Configure room Impersonation for Microsoft 365 service accounts


These instructions apply to accounts created before September 12, 2023. If you're new to Robin, follow the steps in this guide.

When connecting your Microsoft 365 service account to Robin, we need to make sure the connected service account has the ability to create, edit, and delete meetings. Robin will use these permissions to do things like end meetings early via the room display, or remove abandoned events automatically.

Impersonation allows the service account to manage events on behalf of your office's room resource calendars, regardless of who originally created the event, and gives you auditable logs for reference.

Via Microsoft's Exchange Impersonation vs. Delegate Access:

Exchange Impersonation is used in scenarios in which a single account needs to access many accounts. Line-of-business applications that work with mail typically use Exchange Impersonation.

Wondering why we don't use account delegation instead?

Assign the ApplicationImpersonation role

If you do not need to apply specific rules for the service account, you can also complete this step via Microsoft 365's Exchange admin portal by assigning ApplicationImpersonation to the service account under "Permissions". You can follow the steps in the video below on how to assign ApplicationImpersonation.

For those familiar with Exchange, the shell commands below should closely match the process for Exchange 2010+.

Heads up!

Robin recommends limiting the scope of access based on your team's security needs. Before assigning your service account the ApplicationImpersonation role, take a moment to update which accounts Robin can impersonate. At a minimum, we recommend including all room resource accounts you plan on managing with Robin.

If you need more specific groups, this article shows how to configure Exchange Impersonation and limit access to a custom set of users or account types.

The easy way: No management scope

The service account will have access to all calendars, regardless of type.

In Exchange Online PowerShell or Azure Cloud Shell, run the command:
New-ManagementRoleAssignment -Role:ApplicationImpersonation -User:YOURSERVICEACCOUNTUSERNAMEHERE

Remember to replace the "User" value in the command (YOURSERVICEACCOUNTUSERNAMEHERE) with your service account's username.

The advanced way: Limited management scope

With a limited scope, the service account has access to room and equipment calendars only.

In the Exchange Management Shell, run the command:
New-ManagementScope -Name "RobinResourceMailboxes" -RecipientRestrictionFilter {RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "EquipmentMailbox"}

This creates a new management scope for only rooms/equipment to act as a filter for the impersonation.

Extra limited options

Only interested in allowing access to rooms? Just remove the EquipmentMailbox filter from the above command:

New-ManagementScope -Name "RobinResourceMailboxes" -RecipientRestrictionFilter {RecipientTypeDetails -eq "RoomMailbox"}

If you need more control, you can create a dedicated Role Group in Microsoft 365 that contains the mailboxes you want Robin to manage. Then assign the service account a management scope for mailboxes inside that group. This allows you to hand-select mailbox access one by one.

Then, when assigning the impersonation role to the service account, pass the scope you created:
New-ManagementRoleAssignment -Name "ResourceImpersonation" -Role ApplicationImpersonation -User "YOURSERVICEACCOUNTUSERNAMEHERE" -CustomRecipientWriteScope "RobinResourceMailboxes"
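
To confirm the result after either path, the following added example (not part of Robin's instructions) lists the service account's ApplicationImpersonation assignments, warns about any that have no custom scope, and previews which recipients the RobinResourceMailboxes scope actually matches. It assumes an already connected Exchange Online PowerShell or Exchange Management Shell session; the variable names are illustrative.

```powershell
# Added example: audit what the impersonation assignment really covers.
# Assumption: an Exchange Online PowerShell / Exchange Management Shell
# session is already connected with rights to read role assignments.
$ServiceAccount = 'YOURSERVICEACCOUNTUSERNAMEHERE'  # placeholder used on this page
$ScopeName      = 'RobinResourceMailboxes'          # scope name used on this page

# 1. Every ApplicationImpersonation assignment that applies to the account
#    (direct, or inherited through a group the account belongs to).
$assignments = @(Get-ManagementRoleAssignment -Role ApplicationImpersonation `
                    -RoleAssignee $ServiceAccount)

if ($assignments.Count -eq 0) {
    Write-Warning "No ApplicationImpersonation assignment found for $ServiceAccount"
}

foreach ($a in $assignments) {
    if (-not $a.CustomRecipientWriteScope) {
        # "The easy way": no scope, so every mailbox can be impersonated.
        Write-Warning "$($a.Name): no custom scope, applies to all mailboxes"
    }
    elseif ("$($a.CustomRecipientWriteScope)" -ne $ScopeName) {
        Write-Warning "$($a.Name): scoped to '$($a.CustomRecipientWriteScope)', not '$ScopeName'"
    }
}
$assignments | Format-Table Name, RoleAssigneeName, CustomRecipientWriteScope, Enabled

# 2. Preview the recipients the scope filter matches right now.
$scope   = Get-ManagementScope -Identity $ScopeName
$covered = @(Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter `
                -ResultSize Unlimited)

# Count by mailbox type; a limited scope should show only room
# (and, if kept in the filter, equipment) mailboxes.
$covered | Group-Object RecipientTypeDetails | Select-Object Name, Count

# 3. Flag anything in scope that is not a room or equipment mailbox.
$unexpected = @($covered | Where-Object {
    "$($_.RecipientTypeDetails)" -notin 'RoomMailbox', 'EquipmentMailbox'
})
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) non-resource recipient(s) are inside the scope:"
    $unexpected | Select-Object DisplayName, PrimarySmtpAddress, RecipientTypeDetails
}
```

Re-running this after adding or removing room resources shows whether the scope still matches only the mailboxes you intend Robin to manage.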

