 

Exact Exchange Integration is a Microsoft Exchange Web Services (EWS) based solution that uses Application Impersonation to enable one service account to impersonate multiple user accounts and manage their calendars by using the rights of the impersonated account.

This article explains how to assign the ApplicationImpersonation role to the service account in an Exchange Online/Office 365 environment. This can be done either from the Office 365 Admin Management Console or by using Remote Windows PowerShell.
Note: Exchange Online is available as a standalone service, as hosted email, or as part of an Office 365 plan.

The best practice is to grant the ApplicationImpersonation role to a service account dedicated only to the Exact Exchange Integration application, rather than a ‘standard’ user account.

Service account rights and roles, as well as the password policy, should follow the recommendations described in the documentation about Exact Exchange Integrator installation, for Exchange on-premise and Exchange hosted. It is assumed here that the service account has already been created in Exchange Online and that its password is set to the same one that is used in Exact Synergy for the service account.

Assigning Application Impersonation from Office 365 Admin Management Console (when available in your O365 plan!)


To assign Application Impersonation from the Office 365 Admin Management Console, do the following:

From the Admin menu select 'Exchange'.

         

Then select 'Permissions' and, under 'Admins Roles', add a new entry by clicking the '+' sign and enter the Name and Description, e.g. ApplicationImpersonation.

Leave 'Default' as the scope to apply the new role to the whole organization.





From the list of roles choose 'ApplicationImpersonation'.

The next step is to select the user(s) to whom this role will be assigned. In this example, the user named 'serviceaccount' is selected.
Confirm the selection with 'save' and then allow some time for the system to apply the role.

 





Assigning Application Impersonation in Exchange Online (Office 365) by using Remote Windows PowerShell


You can use the New-ManagementRoleAssignment Exchange Management Shell cmdlet to assign the ApplicationImpersonation role to users in the organization. To configure impersonation in Exchange Online this way, you need to be able to run a Windows PowerShell script against your Exchange Online environment.

In the following documents you can find more information about PowerShell setup and available cmdlets:
Use Windows PowerShell in Exchange Online
Reference to Available PowerShell Cmdlets in Exchange Online - check section ApplicationImpersonation cmdlets

You also need permission to run the New-ManagementRoleAssignment cmdlet. Note that tenancy administrators are normally granted this permission by default.
If you have an issue with the permission, see the "Organization configuration" entry in the Feature Permissions in Exchange Online topic to find out which permissions you need.

To run Windows PowerShell scripts against Exchange Online, you first need to establish a Remote Windows PowerShell Session to the Exchange Online environment.
Please ensure you have set up a Remote PowerShell session correctly via the instructions at Connect Windows PowerShell to the Service before running the cmdlets.

As mentioned earlier, to configure a service account to be able to impersonate a set of users, you need to grant the service account the ApplicationImpersonation role. This enables the service account to impersonate the specified user accounts and perform mailbox operations by using their rights.

Run the New-ManagementRoleAssignment cmdlet (as shown below) to grant the service account permission to impersonate all the users in the organization.
Note: The Name parameter specifies the name of the new role assignment. The Role parameter indicates that the ApplicationImpersonation role is assigned to the user specified by the User parameter.

New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount
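
The command above lets the service account impersonate every mailbox in the organization. If the integration only needs a subset of users, the assignment can be limited with a management scope. The following is an added example, not part of the original article or of Exact's documentation; the scope name, assignment name and group name are hypothetical placeholders, and it assumes an already connected Exchange Online session.

```powershell
# Added example. All names below are placeholders, not values from the article,
# except 'serviceAccount', which is the account name used in the command above.
$ServiceAccount = 'serviceAccount'
$AssignmentName = 'impersonationAssignmentScoped'   # hypothetical
$ScopeName      = 'ExactIntegrationMailboxes'       # hypothetical
$GroupName      = 'Exact Integration Users'         # hypothetical group of mailboxes to manage

# The scope filter matches on group membership and needs the group's
# distinguished name. Single quotes in the DN are doubled for the filter string.
$group  = Get-DistributionGroup -Identity $GroupName -ErrorAction Stop
$dn     = $group.DistinguishedName -replace "'", "''"
$filter = "MemberOfGroup -eq '$dn'"

# Create the scope only if it does not exist yet, so the script can be re-run.
if (-not (Get-ManagementScope | Where-Object { $_.Name -eq $ScopeName })) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $filter
}

# Grant impersonation limited to recipients that match the scope.
New-ManagementRoleAssignment -Name $AssignmentName `
    -Role ApplicationImpersonation `
    -User $ServiceAccount `
    -CustomRecipientWriteScope $ScopeName

# Review every assignment of the role, including who effectively holds it.
$assignments = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers
$assignments |
    Select-Object Name, RoleAssigneeName, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize

# Assignments without a custom scope still cover the whole organization.
# An earlier organization-wide assignment for the same account would show up
# here and can be removed with Remove-ManagementRoleAssignment once the
# scoped assignment has been verified.
$assignments |
    Where-Object { -not $_.CustomRecipientWriteScope } |
    Select-Object Name, EffectiveUserName, RecipientWriteScope
```

Re-running the review portion periodically shows whether any account other than the dedicated service account has acquired the role.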


More information:
Microsoft Exchange Web Services (EWS) Managed API–based solutions, such as the Exact Exchange Integration solution, can use Application Impersonation to enable a service account to impersonate a user account and perform operations by using the rights of the impersonated account.
This makes it possible to grant a single service account permission to impersonate a set of users so that it can connect to EWS and perform mailbox operations for those accounts. In this way, you can perform operations such as sending and retrieving email messages or creating tasks or appointments.
If you have a solution based on EWS: after connecting to EWS with the credentials of the service account that has been granted the ApplicationImpersonation role, you can impersonate an account by setting the ImpersonatedUserId property of the ExchangeService class to an instance of the ImpersonatedUserId class that represents the account you want to impersonate.

Getting Started with Windows PowerShell
Configure user passwords to never expire
Impersonation and EWS in Exchange