Somebytes SoftwareSomebytes Software Development

Impersonation with EWS

How to work with impersonation using ExMixedFolders or EEAttachments?

If you are using password policy in which the user have to change the password on each month, you may need to use impersonation with EWS.

With impersonation one user gets the ability to act as another user. With this you can create one user as a service user for ExMixedFolders who can access data from others. This user can be removed from the password policy.

To add the rights to the service user you can follow these steps:

for Microsoft 365, Exchange Online:

For Exchange Online, the assignment of the ApplicationImpersonation role will no longer work from May 2024. Microsoft wants to retire this option. In order to still be able to access multiple mailboxes, ExMixedFolders or EEAttachments must now be configured as an app in Azure.

Exchange 2010 - 2019

or Exchange Online until February 2025)

Option 1 (Exchange Admin Center):

ApplicationImpersonation Organisation Management

Create a new user, which we use in ExMixedFolders or EEAttachments in order to connect to others Mailboxes. ( e.g. EWSService )

Add that user to the group "Organization Management". Members of this group have access to other users mailboxes if they are added to the "ApplicationImpersonation" rule as we see in the next picture.


In Exchange Admin Center you find Permissions=>Administrative Roles a rule named "ApplicationImpersonation" which gives you the opportunity to impersonate users.

Go these steps in order to add this function:

1. Create a new administrative rule group.

2. Enter name and add "ApplicationImpersonation" as a rule.

3. Add our serviceuser ( EWSService ) which will have access to other users Mailboxes by ExMixedFolders.

You can do this action by "Active Directory Users and Computers" as well.

Active Directory Benutzer & Computer

Option 2 (Exchange Management Console):

Every user on witch's data the service user wants to have access should grouped together on an scope. You can do it on the power shell by "New-ManagemantScope" command.

New-ManagementScope -name:ImpGroup1 -RecipientRestrictionFilter:"Name -eq 'testuser1' -or Name -eq 'testuser2'"

Every scope has to assigned to a ManagemetRole. You can do that with "New-ManagementAssignment".

New-ManagementRoleAssignment -Name:ImpRuleAss1 -Role:ApplicationImpersonation -User:'suser@somebytes.local' -CustomRecipientWriteScope:ImpGroup1

ExMixedFolders can create this script for you. In order to do this, you should have at minuimum one Serviceconnection with Impersonation on and one Synctask with one inserted user you want to impersonate. After ExMixedFolders has this information, you can get the script by rightclick on the Serverconnectionspane and choose "Commands to configure Impersonation". You can enter these scipt, after it's reviewed, into your Exchange Management Console.

Exchange 2007:

The service user needs to get the right ms-Exch-EPI-Impersonation by powershell. Every user to which's data the service user wants to have access you should give ms-exch-epi-may-impersonate.

Everything you need to know about it, you can read directly on the corresponding Microsoft page about EWS API: