Configuring Application Impersonation

Document created by user.zL0FB6L9lN Expert on Nov 2, 2015. Last modified by user.oxriBaJeN4 on Nov 23, 2017. Version 8.

This guide describes how to configure Application Impersonation in your environment, to allow the Mimecast service to access your mailboxes as a named user.

Application impersonation is used where a single account needs to access many mailboxes. It allows an application (e.g. the Mimecast Synchronization Engine) to use a dedicated service account to access multiple users' mailboxes and their data.

Exchange 2016 / 2013 / 2010

 

For Exchange 2016 / 2013 / 2010 the user selected as the master mailbox must:

  • Be mailbox enabled.
  • Hold the ApplicationImpersonation management role. To configure this permission:
    1. Open an Exchange Management Shell with a logon containing the Organization Management role.
    2. Run the following command:

      New-ManagementRoleAssignment -Name:exchangeImpersonation -Role:ApplicationImpersonation -User:User1

      Where User1 is the user account selected to run the Mimecast Synchronization Engine or Sync & Recover service.
    3. Check that the user has been added to the management role by running the following command:

      Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
      Where { $_.EffectiveUserName -Eq "User1" }

      Where User1 is the same account used in Step 2; the assignment returned is the one given the Name value exchangeImpersonation in Step 2.

 

Exchange 2007

 

For Exchange 2007 the user selected as the master mailbox must be mailbox enabled and have the following permissions:

  • The Exchange Web Services Impersonation permission over the Client Access Server(s) in the Exchange organization.
  • The May Impersonate extended Active Directory right for all mailbox databases.

 

These permissions can be configured by:

  • Configuring the Exchange Web Services Impersonation permission on all Client Access servers.
  • Configuring the May Impersonate Extended Active Directory Right on all Mailbox databases.

 

Configuring the Exchange Web Services Impersonation Permission on all Client Access Servers

 

To configure the Exchange Web Services Impersonation permission on all Client Access servers in the organization:

  1. Open an Exchange Management Shell with a logon containing the Organization Management role.
  2. Run this command:

    Get-ExchangeServer | Where-Object { $_.IsClientAccessServer -eq $true } |
    ForEach-Object { Add-ADPermission -Identity $_.DistinguishedName -User (Get-User -Identity User1).Identity -ExtendedRights ms-Exch-EPI-Impersonation }

    Where User1 is the user account selected to run the Mimecast Synchronization Engine or Sync & Recover service.

    This applies the permission to your existing Client Access servers only. If you add a new Client Access server later, re-run this command to apply the permission to the newly added server.

Configuring the May Impersonate Extended Active Directory Right on all Mailbox Databases

 

To configure the May Impersonate extended Active Directory right on all mailbox databases:

  1. Open an Exchange Management Shell with a logon containing the Organization Management role.
  2. Run this command:

    Get-MailboxDatabase | ForEach-Object { Add-ADPermission -Identity $_.DistinguishedName -User User1 -ExtendedRights ms-Exch-EPI-May-Impersonate }

    Where User1 is the user account selected to run the Mimecast Synchronization Engine or Sync & Recover service.

    This applies the permission to your existing mailbox databases only. If you add a new mailbox database later, re-run this command to apply the permission to the newly added database.
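As an added example that is not part of the Mimecast article, the following script applies both Exchange 2007 rights from the two procedures above in a single pass and then verifies them with Get-ADPermission. It assumes an Exchange 2007 Management Shell opened with the Organization Management role; $ServiceAccount is a placeholder for the account that runs the Synchronization Engine or Sync & Recover service, and the mailbox-enabled check at the top is this example's addition.

```powershell
# Added example (not from the Mimecast article): grant and verify both Exchange 2007
# impersonation rights for one service account, then list what was granted.
# Assumptions: Exchange 2007 Management Shell, Organization Management role,
# $ServiceAccount is a placeholder for the real master mailbox account.
$ServiceAccount = 'User1'

# Prerequisite from the article: the master mailbox must be mailbox enabled.
if (-not (Get-Mailbox -Identity $ServiceAccount -ErrorAction SilentlyContinue)) {
    throw "$ServiceAccount is not mailbox enabled; the master mailbox must be."
}

# Resolve the account once; Add-ADPermission accepts its Identity.
$user = Get-User -Identity $ServiceAccount

# 1. ms-Exch-EPI-Impersonation on every Client Access server object.
$casServers = @(Get-ExchangeServer | Where-Object { $_.IsClientAccessServer -eq $true })
foreach ($server in $casServers) {
    Add-ADPermission -Identity $server.DistinguishedName -User $user.Identity `
        -ExtendedRights ms-Exch-EPI-Impersonation | Out-Null
}

# 2. ms-Exch-EPI-May-Impersonate on every mailbox database.
$databases = @(Get-MailboxDatabase)
foreach ($db in $databases) {
    Add-ADPermission -Identity $db.DistinguishedName -User $user.Identity `
        -ExtendedRights ms-Exch-EPI-May-Impersonate | Out-Null
}

# 3. Verify: show each object on which the account now holds one of the two rights.
$rights = 'ms-Exch-EPI-Impersonation', 'ms-Exch-EPI-May-Impersonate'
foreach ($target in ($casServers + $databases)) {
    Get-ADPermission -Identity $target.DistinguishedName -User $user.Identity |
        Where-Object { $_.ExtendedRights | Where-Object { $rights -contains "$_" } } |
        Select-Object Identity, User, ExtendedRights
}
```

The verification loop only lists objects where the account actually holds one of the two rights, so a Client Access server or mailbox database added after the script ran is absent from the output; that is the case the article says requires the commands to be re-run.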

Office 365

 

For Office 365 the user selected as the master mailbox must have the ApplicationImpersonation management role. This role can be configured by following these steps:

  1. Log on to the Office 365 Admin Center.
  2. Select Exchange from the admin list in the navigation bar on the left of the screen to launch the Exchange Admin Center.
  3. Select Permissions from the navigation bar on the left of the screen.
  4. While on the Admin Roles page select the '+' icon to add a new role.
  5. Enter a Name for the new role.
  6. In the Roles section select the '+' icon and add the ApplicationImpersonation role. Click OK.
  7. In the Members section select the '+' icon and add the user that you want to use as the Master Mailbox for the Synchronization Engine. Click Save. This completes the configuration.
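As an added example that is not part of the Mimecast article, the following script performs the role assignment from the Exchange 2016 / 2013 / 2010 section above and the Office 365 section (the same cmdlets are available in Exchange Online PowerShell, where the admin center steps above achieve the same result) in a re-runnable way: it checks the mailbox-enabled prerequisite, creates the assignment only if it does not already exist, and then runs the article's Step 3 verification. It assumes a shell opened with the Organization Management role; $ServiceAccount and $AssignmentName are placeholders for the account and the Name value you choose.

```powershell
# Added example (not from the Mimecast article): idempotent ApplicationImpersonation
# role assignment with verification, for Exchange 2010+ or Exchange Online PowerShell.
# Assumptions: Organization Management role; the two values below are placeholders.
$ServiceAccount = 'User1'                 # master mailbox account (placeholder)
$AssignmentName = 'exchangeImpersonation' # the -Name value used in the article's Step 2

# Prerequisite from the article: the master mailbox must be mailbox enabled.
if (-not (Get-Mailbox -Identity $ServiceAccount -ErrorAction SilentlyContinue)) {
    throw "$ServiceAccount is not mailbox enabled; the master mailbox must be."
}

# Re-running New-ManagementRoleAssignment with an existing -Name fails, so look the
# assignment up first and only create it when it is missing.
$existing = Get-ManagementRoleAssignment -Identity $AssignmentName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-ManagementRoleAssignment -Name $AssignmentName -Role ApplicationImpersonation -User $ServiceAccount
}

# Verification, as in the article's Step 3: the account must appear as an effective
# user of the ApplicationImpersonation role.
$effective = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq $ServiceAccount }
if (-not $effective) {
    throw "$ServiceAccount is not an effective user of ApplicationImpersonation."
}
$effective | Select-Object Name, Role, RoleAssigneeName, EffectiveUserName
```

The article grants the role organization-wide, which is what a synchronization engine that must reach every mailbox needs. If the service account should only reach a subset of mailboxes, the same New-ManagementRoleAssignment call accepts -CustomRecipientWriteScope with a scope created by New-ManagementScope (-RecipientRestrictionFilter), which limits the accounts that can be impersonated to the ones matching the filter.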

 

Office 365 Hybrid Environments

 

In Office 365 hybrid environments the master mailbox needs impersonation rights to both the on-premises and the Office 365 hosted mailboxes. Consider using a mailbox hosted on-premises for this to simplify the configuration, and ensure that you apply the ApplicationImpersonation role in both the on-premises environment and Office 365.
