This guide explains why Pronestor Planner needs impersonation rights in Outlook, how Pronestor Planner uses those rights, and how you can log the service account's actions for audit purposes.
Table of contents
- Why the Exchange service account needs impersonation rights and how it uses the impersonation rights
- If you have concerns
Why the Exchange service account needs impersonation rights and how it uses the impersonation rights
The Exchange service account has impersonation rights on every user and every meeting room.
If user "Allan" creates an appointment in Pronestor, Pronestor writes this appointment into user "Allan"'s Outlook. To do that as if user "Allan" put it there themselves, Pronestor needs impersonation rights. The same happens when an appointment is changed. Without impersonation rights, Pronestor cannot ensure that the data in Outlook and in Pronestor is the same.
The service account also uses the impersonation rights to read the user's calendar to ensure that Pronestor is updated with any changes made in Outlook.
For example, if user "Allan" reschedules an appointment in Outlook, the service account reads this information and updates "Allan"'s calendar in Pronestor and the meeting room's calendar in Pronestor. Without impersonation rights, Pronestor cannot ensure that the data in Outlook and in Pronestor is the same.
Traffic via EWS is also subject to the EWS throttling limits, and using application impersonation ensures that the requests from Pronestor aren't affected by this limitation.
If you have concerns
With Office 365, mailbox audit logging can be enabled. This gives full insight into the events/actions performed, which can be used to audit for any suspected abuse by the service account with ApplicationImpersonation.
Please see the KB from Microsoft on this topic here: https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-SecurityCompliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c?ui=en-US&rs=enUS&ad=US&fromAR=1
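One way to review exported audit records for service-account activity that falls outside the calendar synchronisation described above. This is an added example, not Pronestor or Microsoft code. The account name, the baseline of allowed operations, the calendar folder names and the record field names are assumptions to adjust to your own export.

```python
import json

# Assumptions, not from the original page: the service account UPN, the baseline
# of expected operations, and records shaped like the AuditData JSON of an
# exported audit log (UserId, MailboxOwnerUPN, Operation, Item/AffectedItems).
SERVICE_ACCOUNT = "svc-pronestor@example.com"   # hypothetical
ALLOWED_OPERATIONS = {"Create", "Update", "MoveToDeletedItems", "SoftDelete"}
CALENDAR_ROOTS = ("\\calendar", "\\kalender")   # folder names are localised

# Constructed sample records, one JSON object per line.
SAMPLE = r'''
{"UserId":"svc-pronestor@example.com","MailboxOwnerUPN":"allan@example.com","Operation":"Create","Item":{"ParentFolder":{"Path":"\\Calendar"}}}
{"UserId":"svc-pronestor@example.com","MailboxOwnerUPN":"allan@example.com","Operation":"Update","Item":{"ParentFolder":{"Path":"\\Inbox"}}}
{"UserId":"svc-pronestor@example.com","MailboxOwnerUPN":"room1@example.com","Operation":"SendAs"}
{"UserId":"allan@example.com","MailboxOwnerUPN":"allan@example.com","Operation":"Update","Item":{"ParentFolder":{"Path":"\\Inbox"}}}
{"UserId":"svc-pronestor@example.com","MailboxOwnerUPN":"room1@example.com","Operation":"MoveToDeletedItems","AffectedItems":[{"ParentFolder":{"Path":"\\Kalender"}}]}
'''

def load(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def folder_paths(rec):
    """Collect folder paths from single-item and multi-item record shapes."""
    items = [rec.get("Item") or {}] + list(rec.get("AffectedItems") or [])
    paths = ((i.get("ParentFolder") or {}).get("Path") for i in items)
    return {p.lower() for p in paths if p}

def is_calendar(path):
    return any(path == r or path.startswith(r + "\\") for r in CALENDAR_ROOTS)

def review(records):
    """Return (mailbox, operation, reasons) for actions outside calendar sync."""
    findings = []
    for rec in records:
        if rec.get("UserId", "").lower() != SERVICE_ACCOUNT:
            continue  # only the impersonating account is under review
        reasons = []
        if rec.get("Operation") not in ALLOWED_OPERATIONS:
            reasons.append("unexpected operation")
        paths = folder_paths(rec)
        if not paths:
            reasons.append("no folder recorded")
        elif not all(is_calendar(p) for p in paths):
            reasons.append("non-calendar folder")
        if reasons:
            findings.append((rec.get("MailboxOwnerUPN"), rec.get("Operation"), reasons))
    return findings

if __name__ == "__main__":
    for owner, op, reasons in review(load(SAMPLE)):
        print(owner, op, ", ".join(reasons))
```

Records with no folder path are flagged rather than skipped, so an operation that never touches a calendar item still surfaces for review.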