Configuring Impersonation rights in Exchange 2010

Recently, the IT team decided to try out a third-party add-on that supports Exchange Online with the Outlook client. To configure this add-on on the server, one of the requirements was to configure a service account to impersonate the users in a Distribution Group. This post provides the steps to achieve that.

Starting with Exchange 2010, the permission model is Role Based Access Control (RBAC), which allows fine-grained yet easy control over the level of permissions assigned to users or administrators. Impersonation leverages RBAC, and in this post we discuss the ApplicationImpersonation management role associated with impersonation.

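First, we will have to define a management scope (say, "TestImpersonationScope") that filters for the users of the distribution group (say, "Admin Group"). The MemberOfGroup filter matches on the group's distinguished name rather than its display name, so the group is looked up first:

$group = Get-DistributionGroup "Admin Group"
New-ManagementScope -Name:TestImpersonationScope -RecipientRestrictionFilter "MemberOfGroup -eq '$($group.DistinguishedName)'"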

You can use the following command to get more information on the created management scope:

Get-ManagementScope "TestImpersonationScope" | fl

Now, run the following command to allow the service account (say, "testuser") to impersonate all the members of the created scope:

New-ManagementRoleAssignment -Name:"Admin Group Impersonation Role" -Role:ApplicationImpersonation -User:testuser -CustomRecipientWriteScope:TestImpersonationScope

You can also configure impersonation for all users in an organization.
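
Since an assignment without a custom scope applies to every mailbox, it is worth checking what the scope really covers and who holds the role. The following is an added example, not part of the original post: it previews the recipients matched by the scope and lists every ApplicationImpersonation assignment, flagging any that are not restricted by a custom recipient scope. It assumes the Exchange Management Shell and the scope name used above; the `Scoped` column is a name chosen for this example.

```powershell
# Added example: run in the Exchange Management Shell.
$scopeName = 'TestImpersonationScope'   # scope created above

# 1. Preview the recipients the scope filter actually matches.
#    An empty result means the service account can impersonate nobody.
$scope   = Get-ManagementScope $scopeName
$members = @(Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter -ResultSize Unlimited)

if ($members.Count -eq 0) {
    Write-Warning "Scope '$scopeName' matches no recipients. Check the filter: $($scope.RecipientFilter)"
} else {
    "Scope '$scopeName' matches $($members.Count) recipient(s):"
    $members | Sort-Object Name |
        Format-Table Name, RecipientType, PrimarySmtpAddress -AutoSize
}

# 2. List every assignment of the ApplicationImpersonation role,
#    expanded to the effective users, and mark unscoped assignments.
$assignments = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object Name,
                  RoleAssigneeName,
                  EffectiveUserName,
                  RecipientWriteScope,
                  CustomRecipientWriteScope,
                  @{ Name = 'Scoped'; Expression = { [bool]$_.CustomRecipientWriteScope } }

$assignments | Sort-Object Scoped, RoleAssigneeName |
    Format-Table Name, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope, Scoped -AutoSize

# 3. Call out assignments that are not limited by a custom recipient scope.
$unscoped = @($assignments | Where-Object { -not $_.Scoped })
foreach ($a in $unscoped) {
    Write-Warning ("'{0}' lets {1} impersonate with write scope '{2}' (no custom scope)" -f `
        $a.Name, $a.EffectiveUserName, $a.RecipientWriteScope)
}
```

Running this after any change to the distribution group or the role assignments shows whether the service account's reach still matches what was intended.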

References:
https://msdn.microsoft.com/en-us/library/office/dn722376(v=exchg.150).aspx
http://blogs.msdn.com/b/dhruvkh/archive/2011/10/19/impersonation-in-the-times-of-rbac.aspx
