Controlling Impersonation access with Distribution Groups
With some additional configuration in Exchange, you can limit the access of a Service Account to only members of a distribution group, as opposed to an entire organizational unit.
In this guide we will set up a Service Account (firstname.lastname@example.org) and restrict access to impersonating members of a single Distribution Group (email@example.com) and that group only.
If you’ve not set up a Service Account or a Distribution Group yet, you should do that before going any further.
Step 1 - Set up permissions
To start, grant the Service Account (in this example, firstname.lastname@example.org) permission to impersonate the members and rooms of the Distribution Group (email@example.com). The management scope restricts the ApplicationImpersonation role to recipients that are members of that group.
# Resolve the group's distinguished name, used by the recipient filter
$DistGroupDN = $(Get-DistributionGroup email@example.com).DistinguishedName
# Create a scope that matches only members of the group
New-ManagementScope -Name CronofyImpersonationScope -RecipientRestrictionFilter "MemberOfGroup -eq '$DistGroupDN'"
# Assign ApplicationImpersonation to the Service Account, limited to that scope
New-ManagementRoleAssignment -Name CronofyImpersonationAssignment -User firstname.lastname@example.org -Role ApplicationImpersonation -CustomRecipientWriteScope CronofyImpersonationScope
Step 2 - Test your configuration
After setting up the role, it is a good idea to test that access was provisioned correctly. The commands below return a list of all members of the Distribution Group, using the same filter the scope uses.
$DistGroupDN = $(Get-DistributionGroup email@example.com).DistinguishedName
# List the mailboxes the scope will match
Get-Mailbox -Filter "MemberOfGroup -eq '$DistGroupDN'"
If Step 1 worked, all members of the distribution group to which the filter applies will be returned.
Step 3 - Check and enable the RoomList flag
The last step necessary is to set the RoomList flag on the Distribution Group. The RoomList flag registers the group with Exchange's room finder, which is what the Service Account will use to find rooms within Exchange.
Start by checking the recipient type of the Distribution Group.
Get-DistributionGroup email@example.com | Format-List RecipientTypeDetails
This command returns the group's recipient type. If the group is already a room list, your result should look like the following.
RecipientTypeDetails : RoomList
If the result does not show RoomList, you need to set the flag on the group manually.
Set-DistributionGroup email@example.com -RoomList
Now your Service Account will be able to impersonate members of a specific Distribution Group only, and not the wider Organizational Unit.
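The following script, added as an example and not part of the original guide, applies the three steps idempotently and then audits that every ApplicationImpersonation assignment held directly by the Service Account carries the custom scope. The account, group, scope and assignment names are the placeholders used in this guide and are assumptions to replace with your own.

```powershell
# Added example (not Cronofy's own script): apply the three steps and audit the result.
# Assumed placeholder values from this guide; replace with your own.
$ServiceAccount = 'firstname.lastname@example.org'
$RoomGroup      = 'email@example.com'
$ScopeName      = 'CronofyImpersonationScope'
$AssignmentName = 'CronofyImpersonationAssignment'

$group  = Get-DistributionGroup -Identity $RoomGroup -ErrorAction Stop
$filter = "MemberOfGroup -eq '$($group.DistinguishedName)'"

# Step 1: create the scope and the scoped role assignment only if they do not exist yet
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $filter | Out-Null
}
if (-not (Get-ManagementRoleAssignment -Identity $AssignmentName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $AssignmentName -User $ServiceAccount `
        -Role ApplicationImpersonation -CustomRecipientWriteScope $ScopeName | Out-Null
}

# Step 2: the scope should resolve to exactly the group's mailboxes
$members = @(Get-Mailbox -Filter $filter)
"Scope '$ScopeName' covers $($members.Count) mailbox(es):"
$members | Select-Object DisplayName, PrimarySmtpAddress

# Step 3: make sure the group is flagged as a room list so the room finder sees it
if ((Get-DistributionGroup -Identity $RoomGroup).RecipientTypeDetails -ne 'RoomList') {
    Set-DistributionGroup -Identity $RoomGroup -RoomList
}

# Audit: a direct ApplicationImpersonation assignment without the custom scope falls back
# to the organization-wide write scope, i.e. every mailbox, so flag any such assignment.
$unscoped = @(Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Role ApplicationImpersonation |
    Where-Object { $_.CustomRecipientWriteScope -ne $ScopeName })
if ($unscoped.Count -gt 0) {
    Write-Warning "Unscoped ApplicationImpersonation assignment(s): $($unscoped.Name -join ', ')"
} else {
    "All direct ApplicationImpersonation assignments for $ServiceAccount are limited to '$ScopeName'."
}
```

Run it from the Exchange Management Shell (or a remote Exchange session) with an account that can create management scopes and role assignments; re-running it is safe because each step checks before it changes anything.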
Additional reading
For further reading on the PowerShell commands mentioned in this article, please see this documentation from Microsoft.
If you require any further assistance, feel free to contact us at email@example.com.