none
Impersonation in Exchange online RRS feed

  • Question

  • Hi everyone,

    I have many doubts about impersonation. Can someone help me in this? I want to know what is does, when it is required, is the impersonated account is a AD user or mailbox, the account which has impersonation rights is AD user or mailbox, how to check which user has impersonation rights, etc. Also, how is the impersonation different in online from on-premises Exchange?

    Thanks & regards,

    Talib Hussain

    Friday, December 19, 2014 8:56 AM

Answers

  • Hi Talib,

    There is a separate Impersonation for only AD, however for exchange it's a role that can be used to give 'Exchange mailbox users' access on other users accounts.

    'Exchange Mailbox user' = AD user + Exchange mailbox

    The ApplicationImpersonation management role enables applications to impersonate users in an organization to perform tasks on behalf of the user. Like Blackberry Servers Sending emails etc.

    Impersonation enables a caller, such as a service application, to impersonate a user account. The caller can perform operations by using the permissions that are associated with the impersonated account instead of the permissions associated with the caller’s account.

    ApplicationImpersonation role
    http://technet.microsoft.com/en-IN/library/dd776119(v=exchg.150).aspx

    Exchange 2013 Configuring Impersonation For Applications
    http://www.techieshelp.com/exchange-2013-configuring-impersonation-applications/

    Configuring Impersonation For Applications Via Power Shell

    We can also do the above Via Power shell, the commands are seen below:

    New-ManagementRoleAssignment -Name:VeeamUserImpersonisation -Role:ApplicationImpersonation -User:Your_User_Account
    


    To remove the permissions we run the following command:

    Get-ManagementRoleAssignment | Where {$_.Role -eq “ApplicationImpersonation” -and $_.RoleAssigneeName -eq “Your_User_Account“} | Remove-ManagementRoleAssignment

    List all users with ApplicationImpersonation role assignment:

    Get-ManagementRoleAssignment | Where {$_.Role -eq 'ApplicationImpersonation'} | ft User 

    How to: Configure impersonation:

    http://msdn.microsoft.com/en-us/library/office/dn722376(v=exchg.150).aspx

    I don't see any major difference in implementation On-Premises Vs. Exchange Online.


    Regards,

    Satyajit

    Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

    Friday, December 19, 2014 10:30 AM
  • Well it's never *required*, it is just a good approach for certain situations. A prime example is an internal service app that needs to touch all of your user's mailboxes. Impersonation allows you to not have to separately authenticate as each user to connect to their mailbox. It's a very powerful right, so you have to be careful with which accounts you grant impersonation rights to. Most applications recommend creating a special account in Active Directory for the app itself and giving that account impersonation rights.

    There's a good overview here, including when you would want to use it, and a comparison to other approaches:

    http://msdn.microsoft.com/en-us/library/office/dn722377(v=exchg.150).aspx

    The key things here are that 1) the app only has to authenticate as one account, and 2) the app acts as the user

    For your second question, Satyajit already provided the answer under "List all users with ApplicationImpersonation role assignment". Those permissions are set in the Active Directory, so you have to look there to find users with that permission. That cmdlet should do the trick.

    Friday, December 19, 2014 2:11 PM
    Moderator

All replies

  • Hi Talib,

    There is a separate Impersonation for only AD, however for exchange it's a role that can be used to give 'Exchange mailbox users' access on other users accounts.

    'Exchange Mailbox user' = AD user + Exchange mailbox

    The ApplicationImpersonation management role enables applications to impersonate users in an organization to perform tasks on behalf of the user. Like Blackberry Servers Sending emails etc.

    Impersonation enables a caller, such as a service application, to impersonate a user account. The caller can perform operations by using the permissions that are associated with the impersonated account instead of the permissions associated with the caller’s account.

    ApplicationImpersonation role
    http://technet.microsoft.com/en-IN/library/dd776119(v=exchg.150).aspx

    Exchange 2013 Configuring Impersonation For Applications
    http://www.techieshelp.com/exchange-2013-configuring-impersonation-applications/

    Configuring Impersonation For Applications Via Power Shell

    We can also do the above Via Power shell, the commands are seen below:

    New-ManagementRoleAssignment -Name:VeeamUserImpersonisation -Role:ApplicationImpersonation -User:Your_User_Account
    


    To remove the permissions we run the following command:

    Get-ManagementRoleAssignment | Where {$_.Role -eq “ApplicationImpersonation” -and $_.RoleAssigneeName -eq “Your_User_Account“} | Remove-ManagementRoleAssignment

    List all users with ApplicationImpersonation role assignment:

    Get-ManagementRoleAssignment | Where {$_.Role -eq 'ApplicationImpersonation'} | ft User 

    How to: Configure impersonation:

    http://msdn.microsoft.com/en-us/library/office/dn722376(v=exchg.150).aspx

    I don't see any major difference in implementation On-Premises Vs. Exchange Online.


    Regards,

    Satyajit

    Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

    Friday, December 19, 2014 10:30 AM
  • Hi Satyajit,

    Thanks for the answer, but I still have some doubts:

    1. When is it required?

    2. How to check which person has impersonation rights?

    I have followed the steps give in the link but I can't reproduce the impersonation.

    • Edited by talib2608 Monday, December 22, 2014 2:58 PM
    Friday, December 19, 2014 1:18 PM
  • Well it's never *required*, it is just a good approach for certain situations. A prime example is an internal service app that needs to touch all of your user's mailboxes. Impersonation allows you to not have to separately authenticate as each user to connect to their mailbox. It's a very powerful right, so you have to be careful with which accounts you grant impersonation rights to. Most applications recommend creating a special account in Active Directory for the app itself and giving that account impersonation rights.

    There's a good overview here, including when you would want to use it, and a comparison to other approaches:

    http://msdn.microsoft.com/en-us/library/office/dn722377(v=exchg.150).aspx

    The key things here are that 1) the app only has to authenticate as one account, and 2) the app acts as the user

    For your second question, Satyajit already provided the answer under "List all users with ApplicationImpersonation role assignment". Those permissions are set in the Active Directory, so you have to look there to find users with that permission. That cmdlet should do the trick.

    Friday, December 19, 2014 2:11 PM
    Moderator
  • Thanks Jason
    Monday, December 22, 2014 2:57 PM