Impersonation in Exchange online

Question

Hi everyone,

I have many doubts about impersonation. Can someone help me in this? I want to know what is does, when it is required, is the impersonated account is a AD user or mailbox, the account which has impersonation rights is AD user or mailbox, how to check which user has impersonation rights, etc. Also, how is the impersonation different in online from on-premises Exchange?

Thanks & regards,

Talib Hussain

Answer 1

Hi Talib,

There is a separate Impersonation for only AD, however for exchange it's a role that can be used to give 'Exchange mailbox users' access on other users accounts.

'Exchange Mailbox user' = AD user + Exchange mailbox

The ApplicationImpersonation management role enables applications to impersonate users in an organization to perform tasks on behalf of the user. Like Blackberry Servers Sending emails etc.

Impersonation enables a caller, such as a service application, to impersonate a user account. The caller can perform operations by using the permissions that are associated with the impersonated account instead of the permissions associated with the caller’s account.

ApplicationImpersonation role
http://technet.microsoft.com/en-IN/library/dd776119(v=exchg.150).aspx

Exchange 2013 Configuring Impersonation For Applications
http://www.techieshelp.com/exchange-2013-configuring-impersonation-applications/

Configuring Impersonation For Applications Via Power Shell

We can also do the above Via Power shell, the commands are seen below:

New-ManagementRoleAssignment -Name:VeeamUserImpersonisation -Role:ApplicationImpersonation -User:Your_User_Account

To remove the permissions we run the following command:

Get-ManagementRoleAssignment | Where {$_.Role -eq “ApplicationImpersonation” -and $_.RoleAssigneeName -eq “Your_User_Account“} | Remove-ManagementRoleAssignment

List all users with ApplicationImpersonation role assignment:

Get-ManagementRoleAssignment | Where {$_.Role -eq 'ApplicationImpersonation'} | ft User 

How to: Configure impersonation:

http://msdn.microsoft.com/en-us/library/office/dn722376(v=exchg.150).aspx

I don't see any major difference in implementation On-Premises Vs. Exchange Online.

---

Regards,

Satyajit

Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

Answer 2

Hi Satyajit,

Thanks for the answer, but I still have some doubts:

1. When is it required?

2. How to check which person has impersonation rights?

I have followed the steps give in the link but I can't reproduce the impersonation.

Answer 3

Well it's never *required*, it is just a good approach for certain situations. A prime example is an internal service app that needs to touch all of your user's mailboxes. Impersonation allows you to not have to separately authenticate as each user to connect to their mailbox. It's a very powerful right, so you have to be careful with which accounts you grant impersonation rights to. Most applications recommend creating a special account in Active Directory for the app itself and giving that account impersonation rights.

There's a good overview here, including when you would want to use it, and a comparison to other approaches:

http://msdn.microsoft.com/en-us/library/office/dn722377(v=exchg.150).aspx

The key things here are that 1) the app only has to authenticate as one account, and 2) the app acts as the user

For your second question, Satyajit already provided the answer under "List all users with ApplicationImpersonation role assignment". Those permissions are set in the Active Directory, so you have to look there to find users with that permission. That cmdlet should do the trick.

Answer 4

Thanks Jason