internet screen security protection
Photo by Pixabay on


There are many vendors (like voice mail providers) these days who need EWS Impersonation access on mailboxes. In general you will grant access on whole organization but All applications don’t need access on every mailbox and it would be good to provide access on only required mailboxes.

Here you can leverage scoped EWS Impersonation, where you will grant impersonation access to service account on only few mailboxes and reduce attack surface. This same approach can be used on Exchange Server and Exchange Online.

Steps :

  • First create a Service account which will be granted impersonation access.
  • Create a security group and add mailboxes as it’s member, on which access need to be provided.
  • Create a management scope, Connect Exchange Online Shell and then run similar command. Only replace highlighted distinguished name with your DL.
New-ManagementScope -Name AppImpersonation -RecipientRestrictionFilter {MemberOfGroup -eq ‘CN=DL,,OU=Microsoft Exchange Hosted Organizations,DC=APCPR01A900,DC=PROD,DC=OUTLOOK,DC=COM’}
  • This scope named AppImpersonation will be available for selection during Role Group Creation.
  • Open and navigate to permissions > admin roles and click on + icon.
  • Fill info as shown in screenshot and type friendly name in ‘Name’ Field and select ‘AppImpersonation’ in ‘Write scope’ then select ‘ApplicationImpersonation’ in Role. and add service account in ‘Member’\da.jpg


  • Download EWSEditor from codeplex.
  • Fill information like below and click Ok.
  • If a new window opens like below then you have successfully accessed mailbox using impersonation.
  • if you receive error then verify if you followed all steps correctly.

Thanks for reading !