How to create a Microsoft 365 service account for Condeco
- Log in to the Microsoft 365 admin center with your Microsoft 365 admin account.
- Click Add user from User management.
- Complete the form for your service account and create a password.
- The service account needs at least an E1 license.
- Click Add to create the service account.
Apply impersonation rights
Impersonation is mandatory for Exchange Sync. It is used by the Microsoft 365 service account to create bookings in room calendars.
We recommend using a Management Scope to restrict the service account's impersonation access to the required rooms only. Read more about Management Scope and controlling access to calendars.
Impersonation rights can be applied with the following PowerShell command:
New-ManagementRoleAssignment -Name "<Impersonation Name>" -Role ApplicationImpersonation -User "<service account smtp address>"
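The Management Scope recommendation above, as an added example (not Condeco's or Microsoft's own script): it limits impersonation to tagged room mailboxes and then audits the result. It assumes an Exchange Online PowerShell session is already connected; the account address, the scope and assignment names, and the use of CustomAttribute1 as the room marker are placeholders chosen for illustration.

```powershell
# Added example. All values below are assumed placeholders; replace them.
$ServiceAccount = 'svc-condeco@contoso.example'
$ScopeName      = 'Condeco-Rooms'
$AssignmentName = 'Condeco-Impersonation-Rooms'

# Assumption: rooms Condeco should manage are tagged CustomAttribute1 = 'Condeco'.
$Filter = "(RecipientTypeDetails -eq 'RoomMailbox') -and (CustomAttribute1 -eq 'Condeco')"

# 1. Preview which mailboxes the filter matches before granting anything.
$inScope = Get-Recipient -RecipientPreviewFilter $Filter -ResultSize Unlimited
$inScope | Sort-Object Name |
    Format-Table Name, PrimarySmtpAddress, RecipientTypeDetails
if (-not $inScope) {
    throw "Filter matches no mailboxes; tag the rooms first."
}

# 2. Create the scope once; reuse it on later runs.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $Filter
}

# 3. Grant impersonation limited to that scope.
New-ManagementRoleAssignment -Name $AssignmentName `
    -Role ApplicationImpersonation `
    -User $ServiceAccount `
    -CustomRecipientWriteScope $ScopeName

# 4. Audit: list every ApplicationImpersonation assignment held by the account.
#    An older assignment created without a scope still allows impersonation
#    across the whole organization, so flag anything not bound to a custom scope.
$assignments = Get-ManagementRoleAssignment -Role ApplicationImpersonation `
    -RoleAssignee $ServiceAccount
$assignments |
    Format-Table Name, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope

$unscoped = $assignments | Where-Object { $_.RecipientWriteScope -ne 'CustomRecipientScope' }
if ($unscoped) {
    Write-Warning ("Unscoped impersonation assignments found: " +
        (($unscoped | ForEach-Object Name) -join ', '))
}
```

Removing a flagged assignment with Remove-ManagementRoleAssignment is left as a manual step so that access Exchange Sync depends on is not revoked by accident.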
Learn more about configuring impersonation rights here:
Permissions granted to the service account
During the Exchange Sync setup process, you will authorize the following permissions to the service account:
|Permission|Description|Type|Why it is required|
|---|---|---|---|
|Calendars.ReadWrite.All|Read and write calendars in all mailboxes.|Application|Required to read and update events of calendars without a signed-in user.|
|EWS.AccessAsUser.All|Access mailboxes as the signed-in user via Exchange Web Services.|Delegated|Required by the service account configured with the impersonation rights, to allow it access to mailboxes on behalf of users. Note: This permission is only available to the service account once “Authorize via service account” is clicked during the Microsoft 365 Sync setup process.|
|User.Read|Sign in and read user profile.|Delegated|Required to allow the AAD user to log in.|