Exchange Impersonation allows you to set up SAP Hybris Cloud for Customer server-side integration so that, instead of connecting to each user's mailbox with that user's own credentials, the integration uses a single Exchange service account to connect to all user mailboxes in the organization. Exchange Impersonation requires some configuration steps on the Exchange side (documented in detail below), but it has the following benefits:
- No user needs to enter their Exchange mailbox credentials in SAP Hybris Cloud for Customer server-side integration; the credentials are set up once by the administrator.
- Nobody needs to go back to SAP Hybris Cloud for Customer server-side integration to update the Exchange password each time a password change is made.
- Exchange connectivity is established and monitored by the administrator, removing that burden from end users.
There are 3 steps to enable Exchange Impersonation in SAP Hybris Cloud for Customer server-side integration:
- Configure Exchange Service Account
- Verify your configuration
- Enable Impersonation configuration for SAP Hybris Cloud for Customer server-side integration
See below for detailed information about each step.
There are 2 ways to configure Microsoft Exchange impersonation:
- Using PowerShell Exchange Management cmdlets:
  - Works in Exchange 2010-2016 and Office 365
  - Provides the maximum level of control
- Using the Exchange Admin Center web UI:
  - Works in Exchange 2013-2016 and Office 365
  - Easiest to do, but can only configure impersonation for all users in the organization
Microsoft Exchange Server 2010/2013 uses Role-Based Access Control (RBAC) to assign permissions to accounts. You can use the New-ManagementRoleAssignment Exchange Management Shell cmdlet to assign the ApplicationImpersonation role to users in the organization.
When you assign the ApplicationImpersonation role, use the following parameters of the New-ManagementRoleAssignment cmdlet:
1) Name – The friendly name of the role assignment. Each time you assign a role, an entry is made in the RBAC roles list. You can verify role assignments by using the Get-ManagementRoleAssignment cmdlet.
2) Role – The RBAC role to assign. When you set up Exchange Impersonation, you assign the ApplicationImpersonation role.
3) User – The impersonating identity (the service account).
4) CustomRecipientWriteScope – The scope of users that the impersonating user can impersonate. The impersonating user is only allowed to impersonate other users within the specified scope. If no scope is specified, the user is granted the ApplicationImpersonation role over all users in the organization. You can create custom management scopes using the New-ManagementScope cmdlet.
Prerequisites
The following prerequisites are required to configure Exchange Impersonation:
- Administrative credentials for the computer that is running Exchange 2010/2013 that has the Client Access server role installed.
- Domain Administrator credentials, or other credentials with the permission to create and assign roles and scopes.
- Remote PowerShell installed on the computer from which you will run the commands.
Procedure
- Open the Exchange Management Shell.
- Run the New-ManagementRoleAssignment cmdlet to grant the impersonation permission to the specified user. The following example shows how to configure Exchange Impersonation to enable a service account to impersonate all other users in an organization.
New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount
For example: New-ManagementRoleAssignment -Name "impersonationrole" -Role:ApplicationImpersonation -User "User01"
Procedure (restricting impersonation to a scope)
- Open the Exchange Management Shell.
- Run the New-ManagementScope cmdlet to create a scope to which the impersonation role can be assigned. If a suitable scope already exists, you can skip this step. The following example shows how to create a management scope for a specific group of recipients.
New-ManagementScope -Name:scopeName -RecipientRestrictionFilter:recipientFilter
The RecipientRestrictionFilter parameter of the New-ManagementScope cmdlet defines the members of the scope. You can use properties of the Identity object to build the filter.
The following example is a filter that restricts the scope to a single user with the user name "user02":
New-ManagementScope -Name "ScopeUseruser02" -RecipientRestrictionFilter {Name -eq 'user02'}
This example creates a scope for any recipient where the value of the property City equals the string "Address01":
New-ManagementScope -Name "ScopeAddress01" -RecipientRestrictionFilter { City -eq 'Address01' }
The following example creates a scope for shared mailboxes with the Aliases "c4cshared*":
New-ManagementScope -Name "SharedScopeAlias" -RecipientRestrictionFilter {Alias -like 'c4cshared*'}
- Run the New-ManagementRoleAssignment cmdlet to grant the permission to impersonate the members of the specified scope. The following example shows how to configure Exchange Impersonation to enable a service account to impersonate all users in a scope.
New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount -CustomRecipientWriteScope:scopeName
For example:
New-ManagementRoleAssignment -Name "impersonationrolewa" -Role:ApplicationImpersonation -User "Alice" -CustomRecipientWriteScope "ScopeWoodinville"
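The following script is an added example (not part of the SAP documentation) that walks the scoped procedure end to end and then verifies the result with Get-ManagementRoleAssignment, as the "Verify your configuration" step requires. It assumes a service account named "svc-c4c", a scope named "C4CScope" and the shared-mailbox alias prefix "c4cshared*" (all constructed names), and is run in the Exchange Management Shell.

```powershell
# Added example: scoped ApplicationImpersonation assignment plus verification.
# Assumed (constructed) names: service account, scope name and alias filter.
$ServiceAccount = 'svc-c4c'
$ScopeName      = 'C4CScope'
$Filter         = "Alias -like 'c4cshared*'"

# 1. Preview which recipients the filter matches BEFORE granting anything.
#    If more mailboxes show up than intended, tighten the filter first.
Get-Recipient -RecipientPreviewFilter $Filter |
    Select-Object Name, Alias, RecipientTypeDetails

# 2. Create the management scope (skipped if it already exists).
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $Filter
}

# 3. Assign ApplicationImpersonation to the service account, bound to the scope.
New-ManagementRoleAssignment -Name 'C4CImpersonation' `
    -Role ApplicationImpersonation `
    -User $ServiceAccount `
    -CustomRecipientWriteScope $ScopeName

# 4. Verify: the service account's assignment must carry the custom scope.
Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Role ApplicationImpersonation |
    Format-List Name, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope, Enabled

# 5. Audit: list every ApplicationImpersonation assignment that has NO custom
#    recipient scope. Such assignees can impersonate every mailbox in the org,
#    so each one should be a known, documented service account.
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Where-Object { -not $_.CustomRecipientWriteScope } |
    Select-Object Name, RoleAssigneeName, RoleAssigneeType, RecipientWriteScope
```

Step 5 is worth re-running periodically, since an assignment created later through the Exchange Admin Center (see below) is always organization-wide.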
Using the Exchange Admin Center
- Log in to the Office 365 (or Exchange 2013) Exchange Admin Center.
- Select "Permissions" from the navigation tree.
- Click "Admin Roles".
- Click the "+" icon to add a new role group.
- In the role group dialog box, provide a name for your role group (for example, "Impersonation").
- Under Roles, click the "+" icon to add a role.
- Select "Application Impersonation", click "add", and then click OK.