cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Trouble with impersonation using custom write scopes

woelki
Iron Contributor

‎Jul 15 2019 11:23 AM

‎Jul 15 2019 11:23 AM

Trouble with impersonation using custom write scopes

Dear all,

 

in the tenant of a customer we have now configured the Exchange impersonation. In the past I have done this many times with OnPrem servers creating a new write scope based on an OU which never was a problem.

 

Now in O365 we are not able to base this on an OU so we have chosen the ExchCustomAttribute1 which we filled with a specific string. Unfortunately it does not work at all.  We tested it with the application outside of O365 and with the Remote Connectivity Analyzer (EWS section for service account access). Both fails.

 

Interestingly if I change the writescope to default it works immediately.

 

Is it possible that there are issues with the custom write scopes in Exchange Online?

Kind regards,

woelki

1,248 Views
0 Likes
6 Replies
Reply
6 Replies
Vasil Michev

‎Jul 15 2019 11:37 PM

‎Jul 15 2019 11:37 PM

Re: Trouble with impersonation using custom write scopes

I haven't had issues restricting impersonation via scopes in ExO, what are the exact steps you are following?

0 Likes
Reply
woelki

‎Jul 16 2019 01:09 AM - edited ‎Jul 16 2019 03:15 AM

‎Jul 16 2019 01:09 AM - edited ‎Jul 16 2019 03:15 AM

Re: Trouble with impersonation using custom write scopes

@Vasil Michev 

 

Creation of a service account "ExchImpersonation"

Tagging the accounts which should be impersonated with "MyString" in ExchCustomAttribute1


New-ManagementScope -Name "Sales" -RecipientRestrictionFilter {ExchCustomAttribute1 -Like "Sales*" }

 

New-ManagementRoleAssignment -Name "Sales_Impersonation" -Role "ApplicationImpersonation" -User "ExchImpersonation" -CustomConfigWriteScope "Sales"

 

That's it. May I have forgotten a further option for creating the management scope?

0 Likes
Reply
best response confirmed by woelki (Iron Contributor)
Vasil Michev

‎Jul 16 2019 09:55 AM

‎Jul 16 2019 09:55 AM

Solution

Re: Trouble with impersonation using custom write scopes

That's all you should need to configure, excluding the obvious mismatch between the "MyString" value you referenced in as being stamped, and the fact that the actual attribute name is "CustomAttribute1". So I'd say double-check your settings, and make sure the filer you are using for the scope actually matches the given users.

0 Likes
Reply
woelki

‎Jul 17 2019 01:07 AM

‎Jul 17 2019 01:07 AM

Re: Trouble with impersonation using custom write scopes

@Vasil Michev

 

The value of the attribute was indeed a mismatch here in the post, but the real issue was the naming of the custom attribute. I fetched the naming from "get-mailbox" and selected it from the output. So I have entered ExtensionCustomAttribute1 and the shell accepted it because the whole parameter is a string :(

 

I have now chosen "CustomAttribute1" and it seems to work.

0 Likes
Reply
Vasil Michev

‎Jul 17 2019 09:41 AM

‎Jul 17 2019 09:41 AM

Re: Trouble with impersonation using custom write scopes

Another victim to copy/paste :D

0 Likes
Reply
woelki

‎Jul 17 2019 11:21 PM

‎Jul 17 2019 11:21 PM

Re: Trouble with impersonation using custom write scopes

@Vasil Michev 

 

Yes, but to be honest the KB article about New-ManagementScope has not the proper examples.

Afterwards I found this one, which exactly names the possible filters.

 

https://docs.microsoft.com/en-us/powershell/exchange/exchange-server/recipient-filters/recipientfilt...

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by woelki (Iron Contributor)
Vasil Michev

‎Jul 16 2019 09:55 AM

‎Jul 16 2019 09:55 AM

Solution

Re: Trouble with impersonation using custom write scopes

That's all you should need to configure, excluding the obvious mismatch between the "MyString" value you referenced in as being stamped, and the fact that the actual attribute name is "CustomAttribute1". So I'd say double-check your settings, and make sure the filer you are using for the scope actually matches the given users.

View solution in original post

0 Likes
Reply