Configure room impersonation for Office 365 service accounts

When connecting your O365 service account to Robin, we need to make sure the connected service account has the ability to create, edit, and delete meetings. Robin will use these permissions to do things like end meetings early via the room display, or remove abandoned events automatically.

Impersonation allows the service account to manage events on behalf of your office's room resource calendars, regardless of who originally created the event, and gives you auditable logs for reference.

From Microsoft's "Exchange Impersonation vs. Delegate Access":

Exchange Impersonation is used in scenarios in which a single account needs to access many accounts. Line-of-business applications that work with mail typically use Exchange Impersonation.

Wondering why we don't use account delegation instead?

Assign the ApplicationImpersonation role

If you do not need to apply specific rules for the service account, you can also complete this step via Office 365's Exchange admin portal by assigning ApplicationImpersonation to the service account under "Permissions".

For those familiar with Exchange, the shell commands below should closely match the process for Exchange 2010+.

Heads up!

Robin recommends limiting the scope of access based on your team's security needs. Before assigning your service account the ApplicationImpersonation role, take a moment to update which accounts Robin can impersonate. At a minimum, we recommend including all room resource accounts you plan on managing with Robin.

If you need more specific groups, this article shows how to configure Exchange Impersonation and limit access to a custom set of users or account types.

The easy way: No management scope

The service account will have access to all calendars, regardless of type.

1. In Exchange Online PowerShell, run the command:

New-ManagementRoleAssignment -Role:ApplicationImpersonation -User:YOURSERVICEACCOUNTUSERNAMEHERE

Remember to replace the -User value in the command with your service account's username.

The advanced way: Limited management scope

With a limited scope, the service account has access to room and equipment calendars only.

1. In the Exchange Management Shell, run the command:

New-ManagementScope -Name "ResourceMailboxes" -RecipientRestrictionFilter {RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "EquipmentMailbox"}

This creates a new management scope for only rooms/equipment to act as a filter for the impersonation.

2. Then assign the impersonation role to the service account, restricted to that scope:

New-ManagementRoleAssignment -Name "ResourceImpersonation" -Role ApplicationImpersonation -User "YOURSERVICEACCOUNTUSERNAMEHERE" -CustomRecipientWriteScope "ResourceMailboxes"
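
To confirm the result of either procedure, the check below (an added example, not Robin's or Microsoft's code) flags ApplicationImpersonation assignments that still have organization-wide write scope and lists any non-resource recipients matched by the scope filter. The sample objects and the account names svc-robin and svc-legacy are constructed; the commented lines at the end show the live calls and assume a connected Exchange Online PowerShell session.

```powershell
function Get-ImpersonationFinding {
    # Classifies each ApplicationImpersonation assignment by its recipient write scope.
    param([Parameter(Mandatory)][object[]]$Assignment)
    foreach ($a in $Assignment) {
        $orgWide = ([string]$a.RecipientWriteScope -eq 'Organization')
        [pscustomobject]@{
            Assignment = $a.Name
            Assignee   = $a.RoleAssigneeName
            Scope      = if ($orgWide) { 'Organization' } else { [string]$a.CustomRecipientWriteScope }
            Finding    = if ($orgWide) { 'REVIEW: can impersonate every mailbox' }
                         else { 'OK: limited by write scope' }
        }
    }
}

function Get-OutOfScopeRecipient {
    # Returns recipients that a scope filter matches but that are not room or equipment mailboxes.
    param([object[]]$Recipient)
    @($Recipient) | Where-Object {
        $_ -and ([string]$_.RecipientTypeDetails -notin 'RoomMailbox', 'EquipmentMailbox')
    }
}

# Constructed sample data shaped like Get-ManagementRoleAssignment output (hypothetical accounts).
$sample = @(
    [pscustomobject]@{ Name = 'ResourceImpersonation'; RoleAssigneeName = 'svc-robin'
                       RecipientWriteScope = 'CustomRecipientScope'
                       CustomRecipientWriteScope = 'ResourceMailboxes' }
    [pscustomobject]@{ Name = 'ApplicationImpersonation-svc-legacy'; RoleAssigneeName = 'svc-legacy'
                       RecipientWriteScope = 'Organization'
                       CustomRecipientWriteScope = $null }
)
Get-ImpersonationFinding -Assignment $sample | Format-Table -AutoSize

# Live usage (requires an Exchange session with rights to read role assignments):
# Get-ImpersonationFinding -Assignment (Get-ManagementRoleAssignment -Role ApplicationImpersonation)
# $filter = (Get-ManagementScope -Identity 'ResourceMailboxes').RecipientFilter
# Get-OutOfScopeRecipient -Recipient (Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited)
```

An empty result from Get-OutOfScopeRecipient means the "ResourceMailboxes" filter currently matches only room and equipment mailboxes.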
