Exchange Impersonation is compatible with Office 365 with Exchange Online. In order to set up Application Impersonation via Admin Center, perform the steps below.
Setup via Admin Center [main method]¶
1. Create a Service Account¶
First, you need to create a Service email account. It must to be a dedicated mailbox used only as an Impersonating service account for RG Email Sidebar, it should have no other functions. The Impersonating service account requires a dedicated MS Exchange / Office 365 mailbox license, a Basic plan; it does not require an extra RG Email Sidebar license.
Please register the Service Account with the name MasterImpersonation to make it easy to find later for testing or troubleshooting.
The detailed mail account creation steps, also described in this Microsoft article:
1.1. Log in to Admin Center at https://admin.exchange.microsoft.com/ with Admin credentials
1.2. Open Users > Active users in the navigation pane on the left, then click Add a user
>>> Click to see a screenshot <<<
1.3. Set up basics for the Service account:
- Set any First name and Last name
- Set the Display name: MasterImpersonation
- Set the Username: MasterImpersonation
- (Optional) select Automatically create a password if you want an auto-generated password
- (Optional) select Send password in email upon completion and enter a corporate email address you have access to in the field below to receive the auto-generated password
>>> Click to see a screenshot <<<
1.4. Select your Location and assign an O365 account license to the Service account
>>> Click to see a screenshot <<<
1.5. On the next Optional settings screen, leave the default User Role and then expand Profile info and specify some information to easily identify the account in the future, e.g. RG Master impersonation account
>>> Click to see a screenshot <<<
1.6. Review Service account data you entered and click Finish adding
>>> Click to see a screenshot <<<
1.7. Click Close in the final confirmation window
>>> Click to see a screenshot <<<
The new Service account will shortly become available for further configuration steps.
2. Create a Group that Includes All RGES End Users’ accounts¶
Depending on your Org’s configuration, you may use A) a Distribution group or B) a Mail-enabled security group list.
A. To create a Distribution group¶
2.A.1. Log in to your Org’s Admin Center with admin credentials. This works for Office 365 with Exchange Online
2.A.2. Select Groups > Active groups in the navigation pane on the left and then click Add a group in the right-hand pane
>>> Click to see a screenshot <<<
2.A.3. Select Distribution under Choose a group type and click Next
>>> Click to see a screenshot <<<
2.A.4. Set the group’s Name as RIDG, so it’s easy to find later, and optionally add a Description
>>> Click to see a screenshot <<<
2.A.5. Specify the group’s settings: set its Email address and configure membership rules according to your corporate policies. It should be a Closed group for which the Owner (the Admin) manages members joining and leaving
>>> Click to see a screenshot <<<
2.A.6. Review the group’s configuration and click Create a group
>>> Click to see a screenshot <<<
2.A.7. Close the dialog
>>> Click to see a screenshot <<<
2.A.8. Set the Service account MasterImpersonation that you created earlier as the group’s Owner:
-
In Admin Center, open Recipients > Groups In the navigation pane on the left
-
Click the tab Distribution list and select the group RIDG in the list, then open the tab Members and click View all and manage owners
>>> Click to see a screenshot <<<
- In the field Add group owners, select the account MasterImpersonation, then click Save changes at the bottom
>>> Click to see a screenshot <<<
2.A.9. Follow the below steps to add all RGES end users to the distribution group RIDG that you created. Also described in this Microsoft article
-
In Admin Center, open Recipients > Groups In the navigation pane on the left
-
Click the tab Distribution list and select the group RIDG in the list, then open the tab Members and click View all and manage members
>>> Click to see a screenshot <<<
- Add all RGES end users to the group using the field Add group owners, then click Save changes at the bottom to apply the changes
>>> Click to see a screenshot <<<
Alternatively, if you prefer using a Mail-enabled security group instead
B. To create a Mail-enabled security group instead¶
Tip
The mail-enabled security group of created this way can also be used for RG Email Sidebar mass deployment. Adding new users to this group later results in their automatic inclusion in Impersonation scope and RGES Add-In installation for their mail accounts. See this article for details
2.B.1. Log in to your Org’s Admin Center with admin credentials. This works for Office 365 with Exchange Online feature
2.B.2. Select Groups > Active groups in the navigation pane on the left and then click Add a group in the right-hand pane
>>> Click to see a screenshot <<<
2.B.3. Select Mail-enabled security under Choose a group type and click Next
>>> Click to see a screenshot <<<
2.B.4. Set the group’s Name as RISG, so it’s easy to find later, and optionally add a Description
>>> Click to see a screenshot <<<
2.B.5. Specify the group’s settings: set its Email address and then ensure that the Communication checkbox is unselected and the Approval checkbox is selected to ensure maximum security
>>> Click to see a screenshot <<<
2.B.6. Review the group’s configuration and click Create a group
>>> Click to see a screenshot <<<
2.B.7. Close the dialog
>>> Click to see a screenshot <<<
2.B.8. Set the Service account MasterImpersonation that you created earlier as the group’s Owner:
-
In Admin Center, open Recipients > Groups In the navigation pane on the left
-
Click the tab Mail-enabled security group and select the group RISG in the list, then open the tab Members and click View all and manage owners
>>> Click to see a screenshot <<<
- In the field Add group owners, select the account MasterImpersonation, then click Save changes at the bottom
>>> Click to see a screenshot <<<
2.B.9. Follow the below steps to add all RGES end users to the mail-enabled security group RISG that you created. Also described in this Microsoft article.
-
In Admin Center, open Recipients > Groups In the navigation pane on the left
-
Click the tab Mail-enabled security group and select the group RISG in the list, then open the tab Members and click View all and manage members
>>> Click to see a screenshot <<<
- Add all RGES end users to the group using the field Add group owners, then click Save changes at the bottom to apply the changes
>>> Click to see a screenshot <<<
3. Set the Users Group and Apply Impersonation¶
3.1. Run Windows PowerShell as Admin and connect to Exchange Online
In PowerShell, load the EXO V2 module by running the following command:
Import-Module ExchangeOnlineManagement
Note
If the required ExchangeOnlineManagement module does not exist then please follow this link to install the EXO V2 module first
The command that you need to run next uses the below syntax. The parameters in square brackets are optional, they depend on your server’s configuration.
<UPN> is your account in user principal name format (for example, >>> Click to see the parameters’ description <<<
[email protected]).
$ProxyOptions = New-PSSessionOption -ProxyAccessType <Value>, where <Value> is IEConfig, WinHttpConfig, or AutoDetect. Then, use the PSSessionOption parameter with the value $ProxyOptions. For more information, see New-PSSessionOption.-ShowProgress $true is no longer required. To hide the progress bar, use this exact syntax: -ShowProgress:$false.
Connect-ExchangeOnline -UserPrincipalName <UPN> -ShowProgress $true [-ExchangeEnvironmentName <Value>] [-DelegatedOrganization <String>] [-PSSessionOption $ProxyOptions]
This sample cmdlet connects to Exchange Online PowerShell in a Microsoft 365 / Microsoft 365 GCC organization:
Connect-ExchangeOnline -UserPrincipalName [email protected] -ShowProgress $true
>>> Click to see a screenshot <<<
3.2. The next step depends on whether you configured A) Distribution group or B) a Mail-enabled security group list on Step 2:
For case A (Distribution group)¶
Run PowerShell as Admin and enter the following line in PowerShell:
$groupidentity = $(Get-DistributionGroup RIDG).DistinguishedName
>>> Click to see a screenshot <<<
Next, create a Scope of group members with the name RIusersScope by entering the following line:
New-ManagementScope -Name:"RIusersScope" -RecipientRestrictionFilter "MemberOfGroup -eq '$groupidentity'"
or
For case B (Mail-enabled security group)¶
Run PowerShell as Admin and enter the following line in PowerShell:
$groupidentity = $(Get-Group RISG).DistinguishedName
>>> Click to see a screenshot <<<
Next, create a Scope of group members with the name RIusersScope by entering the following line:
New-ManagementScope -Name:"RIusersScope" -RecipientRestrictionFilter "MemberOfGroup -eq '$groupidentity'"
3.3. After performing the case-specific step A) or B) above, return to Admin Center and open the Roles tab and then Admin Roles in the navigation pane on the left, then click the Add role group button at the top of the right-hand pane
>>> Click to see a screenshot <<<
3.4. In the Add role group dialog that appears, set the role groupβs Name as RIappImpersonation. After that, in the Write scope field select the RIusersScope group that you configured on Step 3.2.
Note
If you set the Default Write scope, Impersonation will be applied for all user accounts in the Org
>>> Click to see a screenshot <<<
3.5. Next, select ApplicationImpersonation under Roles:
>>> Click to see a screenshot <<<
3.6. Set the MasterImpersonation Service account created on earlier steps in the field Members under Assign admins to enable the account to work with mailboxes belonging to the group:
>>> Click to see a screenshot <<<
3.7. Finally, review the configuration and click the Add role group button at the bottom of the dialog to finish
>>> Click to see a screenshot <<<
Note
The above described main method is the recommended one. In case it does not work for any reason in your configuration, refer to the alternative methods provided in a separate article
Stage II: Verify the Configuration¶
Next, you need to test the configured Impersonating account using the official tool Microsoft Remote Connectivity Analyzer:
1. Open Microsoft Remote Connectivity Analyzer using the link https://testconnectivity.microsoft.com
2. Open the tab Office 365 in the navigation pane and select Service Account Access in the pane on the right
>>> Click to see a screenshot <<<
3. Fill in the details to connect to an end user account to test connectivity:
>>> Click to see a screenshot <<<
4. Target Mailbox email address: enter email address of any RGES user managed by the configured Impersonation account
5. Leave the default Authentication type: Modern Authentication (OAuth)
6. Click Sign In and sign in to the user account with its password via standard O365 OAuth dialog
Note
Security of tested account’s credentials entered in the dialog is guaranteed by Microsoft
7. If your configuration has a custom Exchange Web Services URL, select Specify Exchange Web Services URL and enter your corporate EWS URL. Or select the box Use Autodiscover to detect server settings to let the tool auto-determine the URL
8. Next, select Test predefined folder and leave the default value Inbox in the box below
9. Select Use Exchange Impersonation and under Impersonated user enter the same email address of a RGES user managed by the configured Impersonation account
10. In the field Impersonated user identified, leave the default value SmtpAddress
11. If that is required in your configuration, select Ignore Trust for SSL
12. Leave the default Service Selection: Office 365 (Default), select Ignore Trust for SSL
13. Read and confirm the βI understand and I must …β section; enter the CAPTCHA and click Verify to prove that you are not a robot
14. Finally, click Perform test at the bottom of the dialog and check the test results to see if the configured Impersonated account works
Stage III: Configure Impersonation in RG Email Sidebar Admin panel¶
Next, proceed to the steps provided in this article to configure the Sync Engine to operate via the Impersonation account.
Also see the article RG Email Sidebar mass deployment for Office 365 users.
We would love to hear from you