This article applies to:
Exchange 2010, Exchange 2013, Exchange 2016, Exchange 2019, Exchange Online

In this article I will demonstrate how to configure application impersonation for an application service account by using PowerShell. This is typically used to give external applications access to your mailboxes.

For example, you have an application that needs access to room mailboxes in order to read room calendar information and display it on room reservation displays.

“The old way” of doing things would be to give an application account full access to room mailboxes. However, this is not efficient as you have to repeat the process every time a new room is added.

Therefore we will use Application Impersonation instead.

The solution to this problem has 2 steps:

  1. We need to limit access only to room mailboxes.  We do that by defining a custom Exchange management scope which will include only room mailboxes. An advantage of this approach is that this is query based and will also automatically include new room mailboxes that will be added in the future. Thanks to that you will not have to do manual permission updates on every new room.
  2. Give the “Application Impersonation” permission to the application service account over that custom scope we created in step 1.
Copy to Clipboard

This procedure can also be performed in the Exchange Administrative Center (EAC) however in PowerShell you have more posiblities in terms of defining scope selection criteria.

Based on your specific needs, you can use different criteria to define management scopes: mailbox type, AD organizational units,  AD sites, Exchange Databases or Servers, etc.

For more examples have a look at the Microsoft Docs under New-ManagementScope

Dejan Foro