New-Managementroleassignment Exchange 2013 Email


  • Exchange 2010+
  • Admin access to Exchange
  • Under 5 minutes

This is a common issue

If you're having trouble connecting to Exchange calendars in Robin or getting "Cannot find calendar" errors, 90% of the time it's because your service account does not have impersonation rights for room calendars yet. This guide walks you through how to fix it fast.

Once you're done, you can test the results quickly using a connectivity tool from Microsoft via this guide.

We need to make sure the connected service account has the ability to create, edit, and delete meetings. Robin will use these permissions to do things like end meetings early via the room display, or remove abandoned events automatically.

Exchange Impersonation allows the service account to manage events on behalf of your office's room resource calendars, regardless of who originally created the event, and gives you auditable logs for reference.

Via Microsoft's Exchange Impersonation vs. Delegate Access:

Exchange Impersonation is used in scenarios in which a single account needs to access many accounts. Line-of-business applications that work with mail typically use Exchange Impersonation.

Wondering why we don't use account delegation instead?

Assign the ApplicationImpersonation role

This applies to Exchange 2010, 2013 and 2016. Exchange 2007 handles Impersonation a little differently. This MSDN article will help you run the equivalents.

Heads up!

Robin recommends limiting the scope of access based on your team's security needs. Before assigning your service account the ApplicationImpersonation role, take a moment to update which accounts Robin can impersonate. At a minimum, we recommend including all room resource accounts you plan on managing with Robin.

If you need more specific groups, this article shows how to configure Exchange Impersonation and limit access to a custom set of users or account types.

The easy way: No management scope

The service account will have access to all calendars, regardless of type.

In the Exchange management shell, run the command:
New-ManagementRoleAssignment -Role:ApplicationImpersonation -User:YOURSERVICEACCOUNTUSERNAMEHERE

Remember to replace the "User" value in the command with your service account's username.

The advanced way: Limited management scope

With a limited scope, the service account has access to room and equipment calendars only.

In the Exchange management shell, run the command:
New-ManagementScope -Name "ResourceMailboxes" -RecipientRestrictionFilter {RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "EquipmentMailbox"}

This creates a new management scope for only rooms/equipment to act as a filter for the impersonation.

And then when assigning the impersonation to the service account:
New-ManagementRoleAssignment -Name "ResourceImpersonation" -Role ApplicationImpersonation -User "YOURSERVICEACCOUNTUSERNAMEHERE" -CustomRecipientWriteScope "ResourceMailboxes"
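
To confirm the scoped assignment took effect and to find any impersonation grants that still cover the whole organization, a check like the following can be run in the Exchange management shell. It is an added example, not part of Robin's or Microsoft's documentation, and it assumes the scope name "ResourceMailboxes" from the commands above.

```powershell
# Added example: run in the Exchange Management Shell with rights to read RBAC configuration.
# Assumption: the scope is named "ResourceMailboxes", as in the commands above.
$scopeName = "ResourceMailboxes"

# 1. Every ApplicationImpersonation assignment, with organization-wide ones listed first.
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Select-Object Name, RoleAssigneeName, RoleAssigneeType, Enabled,
        RecipientWriteScope, CustomRecipientWriteScope,
        @{ Name = "OrgWide"; Expression = { "$($_.RecipientWriteScope)" -eq "Organization" } } |
    Sort-Object OrgWide -Descending |
    Format-Table -AutoSize

# 2. Who actually holds the role once group-based assignments are expanded.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object EffectiveUserName, Name, CustomRecipientWriteScope |
    Format-Table -AutoSize

# 3. Preview the recipients the scope's filter matches and count them by type.
$scope   = Get-ManagementScope -Identity $scopeName
$matched = @(Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter -ResultSize Unlimited)
$matched | Group-Object RecipientTypeDetails | Select-Object Name, Count | Format-Table -AutoSize

# 4. Anything other than a room or equipment mailbox means the filter is too broad.
$allowed    = "RoomMailbox", "EquipmentMailbox"
$unexpected = @($matched | Where-Object { $allowed -notcontains "$($_.RecipientTypeDetails)" })
if ($unexpected.Count -gt 0) {
    Write-Warning "Scope '$scopeName' matches $($unexpected.Count) non-resource recipient(s):"
    $unexpected | Select-Object Name, RecipientTypeDetails, PrimarySmtpAddress | Format-Table -AutoSize
} else {
    Write-Output "Scope '$scopeName' matches $($matched.Count) recipient(s), all room or equipment mailboxes."
}
```

An assignment shown with OrgWide set to True is the result of the "no management scope" command and can impersonate every mailbox, so it is the one to review or replace with the scoped assignment.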

Next up

With impersonation permissions in order, you're ready to connect the service account to Robin.

If you created a server or database filter or list-based configuration scope and want to use it with a role assignment, you need to include the scope in the command used to assign the role to a universal security group (USG) by using the CustomConfigWriteScope parameter.

Before you can add a scope to a role assignment, you need to create one. For more information, see Create a regular or exclusive scope.

Use the following syntax to assign a role to a USG with a configuration scope.

New-ManagementRoleAssignment -Name <assignment name> -SecurityGroup <USG> -Role <role name> -CustomConfigWriteScope <role scope name>

This example assigns the Exchange Servers role to the MailboxAdmins USG and applies the Mailbox Servers scope.

New-ManagementRoleAssignment -Name "Exchange Servers_MailboxAdmins" -SecurityGroup MailboxAdmins -Role "Exchange Servers" -CustomConfigWriteScope "Mailbox Servers"

The preceding example shows how to add a role assignment with a server configuration scope. The syntax to add a database configuration scope is the same. You specify the name of a database scope instead of a server scope.

For detailed syntax and parameter information, see New-ManagementRoleAssignment.
