Aug 9, 2013

Enabling impersonation in Exchange 2010

There are a bajillion blogs about this, but there’s also a lot of wishy-washy stuff around it. So I figured it might be worthwhile condensing it all down to what you really want to know.

The scenario is this:

You have an application (in this case Dynamics CRM) which connects to EWS and wants to use a service user to interact with mailboxes. In 2007 you’d have to grant rights, but that is frankly awful to manage, and the security is so-so. In 2010/2013, all you have to do is create a scope and assign impersonation privileges to your user for that scope.

Easy peasy!

  1. New-ManagementScope -Name "CRM Mailboxes" -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' } -RecipientRoot "iloveexchange.com/CompanyOU/Users/CRM Users"
  2. New-ManagementRoleAssignment -Name:CRM -Role:ApplicationImpersonation -User:"CRM_Email_Router" -CustomRecipientWriteScope:"CRM Mailboxes"

Done and done.
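To check that the two commands above did what you intended, here is an added verification example (not part of the original post) for the Exchange Management Shell. It reuses the scope and account names from the steps above and assumes you run it with rights to read role assignments.

```powershell
# Added example: audit ApplicationImpersonation after creating the scope and assignment.
$scopeName = 'CRM Mailboxes'      # scope name from step 1
$assignee  = 'CRM_Email_Router'   # service account from step 2

# 1. Every assignment of the impersonation role, with the scope that limits it.
$assignments = Get-ManagementRoleAssignment -Role ApplicationImpersonation
$assignments |
    Select-Object Name, RoleAssigneeName, RoleAssigneeType,
                  RecipientWriteScope, CustomRecipientWriteScope, Enabled |
    Format-Table -AutoSize

# 2. Assignments with no custom scope can impersonate far more than intended.
$unscoped = $assignments | Where-Object { -not $_.CustomRecipientWriteScope }
if ($unscoped) {
    Write-Warning ("Impersonation without a custom scope: " +
        (($unscoped | ForEach-Object { $_.Name }) -join ', '))
}

# 3. The service account should have an assignment bound to the CRM scope, and no other.
$mine = @($assignments | Where-Object { $_.RoleAssigneeName -eq $assignee })
if ($mine.Count -eq 0) {
    Write-Warning "$assignee has no ApplicationImpersonation assignment."
}
foreach ($a in $mine) {
    if ([string]$a.CustomRecipientWriteScope -ne $scopeName) {
        Write-Warning "Assignment '$($a.Name)' is not limited to '$scopeName'."
    }
}

# 4. Preview which mailboxes the scope actually matches, so the filter and
#    the OU root can be compared against the list of intended CRM users.
$scope = Get-ManagementScope -Identity $scopeName
Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter `
              -OrganizationalUnit ([string]$scope.RecipientRoot) `
              -ResultSize Unlimited |
    Sort-Object Name |
    Select-Object Name, PrimarySmtpAddress, OrganizationalUnit
```

Any mailbox listed in step 4 can be opened by the service account through EWS, so rerun the preview whenever users are moved into or out of the CRM Users OU.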

As a footnote here, you can of course change the recipient type filter (read the whole shebang here: http://technet.microsoft.com/en-us/library/bb738157(v=exchg.150).aspx), or add a server filter (-ServerRestrictionFilter) to apply the filter only to certain servers, etc.

But the usage for this particular setup is, for 90% of you, pretty simple and doesn’t have to be complex at all.

Bajillion is a real word btw; look it up.

2 Comments

  • I really like your writing style, great info , regards for posting : D.

  • Mike, LOL, that’s quite interesting and funny. It does make life a lot easier when you don’t have to worry about IE at all. I usually check site statistics (via Google Analytics or something similar) to make sure I didn’t leave too many people out. The last company I worked at had a real estate audience. At the time about 12% were still using IE7. We decided that we would only support IE8+. If there’s enough demand/complaint, then we’d try to get it to work on 7. IE8, FF, and Chrome were still a headache then.
