


How to Configure an Exchange and Office 365 Service Account with Application Impersonation Role

This document covers Microsoft Exchange Server 2010, 2013, 2016 and Office 365, standalone (it does not cover Hybrid modes or third-party cloud-hosted email filtering). The permissions required to complete this are covered at the end of this document.

First we need to discuss scope, or in this case the parameter -CustomRecipientWriteScope. This defines the scope of users or accounts that can be impersonated by the account being granted impersonation. This would be the service account with the Application Impersonation Role. If no scope is assigned specifically, the account is granted impersonation to all users in the organization. To create custom recipient scopes, use the New-ManagementScope PowerShell command.

Items to be created and/or assigned

- A service account user
- A Security (mail-enabled) or Distribution Group
- Resource Rooms and/or Mailboxes to be accessed
- Custom Recipient Scope
- Management Role Group

Service account user

- On-premise: the service account user needs to be an Active Directory user with a mailbox on Exchange.
- Office 365: the service account user needs to have a mailbox and be licensed with a minimum of Exchange

Security or Distribution Group

We recommend a Security group (mail-enabled), but a Distribution Group works just as well.
In this group assign the service account and the Resource Rooms and/or Mailboxes to be accessed.

Create Custom Recipient Scope

In order to configure a new management scope, the following is required:

- Administrator rights to the Exchange server or Office 365.
- Administrator rights granting the ability to create and assign roles and scopes.
- Administrator rights for on-premise Active Directory.

A scope can only be created via PowerShell; please see below how to connect to Office 365.

Scope Commands

1. Create a Security group and assign to it all appropriate Mailboxes and/or Resource Rooms that the service account will access.
2. Connect via PowerShell to your Office 365 or Exchange (Exchange Management Shell).
3. Run the following commands to set up the new scope (please note this is an example of the use of the New-ManagementScope cmdlet; for more depth, please go to Microsoft TechNet).

The first command sets a variable for the security group.

For an on-premise Active Directory Security Group, use:

    $DG = Get-Group -Identity "Put your Security Group Name here"

For Office 365 and Distribution Groups, use:

    $DG = Get-DistributionGroup -Identity "Put your Security Group Name here"

The second command creates the scope and assigns the security group to the new scope:

    New-ManagementScope "Put the Name of New Scope here" -RecipientRestrictionFilter "MemberOfGroup -eq '$($DG.DistinguishedName)'"

Configure to Application Impersonation Role – PowerShell / Exchange Management Shell

The following role parameters can be configured using the New-RoleGroup cmdlet.

- Name – This is the friendly name of the role assignment. Any time a role is assigned it is added to the RBAC role list. To verify role assignments use the Get-RoleGroup cmdlet.
- Role – This is the actual role that is assigned. For example, when setting up impersonation for an account you will assign the role of ApplicationImpersonation.
- Members – This is the account name that will be assigned the new role.
  Continuing the example above, this would be the service account.
- CustomRecipientWriteScope – This defines the scope of users or accounts that can be impersonated by the account being granted impersonation. In the example previously mentioned, this would be the service account. If no scope is assigned specifically, the account is granted impersonation to all users in the organization.

Configure impersonation for specific users or groups

1. Connect to Exchange Management Shell or Office 365 via PowerShell.
2. Run the New-RoleGroup cmdlet to add the specified account for impersonation to the specified scope. Here is the PowerShell command:

    New-RoleGroup -Name GroupName -Role ApplicationImpersonation -Members serviceaccount -CustomRecipientWriteScope scopeName

Configure to Application Impersonation Role – Office 365 and Exchange 2016 Web Interface

The steps for Office 365 and Exchange 2016 are not much different. Exchange 2016 starts at the Exchange Admin page.

1. Log in to your admin interface of Office 365. In the left navigation pane go to Admin Centers and click Exchange.
2. In the Exchange Admin Center, in the left navigation panel, click Permissions.
3. Click the + to create a new group. Give it a name that you will recognize, like CrestronFusion, and a description. You will be using the default scope (This defines the scope of users or accounts that can be impersonated by the account being granted impersonation. If no scope is assigned specifically, the account is granted impersonation to all users in the organization. To create custom recipient scopes use the New-ManagementScope cmdlet).
4. Under Roles click the + and add ApplicationImpersonation.
5. Under Members click the + and add your Service Account User.
6. Save.

Testing

How to test to make sure the new service account can open up Mailboxes and Rooms.
Here are some tools that we use:

- The Microsoft Remote Connectivity Analyzer: under Microsoft Exchange Web Services Connectivity Tests, select Synchronization, Notification, Availability, and Automatic Replies.
- EWS Editor: This application was built so that developers could have source code demonstrating how to use Exchange Web Services. There is a little extra learning curve to get used to EWS Editor, but it is well worth the effort and it just takes a few seconds to copy it onto a server.

Connecting to Office 365 - PowerShell

You will need these two applications installed to properly connect to Office 365 via PowerShell (links valid at the time of writing):

- Microsoft Online Services Sign-In Assistant
- Active Directory Module for Windows PowerShell: in PowerShell run the command:

    Install-Module MSOnline

After installing those two applications, launch PowerShell with Run As Administrator.

1. To get connected we will need to modify the policy via the command:

    Set-ExecutionPolicy Unrestricted

2. We want to log in just once, so run the command below and enter an administrative login in the pop-up window:

    $LiveCred = Get-Credential

3. Import the MSOnline module:

    Import-Module MSOnline

4. Then connect via the command:

    Connect-MsolService -Credential $LiveCred

5. Define our session to connect to the Exchange portion of Office 365:

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri <ConnectionUri> -Credential $LiveCred -Authentication Basic -AllowRedirection

6. Finally, import our session into PowerShell:

    Import-PSSession $Session

Optional Scope - PowerShell

Below is how to set up the scope to use a filter instead of a group. The filter can use multiple properties of mailboxes. This particular example shows how to filter by all Resource rooms.
All resource rooms would be added to the scope.

    New-ManagementScope "Put the Name of New Scope here" -RecipientRestrictionFilter "RecipientTypeDetails -eq 'RoomMailbox'"

Another example, filtering by the City field:

    New-ManagementScope "Put the Name of New Scope here" -RecipientRestrictionFilter "City -eq 'Plano'"

Exchange Permissions

For Exchange Server 2010, 2013 and 2016, the user account used to complete this will need the Organization Management Role.

Office 365 Permissions

For Office 365, the account access required to complete this is an Exchange Administrator Role or Global Administrator.
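Because a role group created without a custom scope can impersonate all users in the organization, it is worth checking the result after setup. The following is an added example, not part of the original document: the function name Get-ImpersonationScopeFinding, the names svc-fusion, svc-legacy, LegacyImpersonation and RoomsScope, and the sample rows are all hypothetical and constructed to mimic rows from Get-ManagementRoleAssignment.

```powershell
# Added example (not from the original document). Requires PowerShell 3.0+.
# Flags ApplicationImpersonation assignments that have no custom recipient
# write scope, i.e. accounts able to impersonate every user in the organization.
function Get-ImpersonationScopeFinding {
    [CmdletBinding()]
    param(
        # One row as returned by Get-ManagementRoleAssignment
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Assignment
    )
    process {
        # An empty CustomRecipientWriteScope means no custom scope was assigned
        $scope    = [string]$Assignment.CustomRecipientWriteScope
        $unscoped = [string]::IsNullOrWhiteSpace($scope)
        [pscustomobject]@{
            RoleGroup     = [string]$Assignment.RoleAssigneeName
            EffectiveUser = [string]$Assignment.EffectiveUserName
            Scope         = if ($unscoped) { '(none)' } else { $scope }
            Unscoped      = $unscoped
        }
    }
}

# Constructed sample rows so the function can be tried without a live session
$sample = @(
    [pscustomobject]@{ RoleAssigneeName = 'CrestronFusion'; EffectiveUserName = 'svc-fusion'
                       CustomRecipientWriteScope = 'RoomsScope' }
    [pscustomobject]@{ RoleAssigneeName = 'LegacyImpersonation'; EffectiveUserName = 'svc-legacy'
                       CustomRecipientWriteScope = $null }
)

$findings = $sample | Get-ImpersonationScopeFinding
$findings | Format-Table -AutoSize
$findings | Where-Object { $_.Unscoped } | ForEach-Object {
    Write-Warning "$($_.EffectiveUser) via $($_.RoleGroup) can impersonate all users in the organization"
}

# In a connected Exchange session, feed it live data instead:
#   Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
#       Get-ImpersonationScopeFinding
# and list exactly which recipients a scope covers before relying on it:
#   Get-Recipient -RecipientPreviewFilter (Get-ManagementScope 'RoomsScope').RecipientFilter
```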