Riva CRM Integration - Documentation and Knowledge Base

Prepare Office 365 Exchange Permissions for Riva Connections

Article ID: 1114
Last updated: 08 Jun, 2021
Note for Riva Cloud: Create an Office 365 OAuth connection before performing the procedures described in this article.

Requirement for Riva EWS connections that use impersonation: The Riva connection user must be assigned permissions that enable impersonation access into the syncing user mailboxes.

Office 365 supports both the Exchange ApplicationImpersonation and Delegate Full Access options, but their availability depends on which Office 365 edition the customer is subscribed to.

Assign the Exchange ApplicationImpersonation Permission

Enterprise Office 365 subscriptions support

  • assigning the Exchange ApplicationImpersonation role to a single user and
  • defining a scope (list of users) that the permission can be used against. If all users are going to be syncing with Riva, the scope will be all user mailboxes.

There are two methods to assign the Exchange "ApplicationImpersonation" role:

Assign the Exchange ApplicationImpersonation Role in the online Exchange Admin Console. (Recommended.)

Follow this procedure in the Office 365 Exchange Admin Console to assign the Exchange user mailbox (service account for the Riva connection) to an admin role that will grant the impersonation access permissions.

To create and assign a role with ApplicationImpersonation:

  1. Log in to Office 365 as an Admin user. You should be working in a blue and white minimalist theme.

  2. On the menu bar, select Admin; and on the drop-down, select Exchange.

  3. In the left column navigation pane, select permissions. Under admin roles, on the tool bar, select the + icon.

  4. In the Role Group window, provide a name and optionally supply a description, select the ApplicationImpersonation role, and add the Riva connection user to the Members list.

  5. Select another role, and then select the role that was just created, and confirm that the description information looks correct.

Assign the Exchange ApplicationImpersonation role by using PowerShell

Administrators can use Windows PowerShell to connect to their Exchange Online subscription and issue cmdlets that assign the ApplicationImpersonation role to the Riva connection user with a default scope of all user mailboxes except the admin user.

  1. Connect to Exchange Online by using remote PowerShell. For instructions, go to this Microsoft webpage: Connect to Exchange Online using remote PowerShell.

  2. Enter the following command to execute the cmdlet to assign the ApplicationImpersonation role.

    Create a new PowerShell session with Office 365:

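    # Basic authentication over remote PowerShell has since been retired by Microsoft for Exchange Online;
    # on current tenants, connect with Connect-ExchangeOnline (ExchangeOnlineManagement module) instead.
    $cred = Get-Credential
    $proxy = New-PSSessionOption -ProxyAccessType IEConfig
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic -AllowRedirection -SessionOption $proxy
    Import-PSSession $session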

    Allow configuring Microsoft Office 365 settings:
     
    Enable-OrganizationCustomization

    Allow impersonation in Microsoft Office 365:
     
    New-ManagementRoleAssignment -Role ApplicationImpersonation -User rivasync@mycompany.com
     

    Optional steps 1 and 2: Create a new management scope and assign one or more management roles to the management scope.

    (Step 1) Create the scope:
     
    New-ManagementScope -Name "<ManagementScopeName>" -RecipientRestrictionFilter "<ScopeRecipientFilter>"
     
    (Step 2) Assign the management role(s):
     
    New-ManagementRoleAssignment [-Name "<Unique Name>"] -SecurityGroup "<Role Group Name>" -Role "<Role Name>" [-RecipientRelativeWriteScope <MyGAL | MyDistributionGroups | Organization | Self>] [-CustomRecipientWriteScope "<Role Scope Name>"]

    Finally, close the PowerShell session:
     
    Exit-PSSession
    Remove-PSSession $session
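
The optional scope steps above, worked through as an added example (not part of the original article and not Riva's code); run it inside the Exchange Online session, before the session is closed. The group, scope and assignment names are hypothetical, and the group is assumed to be a mail-enabled group containing the users who sync with Riva.

```powershell
# Added example. Hypothetical names: group 'Riva Sync Users',
# scope 'RivaSyncScope', assignment 'RivaImpersonation-Scoped'.
$serviceAccount = 'rivasync@mycompany.com'   # sample account used in this article
$groupName      = 'Riva Sync Users'
$scopeName      = 'RivaSyncScope'
$assignmentName = 'RivaImpersonation-Scoped'

# Step 1: build the recipient filter from the group's distinguished name.
$group  = Get-DistributionGroup -Identity $groupName -ErrorAction Stop
$filter = "MemberOfGroup -eq '$($group.DistinguishedName)'"

# Preview which recipients the filter matches before creating anything.
$inScope = @(Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited)
if ($inScope.Count -eq 0) { throw "Filter matches no recipients: $filter" }
$inScope | Sort-Object PrimarySmtpAddress | Format-Table Name, PrimarySmtpAddress

# Create the scope only if it does not exist yet.
if (-not (Get-ManagementScope -Identity $scopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $scopeName -RecipientRestrictionFilter $filter | Out-Null
}

# Step 2: assign the role to the service account, limited to that scope.
New-ManagementRoleAssignment -Name $assignmentName -Role ApplicationImpersonation `
    -User $serviceAccount -CustomRecipientWriteScope $scopeName | Out-Null

# Verify: list every ApplicationImpersonation assignment that reaches the account.
$assignments = @(Get-ManagementRoleAssignment -Role ApplicationImpersonation `
    -RoleAssignee $serviceAccount)
$assignments | Format-Table Name, RecipientWriteScope, CustomRecipientWriteScope

# RBAC assignments are additive: an organization-wide assignment left over from
# the unscoped command makes the custom scope ineffective. Report any that remain.
$unscoped = @($assignments | Where-Object { $_.RecipientWriteScope -eq 'Organization' })
foreach ($a in $unscoped) {
    Write-Warning "Assignment '$($a.Name)' still grants organization-wide impersonation."
    # Preview the removal; drop -WhatIf to apply it.
    Remove-ManagementRoleAssignment -Identity $a.Name -WhatIf
}
```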
     

Assign Delegate Full Access Permissions

There are two methods to assign these permissions:

Assign Delegate Full Access Permissions in the Exchange Admin Console. (Recommended.)

Follow this procedure in the Office 365 Exchange Admin Console to assign the Delegate Full Access permissions from the user being synced by Riva to the Exchange user mailbox for the service account used in the Riva EWS connection.

In the following example, Richard Mao is the target mailbox and Aldo Zanoni is the Riva Cloud EWS connection user.

To assign Delegate Full Access permissions:

  1. Log in to Office 365 as an Admin user. You should be working in a blue and white minimalist theme.

  2. On the menu bar, select Admin; and on the drop-down, select Exchange.

  3. In the left column navigation pane, select recipients.

  4. In the list of mailboxes, select the Riva target user mailbox that will grant delegate access, and select the pencil icon at the top of the mailbox list.

  5. In the User mailbox window, select mailbox delegation.

  6. In the Full Access section, above DISPLAY NAME, select +.

  7. In the Select Full Access window, select the mailbox to grant access to (the Riva connection user), select add ->, and select ok.

  8. In the User mailbox window, select Save.

  9. For each target user that Riva will sync data for, repeat steps 4–8.

Use PowerShell to Grant Delegate Full Access Permissions

Administrators can use Windows PowerShell to connect to their Exchange Online subscription and issue cmdlets to assign permissions.

Apply permissions to a single user mailbox

When security policies dictate that full access permissions can be granted only to specific mailboxes, use the Add-MailboxPermission cmdlet. This is an Exchange permission that is restricted to mailboxes.

  1. Connect to Exchange Online by using remote PowerShell. For instructions, go to this Microsoft webpage: Connect to Exchange Online using remote PowerShell.

  2. Enter the following command to execute the cmdlet to assign the permission and disable the AutoMapping feature.

    Add-MailboxPermission -Identity "targetmailbox" -User "Riva Connection User" -AccessRights FullAccess -AutoMapping $false

    Add-MailboxPermission -Identity "isample" -User "rivasvc@example.com" -AccessRights FullAccess -AutoMapping $false


    To confirm which permissions are assigned to a mailbox:
     
    Get-MailboxPermission -Identity "targetmailbox" | Format-List

    Get-MailboxPermission -Identity "isample" | Format-List
     

Apply permissions to all user mailboxes

When security policies dictate that full access permissions can be granted to all users, pipe Get-Mailbox to the Add-MailboxPermission cmdlet to bulk assign the permission to all target user mailboxes except the admin mailbox.

  1. Connect to Exchange Online by using remote PowerShell. For instructions, go to this Microsoft webpage: Connect to Exchange Online using remote PowerShell.

  2. Enter the following command to execute the cmdlet to assign the permission and disable the AutoMapping feature.
     

    Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Admin')} | Add-MailboxPermission -User <user, role group or security group> -AccessRights fullaccess -InheritanceType all -AutoMapping $false

    Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Admin')} | Add-MailboxPermission -User rivasvc@example.com -AccessRights fullaccess -InheritanceType all -AutoMapping $false
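
To check the result of the single-mailbox or bulk grant, the following added example (not part of the original article) lists every user mailbox on which the Riva connection user holds a direct FullAccess grant and compares it with the mailboxes that are meant to sync. The `$expected` alias list is constructed for illustration, and an open Exchange Online session is assumed.

```powershell
# Added example. rivasvc@example.com is the sample account used in this article;
# the aliases in $expected are constructed sample values.
$serviceAccount = 'rivasvc@example.com'
$expected       = @('isample', 'jdoe')

$mailboxes = Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'"

# Collect one row per mailbox where the account has an explicit, non-deny FullAccess entry.
$granted = foreach ($mbx in $mailboxes) {
    $ace = Get-MailboxPermission -Identity $mbx.Identity -User $serviceAccount |
        Where-Object {
            $_.AccessRights -contains 'FullAccess' -and -not $_.Deny -and -not $_.IsInherited
        }
    if ($ace) {
        [pscustomobject]@{
            Alias    = $mbx.Alias
            Mailbox  = $mbx.PrimarySmtpAddress
            Expected = $expected -contains $mbx.Alias
        }
    }
}
$granted = @($granted)

# Mailboxes that should sync but have no grant yet.
$missing = @($expected | Where-Object { $granted.Alias -notcontains $_ })

# Mailboxes the account can open although they are not on the sync list.
$unexpected = @($granted | Where-Object { -not $_.Expected })

"Granted: $($granted.Count)  Missing: $($missing.Count)  Unexpected: $($unexpected.Count)"
$missing    | ForEach-Object { Write-Warning "No FullAccess grant on expected mailbox '$_'" }
$unexpected | Format-Table Alias, Mailbox

# Preview revoking the grants that are not needed; drop -WhatIf to apply.
foreach ($row in $unexpected) {
    Remove-MailboxPermission -Identity $row.Alias -User $serviceAccount `
        -AccessRights FullAccess -InheritanceType All -WhatIf
}
```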
     

Using a more granular RBAC Management Scope (Use with caution)

Some customers have reported difficulties with RBAC roles and Exchange Impersonation.

The full RBAC steps for assigning Exchange Impersonation with Windows PowerShell are described in Configure Exchange Impersonation using Exchange Management Shell - Exchange 2013 and 2010. Office 365 Enterprise also supports assigning Delegated Access using PowerShell.

References:

  1. "Connect Windows Powershell to the Service": http://technet.microsoft.com/en-CA/library/jj984289%28v=exchg.150%29.aspx.
  2. "Allow someone else to manage your mail and calendar": http://www.utexas.edu/its/help/office365/2340.
  3. "Reference to available PowerShell Cmdlets in Exchange Online": http://technet.microsoft.com/en-us/library/jj200780%28v=exchg.150%29.aspx.
  4. "Built-in RBAC roles for Exchange Online": https://support.office.com/en-ie/article/Permissions-in-Office-365-da585eea-f576-4f55-a1e0-87090b6aaa9d.
  5. "'WinRM client cannot process the request' error when you connect to Exchange Online through remote Windows PowerShell": https://support.microsoft.com/en-us/kb/2905339.
  6. Office 365 Technical Support: Call 1-866-865-9408.

Revision: 14