Exchange Web Services - Impersonation


PowerShell lets you retrieve administrative information from Exchange, such as the structure and permissions of mailboxes and public folders. Exchange Web Services (EWS) lets you access their content.

 

Substitution rules can currently only be retrieved via Exchange Web Services.

 

Warning

Before you decide to retrieve and view mailbox folders, make sure that doing so complies with your company's data security policy. Folder structures alone can reveal sensitive information.

 

Access to Exchange Web Services always happens in the context of the mailbox user. The scan account (service account) therefore needs the right to impersonate.

 

Please note that impersonation only works on active Active Directory accounts.

 

Examples of how to configure impersonation via PowerShell can be found here:

 

Exchange 2010 (en): https://msdn.microsoft.com/en-us/library/office/bb204095(v=exchg.140).aspx

Exchange 2013, Online and Office 365 (de): https://msdn.microsoft.com/de-de/library/office/dn722376(v=exchg.150).aspx

 

As an alternative to the process described by Microsoft, you can use the GUI of the Exchange Admin Center:

 

[Screenshot: 7.5 Exchange impersonation]

 

You can define a new administrator role (group) in the Exchange Admin Center. Assign "ApplicationImpersonation" to the new role.

Alternatively, you can assign "ApplicationImpersonation" to the built-in role "Discovery Management". Every member of that role then holds the impersonation right.

Add the service account as a member of the appropriate role.

 

Summary: The scan account must be assigned a management role, including the explicit impersonation right.
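
The same configuration in the Exchange Management Shell, as an added example that is not taken from the product documentation or from Microsoft's pages: it creates a dedicated role group limited by a recipient scope and then lists who effectively holds the impersonation right. The account name, role group name, scope name and filter are hypothetical, and an on-premises Exchange Management Shell session with administrator rights is assumed.

```powershell
# Added example. Run in the Exchange Management Shell as an Exchange administrator.
# All names below are hypothetical; adjust them to your environment.
$ScanAccount = 'svc-exchange-scan'         # scan (service) account, must be an active AD account
$RoleGroup   = 'Scan Impersonation'        # dedicated role group for the scan account
$ScopeName   = 'Scan Impersonation Scope'  # recipient scope that limits impersonation

# 1. Limit impersonation to the mailboxes that are to be scanned.
#    Constructed filter: user mailboxes only. Narrow it further if your policy requires.
New-ManagementScope -Name $ScopeName `
    -RecipientRestrictionFilter "RecipientTypeDetails -eq 'UserMailbox'"

# 2. Create the role group, assign ApplicationImpersonation and add the scan account.
New-RoleGroup -Name $RoleGroup `
    -Roles 'ApplicationImpersonation' `
    -Members $ScanAccount `
    -CustomRecipientWriteScope $ScopeName `
    -Description 'Impersonation right for the Exchange scan account'

# 3. Audit: list every account that effectively holds the impersonation right
#    (regular assignments only, delegating assignments are skipped).
$holders = Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' `
        -GetEffectiveUsers -Delegating $false |
    Select-Object EffectiveUserName, RoleAssigneeName, CustomRecipientWriteScope

$holders | Format-Table -AutoSize

# 4. Flag assignments without a custom recipient scope: these can impersonate
#    every mailbox in the organization and should be reviewed.
$holders |
    Where-Object { -not $_.CustomRecipientWriteScope } |
    ForEach-Object {
        Write-Warning ("Unscoped impersonation: {0} (via {1})" -f `
            $_.EffectiveUserName, $_.RoleAssigneeName)
    }
```

Re-run steps 3 and 4 after any change to role group membership to confirm that only the scan account holds the right.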