An Impersonation role is assigned to a service account when a service application needs access to multiple mailboxes and acts as the mailbox owner.
The Email Notification Service (ENS) must have a service account configured and an impersonation role assigned to the service account. With impersonation, the configured service account for ENS has the permission to access every mailbox in the database. When the ENS uses impersonation to send a message, the message appears to be sent from the mailbox owner.
You can configure impersonation roles for all users by using either PowerShell or the Exchange Admin Center (EAC).
To configure the impersonation role for a specific user or specific groups of users, refer to https://msdn.microsoft.com/en-us/library/office/dn722376(v=exchg.150).aspx.
When creating the service account in Active Directory, the 'Password never expires' option must be enabled to avoid communication failure between ENS and Exchange due to password expiry.
Configure using PowerShell
To configure impersonation for all users using PowerShell:
- Open the Exchange Management Shell.
- Run the New-ManagementRoleAssignment cmdlet to add the impersonation permission to the specified user.
The following example shows how to configure impersonation to enable a service account to impersonate all other users in an organization.
New-ManagementRoleAssignment -Name:ENSApplicationimpersonation -Role:ApplicationImpersonation -User:<ServiceAccount>
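The command above lets the service account impersonate every mailbox. The following added example (not part of the original page or the product's own scripts) shows the group-scoped variant that the linked article covers, followed by a review of every principal that holds ApplicationImpersonation. The names svc-ens, ENS-Users, ENSImpersonationScope and ENSScopedImpersonation are assumed placeholders.

```powershell
# Added example; run in the Exchange Management Shell. All names are assumed placeholders.
$ServiceAccount = 'svc-ens'                 # assumed ENS service account
$GroupName      = 'ENS-Users'               # assumed group containing the mailboxes ENS serves
$ScopeName      = 'ENSImpersonationScope'   # assumed management scope name
$AssignmentName = 'ENSScopedImpersonation'  # assumed role assignment name

# 1. Build a management scope that matches only members of the group.
#    Single quotes in the distinguished name are doubled so the filter stays valid.
$group  = Get-Group -Identity $GroupName -ErrorAction Stop
$dn     = $group.DistinguishedName.Replace("'", "''")
$filter = "MemberOfGroup -eq '$dn'"
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $filter | Out-Null
}

# 2. Assign ApplicationImpersonation to the service account, limited to that scope.
if (-not (Get-ManagementRoleAssignment -Identity $AssignmentName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $AssignmentName -Role ApplicationImpersonation `
        -User $ServiceAccount -CustomRecipientWriteScope $ScopeName | Out-Null
}

# 3. Review who can impersonate and over which scope.
#    OrgWide is True for assignments that cover every mailbox in the organization.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object Name, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope,
        @{ Name = 'OrgWide'; Expression = { "$($_.RecipientWriteScope)" -eq 'Organization' } } |
    Sort-Object OrgWide -Descending |
    Format-Table -AutoSize
```

Role assignments are additive, so if the all-users assignment was already created for the same account, it stays in effect until it is removed with Remove-ManagementRoleAssignment.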
Configure using Exchange Admin Center (EAC)
To configure impersonation for all users using EAC:
- Open the EAC and navigate to Permissions > admin roles.
- Select the "+" icon to add a role.
- Enter the details.
| Setting | Description |
| --- | --- |
| Name | Enter the name for the role. |
| Description | Enter the description for the role. |
| Write Scope | Select Default from the drop-down menu. |
| Roles | Add ApplicationImpersonation as the role. |
| Members | Add the user for whom you want to create the impersonation role. |
- Save the settings.
Configuring impersonation using EAC is available only on Exchange 2013 and Office 365.