OUTBOX: Creating EWS Service Accounts in Office 365

I’ve been asked this several times and the question usually goes something like this…

Hey Matt, I’m trying to follow the instructions on MSDN for setting up ApplicationImpersonation in Exchange 2010 for my service account in Exchange Online in Office 365 but New-ManagementRoleAssignment isn’t available – what gives?

…To be honest, I haven’t looked too deeply into why that particular cmdlet doesn’t work in Office 365. The reason is that, regardless of whether the cmdlet is available, I prefer to recommend a different, more RBAC-centric approach.

Using New-RoleGroup instead, you can still assign the permissions in one line but instead of simply creating an assignment you define and name a role group.  This makes management and identification of the accounts and permissions tied to your solution a lot easier.  Take a look at the following command…

New-RoleGroup -Name "Contoso Service Accounts" -Roles ApplicationImpersonation -Members ContosoServiceAccountName

First, this cmdlet creates a role group with an identifiable name, “Contoso Service Accounts”. Then the second portion assigns roles to that group; in this case that is only ApplicationImpersonation, but it could include more. Lastly, an account is added as a member of the role group, which gives it all the permissions associated with the group. This is helpful when you need multiple service accounts to handle your application load: you simply add or remove service accounts as members of this group as needed for quick provisioning. It also makes it easy for administrators to understand which accounts are related to your product and what they are allowed to do.
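The same role-group approach, carried a step further as an added example that is not part of the original post: it restricts the group’s impersonation right to a tagged set of mailboxes with a management scope, adds the service account as a member, and then lists what the group actually grants. It assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline), an admin who is in Organization Management, and placeholder names plus a CustomAttribute1 tag of "ContosoApp" on the mailboxes the application may touch.

```powershell
# Added example, not the original post's command. Assumes the ExchangeOnlineManagement
# module and an admin in Organization Management. Group, scope, account names and the
# CustomAttribute1 tag are placeholders for this example.
$GroupName   = "Contoso Service Accounts"
$ScopeName   = "Contoso Application Mailboxes"
$ServiceAcct = "ContosoServiceAccountName"

Connect-ExchangeOnline -ShowBanner:$false

# Least privilege: limit impersonation to mailboxes tagged for this application
# instead of every mailbox in the tenant. The filter attribute is an assumption.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName `
        -RecipientRestrictionFilter "CustomAttribute1 -eq 'ContosoApp'"
}

# Create the role group once; the custom write scope applies to every role it carries.
if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName -Roles ApplicationImpersonation `
        -CustomRecipientWriteScope $ScopeName
}

# Provisioning is now a membership change, not a new role assignment.
Add-RoleGroupMember -Identity $GroupName -Member $ServiceAcct -ErrorAction SilentlyContinue

# The check an administrator wants: who is in the group and what it can do.
Get-RoleGroupMember -Identity $GroupName | Select-Object Name, RecipientType
Get-ManagementRoleAssignment -RoleAssignee $GroupName |
    Select-Object Role, RoleAssigneeType, RecipientWriteScope, CustomRecipientWriteScope

Disconnect-ExchangeOnline -Confirm:$false
```

Exchange Online has since retired the ApplicationImpersonation role, so in the cloud this specific role can no longer be assigned; the scoped role-group pattern itself still applies to on-premises Exchange and to other roles.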

Comments

  • Anonymous
    September 22, 2011
    Excellent.

  • Anonymous
    September 26, 2011
    The reason that New-ManagementRoleAssignment isn't available is because the account that you're using is not a member of the Organization Management role management group. It is basically a permissions issue.

  • Anonymous
    September 26, 2011
    Nice

  • Anonymous
    September 26, 2011
    @Pheylan - Thanks for the tip.  Again, I didn't look into this in too much detail before writing the post because I think that creating a specific RoleGroup for your application is the better solution.  However out of curiosity I did look at my Office 365 account and my tenant admin is part of the "Organization Management" role group.