Configuring an impersonation account
Who is this article for?
Administrators who need to configure an impersonation account for the EnterpriseMail email tracking service.
The service account itself needs no administrative role; however, creating role groups, role assignments and management scopes requires an Exchange administrator with role-management rights (membership in Organization Management or an equivalent delegated role).
This guide outlines how to configure an impersonation account for use with the EnterpriseMail email tracking service.
1. Create a dedicated service account with impersonation rights to user mailboxes
Create a user account used only by the email tracking service; do not reuse an administrator's or a shared account. This account must be granted the ApplicationImpersonation role on all EnterpriseMail user mailboxes, and should hold no other role assignments. Either set the account password to never expire, or ensure you have procedures in place (a rotation schedule with an expiry check) to prevent password expiration from silently disrupting the service.
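The following block is an added example, not part of the original article, showing how the service account can be created from the Exchange Management Shell on Exchange on-premises and how its password expiry can be handled without embedding a password in a script. The UPN, alias and domain are assumed values; `Set-ADUser` and `Get-ADUser` require the ActiveDirectory module on the machine running the shell.

```powershell
# Added example: create the dedicated impersonation service account (Exchange on-premises).
# Assumed values: UPN, alias and domain below. Not code from the EnterpriseMail product.
$Upn   = "EnterpriseSolutionsEmailTracking@example.com"   # assumed UPN
$Alias = "EnterpriseSolutionsEmailTracking"                # matches the name used in this article

# Prompt for the password instead of storing it in the script or shell history.
$Password = Read-Host -Prompt "Service account password" -AsSecureString

# A mailbox-enabled user; the service authenticates as this account and then impersonates others.
New-Mailbox -Name $Alias -Alias $Alias -UserPrincipalName $Upn `
            -Password $Password -ResetPasswordOnNextLogon $false

Import-Module ActiveDirectory

# Option A: never expire. Only acceptable if the organisation accepts the risk of a
# long-lived credential; combine with a strong, unique password and monitoring.
# Set-ADUser -Identity $Alias -PasswordNeverExpires $true

# Option B (preferred): keep the normal expiry policy and read the computed expiry
# date so the rotation can be scheduled before the service is interrupted.
$User = Get-ADUser -Identity $Alias -Properties PasswordLastSet, PasswordNeverExpires, `
                                               'msDS-UserPasswordExpiryTimeComputed'
if (-not $User.PasswordNeverExpires) {
    $Expires = [datetime]::FromFileTime($User.'msDS-UserPasswordExpiryTimeComputed')
    Write-Output "Password for $Alias expires on $Expires; schedule rotation before then."
} else {
    Write-Output "Password for $Alias is set to never expire."
}
```

For Exchange Online the equivalent expiry setting is applied to the cloud identity rather than through Active Directory (for example with the Microsoft Graph PowerShell `Update-MgUser -PasswordPolicies DisablePasswordExpiration` cmdlet); the mailbox creation and the option-B check do not apply there as written.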
2. Option 1: Grant access to impersonate all users
Use the following procedure to give the service account permission to impersonate any user. This applies to both Exchange on-premises and Exchange Online (Office 365). Note that Microsoft has announced the retirement of the ApplicationImpersonation RBAC role in Exchange Online in favour of app-only (OAuth) access restricted with application access policies; check current Microsoft guidance before relying on this option for Exchange Online.
- Open the Exchange Admin Center (available via the Admin application in Office 365).
- Select Permissions > Admin roles, then click Add to create a new role group.
Considerations:
- Write scope: Select Default. The write scope determines which mailboxes the permission applies to; Default covers every mailbox in the organization.
- Roles: Select ApplicationImpersonation. This grants permission to impersonate mailboxes within the write scope.
- Members: Specify the name of your service account (EnterpriseSolutionsEmailTracking) that will connect to mailboxes and perform updates.
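The same organization-wide grant can be made and, more importantly, verified from PowerShell. This is an added example rather than a step from the original article; it assumes an Exchange Management Shell (on-premises) or an Exchange Online PowerShell session, that the service account already exists, and an assignment name chosen here for illustration.

```powershell
# Added example: organization-wide ApplicationImpersonation grant from the shell,
# followed by the checks an administrator should run after granting it.
$ServiceAccount = "EnterpriseSolutionsEmailTracking"               # service account from this article
$AssignmentName = "EnterpriseMail Impersonation (all mailboxes)"   # assumed assignment name

# Assigning the role directly to the user keeps the role's implicit write scope,
# which for ApplicationImpersonation is the whole organization (equivalent to "Default").
New-ManagementRoleAssignment -Name $AssignmentName `
                             -Role ApplicationImpersonation `
                             -User $ServiceAccount

# Verify the new assignment: RecipientWriteScope should read Organization and
# CustomRecipientWriteScope should be empty.
Get-ManagementRoleAssignment -Identity $AssignmentName |
    Format-List Role, RoleAssignee, RecipientWriteScope, CustomRecipientWriteScope, Enabled

# Audit every principal that can impersonate mailboxes. Anything other than the
# expected service accounts is a finding: impersonation equals full access to each
# in-scope mailbox.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize
```

Run the last command periodically, not only at setup time; it is the quickest way to catch an impersonation grant that was added outside the documented process.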
3. Option 2: Grant access to impersonate limited users
Granting impersonation access to a limited set of Exchange users requires creating a Management Scope that identifies the users the impersonation applies to.
This example shows how to create a Management Scope bound to a group. Note the following limitations:
- Management scopes bound to a group do not support nested groups.
- Group scopes use the full distinguished name, which Microsoft may change without notice in Office 365.
For a full explanation of Exchange Management Scopes, refer to Understanding management role scope filters.
3.1. Create the management scope (Exchange on-premises)
- Launch the Exchange Management Shell.
- Get the distinguished name of the distribution group:
  $Group = Get-Group "EnterpriseSolutionsEmailTrackingUsers"
  $Group.DistinguishedName
- Create the new management scope, replacing the placeholder with the distinguished name returned above (the filter property is MemberOfGroup; the -Name value is reused when the role group is created in the next step):
  New-ManagementScope -Name "EnterpriseMailServiceAccount" -RecipientRestrictionFilter {MemberOfGroup -eq "your-distinguished-group-value-here"}
- Test the scope by listing all recipients it includes; this is exactly the set of mailboxes the service account will be able to impersonate, so confirm nothing unexpected appears:
  $myMS = Get-ManagementScope | Where-Object Name -eq "EnterpriseMailServiceAccount"
  Get-Recipient -RecipientPreviewFilter $myMS.RecipientFilter
3.2. Grant impersonation using management scope
- Return to the Exchange Admin Center.
- Select Permissions > Admin roles, then click Add to create a new role group.
New role group settings:
- Write scope: Select the new management scope (EnterpriseMailServiceAccount).
- Roles: Select ApplicationImpersonation.
- Members: Specify the name of your service account (EnterpriseSolutionsEmailTracking).
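Steps 3.1 and 3.2 can be completed end to end in the Exchange Management Shell, which also lets you detect the distinguished-name drift mentioned above. The block below is an added example, not the article's or the product's own code; it assumes the group, scope and account names used in this article and an illustrative assignment name.

```powershell
# Added example: scoped ApplicationImpersonation grant (create scope, preview it,
# assign the role with that scope, verify, and check for DN drift).
$GroupName      = "EnterpriseSolutionsEmailTrackingUsers"   # group from this article
$ScopeName      = "EnterpriseMailServiceAccount"             # scope name from this article
$ServiceAccount = "EnterpriseSolutionsEmailTracking"         # service account from this article
$AssignmentName = "EnterpriseMail Impersonation (scoped)"    # assumed assignment name

# 1. Resolve the group's distinguished name. Scopes bind to the DN, not the group name.
$Dn = (Get-Group -Identity $GroupName).DistinguishedName

# 2. Build the filter as a string so the DN is expanded now, and escape any
#    apostrophe in the DN, which would otherwise terminate the quoted value.
$Filter = "MemberOfGroup -eq '" + ($Dn -replace "'", "''") + "'"
New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $Filter

# 3. Preview exactly which recipients the scope covers. Nested groups are NOT
#    expanded: a user reached only through a member group will not appear here.
$Scope = Get-ManagementScope -Identity $ScopeName
Get-Recipient -RecipientPreviewFilter $Scope.RecipientFilter |
    Select-Object Name, PrimarySmtpAddress, RecipientType | Format-Table -AutoSize

# 4. Assign ApplicationImpersonation to the service account, limited to the scope.
New-ManagementRoleAssignment -Name $AssignmentName `
                             -Role ApplicationImpersonation `
                             -User $ServiceAccount `
                             -CustomRecipientWriteScope $ScopeName

# 5. Verify: RecipientWriteScope must be CustomRecipientScope, not Organization.
Get-ManagementRoleAssignment -Identity $AssignmentName |
    Format-List Role, RoleAssignee, RecipientWriteScope, CustomRecipientWriteScope, Enabled

# 6. Drift check, suitable for a scheduled job: if the group's current DN no longer
#    matches the DN pinned in the scope filter, the scope silently matches nobody.
$CurrentDn = (Get-Group -Identity $GroupName).DistinguishedName
if ($Scope.RecipientFilter -notlike "*$CurrentDn*") {
    Write-Warning "Scope '$ScopeName' no longer references the current DN of '$GroupName'; recreate the scope."
}
```

Step 6 addresses the second limitation listed above: because Office 365 may change a group's distinguished name, the scope can stop matching without any error being raised, and the tracking service will simply lose access to those mailboxes.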