How to reduce the scope of the impersonation role to a group of users

By default, the impersonation role allows the Promodag account to access the contents of every mailbox in the organization. If you wish to limit this right to a group of mailboxes, you can do so by following the additional steps below. The restriction is applied through an Exchange management scope attached to the role assignment, so the Promodag account can only impersonate (and therefore only read) the mailboxes that match the scope's filter.
  • Create a Management Scope to determine which mailboxes can be accessed by Promodag Reports:
Read the Microsoft documentation to see how to create the list of users/mailboxes that can be scanned by Promodag Reports.
For example, run this command if you want to limit the management scope to room and equipment mailboxes only:
New-ManagementScope -Name "PromodagMailboxScope" -RecipientRestrictionFilter {RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "EquipmentMailbox"}
 
  • Assign the Management Scope to the impersonation role
Retrieve the name of the impersonation Role Assignment based on the role group previously created using this command:
Get-RoleGroup -Identity "Promodag Reports Role Group" | fl Name, RoleAssignments

If the name of the custom role group is 'Promodag Reports Role Group', then you will obtain 'ApplicationImpersonation-Promodag Reports Role Group'.

Associate the Management Scope with the impersonation Role Assignment using this command (impersonation is governed by the recipient write scope, which is why the scope is set with -CustomRecipientWriteScope):
Set-ManagementRoleAssignment -Identity "ApplicationImpersonation-Promodag Reports Role Group" -CustomRecipientWriteScope "PromodagMailboxScope"
 
Check that the Management Scope has been applied using the command below; the CustomRecipientWriteScope field should show 'PromodagMailboxScope':
Get-ManagementRoleAssignment -Identity "ApplicationImpersonation-Promodag Reports Role Group" | FL Name, CustomRecipientWriteScope
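The three steps above, as one added example script (not part of the original page and not Promodag's own tooling). It assumes an Exchange Management Shell or Exchange Online PowerShell session is already open and that the role group 'Promodag Reports Role Group' already exists. Instead of hard-coding the role assignment name, it looks the assignment up by role group and role, previews which recipients the scope will actually cover before attaching it, and fails loudly if the scope did not take effect. The variable names ($RoleGroupName, $ScopeName, $Filter) are the example's own.

```powershell
# Added example: scope the ApplicationImpersonation assignment of a custom role group.
# Assumes an Exchange Management Shell / Exchange Online PowerShell session is connected.
$RoleGroupName = "Promodag Reports Role Group"       # role group created earlier on this page
$ScopeName     = "PromodagMailboxScope"
# Same filter as the page's example; swap in another OPATH filter (for instance on
# CustomAttribute1 or an OU) to target a different group of mailboxes.
$Filter        = 'RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "EquipmentMailbox"'

# 1. Create the management scope, skipping creation if it already exists.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $Filter | Out-Null
}

# 2. Preview exactly which recipients the scope covers before granting anything.
$scope = Get-ManagementScope -Identity $ScopeName
Write-Host "Mailboxes that will be readable by the Promodag account:"
Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter -ResultSize Unlimited |
    Select-Object Name, PrimarySmtpAddress, RecipientTypeDetails |
    Format-Table -AutoSize

# 3. Locate the ApplicationImpersonation assignment of the role group by assignee and role
#    rather than relying on the default "<Role>-<RoleGroup>" naming convention.
$assignment = Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName -Role "ApplicationImpersonation"
if (-not $assignment) {
    throw "No ApplicationImpersonation assignment found for role group '$RoleGroupName'."
}

# 4. Attach the scope. Impersonation is bounded by the recipient *write* scope.
Set-ManagementRoleAssignment -Identity $assignment.Name -CustomRecipientWriteScope $ScopeName

# 5. Verify the scope really is on the assignment; stop if it is not.
$check = Get-ManagementRoleAssignment -Identity $assignment.Name
if ("$($check.CustomRecipientWriteScope)" -ne $ScopeName) {
    throw "Scope '$ScopeName' was not applied to assignment '$($assignment.Name)'."
}
$check | Format-List Name, Role, RoleAssigneeName, CustomRecipientWriteScope
```

Run the preview step (step 2) on its own first if you are unsure of the filter: it shows the recipients an impersonating client will be able to open, using the same filter the scope will enforce, without changing any assignment. The script is safe to re-run; the scope is only created once and the Set call is idempotent.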
