Jul 15 2019 11:23 AM
Dear all,
in the tenant of a customer we have now configured the Exchange impersonation. In the past I have done this many times with OnPrem servers creating a new write scope based on an OU which never was a problem.
Now in O365 we are not able to base this on an OU, so we have chosen the ExchCustomAttribute1, which we filled with a specific string. Unfortunately it does not work at all. We tested it with the application outside of O365 and with the Remote Connectivity Analyzer (EWS section for service account access). Both fail.
Interestingly, if I change the write scope to default it works immediately.
Is it possible that there are issues with the custom write scopes in Exchange Online?
Kind regards,
woelki
Jul 15 2019 11:37 PM
I haven't had issues restricting impersonation via scopes in ExO, what are the exact steps you are following?
Jul 16 2019 01:09 AM - edited Jul 16 2019 03:15 AM
Creation of a service account "ExchImpersonation"
Tagging the accounts which should be impersonated with "MyString" in ExchCustomAttribute1
New-ManagementScope -Name "Sales" -RecipientRestrictionFilter {ExchCustomAttribute1 -Like "Sales*" }
New-ManagementRoleAssignment -Name "Sales_Impersonation" -Role "ApplicationImpersonation" -User "ExchImpersonation" -CustomConfigWriteScope "Sales"
That's it. Might I have forgotten a further option for creating the management scope?
Jul 16 2019 09:55 AM
Solution
That's all you should need to configure, excluding the obvious mismatch between the "MyString" value you referenced as being stamped, and the fact that the actual attribute name is "CustomAttribute1". So I'd say double-check your settings, and make sure the filter you are using for the scope actually matches the given users.
Jul 17 2019 01:07 AM
The value of the attribute was indeed a mismatch here in the post, but the real issue was the naming of the custom attribute. I fetched the naming from "get-mailbox" and selected it from the output. So I have entered ExtensionCustomAttribute1 and the shell accepted it because the whole parameter is a string :(
I have now chosen "CustomAttribute1" and it seems to work.
Jul 17 2019 09:41 AM
Another victim to copy/paste :D
Jul 17 2019 11:21 PM
Yes, but to be honest the KB article about New-ManagementScope does not have the proper examples.
Afterwards I found this one, which exactly names the possible filters.
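The check suggested in the accepted answer (confirm that the scope filter actually matches the intended users) can be scripted as below. This is an added example, not code from any poster in the thread; it assumes an already connected Exchange Online PowerShell session, reuses the scope and account names from the thread, and the mailbox addresses in $expected are constructed placeholders.

```powershell
# Added example: verify an impersonation scope before relying on it.
# Assumes a connected Exchange Online PowerShell session.
$scopeName = 'Sales'                # scope name from the thread
$assignee  = 'ExchImpersonation'    # service account from the thread
$expected  = @('alice@contoso.example', 'bob@contoso.example')  # constructed placeholders

# 1. Read back the filter the scope actually stores, not the one you meant to type.
$scope = Get-ManagementScope -Identity $scopeName
Write-Output "Stored filter: $($scope.RecipientFilter)"

# 2. Resolve the stored filter to the recipients it really selects.
$matched = @(Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter -ResultSize Unlimited |
    ForEach-Object { $_.PrimarySmtpAddress.ToString() })

# 3. Compare against the mailboxes the service account is supposed to reach.
$missing    = @($expected | Where-Object { $_ -notin $matched })
$unexpected = @($matched  | Where-Object { $_ -notin $expected })

if ($matched.Count -eq 0) {
    # This is the failure seen in the thread: the filter is accepted but selects nobody.
    Write-Warning "Filter matches no recipients. Check the property name (the thread's fix was CustomAttribute1)."
}
if ($missing.Count -gt 0) {
    Write-Warning "Expected but not in scope: $($missing -join ', ')"
}
if ($unexpected.Count -gt 0) {
    # Anything listed here can be impersonated although it was not intended.
    Write-Warning "In scope but not expected: $($unexpected -join ', ')"
}

# 4. Show which write scope the impersonation assignment is bound to.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -RoleAssignee $assignee |
    Format-List Name, RecipientWriteScope, CustomRecipientWriteScope, CustomConfigWriteScope
```

An empty "In scope but not expected" list is the least-privilege result to aim for; switching the assignment to the default write scope, as tried in the first post, removes that restriction.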