Restricting access via Impersonation and Distribution Groups
It is possible to give a service account permission to impersonate multiple members within a distribution group. This allows you to restrict the access of a service account to just the members of a distribution group, as opposed to an entire organizational unit.
To start, grant the service account (in this example, firstname.lastname@example.org) permission to impersonate members of a distribution group (email@example.com).
$DistGroupDN = $(Get-DistributionGroup firstname.lastname@example.org).DistinguishedName
New-ManagementScope -Name CronofyImpersonationScope -RecipientRestrictionFilter "MemberOfGroup -eq '$DistGroupDN'"
New-ManagementRoleAssignment -Name CronofyImpersonationAssignment -User email@example.com -Role ApplicationImpersonation -CustomRecipientWriteScope CronofyImpersonationScope
After setting up the role, it’s a good idea to test that access was correctly provisioned.
$DistGroupDN = $(Get-DistributionGroup firstname.lastname@example.org).DistinguishedName
Get-Mailbox -Filter "MemberOfGroup -eq '$DistGroupDN'"
The above command will return all members of the distribution group to which the filter applies.
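The membership query shows who the filter matches, but not whether the role assignment is actually bound to that scope. The following is an added example, not part of the original page, that checks the scope filter and flags any ApplicationImpersonation assignment for the service account that is not limited to CronofyImpersonationScope. It assumes an Exchange management shell session and reuses the names and addresses from the commands above; the variable names are illustrative.

```powershell
# Added example: audit the impersonation scope created above.
# Values below are the ones used in the commands on this page.
$ServiceAccount = 'email@example.com'                 # passed to -User above
$ScopeName      = 'CronofyImpersonationScope'
$GroupAddress   = 'firstname.lastname@example.org'    # passed to Get-DistributionGroup above

$DistGroupDN = (Get-DistributionGroup $GroupAddress -ErrorAction Stop).DistinguishedName

# 1. The scope must exist and its filter must reference the intended group.
$scope  = Get-ManagementScope -Identity $ScopeName -ErrorAction Stop
$filter = "$($scope.RecipientFilter)"
$scopeOk = $filter.IndexOf($DistGroupDN, [StringComparison]::OrdinalIgnoreCase) -ge 0
if (-not $scopeOk) {
    Write-Warning "Scope '$ScopeName' does not filter on ${DistGroupDN}: $filter"
}

# 2. List every ApplicationImpersonation assignment that reaches the account,
#    including ones inherited through role groups.
$assignments = @(Get-ManagementRoleAssignment -Role ApplicationImpersonation `
                                              -RoleAssignee $ServiceAccount)
if ($assignments.Count -eq 0) {
    Write-Warning "No ApplicationImpersonation assignment found for $ServiceAccount"
}

# 3. Any assignment not bound to the custom scope widens access beyond the group.
$unscoped = @($assignments | Where-Object {
    "$($_.CustomRecipientWriteScope)" -ne $ScopeName
})
foreach ($a in $unscoped) {
    Write-Warning ("Assignment '{0}' uses write scope '{1}' instead of '{2}'" -f `
        $a.Name, $a.RecipientWriteScope, $ScopeName)
}

# Summary object for logging or a change record.
[pscustomobject]@{
    ServiceAccount      = $ServiceAccount
    ScopeFilterMatches  = $scopeOk
    AssignmentsFound    = $assignments.Count
    AssignmentsOffScope = $unscoped.Count
    Restricted          = ($scopeOk -and $assignments.Count -gt 0 -and $unscoped.Count -eq 0)
}
```

A `Restricted` value of `False` means the service account either lacks the assignment or holds one that is not limited to the distribution group.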
The next and last step necessary is to set the RoomList flag on the distribution group. The RoomList flag will set up Exchange’s room finder, which is what the service account will use to find rooms within Exchange.
Start by checking the RecipientTypeDetails of the distribution group.
Get-DistributionGroup ConferenceRoomList@example.com | Format-List RecipientTypeDetails
This command returns the room list distribution groups. Your results should look similar to the output below.
RecipientTypeDetails : RoomList
If the results returned do not show your distribution group, you need to set the RoomList flag manually for it.
Set-DistributionGroup ConferenceRoomList@example.com -RoomList
Now your service account will be able to find rooms on your Exchange server. If you require any further help, feel free to contact us at email@example.com.