Archibus Extension for Microsoft Exchange

Using Exchange Impersonation

Note: For information on not using impersonation, see Avoiding Impersonation with Microsoft Exchange and Summary of Mailbox and Impersonation Combinations.

Note: Setting up Exchange Impersonation via a service account is only required when authenticating to Exchange with basic authentication or NTLM authentication. The Archibus Extensions for Microsoft Exchange does not require a service account with impersonation rights when using OAuth2 authentication.

Exchange Impersonation is a mechanism that allows a single Windows Active Directory account to act on behalf of other users on a Microsoft Exchange mailbox, as if they were performing the action themselves.

To implement Exchange Impersonation:

  1. Add the Active Directory Account for the Service Account. See Creating the Service Account later in this topic.
  2. Apply permissions. See Applying Permissions later in this topic.

Note: Be aware that Exchange Impersonation works only via the Exchange Web Services API. This means that although the account is able to act on behalf of another user, it only works if it is done as an Exchange Web Service call; it does not work through Outlook, Outlook Web Access, or any other Exchange client.

User Accounts

The user has two accounts:

User Account Purpose Referred To As
Active Directory account gives the user permission to log on to the domain user's Active Directory Account (or AD Account)
Exchange Server Mailbox pick up email and change the calendar user's mailbox account

The AD account must have access rights to a corresponding mailbox account in order to receive mail, etc., but an AD account can exist without a corresponding mailbox account.

Service Account

Note: Creating a service account is not required when using OAuth authentication. Registering Archibus Web Central in Azure Active Directory grants the required impersonation rights.

The System Administrator creates an account that is referred to as the service account because it is used by the service to act on behalf of the user accounts. For example, you could name this account ewsproxy to help identify it as the service account. However, any valid user account can be used.

The System Administrator gives this service account Exchange Impersonation privileges for users. The service account will be assigned some permissions on both the service and the user accounts that allow the service account to act on behalf of the user accounts. The service account can then perform any action that users can perform on their mailboxes.

The service account does not need to have a mailbox account. Instead, it has only an Active Directory account.

Even if you have large, complex networks with multiple domains, one impersonation service account should be sufficient if the domains are configured on the same Exchange deployment. The application supports one impersonation account which needs access to the mailboxes of users of the Reservations application. They do not have to be on the same domain, but they must be part of the same Exchange "forest." The Exchange Client Access Server will route requests to the correct mailbox server containing the user's mailbox.

Adding the Active Directory Account for the Service Account

Adding the Active Directory account for the Service Account is equivalent to simply adding a normal user in the domain.

The steps are:

  1. The System Administrator logs on to the Active Directory server and adds an account with the user name of the Service Account.
  2. On the next page of the wizard, you are prompted for the password for this account. It's important to make this a strong password, and it's also recommended to set the 'Password never expires' flag. As this is intended to be a service account, changing the password will affect the service as well as the account.

Example PowerShell command to create the service account in Exchange Online

The service account can be an Active Directory account, without a mailbox: for example, archibus.svc@...

To create such an account on Exchange Online using PowerShell, enter the following command:

New-MailUser -Name "archibus.svc" -MicrosoftOnlineServicesID archibus.svc@alcm.onmicrosoft.com -Password (ConvertTo-SecureString -String 'dH#89opdk' -AsPlainText -Force)

Applying Exchange Impersonation Permissions on Exchange Server

Exchange Server enables fine-grained control of the application of permissions because it makes use of Role-Based Access Control (RBAC) to apply the permissions. Instead of applying the tokens to an account or a mailbox database, the System Administrator can define a scope to which the permission applies. This means that the administrator can get all the users in a group, for example, and set the permission for that group as a scope.

Exchange Server's Role-Based Access Control mechanism enables you as the System Administrator to define groups of users and assign those groups of users the ApplicationImpersonation role. Once that is done, any new users that are added to the group are automatically assigned the ApplicationImpersonation permission.

To set up permissions on Exchange Server: