Restricting access via Impersonation and Distribution Groups

It is possible to give a service account permission to impersonate the members of a distribution group. This lets you restrict the service account's access to the members of that distribution group, as opposed to an entire organizational unit.

To start, grant the service account permission to impersonate the members of the distribution group. A management scope that filters on the group's distinguished name is created first, and the ApplicationImpersonation role is then assigned to the service account with that scope as its recipient write scope:

# Replace the angle-bracket placeholders with your distribution group and service account
$DistGroupDN = (Get-DistributionGroup -Identity "<DistributionGroupName>").DistinguishedName
New-ManagementScope -Name CronofyImpersonationScope -RecipientRestrictionFilter "MemberOfGroup -eq '$DistGroupDN'"
New-ManagementRoleAssignment -Name CronofyImpersonationAssignment -User "<ServiceAccount>" -Role ApplicationImpersonation -CustomRecipientWriteScope CronofyImpersonationScope

After setting up the role, it is a good idea to test that access was provisioned correctly by resolving the same filter the scope uses:

$DistGroupDN = (Get-DistributionGroup -Identity "<DistributionGroupName>").DistinguishedName
Get-Mailbox -Filter "MemberOfGroup -eq '$DistGroupDN'"

The command above returns every member of the distribution group matched by the filter, i.e. the mailboxes the service account can now impersonate.

The next and last step necessary is to set the RoomList flag on the distribution group. The RoomList flag registers the group with Exchange's room finder, which is what the service account uses to find rooms within Exchange.

Start by listing your distribution groups together with their recipient type.

Get-DistributionGroup | Format-List Name, RecipientTypeDetails

Room list distribution groups are identified by their recipient type. Your results should look similar to the line below.

RecipientTypeDetails : RoomList

If your distribution group is not shown with this recipient type, you need to set the RoomList flag on it manually.

Set-DistributionGroup -Identity "<DistributionGroupName>" -RoomList

Now your service account will be able to find rooms on your Exchange server. If you require any further help, feel free to contact us at
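As an added example that is not part of this guide, the following PowerShell, run from an Exchange management session, checks the outcome of the steps above in one pass: that the scope really filters on the group's distinguished name, that every ApplicationImpersonation assignment held by the service account is bound to that custom scope rather than to the whole organization, that the mailboxes the scope resolves to are all members of the group, and that the RoomList flag is set. The group name, service account and the assumption that the scope was named CronofyImpersonationScope are placeholders to replace.

```powershell
# Added verification script, not from Cronofy's documentation.
# Placeholders (assumed): replace before running.
$GroupName      = "<DistributionGroupName>"
$ServiceAccount = "<ServiceAccount>"
$ScopeName      = "CronofyImpersonationScope"   # name used in the steps above

$group       = Get-DistributionGroup -Identity $GroupName
$DistGroupDN = $group.DistinguishedName
$problems    = @()

# 1. The scope must filter on this group's DN; a scope built from another DN
#    would grant impersonation over a different set of mailboxes.
$scope = Get-ManagementScope -Identity $ScopeName
if ("$($scope.RecipientFilter)" -notlike "*$DistGroupDN*") {
    $problems += "Scope '$ScopeName' filter is '$($scope.RecipientFilter)', does not reference '$DistGroupDN'"
}

# 2. Every ApplicationImpersonation assignment the account holds should use the
#    custom scope. An assignment with an Organization write scope would let the
#    account impersonate every mailbox, defeating the restriction.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Role ApplicationImpersonation
if (-not $assignments) { $problems += "No ApplicationImpersonation assignment found for '$ServiceAccount'" }
foreach ($a in $assignments) {
    if ("$($a.CustomRecipientWriteScope)" -ne $ScopeName) {
        $problems += "Assignment '$($a.Name)' has write scope '$($a.RecipientWriteScope)', not custom scope '$ScopeName'"
    }
}

# 3. Mailboxes resolved by the scope's filter must all be direct group members.
$scoped  = Get-Mailbox -Filter "MemberOfGroup -eq '$DistGroupDN'" -ResultSize Unlimited
$members = Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited
$scopedAddrs = @($scoped  | ForEach-Object { "$($_.PrimarySmtpAddress)" })
$memberAddrs = @($members | ForEach-Object { "$($_.PrimarySmtpAddress)" })
$outside = Compare-Object -ReferenceObject $memberAddrs -DifferenceObject $scopedAddrs |
           Where-Object { $_.SideIndicator -eq '=>' }
foreach ($o in $outside) { $problems += "Mailbox '$($o.InputObject)' is in scope but not a member of '$GroupName'" }

# 4. The RoomList flag must be set for the room finder to expose the group's rooms.
if ($group.RecipientTypeDetails -ne 'RoomList') {
    $problems += "'$GroupName' has RecipientTypeDetails '$($group.RecipientTypeDetails)', expected 'RoomList'"
}

if ($problems.Count -eq 0) {
    Write-Output "OK: '$ServiceAccount' can impersonate $($scopedAddrs.Count) mailbox(es), all members of '$GroupName'"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Nested groups are not expanded by Get-DistributionGroupMember, so a mailbox reached only through a nested group will be reported in step 3; review such cases rather than widening the scope.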