Requirement for Riva EWS connections that use impersonation: The Riva connection user must be assigned permissions that enable impersonation access into the syncing user mailboxes.
Microsoft 365 supports both Exchange Application Impersonation and Delegate Full Access options, but they depend on which Microsoft 365 edition the customer is subscribed to:
Contents:
Assign the Exchange ApplicationImpersonation Permission
Enterprise Microsoft 365 subscriptions support
- assigning the Exchange ApplicationImpersonation role to a single user and
- defining a scope (list of users) that the permission can be used against. If all users are going to be syncing with Riva, the scope will be all user mailboxes.
There are two methods to assign the Exchange "ApplicationImpersonation" role:
Assign the Exchange ApplicationImpersonation Role in the online Exchange Admin Console. (Recommended.)
Follow this procedure in the Microsoft 365 Exchange Admin Console to assign the Exchange user mailbox (service account for the Riva connection) to an admin role that will grant the impersonation access permissions.
To create and assign a role with ApplicationImpersonation:
-
Log in to Microsoft 365 as an Admin user.
-
On the menu bar, select Roles; and in the drop-down, select Admin Roles.
-
In the right pane, select Add role group.
-
In the Add Role Group window, provide a name and optionally supply a description. Select Next.
-
In the Search box, enter ApplicationImpersonation, and select the ApplicationImpersonation role. Select Next, and add the Riva connection user to the Members list.
-
On the next screen, review the role that was just created, confirm that the description information looks correct, and select Add role group.
-
On the next screen, verify that the role group has been added successfully. Select Done.
Assign the Exchange ApplicationImpersonation role by using Powershell
Administrators can use Windows Powershell and connect to their Exchange Online subscription to issue PowerShell cmdlets to assign Application Impersonation role to the Riva connection user with a default scope of all user mailboxes except the admin user.
-
Connect to Exchange Online by using remote PowerShell. For instructions, go to this Microsoft webpage: Connect to Exchange Online using remote PowerShell.
-
Enter the following command to execute the cmdlet to assign the ApplicationImpersonation role.
Create a new PowerShell session with Microsoft 365:
$cred = Get-Credential
$proxy = New-PSSessionOption –ProxyAccessType IEConfig
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic –AllowRedirection -SessionOption $proxy
Import-PsSession $session
Allow configuring Microsoft 365 settings:
Enable-OrganizationCustomization
Allow impersonation in Microsoft 365:
New-ManagementRoleAssignment -Role ApplicationImpersonation -User rivasync@mycompany.com
Optional steps 1 and 2: Limit impersonation access to specific mailboxes. Here we create a new management scope that is filtered to a subset of mailboxes, then apply the management scope to the impersonation role.
(Step 1) Create the scope:
New-ManagementScope -Name "<ManagementScopeName>" -RecipientRestrictionFilter "<ScopeRecipientFilter>"
(Step 2) Assign the management role(s):
New-ManagementRoleAssignment [-Name "<Unique Name>"] -SecurityGroup "<Role Group Name>" -Role "<Role Name>" [-RecipientRelativeWriteScope <MyGAL | MyDistributionGroups | Organization | Self>] [-CustomRecipientWriteScope "<Role Scope Name>]
Finally, close the PowerShell session:
Exit-pssession
Remove-pssession $session
Assign Delegate Full Access Permissions
There are two methods to assign these permissions:
Assign Delegate Full Access Permissions in the Exchange Admin Console. (Recommended.)
Follow this procedure in the Microsoft 365 Exchange Admin Console to assign the Delegate Full Access permissions from the user being synced by Riva to the Exchange user mailbox for the service account used in the Riva EWS connection.
To assign Delegate Access Full Access permissions:
-
Log in to Microsoft 365 as an Admin user.
-
On the menu bar, select Mailboxes. Select the Riva target user mailbox that will grant delegate access, then select Mailbox delegation.
-
On the right pane that appears, under Read and manage (Full Access), select Edit.
-
Select Add members. In the list of mailboxes, select the mailbox to grant access to (the Riva connection user), and select Save; on the next pane that appears, click Confirm.
-
A message will appear indicating that the mailbox permissions are being added.
-
For each target user that the Riva will sync data for, repeat steps 2-5.
Use Powershell to Grant Delegate Full Access Permissions
Administrators can use Windows Powershell and connect to their Exchange Online subscription to issue PowerShell cmdlets to assign permissions.
Apply permissions to a single user mailbox
When security policies dictate that full access permissions can be granted only to specific mailboxes, use the Add-MailboxPermission cmdlet. This is an Exchange permission that is restricted to mailboxes.
-
Connect to Exchange Online by using remote PowerShell. For instructions, go to this Microsoft webpage: Connect to Exchange Online using remote PowerShell.
-
Enter the following command to execute the cmdlet to assign the permission and disable the AutoMapping feature.
Add-MailboxPermission -Identity "targetmailbox" -User "Riva Connection User" -AccessRights FullAccess -AutoMapping $false
Add-MailboxPermission -Identity “isample” -User “rivasvc@example.com” -AccessRights FullAccess -AutoMapping $false
To confirm which permissions are assigned to a mailbox:
Get-MailboxPermission -Identity "targetmailbox" | Format-List
Get-MailboxPermission -Identity “isample” | Format-List
Apply permissions to all user mailboxes
When security policies dictate that full access permissions can be granted to all users, use the Get-Mailbox | Add-MailboxPermission cmdlet to bulk assign the permission to all target user mailboxes except the admin mailbox.
-
Connect to Exchange Online by using remote PowerShell. For instructions, go to this Microsoft webpage: Connect to Exchange Online using remote PowerShell.
-
Enter the following command to execute the cmdlet to assign the permission and disable the AutoMapping feature.
Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Admin')} | Add-MailboxPermission -User <user, role group or security group> -AccessRights fullaccess -InheritanceType all -AutoMapping $false
Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Admin')} | Add-MailboxPermission -User rivasvc@example.com -AccessRights fullaccess -InheritanceType all -AutoMapping $false
Using a more granular RBAC Management Scope (Use with caution)
Some customers have reported difficulties with RBAC roles and Exchange Impersonation.
Full support using Windows Powershell to assign Exchange Impersonation using RBAC steps are described in Configure Exchange Impersonation using Exchange Management Shell - Exchange 2013 and 2010. Microsoft 365 Enterprise also supports assigning Delegated Access using Powershell.
References:
- "Connect Windows Powershell to the Service": http://technet.microsoft.com/en-CA/library/jj984289%28v=exchg.150%29.aspx.
- "Allow someone else to manage your mail and calendar": http://www.utexas.edu/its/help/office365/2340.
- "Reference to available PowerShell Cmdlets in Exchange Online": http://technet.microsoft.com/en-us/library/jj200780%28v=exchg.150%29.aspx.
- "Built-in RBAC roles for Exchange Online": https://support.office.com/en-ie/article/Permissions-in-Office-365-da585eea-f576-4f55-a1e0-87090b6aaa9d.
- "WinRM client cannot process the request" error when you connect to Exchange Online through remote Windows PowerShell - https://support.microsoft.com/en-us/kb/2905339.
- Microsoft 365 Technical Support: Call 1-866-865-9408.
