Admins: How do I set up an Exchange Service Account?

Creating an Exchange Service Account using Impersonation

Overview:

To manage aspects of your users' calendars, you can create an account that acts on behalf of your users and thereby simplifies their experience. The software uses this Service Account to access your users' Exchange information, which allows Cirrus Insight to act on their behalf. After setting up this account, you can grant it the rights to act upon each user's data and thereby automate much of the routine account configuration and setup for your Cirrus Insight users.

The following information is provided to assist in setting up the Exchange Service Account. Cirrus Insight has developed a successful process for creating and connecting an Exchange Service Account, as detailed below. If your specific environment has unique issues or requirements, you may need to consult with an Exchange expert for additional help. Cirrus Insight can recommend a firm with this type of experience if needed. Note that Multi-Factor Authentication will prevent the service account from connecting and must be disabled for this account.

Prerequisites:

  • Make sure you have whitelisted our servers as described in the article Whitelisting Cirrus Insight Servers.
  • You will also need to know the EWS URL for your Exchange server. The information needed to determine it is in the article Configure up your EWS URL.

 

Step 1: Create the Service Account

Open the Exchange Admin Center and click on ‘recipients’ in the navigation panel. You should see something similar to the screenshot below.

Click the + and select the ‘User mailbox’ option to create the new service account. The service account MUST have a mailbox.

Select the ‘New user’ option and complete the form below.

Once the form is completed click the ‘Save’ button and we’re on to Step 2.

 

Step 2: Configure Impersonation

 

Open the Exchange Admin Center and select the ‘permissions’ node as shown in the screenshot below.

Click the + to add a new Role Group. Enter a value for Name and Description. Leave the ‘Write scope’ value set to ‘Default’.

Click the + under ‘Roles’ and add ‘ApplicationImpersonation’ as shown below. Click ‘OK’ once it has been added to the list.

Click the + under ‘Members’ and add the service account you created in Step 1. Click ‘OK’ once it has been added to the list. Note that unless "all users" or the service account itself is added to the managed group, the configuration will fail. This is true even if the Service Account is the owner of the group, because when you add a service account, it tests its ability to impersonate by testing against itself.

When new Cirrus Insight users are added, your Exchange administrators will need to add the new users to this group. The standard method to manage this is PowerShell. Your Exchange administrator will need to create and maintain any necessary scripts.

After completing the form click the ‘Save’ button and the new Role Group should be added to your list.

 

IT - PowerShell Setup

Grant delegated access to the service account for each user

  1. Define your list of users in a .csv file (for example, Initiallist.csv).
  2. Grant delegated access to each user's calendar and/or tasks by looping through the user list in PowerShell with these commands.
    1. Add-MailboxFolderPermission -Identity delegated.user.001:\Calendar -User CirrusInsight.Service.Account@company.com -AccessRights Editor
    2. Add-MailboxFolderPermission -Identity delegated.user.001:\Tasks -User CirrusInsight.Service.Account@company.com -AccessRights Editor

 

Ongoing Use

  1. For users who will need access to Cirrus Insight, be sure to add the PowerShell command to the IT onboarding checklist.
  2. If your IT staff wants to automate the PowerShell commands for onboarding new users, they can develop a scheduled task to automate group/permission management. Use the same “add” commands as above. Additional commands to remove users are provided below.
    1. Remove-MailboxFolderPermission -Identity delegated.user.001:\Calendar -User CirrusInsight.Service.Account@company.com
    2. Remove-MailboxFolderPermission -Identity delegated.user.001:\Tasks -User CirrusInsight.Service.Account@company.com
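
The loop described under "IT - PowerShell Setup" and the removal commands under "Ongoing Use", combined into one script. This is an added example, not a Cirrus Insight script. It assumes an already connected Exchange PowerShell session, a CSV column named "User" (hypothetical), and placeholder values for the service account address and log path. It skips entries that are already in the desired state and records every change so delegated access can be reviewed later.

```powershell
# Added example. Assumptions: connected Exchange PowerShell session; the CSV has a
# header row with a "User" column (hypothetical name); addresses are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CsvPath        = '.\Initiallist.csv',
    [string]$ServiceAccount = 'CirrusInsight.Service.Account@company.com',  # placeholder
    [string[]]$Folders      = @('Calendar', 'Tasks'),
    [string]$LogPath        = '.\delegation-log.csv',                       # placeholder
    [switch]$Remove          # revoke instead of grant, e.g. when a user leaves
)

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    foreach ($folder in $Folders) {
        $identity = '{0}:\{1}' -f $row.User.Trim(), $folder

        # Look up any existing entry so repeated runs do not raise duplicate errors.
        $existing = Get-MailboxFolderPermission -Identity $identity -User $ServiceAccount -ErrorAction SilentlyContinue
        $action = if ($existing) { "Present: $($existing.AccessRights -join ',')" } else { 'Absent' }

        try {
            if ($Remove -and $existing) {
                if ($PSCmdlet.ShouldProcess($identity, "Remove $ServiceAccount")) {
                    Remove-MailboxFolderPermission -Identity $identity -User $ServiceAccount -Confirm:$false -ErrorAction Stop
                    $action = 'Removed'
                }
            }
            elseif (-not $Remove -and -not $existing) {
                if ($PSCmdlet.ShouldProcess($identity, "Grant Editor to $ServiceAccount")) {
                    Add-MailboxFolderPermission -Identity $identity -User $ServiceAccount -AccessRights Editor -ErrorAction Stop | Out-Null
                    $action = 'Granted'
                }
            }
        }
        catch {
            # Record the failure and continue with the next mailbox.
            $action = "Failed: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Time = Get-Date -Format o; Mailbox = $row.User; Folder = $folder; Action = $action
        }
    }
}

# Append to a log so there is a record of which mailboxes the service account can edit.
$results | Export-Csv -Path $LogPath -NoTypeInformation -Append
$results | Format-Table -AutoSize
```

Run it with -WhatIf first to list the changes without applying them, and with -Remove to revoke access for the users in the CSV.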