Set up a Microsoft® Exchange Service Account to Communicate with TIEIT

Please follow the steps below to learn how to create an Exchange service account with impersonation rights for the mailbox and calendar for each TIEIT user. 

These instructions will go over how to create a service account with permissions to access specific users' calendars and mailboxes in your organization.

1. Create an Exchange user with a mailbox that will act as a service account.

This account will be used to configure Exchange impersonation for the service account.

The new account can be created in the Exchange admin center interface.

Note: Make sure "Require password change on next logon" is not checked. Alternatively, create the account from the Exchange Management Shell:

New-Mailbox -UserPrincipalName tieit@your_domain -Alias tieit -Name tieit -OrganizationalUnit Users -FirstName TIEIT -LastName "Service Account" -DisplayName "TIEIT Service Account"

Replace "your_domain" with the domain of your organization. You will be prompted to enter a password.

The name and email address can be anything of your choice.

2. Add the user account to the Application Impersonation role as a member.

After creating the user, click on the Permissions option and click on the + button to create a New Role Group.

Type in a name for the New Role Group (e.g. TIEIT Sync Role Group). 

Click on the + button below Roles.

Select ApplicationImpersonation.

Click on the + button under Members.

Select the account that was created in Step 1, click OK and then Save.

3. Now enable impersonation for the new service account on all Exchange servers.

Grant the ms-Exch-EPI-Impersonation extended permission on all Client Access servers:

Get-ExchangeServer | Where-Object {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User (Get-User -Identity tieit@your_domain | Select-Object).Identity -ExtendedRights ms-Exch-EPI-Impersonation}

The following command grants the service account the ms-Exch-EPI-May-Impersonate extended right on every mailbox database, which allows it to impersonate all accounts on the Exchange server. Note: in the next step, a filter limits the set of users the service account can impersonate when syncing with TIEIT.

Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User tieit@your_domain -ExtendedRights ms-Exch-EPI-May-Impersonate}

In the above shell commands, replace "tieit@your_domain" with the service account you created in step 1.

4. Continue in the Exchange Management Shell to limit the group of users the service account can sync with TIEIT.

Create a new management scope:

New-ManagementScope -Name:TIEITScope -RecipientRestrictionFilter:{Department -eq "Sales"}

Now restrict the service account so that it can impersonate only the users defined in the management scope. This can be done from the shell or from the admin center; the shell command is provided below.

New-ManagementRoleAssignment -Name:TIEITRoleAssignment -Role:ApplicationImpersonation -User:tieit@your_domain -CustomRecipientWriteScope:TIEITScope

The -RecipientRestrictionFilter: value can be customized to match how users are organized in your directory; the example above selects users whose Department attribute is "Sales".

The scope name (-Name:TIEITScope) in the above commands can also be customized.
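As an added verification script (not part of the TIEIT instructions), the following Exchange Management Shell commands preview which recipients TIEITScope matches and list every ApplicationImpersonation assignment that reaches the service account, including any granted through the role group from step 2, so that an assignment not limited to TIEITScope is visible. It assumes the account tieit@your_domain and the scope name TIEITScope used in the steps above.

```powershell
# Added verification script; assumes the account and scope names from the steps above.
$ServiceAccount = "tieit@your_domain"
$ScopeName      = "TIEITScope"

$svc = Get-User -Identity $ServiceAccount

# 1. Preview which recipients the scope's filter actually matches.
$scope   = Get-ManagementScope -Identity $ScopeName
$inScope = Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter -ResultSize Unlimited
Write-Host ("Scope '{0}' filter: {1}" -f $scope.Name, $scope.RecipientFilter)
Write-Host ("Recipients in scope: {0}" -f @($inScope).Count)
$inScope | Select-Object Name, PrimarySmtpAddress, RecipientType | Format-Table -AutoSize

# 2. List every ApplicationImpersonation assignment that reaches the account,
#    whether assigned directly (step 4) or through role-group membership (step 2).
#    -GetEffectiveUsers expands role groups to the users they contain.
$assignments = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq $svc.Name }

$assignments |
    Select-Object Name, RoleAssigneeName, RoleAssigneeType, RecipientWriteScope, CustomRecipientWriteScope, Enabled |
    Format-Table -AutoSize

# 3. Flag assignments whose write scope is anything other than TIEITScope
#    (for example the organization-wide default of a role group).
$unscoped = $assignments | Where-Object {
    $_.RecipientWriteScope -ne 'CustomRecipientScope' -or "$($_.CustomRecipientWriteScope)" -ne $ScopeName
}

if ($unscoped) {
    Write-Warning ("{0} ApplicationImpersonation assignment(s) reach {1} with a scope other than {2}; through them the account can impersonate recipients outside the scope." -f @($unscoped).Count, $ServiceAccount, $ScopeName)
} else {
    Write-Host "All ApplicationImpersonation assignments for $ServiceAccount are limited to $ScopeName."
}
```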
