Configure impersonation roles for Exchange service accounts

Requires

  • Exchange 2010+
  • Admin access to Exchange
  • Under 5 minutes

This is a common issue

If you're having trouble connecting to Exchange calendars in Robin or getting "Cannot find calendar" errors, 90% of the time it's because your service account does not have impersonation rights for room calendars yet. This guide walks you through how to fix it fast.

Once you're done, you can test the results quickly using a connectivity tool from Microsoft via this guide.

We need to make sure the connected service account has the ability to create, edit, and delete meetings. Robin will use these permissions to do things like end meetings early via the room display, or remove abandoned events automatically.

Exchange Impersonation allows the service account to manage events on behalf of your office's room resource calendars, regardless of who originally created the event, and gives you auditable logs for reference.

Via Microsoft's Exchange Impersonation vs. Delegate Access:

Exchange Impersonation is used in scenarios in which a single account needs to access many accounts. Line-of-business applications that work with mail typically use Exchange Impersonation.

Wondering why we don't use account delegation instead?

Assign the ApplicationImpersonation role

This applies to Exchange 2010, 2013 and 2016. Exchange 2007 handles Impersonation a little differently. This MSDN article will help you run the equivalents.

Heads up!

Robin recommends limiting the scope of access based on your team's security needs.  Before assigning your service account the ApplicationImpersonation role, take a moment to update which accounts Robin can impersonate. At a minimum, we recommend including all room resource accounts you plan on managing with Robin.

If you need more specific groups, this article shows how to configure Exchange Impersonation and limit access to custom set of users or account types. 

The easy way: No management scope

The service account will have access to all calendars, regardless of type.

1
In the Exchange management shell, run the command:
New-ManagementRoleAssignment –Role:ApplicationImpersonation –User:YOURSERVICEACCOUNTUSERNAMEHERE

Remember to replace the "User" in the command to match your service account.

The advanced way: Limited management scope

With a limited scope, the service account has access to room and equipment calendars only.

1
In the Exchange management shell, run the command:
New-ManagementScope -Name "RobinResourceMailboxes" -RecipientRestrictionFilter {RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "EquipmentMailbox"}

This creates a new management scope for only rooms/equipment to act as a filter for the impersonation.

Extra limited options

Only interested in allowing access to rooms? Just remove the EquipmentMailbox filter from the above command:

New-ManagementScope -Name "RobinResourceMailboxes" -RecipientRestrictionFilter {RecipientTypeDetails -eq "RoomMailbox"}

If you need more control, you can create a dedicated Role Group in Exchange that contains the mailboxes you want Robin to manage. Then assign the service account a management scope for mailboxes inside that group. This allows you to hand-select mailbox access one by one.

2
And then when assigning the impersonation to the service account:
New-ManagementRoleAssignment –Name "ResourceImpersonation" –Role ApplicationImpersonation –User "YOURSERVICEACCOUNTUSERNAMEHERE" –CustomRecipientWriteScope "RobinResourceMailboxes"

Extra References

 

Next up

With impersonation permissions in order, you're ready to connect the service account to Robin.

Articles in this section

Was this article helpful?
11 out of 18 found this helpful
Share