Controlling Impersonation access with Distribution Groups

With some additional configuration in Exchange, you can limit the access of a Service Account to only members of a distribution group, as opposed to an entire organizational unit.

In this guide we will set up a Service Account (serviceaccount@example.com) and restrict access to impersonating members of a single Distribution Group (distgroup@example.com) and that group only.

If you’ve not set up a Service Account or a Distribution Group yet, you should do that before going any further.

Step 1 - Set up permissions #

To start, provide the Service Account (in this example, serviceaccount@example.com) the permission to impersonate members/rooms in a distribution group (distgroup@example.com).

$DistGroupDN = $(Get-DistributionGroup distgroup@example.com).DistinguishedName New-ManagementScope -Name CronofyImpersonationScope -RecipientRestrictionFilter "MemberOfGroup -eq '$DistGroupDN'"
New-ManagementRoleAssignment -Name CronofyImpersonationAssignment -User serviceaccount@example.com -Role ApplicationImpersonation -CustomRecipientWriteScope CronofyImpersonationScope

Step 2 - Test your configuration #

It’s a good idea after setting up the role, to test that access was correctly provisioned. The below will return a list of all members of the Distribution Group.

$DistGroupDN = $(Get-DistributionGroup distgroup@example.com).DistinguishedName
Get-Mailbox -Filter "MemberOfGroup -eq '$DistGroupDN'"

If Step 1 worked, all members of the distribution group to which the filter applies will be returned.

Step 3 - Check and enable the RoomList flag #

The next and last step neccesary is to set the RoomList flag on the DistributionGroup. The RoomList flag will set up Exchange’s room finder, which is what the Service Account will use to find rooms within Exchange.

Start by getting all mailboxes in a Distribution List.

Get-DistributionGroup distgroup@example.com | Format-List RecipientTypeDetails

This command returns the room list Distribution Groups. Your results should look similar to below.

RecipientTypeDetails : RoomList

If the results returned do not show your distribution group, you need to set the RoomList flag manually for it.

Set-DistributionGroup distgroup@example.com -RoomList

Now, your Service Account will be able to Impersonate members of a specific Disribution Group, and not the wider Organizational Unit.

Additional reading #

For further reading on the Powershell commands mentioned in this article, please see this documentation from Microsoft.

If you require any further assistance, feel free to contact us at support@cronofy.com.