WARNING: 

The instructions described here using the ApplicationImpersonation role will no longer be supported by Microsoft in Exchange Online as of March 1, 2025, and can only be used for on-premises Exchange Server. 



---


1. General

By utilizing impersonation, a service account can gain access to Microsoft Exchange calendars. This allows the service account to impersonate various room mailbox accounts, enabling it to read or add calendar entries as needed.



2. Scope  

To restrict impersonation to specific accounts, a management scope must be created.


The service account can only impersonate the mailboxes included in the scope, so sklera's access is limited to those mailboxes.



3. Procedure using PowerShell

In the following example, a distribution group is created that includes all mailboxes that the sklera CMS should have access to. Subsequently, a management scope is created that references the distinguished name of the distribution group using -RecipientRestrictionFilter "MemberOfGroup".


Info: The mailbox that will later be specified in the sklera Room Manager when linking the calendar (Field: Valid SMTP Address) must also be a member of the distribution group (necessary for querying the room lists).


3.1 Connect to Exchange using PowerShell


3.2 Create distribution group

New-DistributionGroup -Name "sklera-allowedRooms" -DisplayName "sklera-allowedRooms" -Type "Distribution"


3.3 Add members (accounts of the room mailboxes + account with valid SMTP address) to the distribution group

Add-DistributionGroupMember -Identity "sklera-allowedRooms" -Member "Room1"
Add-DistributionGroupMember -Identity "sklera-allowedRooms" -Member "Room2"
Add-DistributionGroupMember -Identity "sklera-allowedRooms" -Member "svc-sklera"


3.4 Store the distinguished name (DN) of the previously created distribution group in a variable

$DistGroupDN = $(Get-DistributionGroup sklera-allowedRooms@yourcompany.onmicrosoft.com).DistinguishedName


3.5 Create scope and set recipient restriction filter to the previously created distribution group

New-ManagementScope -Name sklera-ImpersonationScope -RecipientRestrictionFilter "MemberOfGroup -eq '$DistGroupDN'" 


3.6 Assign the "ApplicationImpersonation" role and the scope "sklera-ImpersonationScope" to the service account

New-ManagementRoleAssignment -Name:sklera-Impersonation -Role:ApplicationImpersonation -CustomRecipientWriteScope sklera-ImpersonationScope -User:svc-sklera
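
To confirm that the scope created in steps 3.2 to 3.6 really limits impersonation, the following added example (not part of the original sklera instructions) previews the recipients matched by the scope filter and checks every ApplicationImpersonation assignment held by the service account. It assumes the session from step 3.1 and the names used on this page; the $Expected list is constructed sample data, and matching recipients by their Name property is an assumption.

```powershell
# Added example: audit the impersonation scope from steps 3.2-3.6.
# Run in the Exchange session opened in step 3.1.
$ScopeName = 'sklera-ImpersonationScope'
$Assignee  = 'svc-sklera'
# Constructed sample list: the mailboxes you intend to expose (matched by Name, an assumption).
$Expected  = @('Room1', 'Room2', 'svc-sklera')

# 1. Preview which recipients the scope filter matches right now.
$scope   = Get-ManagementScope -Identity $ScopeName
$inScope = Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter -ResultSize Unlimited
$names   = @($inScope | ForEach-Object { $_.Name })

# Recipients reachable by impersonation that nobody planned for.
$unexpected = @($names | Where-Object { $Expected -notcontains $_ })
# Planned mailboxes that the filter does not match (group membership missing).
$missing    = @($Expected | Where-Object { $names -notcontains $_ })

# 2. List every ApplicationImpersonation assignment of the service account,
#    direct or inherited, and flag any that is not bound to the custom scope.
$assignments = @(Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $Assignee)
$tooBroad = @($assignments | Where-Object {
    $_.RecipientWriteScope -ne 'CustomRecipientScope' -or
    "$($_.CustomRecipientWriteScope)" -ne $ScopeName
})

# 3. Report findings.
if ($assignments.Count -eq 0) {
    Write-Warning "No ApplicationImpersonation assignment found for $Assignee."
}
foreach ($a in $tooBroad) {
    Write-Warning ("Assignment '{0}' is not limited to {1} (RecipientWriteScope: {2})." -f `
        $a.Name, $ScopeName, $a.RecipientWriteScope)
}
foreach ($n in $unexpected) { Write-Warning "Unexpected recipient in scope: $n" }
foreach ($n in $missing)    { Write-Warning "Expected recipient not in scope: $n" }

if ($assignments.Count -gt 0 -and
    ($tooBroad.Count + $unexpected.Count + $missing.Count) -eq 0) {
    Write-Output "Impersonation for $Assignee is limited to: $($names -join ', ')"
}
```

Because the filter follows group membership, rerun the check whenever members of sklera-allowedRooms are added or removed.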



4. Additional External Links