Settings permissions for Exchange

Setting Exchange Permissions

Below you'll find a description on how to give a service account application impersonation permission within Exchange 2010/2013/Office365.

Note - please ensure  that you set the password for the Service account never to expire. If that isn't possible, then it is the responsibility of the customer to ensure that the password is always updated in Exchange and in Pronestor before it expires.

Please note: Setting of permissions on Exchange can have some latency before the permissions are set and available. Please allow up to 30 min. for Exchange to have the permissions committed.

Setting Application Impersonation 

Exchange 2013

Exchange 2010


New-ManagementRoleAssignment -Name PronestorServiceGroup -Role applicationImpersonation -User

Exchange 2007


  1. Go to web portal - with administrator permissions
  2. Create a new user (ex. "service")
  3. Go to Exchange Admin Center
  4. Choose Permissions in left menu
  5. Choose "Admin Roles"
  6. Create a new "Role Group"
    1. Name : Pronestor Service Group
    2. Roles : add "ApplicationImpersonation"
    3. Members : add the "service"-user from above


For Pronestor Display only, does not work with Planner. Limiting Application Impersonation

For Pronestor Display - the scope of Application Impersonation can be limited to the rooms only, which from a security point of view is recommended.

New-ManagementScope -Name "RoomsForPronestorDisplaysOnly" -RecipientRestrictionFilter {RecipientTypeDetails -eq "RoomMailbox"}

This will create a dedicated role group in Office 365 covering the rooms relevant for Pronestor.

And then when assigning the impersonation to the service account:

New-ManagementRoleAssignment –Name "ResourceImpersonation" –Role ApplicationImpersonation –User "YOURSERVICEACCOUNTUSERNAMEHERE" –CustomRecipientWriteScope "RoomsForPronestorDisplaysOnly"


Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request


  • Avatar

    Setting Throttling Policy (NOT required per default)

    Use Exchange Management Shell
    Create new policy
    Ex. New-ThrottlingPolicy -Name nothrottlepolicy
    Set throttling on ews
    Ex. Set-ThrottlingPolicy nothrottlepolicy -ewsmaxconcurrency $null
    Set-ThrottlingPolicy nothrottlepolicy -ewsmaxsubscriptions $null
    Associate service account to policy 
    Ex. Set-ThrottlingPolicyAssociation -Identity -ThrottlingPolicy nothrottlepolicy
    An association can be listed and verified with:
    Ex. Get-ThrottlingPolicyAssociation

    It should show a throttlingpolicyid = nothrottle


    For more information on throttling - please see the following KB from Microsoft - click here

  • Avatar

    How to set application impersonation on a group for users/resources

Powered by Zendesk