This article applies to:
Exchange 2010, Exchange 2013, Exchange 2016, Exchange 2019, Exchange Online
In this article I will demonstrate how to configure application impersonation for an application service account by using PowerShell. This is typically used to give external applications access to your mailboxes.
For example, you have an application that needs access to room mailboxes in order to read room calendar information and display it on room reservation displays.
“The old way” of doing things would be to give an application account full access to room mailboxes. However, this is not efficient as you have to repeat the process every time a new room is added.
Therefore we will use Application Impersonation instead.
The solution to this problem has 2 steps:
- We need to limit access only to room mailboxes. We do that by defining a custom Exchange management scope which will include only room mailboxes. An advantage of this approach is that this is query based and will also automatically include new room mailboxes that will be added in the future. Thanks to that you will not have to do manual permission updates on every new room.
- Give the “Application Impersonation” permission to the application service account over that custom scope we created in step 1.
This procedure can also be performed in the Exchange Administrative Center (EAC) however in PowerShell you have more posiblities in terms of defining scope selection criteria.
Based on your specific needs, you can use different criteria to define management scopes: mailbox type, AD organizational units, AD sites, Exchange Databases or Servers, etc.
For more examples have a look at the Microsoft Docs under New-ManagementScope
He lives in Zurich, Switzerland and is a dedicated specialist, with 30 years of professional work experience in IT.
Before starting Exchangemaster GmbH he worked as a system engineer and project manager with customers of all sizes and across many industries: From small ISV startups and a NGO humanitarian organizations up to largest international corporations like Stryker, Swisscom, British Telecom and Nyrstar.
He spent his entire career delivering Microsoft based infrastructure solutions with main focus on Active Directory and Exchange. During those years, he collected a valuable work experience on 8 Exchange generations (2019, 2016, 2013, 2010, 2007, 2003, 2000 and 5.5) and has delivered services to a user base of more than 3.2 million mailboxes in on-premise, hybrid and Office 365 deployments.
Beside working on customer projects, he is a regular speaker and expert at Microsoft conferences and user groups. As a Microsoft Certified Trainer he also teaches Microsoft Official Curriculum courses to technical professionals around Europe.
For his work he has received numerous awards.
In 2005 he was the first member to be elected into the MCP Hall of Fame by Windows IT Pro Magazine readers choice (as 1 of 6 worldwide).
From 2005-2017, Dejan has been awarded by Microsoft Corporation with the yearly Microsoft Most Valuable Professional award in area of Exchange for 12 years in a row (one of approximately 100 worldwide and, at the time, the only 1 such in Switzerland).
- FAQ 000180 – How to set Microsoft Teams Room Device to use internal NTP server - December 15, 2021
- FAQ 000178 – How to change the sender and reply E-mail address in Microsoft Bookings - January 11, 2021
- FAQ 000175 – How to use Windows performance monitor to troubleshoot inbound SMTP mail flow in Exchange - July 10, 2019
Leave A Comment