Configuring Application Impersonation

Document created by user.zL0FB6L9lN (Expert) on Nov 2, 2015. Last modified by user.oxriBaJeN4 on Jul 13, 2017.

This guide describes how to configure Application Impersonation in your environment to allow Mimecast to access your mailboxes as a named user.

 

Walkthrough

 

Application impersonation is used in situations where a single account needs to access many mailboxes. It allows an application (e.g. the Mimecast Synchronization Engine) to use one dedicated service account to access multiple users' mailboxes and their data.

 

Exchange 2016 / 2013 / 2010

 

For Exchange 2016 / 2013 / 2010 the user selected as the Master Mailbox must be mailbox-enabled and hold the ApplicationImpersonation management role. This permission can be configured by following these steps:

  1. Open an Exchange Management Shell as an Exchange Organization Administrator
  2. Run this command:
    New-ManagementRoleAssignment -Name:exchangeImpersonation -Role:ApplicationImpersonation -User:User1
    Where User1 is the user account selected to run the Mimecast Synchronization Engine service.
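The command above grants the role for every mailbox in the organization. The following script, added here as an example and not part of the original article or of Mimecast's own setup, goes one step further and attaches a management scope to the assignment so the service account can only impersonate the mailboxes that match a filter. The scope name, the filter and the assignment name are hypothetical values; User1 is the service account from the article.

```powershell
# Added example (not from the original article): grant ApplicationImpersonation to the
# Mimecast service account with a management scope attached, so the account can only
# impersonate mailboxes matching a filter rather than every mailbox in the organization.
# Assumptions: the service account is 'User1' as in the article; the scope name, filter
# and assignment name below are hypothetical values chosen for this example.
# Requires Exchange 2010 or later (management scopes do not exist on Exchange 2007).

$ServiceAccount = 'User1'
$ScopeName      = 'MimecastImpersonationScope'
$AssignmentName = 'exchangeImpersonation'

# OPATH filter for the mailboxes the service account may impersonate. This one limits
# impersonation to user mailboxes tagged in CustomAttribute1; tighten or widen it to
# match the mailboxes the Synchronization Engine actually has to read.
$Filter = "RecipientTypeDetails -eq 'UserMailbox' -and CustomAttribute1 -eq 'MimecastSync'"

# Create the scope once; Get-ManagementScope errors if it does not exist, so silence that.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $Filter | Out-Null
}

# The role assignment from the article, now restricted by the custom recipient scope.
New-ManagementRoleAssignment -Name $AssignmentName `
    -Role ApplicationImpersonation `
    -User $ServiceAccount `
    -CustomRecipientWriteScope $ScopeName

# Confirm the assignment carries the scope; an empty CustomRecipientWriteScope would
# mean the account can impersonate every mailbox in the organization.
Get-ManagementRoleAssignment -Identity $AssignmentName |
    Select-Object Name, Role, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope |
    Format-List
```

Run it from the Exchange Management Shell as an Organization Administrator. If the Synchronization Engine later reports access-denied errors for a mailbox, the first thing to check is whether that mailbox falls inside the scope filter.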

 

Exchange 2007

 

For Exchange 2007 the user selected as the Master Mailbox must be mailbox-enabled and have the following permissions:

  • Exchange Web Services Impersonation permission over the Client Access Server(s) in the Exchange Organization,
  • The May Impersonate Extended Active Directory Right for all mailbox databases.

 

These permissions can be configured by:

  • Configuring the Exchange Web Services Impersonation permission on all Client Access servers.
  • Configuring the May Impersonate Extended Active Directory Right on all Mailbox databases.

 

Configuring the Exchange Web Services Impersonation Permission on all Client Access Servers

 

To configure the Exchange Web Services Impersonation permission on all Client Access servers in the Organization:

  1. Open an Exchange Management Shell as an Exchange Organization Administrator
  2. Run this command:
    Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity User1 | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}
    Where User1 is the user account selected to run the Mimecast Synchronization Engine service.

    This applies the permission to your existing Client Access Servers. If you add a new Client Access Server later, you will need to re-run this command to apply the permission to the newly added server.

Configuring the May Impersonate Extended Active Directory Right on all Mailbox Databases

 

To configure the May Impersonate Extended Active Directory Right on all Mailbox databases:

  1. Open an Exchange Management Shell as an Exchange Organization Administrator
  2. Run this command:
    Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User User1 -ExtendedRights ms-Exch-EPI-May-Impersonate}
    Where User1 is the user account selected to run the Mimecast Synchronization Engine service.

    This applies the permission to your existing mailbox databases. If you add a new mailbox database later, you will need to re-run this command to apply the permission to the newly added database.
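Because both Exchange 2007 permissions have to be re-applied whenever a Client Access Server or a mailbox database is added, it is useful to have a check that reports where the service account is missing either right. The script below is an added example, not part of the original article or of Mimecast's own tooling; it assumes the service account is User1, as in the article, and uses the same Get-ExchangeServer and Get-MailboxDatabase enumerations as the two commands above.

```powershell
# Added example (not from the original article): verify that the Mimecast service account
# holds both rights the article requires on Exchange 2007, and list every Client Access
# Server or mailbox database where one is missing.
# Assumption: the service account is 'User1', as in the article.

$ServiceAccount = 'User1'
$Missing = @()

# Returns $true if a non-Deny ACE for the account carries the named extended right.
function Test-ExtendedRight {
    param([string]$Identity, [string]$Account, [string]$Right)
    $Aces = Get-ADPermission -Identity $Identity -User $Account -ErrorAction SilentlyContinue
    foreach ($Ace in $Aces) {
        if ($Ace.Deny) { continue }
        $Names = $Ace.ExtendedRights | ForEach-Object { $_.ToString() }
        if ($Names -contains $Right) { return $true }
    }
    return $false
}

# ms-Exch-EPI-Impersonation must be present on every Client Access Server object.
Get-ExchangeServer | Where-Object { $_.IsClientAccessServer -eq $true } | ForEach-Object {
    if (-not (Test-ExtendedRight $_.DistinguishedName $ServiceAccount 'ms-Exch-EPI-Impersonation')) {
        $Missing += "Client Access Server $($_.Name): ms-Exch-EPI-Impersonation"
    }
}

# ms-Exch-EPI-May-Impersonate must be present on every mailbox database.
Get-MailboxDatabase | ForEach-Object {
    if (-not (Test-ExtendedRight $_.DistinguishedName $ServiceAccount 'ms-Exch-EPI-May-Impersonate')) {
        $Missing += "Mailbox database $($_.Name): ms-Exch-EPI-May-Impersonate"
    }
}

if ($Missing.Count -eq 0) {
    Write-Output "All impersonation rights are present for $ServiceAccount."
} else {
    Write-Output "Rights missing for $ServiceAccount (re-run the Add-ADPermission commands):"
    $Missing | ForEach-Object { Write-Output "  $_" }
}
```

Running this after each server or database addition, or on a schedule, turns the "re-run this command" note above into something you can actually enforce rather than remember.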

Office 365

 

For Office 365 the user that is selected as the Master Mailbox needs to have the ApplicationImpersonation management role. This role can be configured by following these steps:

  1. Login to the Office 365 Admin Center.
  2. Select Exchange from the Admin list in the navigation bar on the left of the screen to launch the Exchange Admin Center.
  3. Select Permissions from the navigation bar on the left of the screen.
  4. While on the admin roles page select the '+' icon to add a new role.
  5. Enter a Name for the new role.
  6. In the Roles section select the '+' icon and add the ApplicationImpersonation role. Click OK.
  7. In the Members section select the '+' icon and add the user that you want to use as the Master Mailbox for the Synchronization Engine. Click Save. This completes the configuration.

 

Office 365 Hybrid Environments

 

In Office 365 Hybrid environments the Master Mailbox will need impersonation rights to both the on-premises and the Office 365 hosted mailboxes. Consider using a mailbox hosted on-premises for this to simplify the configuration, and ensure that you apply the ApplicationImpersonation role in both the on-premises environment and Office 365.
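In a hybrid deployment it is easy to end up with the role applied on one side only, or with more accounts holding it than intended. The script below is an added example, not part of the original article or of Mimecast's own tooling: it runs the same ApplicationImpersonation query against the on-premises organization and Exchange Online and warns when the Master Mailbox is missing from either, or when any other account holds the role. It assumes the expected account is User1 (matched by the name Get-ManagementRoleAssignment reports), that it runs in an on-premises Exchange Management Shell, and that Exchange Online is reached through the ExchangeOnlineManagement module imported with a Cloud prefix.

```powershell
# Added example (not from the original article): in a hybrid deployment the Master Mailbox
# must hold ApplicationImpersonation in both the on-premises organization and Exchange
# Online, and both should be reviewed for any other account that holds it. This runs the
# same query in each environment and warns on gaps or additional holders.
# Assumptions (hypothetical): the expected service account is 'User1' as in the article,
# matched by the name shown in EffectiveUserName; the script runs inside an on-premises
# Exchange Management Shell; Exchange Online is reached through the ExchangeOnlineManagement
# module, imported with a 'Cloud' prefix so its cmdlets do not shadow the on-premises ones.

$Expected = 'User1'

function Get-ImpersonationHolders {
    param([string]$Environment, [string]$Prefix = '')
    # -GetEffectiveUsers expands group assignees into one row per member, so nested
    # group membership cannot hide an account that can impersonate mailboxes.
    $Cmdlet = "Get-${Prefix}ManagementRoleAssignment"
    & $Cmdlet -Role ApplicationImpersonation -GetEffectiveUsers | ForEach-Object {
        New-Object PSObject -Property @{
            Environment   = $Environment
            Assignment    = $_.Name
            Assignee      = $_.RoleAssigneeName
            EffectiveUser = $_.EffectiveUserName
            Scope         = $_.CustomRecipientWriteScope
        }
    }
}

# On-premises: the plain cmdlet from the current Exchange Management Shell session.
$OnPrem = @(Get-ImpersonationHolders -Environment 'OnPremises')

# Exchange Online: same query through the prefixed cmdlet (Get-CloudManagementRoleAssignment).
Connect-ExchangeOnline -Prefix 'Cloud' -ShowBanner:$false
$Online = @(Get-ImpersonationHolders -Environment 'ExchangeOnline' -Prefix 'Cloud')
Disconnect-ExchangeOnline -Confirm:$false

$All = $OnPrem + $Online
$All | Format-Table Environment, Assignment, Assignee, EffectiveUser, Scope -AutoSize

# The Master Mailbox must appear in both environments (the hybrid requirement above).
foreach ($Env in 'OnPremises', 'ExchangeOnline') {
    $Held = $All | Where-Object { $_.Environment -eq $Env -and $_.EffectiveUser -eq $Expected }
    if (-not $Held) { Write-Warning "$Expected does not hold ApplicationImpersonation in $Env" }
}

# Any other effective user with this role can read every mailbox in its scope; review each.
$All | Where-Object { $_.EffectiveUser -ne $Expected } | ForEach-Object {
    Write-Warning "Additional ApplicationImpersonation holder in $($_.Environment): $($_.EffectiveUser) (via assignment '$($_.Assignment)', assignee '$($_.Assignee)')"
}
```

An empty Scope column on the Master Mailbox's row means the assignment is unscoped and the account can impersonate every mailbox in that environment, which is worth knowing when you review the output.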
