SOLVED
Home

Trouble with impersonation using custom write scopes

%3CLINGO-SUB%20id%3D%22lingo-sub-755295%22%20slang%3D%22en-US%22%3ETrouble%20with%20impersonation%20using%20custom%20write%20scopes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-755295%22%20slang%3D%22en-US%22%3E%3CP%3EDear%20all%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ein%20the%20tenant%20of%20a%20customer%20we%20have%20now%20configured%20the%20Exchange%20impersonation.%20In%20the%20past%20I%20have%20done%20this%20many%20times%20with%20OnPrem%20servers%20creating%20a%20new%20write%20scope%20based%20on%20an%20OU%20which%20never%20was%20a%20problem.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%20in%20O365%20we%20are%20not%20able%20to%20base%20this%20on%20an%20OU%20so%20we%20have%20chosen%20the%20ExchCustomAttribute1%20which%20we%20filled%20with%20a%20specific%20string.%20Unfortunately%20it%20does%20not%20work%20at%20all.%26nbsp%3B%20We%20tested%20it%20with%20the%20application%20outside%20of%20O365%20and%20with%20the%20Remote%20Connectivity%20Analyzer%20(EWS%20section%20for%20service%20account%20access).%20Both%20fails.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EInterestingly%20if%20I%20change%20the%20writescope%20to%20default%20it%20works%20immediately.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20it%20possible%20that%20there%20are%20issues%20with%20the%20custom%20write%20scopes%20in%20Exchange%20Online%3F%3CBR%20%2F%3E%3CBR%20%2F%3EKind%20regards%2C%3C%2FP%3E%3CP%3Ewoelki%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-755295%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOutlook%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-756239%22%20slang%3D%22en-US%22%3ERe%3A%20Trouble%20with%20impersonation%20using%20custom%20write%20scopes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-756239%22%20slang%3D%22en-US%22%3E%3CP%3EI%20haven't%20had%20issues%20restricting%20impersonation%20via%20scopes%20in%20ExO%2C%20what%20are%20the%20exact%20steps%20you%20are%20following%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-756325%22%20slang%3D%22en-US%22%3ERe%3A%20Trouble%20with%20impersonation%20using%20custom%20write%20scopes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-756325%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECreation%20of%20a%20service%20account%20%22ExchImpersonation%22%3C%2FP%3E%3CP%3ETagging%20the%20accounts%20which%20should%20be%20impersonated%20with%20%22MyString%22%20in%20ExchCustomAttribute1%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22hljs-pscommand%22%3ENew-ManagementScope%3C%2FSPAN%3E%3CSPAN%20class%3D%22hljs-parameter%22%3E-Name%3C%2FSPAN%3E%3CSPAN%20class%3D%22hljs-string%22%3E%22Sales%22%3C%2FSPAN%3E%3CSPAN%20class%3D%22hljs-parameter%22%3E-RecipientRestrictionFilter%3C%2FSPAN%3E%3CSPAN%3E%7BExchCustomAttribute1%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22hljs-nomarkup%22%3E-Like%3C%2FSPAN%3E%3CSPAN%20class%3D%22hljs-string%22%3E%22Sales*%22%3C%2FSPAN%3E%3CSPAN%3E%7D%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ENew-ManagementRoleAssignment%20-Name%20%22Sales_Impersonation%22%20-Role%20%22ApplicationImpersonation%22%20-User%20%22ExchImpersonation%22%20-CustomConfigWriteScope%20%22Sales%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThat's%20it.%20May%20I%20have%20forgotten%20a%20further%20option%20for%20creating%20the%20management%20scope%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-757429%22%20slang%3D%22en-US%22%3ERe%3A%20Trouble%20with%20impersonation%20using%20custom%20write%20scopes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-757429%22%20slang%3D%22en-US%22%3E%3CP%3EThat's%20all%20you%20should%20need%20to%20configure%2C%20excluding%20the%20obvious%20mismatch%20between%20the%20%22MyString%22%20value%20you%20referenced%20in%20as%20being%20stamped%2C%20and%20the%20fact%20that%20the%20actual%20attribute%20name%20is%20%22%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3ECustomAttribute1%3C%2FFONT%3E%22.%20So%20I'd%20say%20double-check%20your%20settings%2C%20and%20make%20sure%20the%20filer%20you%20are%20using%20for%20the%20scope%20actually%20matches%20the%20given%20users.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-758503%22%20slang%3D%22en-US%22%3ERe%3A%20Trouble%20with%20impersonation%20using%20custom%20write%20scopes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-758503%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20value%20of%20the%20attribute%20was%20indeed%20a%20mismatch%20here%20in%20the%20post%2C%20but%20the%20real%20issue%20was%20the%20naming%20of%20the%20custom%20attribute.%20I%20fetched%20the%20naming%20from%20%22get-mailbox%22%20and%20selected%20it%20from%20the%20output.%20So%20I%20have%20entered%20ExtensionCustomAttribute1%20and%20the%20shell%20accepted%20it%20because%20the%20whole%20parameter%20is%20a%20string%20%3A(%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20now%20chosen%20%22CustomAttribute1%22%20and%20it%20seems%20to%20work.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-760099%22%20slang%3D%22en-US%22%3ERe%3A%20Trouble%20with%20impersonation%20using%20custom%20write%20scopes%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-760099%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYes%2C%20but%20to%20be%20honest%20the%20KB%20article%20about%20New-ManagementScope%20has%20not%20the%20proper%20examples.%3C%2FP%3E%3CP%3EAfterwards%20I%20found%20this%20one%2C%20which%20exactly%20names%20the%20possible%20filters.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fexchange%2Fexchange-server%2Frecipient-filters%2Frecipientfilter-properties%3Fview%3Dexchange-ps%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fexchange%2Fexchange-server%2Frecipient-filters%2Frecipientfilter-properties%3Fview%3Dexchange-ps%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
woelki
Contributor

Dear all,

 

in the tenant of a customer we have now configured the Exchange impersonation. In the past I have done this many times with OnPrem servers creating a new write scope based on an OU which never was a problem.

 

Now in O365 we are not able to base this on an OU so we have chosen the ExchCustomAttribute1 which we filled with a specific string. Unfortunately it does not work at all.  We tested it with the application outside of O365 and with the Remote Connectivity Analyzer (EWS section for service account access). Both fails.

 

Interestingly if I change the writescope to default it works immediately.

 

Is it possible that there are issues with the custom write scopes in Exchange Online?

Kind regards,

woelki

6 Replies

I haven't had issues restricting impersonation via scopes in ExO, what are the exact steps you are following?

@Vasil Michev 

 

Creation of a service account "ExchImpersonation"

Tagging the accounts which should be impersonated with "MyString" in ExchCustomAttribute1


New-ManagementScope -Name "Sales" -RecipientRestrictionFilter {ExchCustomAttribute1 -Like "Sales*" }

 

New-ManagementRoleAssignment -Name "Sales_Impersonation" -Role "ApplicationImpersonation" -User "ExchImpersonation" -CustomConfigWriteScope "Sales"

 

That's it. May I have forgotten a further option for creating the management scope?

Solution

That's all you should need to configure, excluding the obvious mismatch between the "MyString" value you referenced in as being stamped, and the fact that the actual attribute name is "CustomAttribute1". So I'd say double-check your settings, and make sure the filer you are using for the scope actually matches the given users.

@Vasil Michev

 

The value of the attribute was indeed a mismatch here in the post, but the real issue was the naming of the custom attribute. I fetched the naming from "get-mailbox" and selected it from the output. So I have entered ExtensionCustomAttribute1 and the shell accepted it because the whole parameter is a string :(

 

I have now chosen "CustomAttribute1" and it seems to work.

Another victim to copy/paste :D

@Vasil Michev 

 

Yes, but to be honest the KB article about New-ManagementScope has not the proper examples.

Afterwards I found this one, which exactly names the possible filters.

 

https://docs.microsoft.com/en-us/powershell/exchange/exchange-server/recipient-filters/recipientfilt...

Related Conversations