Creating an Exchange Service Account using Impersonation
In order to manage aspects of your users calendar, an account can be created that can act on behalf of your users and thereby simplify their experience. This Service Account is used by the software to access your users exchange information and allows ZynBit to act on their behalf. After setting up this account, you can then grant it the rights to act upon each user’s data and thereby automate much of the routine account configuration and setup for your ZynBit users.
The following information is provided to assist in setting up the Exchange Service Account. ZynBit has developed a successful process for creating and connecting an Exchange Service account as detailed below. If your specific environment has unique issues or requirements, you may need to consult with an Exchange expert for additional help. ZynBit can recommend a firm with this type of experience if needed. Note that Multi-Factor Authentication will prevent the service account from connecting and must be disabled for this account.
- Make sure you have whitelisted our servers using this article Whitelisting ZynBit Servers.
- You will also need to know the EWS URL for your exchange server. Information needed to define this Configure up your EWS URL
Step 1: Create the Service Account
Open the Exchange Admin Center and click on ‘recipients’ in the navigation panel. You should see something similar to the screenshot below.
Click the + and select the ‘User mailbox’ option to create the new service account. The service account MUST have a mailbox.
Select the ‘New user’ option and complete the form below.
Once the form is completed click the ‘Save’ button and we’re on to Step 2.
Step 2: Configure Impersonation
Open the Exchange Admin Center and select the ‘permissions’ node as show in the screenshot below.
Click the + to add a new Role Group. Enter a value for Name and Description. Leave the ‘Write scope’ value set to ‘Default’.
Click the + under ‘Roles’ and add ‘ApplicationImpersonation’ as shown below. Click ‘OK’ once it has been added to the list.
Click the + under ‘Members’ and add the service account you created in Step 1. Click ‘OK’ once it has been added to the list. Note that unless “all users” or the service account are added to the manged group, the configuration will fail. This is true even if the Service Account is the owner of the group. This is because when you add a service account, it tests its ability to impersonate by testing against itself.
When new ZynBit users are added, your Exchange administrators will need to add the new users to this group. The standard method to manage this is using power shell. Your Exchange administrator will need to create and maintain any necessary scripts.
After completing the form click the ‘Save’ button and the new Role Group should be added to your list.