
I am getting impersonation errors from the Exchange Web Services (EWS) integration. What can I do?
Impersonation enables a caller, such as a service application, to impersonate a user account. The caller can perform operations by using the permissions that are associated with the impersonated account instead of the permissions associated with the caller’s account.




To configure impersonation for all users in an organization

Open the Exchange Management Shell. From the Start menu, choose All Programs > Microsoft Exchange Server 2013.

Run the New-ManagementRoleAssignment cmdlet to add the impersonation permission to the specified user. The following example shows how to configure impersonation to enable a service account to impersonate all other users in an organization.
Windows PowerShell

New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount






To configure impersonation for specific users or groups of users

Open the Exchange Management Shell. From the Start menu, choose All Programs > Microsoft Exchange Server 2013.

Run the New-ManagementScope cmdlet to create a scope to which the impersonation role can be assigned. If an existing scope is available, you can skip this step. The following example shows how to create a management scope for a specific group.
Windows PowerShell

New-ManagementScope -Name:scopeName -RecipientRestrictionFilter:recipientFilter

The RecipientRestrictionFilter parameter of the New-ManagementScope cmdlet defines the members of the scope. You can use the properties of the Identity object to create the filter. The following example is a filter that restricts the result to a single user with the user name "john".

Name -eq "john"

Run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate the members of the specified scope. The following example shows how to configure a service account to impersonate all users in a scope.

New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount -CustomRecipientWriteScope:scopeName
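
The scoped procedure above, carried through for a group rather than a single user, with checks before and after the assignment. This is an added example, not part of the original FAQ. The account, group, scope and assignment names are placeholders, and the group is assumed to be mail-enabled so that Get-DistributionGroup can resolve it.

```powershell
# Run in the Exchange Management Shell.
# Placeholder names (assumptions, not from the original page):
$serviceAccount = 'svc-ews'                   # account the EWS integration signs in with
$groupName      = 'EWS-Impersonation-Users'   # group whose members may be impersonated
$scopeName      = 'EWS-Impersonation-Scope'
$assignmentName = 'EWS-Impersonation-Scoped'

# 1. Review existing ApplicationImpersonation assignments and their write scope.
#    An assignment without a CustomRecipientWriteScope covers the whole organization.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object Name, RoleAssigneeName, EffectiveUserName,
                  RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize

# 2. Create the scope from group membership.
#    MemberOfGroup must be compared against the group's distinguished name.
$group  = Get-DistributionGroup -Identity $groupName -ErrorAction Stop
$filter = "MemberOfGroup -eq '$($group.DistinguishedName)'"
New-ManagementScope -Name $scopeName -RecipientRestrictionFilter $filter

# 3. Preview which recipients fall inside the scope before granting anything.
$scope = Get-ManagementScope -Identity $scopeName
Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter -ResultSize Unlimited |
    Select-Object Name, PrimarySmtpAddress

# 4. Grant impersonation limited to that scope.
New-ManagementRoleAssignment -Name $assignmentName `
    -Role ApplicationImpersonation `
    -User $serviceAccount `
    -CustomRecipientWriteScope $scopeName

# 5. Confirm what the service account ended up with.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $serviceAccount |
    Format-List Name, RecipientWriteScope, CustomRecipientWriteScope
```

If step 5 still lists an assignment whose RecipientWriteScope is Organization, the service account keeps organization-wide impersonation until that assignment is removed with Remove-ManagementRoleAssignment.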

There are also the following guides: