Requirement for Riva EWS connections that use impersonation: The Riva connection user must be assigned permissions that enable impersonation access into the "target" user mailboxes.
Office 365 supports both the Exchange Application Impersonation and Delegate Full Access options, but which ones are available depends on the Office 365 edition the customer is subscribed to:
Enterprise Office 365 subscriptions support
There are two methods to assign the Exchange "ApplicationImpersonation" role:
Follow this procedure in the Office 365 Exchange Admin Console to assign the Exchange user mailbox (service account for the Riva connection) to an admin role that will grant the impersonation access permissions.
In the following example, Rivasvc@mycompany.com is the Riva Cloud EWS connection user.
To create and assign a role with ApplicationImpersonation:
Administrators can use Windows PowerShell to connect to their Exchange Online subscription and issue PowerShell cmdlets that assign the ApplicationImpersonation role to the Riva connection user with a default scope of all user mailboxes except the admin user.
Using a more granular RBAC Management Scope
Full support for using Windows PowerShell to assign Exchange Impersonation using the RBAC steps described previously in Configure Exchange Impersonation using Exchange Management Shell - Exchange 2013 and 2010. Some customers have reported difficulties with RBAC roles and Exchange Impersonation. Office 365 Enterprise also supports assigning Delegated Access using PowerShell.
WARNING: During recent work with a Riva client and Office 365 support, we have been warned against using group membership as the basis for a Management Scope's RecipientRestrictionFilter property with Exchange Online/Office 365, because the MemberOfGroup attribute relies on distinguished names and Microsoft does not currently guarantee that a cloud-hosted organization's distinguished name will remain static. (For example, the forest may change, as in our case.) Microsoft recommends using custom attributes instead.
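The custom-attribute approach recommended in the warning above, as an added PowerShell example (not taken from Riva's or Microsoft's instructions). The attribute CustomAttribute1, the tag value, the scope and assignment names, and the sample mailbox addresses are assumptions; Rivasvc@mycompany.com is the connection user from the example earlier on this page.

```powershell
# Added example: scope ApplicationImpersonation by a custom attribute
# instead of MemberOfGroup, so the filter does not depend on a distinguished name.
# Assumed values (not from the original page): CustomAttribute1, 'RivaSync',
# the scope and assignment names, and the sample mailbox list.
# Requires the ExchangeOnlineManagement module and an Exchange Online admin account.
Connect-ExchangeOnline

$ServiceAccount = 'Rivasvc@mycompany.com'     # Riva connection user (from this page)
$TagValue       = 'RivaSync'                  # hypothetical tag value
$ScopeName      = 'Riva Sync Scope'           # hypothetical scope name
$Filter         = "CustomAttribute1 -eq '$TagValue'"
$SyncedUsers    = @('user1@mycompany.com',    # constructed sample list of
                    'user2@mycompany.com')    # mailboxes Riva may impersonate

# 1. Tag only the mailboxes that Riva is allowed to impersonate.
foreach ($user in $SyncedUsers) {
    Set-Mailbox -Identity $user -CustomAttribute1 $TagValue
}

# 2. Preview what the filter matches before granting anything, and stop
#    if it reaches a mailbox that is not on the intended list.
$matched    = Get-Recipient -RecipientPreviewFilter $Filter -ResultSize Unlimited
$unexpected = $matched | Where-Object { $SyncedUsers -notcontains $_.PrimarySmtpAddress }
$matched | Sort-Object PrimarySmtpAddress | Format-Table Name, PrimarySmtpAddress
if ($unexpected) {
    throw 'Filter matches mailboxes outside the intended list; correct the tags first.'
}

# 3. Create the management scope on the attribute and bind the role to it.
New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $Filter
New-ManagementRoleAssignment -Name 'Riva Impersonation (scoped)' `
    -Role 'ApplicationImpersonation' -User $ServiceAccount `
    -CustomResourceScope $ScopeName

# 4. Audit: list every ApplicationImpersonation assignment with its scope.
#    An assignment with an empty CustomRecipientWriteScope is organization-wide.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
    Select-Object Name, EffectiveUserName, CustomRecipientWriteScope, RecipientWriteScope |
    Format-Table -AutoSize
```

Re-running steps 2 and 4 after any tenant change shows whether the scope still resolves to the intended mailboxes.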
How to prevent similar issues in the future
The Microsoft Office 365 support engineer advised:
"As we discussed together about the issue related to the break of EWS synchronization, here is a summary of what we talked about:
Set-ManagementScope had the recipient filter scope set to RecipientFilter: MemberOfGroup -eq 'CN=Riva Sync Users,OU=mycompany.com,OU=Microsoft Exchange Hosted Organizations,DC=eurprd07,DC=prod,DC=outlook,DC=com'
There are two methods to assign these permissions:
Follow this procedure in the Office 365 Exchange Admin Console to assign the Delegate Full Access permissions from the user being synced by Riva to the Exchange user mailbox for the service account used in the Riva EWS connection.
In the following example, Richard Mao is the target mailbox and Aldo Zanoni is the Riva Cloud EWS connection user.
To assign Delegate Access Full Access permissions:
Administrators can use Windows PowerShell to connect to their Exchange Online subscription and issue PowerShell cmdlets that assign the permissions.
Apply permissions to a single user mailbox
When security policies dictate that full access permissions can be granted only to specific mailboxes, use the Add-MailboxPermission cmdlet. This is an Exchange permission that is restricted to mailboxes.
Apply permissions to all user mailboxes
When security policies dictate that full access permissions can be granted to all users, pipe Get-Mailbox to Add-MailboxPermission (Get-Mailbox | Add-MailboxPermission) to bulk-assign the permission to all target user mailboxes except the admin mailbox.