
How to configure SAP Cloud for Customer Exchange Impersonation

Overview

Exchange Impersonation lets you set up SAP Hybris Cloud for Customer server-side integration so that, instead of connecting to each user’s mailbox with that user’s credentials, it uses a single Exchange Service Account to connect to all user mailboxes in the organization. Exchange Impersonation requires some configuration steps on the Exchange side (documented in detail below), but it has the following benefits:

  • Users do not need to enter their Exchange mailbox credentials in SAP Hybris Cloud for Customer server-side integration. Credentials are set up once by the Administrator.
  • Users do not need to go back to SAP Hybris Cloud for Customer server-side integration and update the Exchange password whenever a password change is made.
  • Exchange connectivity is established and monitored by the Administrator, removing that burden from end users.


Enabling Exchange Impersonation in SAP Hybris Cloud for Customer server-side integration takes 3 steps:

    1. Configure the Exchange Service Account
    2. Verify your configuration
    3. Enable the Impersonation configuration for SAP Hybris Cloud for Customer server-side integration


See below for detailed information about each step.

Configure Exchange Service Account


There are 2 ways to configure Microsoft Exchange impersonation:

  • Using PowerShell Exchange Management cmdlets:
    • Works in Exchange 2010-2016 and Office 365
    • Provides the maximum level of control

  • Using the Exchange Admin Center web UI:
    • Works in Exchange 2013-2016 and Office 365
    • Easiest to do, but can only configure impersonation for all users of the organization

Configuring impersonation permissions in Exchange 2010/2013


Microsoft Exchange Server 2010/2013 uses Role-Based Access Control (RBAC) to assign permissions to accounts. You can use the New-ManagementRoleAssignment Exchange Management Shell cmdlet to assign the ApplicationImpersonation role to users in the organization.
When you assign the ApplicationImpersonation role, use the following parameters of the New-ManagementRoleAssignment cmdlet:
1) Name – The friendly name of the role assignment. Each time you assign a role, an entry is made in the RBAC roles list. You can verify role assignments by using the Get-ManagementRoleAssignment cmdlet.
2) Role – The RBAC role to assign. When you set up Exchange Impersonation, you assign the ApplicationImpersonation role.
3) User – The impersonating identity.
4) CustomRecipientWriteScope – The scope of users that the impersonating user can impersonate. The impersonating user will only be allowed to impersonate other users within the specified scope. If no scope is specified, the user is granted the ApplicationImpersonation role over all users in the organization. You can create custom management scopes using the New-ManagementScope cmdlet.

Prerequisites

The following prerequisites are required to configure Exchange Impersonation:

  • Administrative credentials for the computer that is running Exchange 2010/2013 that has the Client Access server role installed.
  • Domain Administrator credentials, or other credentials with the permission to create and assign roles and scopes.
  • Remote PowerShell installed on the computer from which you will run the commands.




Procedure

To configure Exchange Impersonation for all users in an organization

  1. Open the Exchange Management Shell.
  2. Run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate to the specified user. The following example shows how to configure Exchange Impersonation to enable a service account to impersonate all other users in an organization.

New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount

For example:

New-ManagementRoleAssignment -Name "impersonationrole" -Role ApplicationImpersonation -User "User01"

To configure Exchange Impersonation for specific users, groups of users or shared mailboxes

  1. Open the Exchange Management Shell.
  2. Run the New-ManagementScope cmdlet to create a scope to which the impersonation role can be assigned. If an existing scope is available, you can skip this step. The following example shows how to create a management scope for a specific group.

New-ManagementScope -Name:scopeName -RecipientRestrictionFilter:recipientFilter

The RecipientRestrictionFilter parameter of the New-ManagementScope cmdlet defines the members of the scope. You can use properties of the Identity object to create the filter.

The following example is a filter that restricts the result to a single user with the user name “user02”:

New-ManagementScope -Name "ScopeUseruser02" -RecipientRestrictionFilter { Name -eq 'user02' }

This example creates a scope for any recipient where the value of the property City equals the string “Address01”:

New-ManagementScope -Name "ScopeAddress01" -RecipientRestrictionFilter { City -eq 'Address01' }

The following example creates a scope for shared mailboxes with aliases matching “c4cshared*”:

New-ManagementScope -Name "SharedScopeAlias" -RecipientRestrictionFilter { Alias -like 'c4cshared*' }

  3. Run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate the members of the specified scope. The following example shows how to configure Exchange Impersonation to enable a service account to impersonate all users in a scope.

New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount -CustomRecipientWriteScope:scopeName

For example:

New-ManagementRoleAssignment -Name "impersonationrolewa" -Role ApplicationImpersonation -User "Alice" -CustomRecipientWriteScope "ScopeWoodinville"
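
The scoped procedure above, carried through end to end with a check that the filter matches only the mailboxes you intend before the role is granted. This is an added example, not part of the original article; the service account name, scope name and expected recipient count are placeholders to replace with your own values.

```powershell
# Added example: run in the Exchange Management Shell.
# All names and the size limit below are placeholders (assumptions), not values from the article.
$serviceAccount = 'svc-c4c-sync'            # hypothetical service account
$scopeName      = 'C4CSharedMailboxes'      # hypothetical scope name
$filter         = "Alias -like 'c4cshared*'"
$maxExpected    = 25                        # assumed upper bound on mailboxes in this scope

# 1. Preview which recipients the filter matches before any scope exists.
$matched = @(Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited)
$matched | Sort-Object Name | Format-Table Name, Alias, RecipientTypeDetails -AutoSize

# 2. Stop if the filter matches nothing (typo) or far more than intended (too broad).
if ($matched.Count -eq 0) {
    throw "Filter '$filter' matches no recipients."
}
if ($matched.Count -gt $maxExpected) {
    throw "Filter '$filter' matches $($matched.Count) recipients; expected at most $maxExpected."
}

# 3. Create the scope, then the role assignment restricted to that scope.
New-ManagementScope -Name $scopeName -RecipientRestrictionFilter $filter
New-ManagementRoleAssignment -Name "$scopeName-Impersonation" `
    -Role ApplicationImpersonation `
    -User $serviceAccount `
    -CustomRecipientWriteScope $scopeName

# 4. Read the assignment back and confirm the custom scope was applied.
Get-ManagementRoleAssignment -Identity "$scopeName-Impersonation" |
    Format-List Name, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope
```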

Configuring impersonation permissions in Office 365 (Exchange 2013)

  1. Log in to the Office 365 (or Exchange 2013) Exchange Admin Center.
  2. Select “Permissions” from the navigation tree.
  3. Click on “Admin Roles”.
  4. Click the “+” icon to add a new role.
  5. In the role group dialog box, provide a name for your Role Group (for example, “Impersonation”).
  6. Under Role, click the “+” icon to add a Role.
  7. Select “Application Impersonation”, click “add” and then click OK.
  8. Under Members, click the “+” icon to add a new member to the Role Group.
  9. Select your admin account that will have impersonation rights, click “add”, and then click OK.
  10. Click Save.


Note: This sets impersonation for all users in the organization (write scope: Default). If you need impersonation for specific users, groups of users or shared mailboxes, first use the New-ManagementScope cmdlet to create a scope to which the impersonation role can be assigned.
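
Because a role group created this way grants impersonation over every mailbox, it is worth listing who currently holds the ApplicationImpersonation role and which assignments are organization-wide. The following audit is an added example, not part of the original article; the report column names are chosen here for illustration.

```powershell
# Added example: run in the Exchange Management Shell.
# Lists every effective holder of ApplicationImpersonation and flags unscoped assignments.
$assignments = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Where-Object { "$($_.RoleAssignmentDelegationType)" -eq 'Regular' }   # skip delegating entries

$report = foreach ($a in $assignments) {
    # Resolve the recipient filter behind a custom scope, if one is set.
    $scopeFilter = $null
    if ($a.CustomRecipientWriteScope) {
        $scopeFilter = (Get-ManagementScope -Identity "$($a.CustomRecipientWriteScope)").RecipientFilter
    }

    [pscustomobject]@{
        Assignment    = $a.Name
        Assignee      = $a.RoleAssigneeName
        AssigneeType  = $a.RoleAssigneeType
        EffectiveUser = $a.EffectiveUserName
        WriteScope    = "$($a.RecipientWriteScope)"
        CustomScope   = "$($a.CustomRecipientWriteScope)"
        ScopeFilter   = $scopeFilter
        # True when the account can impersonate every mailbox in the organization.
        OrgWide       = ("$($a.RecipientWriteScope)" -eq 'Organization')
    }
}

# Full list, organization-wide assignments first.
$report | Sort-Object @{ Expression = 'OrgWide'; Descending = $true }, Assignee |
    Format-Table Assignment, Assignee, EffectiveUser, WriteScope, CustomScope, OrgWide -AutoSize

# Scoped assignments with the filter that defines each scope.
$report | Where-Object { -not $_.OrgWide } |
    Format-List Assignment, EffectiveUser, CustomScope, ScopeFilter
```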

Verify Your Configuration

To verify your configuration, use Microsoft Remote Connectivity Analyzer (https://testconnectivity.microsoft.com/):

1) Navigate to https://testconnectivity.microsoft.com/

2) Select Service Account Access (Developers) and click “Next”.

3) Fill in the details for connecting to the service account:

    a) Target Mailbox address – address assigned to the service account

    b) Service Account user name – enter in domain\user name or user@domain format

    c) Service Account password – enter the password assigned to the service account in step 1, and enter the same password in the Confirm password section

    d) If you know your Exchange Web Services URL, click on “Specify Exchange Web Services URL”; otherwise use the default setting, which will try to discover the EWS URL automatically

    e) In “Test predefined folder” leave the default value (“Inbox”)

    f) Click “Use Exchange Impersonation” and provide the email address of the impersonated user you are testing

    g) If needed, check “Ignore Trust for SSL”

    h) Review and check the “I understand…” section, and complete the CAPTCHA check

4) Click “Perform Test”

5) Review the test results, and make sure the test is successful


Configure impersonation

In the Groupware settings of SAP Hybris Cloud for Customer server-side integration, do the following steps:

  1. Create a new Organization, which will host all users sharing the same Exchange Impersonation configuration
    1. If your company uses different Microsoft Exchange deployments, you might need to create several SAP Hybris Cloud for Customer server-side integration Organizations, one for each group of users residing on a specific server.
  2. Define the organization’s mailbox configuration as “Exchange Impersonated”
  3. Enter the service account credentials and test that SAP Hybris Cloud for Customer server-side integration can connect to your Exchange server using these credentials.
  4. Provision users to the Organization. For each user in the list:
    1. Provision the new user to the organization
    2. Define the user’s email address for Exchange Sync
    3. (Optionally) Verify that Exchange Connectivity works for the user
  5. Let users know that they can start using SAP Hybris Cloud for Customer server-side integration right away.