Skip to main content

Reduce the scope of the impersonation role to a group of users

By default, the impersonation role allows the Promodag account to access the contents of all mailboxes in the organization. If you wish to limit this right to a group of mailboxes you can do so by following the additional steps described below.
  • Create a Management Scope to determine which mailboxes can be accessed by Promodag Reports:
Read the Microsoft documentation to see how to create the list of users/mailboxes that can be scanned by Promodag Reports.
For example, run this command if you only want to limit the management scope to Room/Equipment Mailboxes:
New-ManagementScope -Name "PromodagMailboxScope" -RecipientRestrictionFilter {RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "EquipmentMailbox"}
  • Assign the Management Scope to the impersonation role
Retrieve the name of the impersonation Role Assignment based on the role group previously created using this command:
Get-RoleGroup -Identity "Promodag Reports Role Group" | fl Name, RoleAssignments

If the name of the custom role group is 'Promodag Reports Role Group', then you will obtain 'ApplicationImpersonation-Promodag Reports Role Group'.

Associate the Management Scope and the impersonation Role Assignment using this command:
Set-ManagementRoleAssignment -Identity "ApplicationImpersonation-Promodag Reports Role Group"-CustomRecipientWriteScope "PromodagMailboxScope"
Check the application of the Management Scope using the command:
Get-ManagementRoleAssignment -Identity "ApplicationImpersonation-Promodag Reports Role Group" | FL Name, CustomRecipientWriteScope

About the author


Our flagship reporting tool, Promodag Reports, is an innovative and constantly improving email reporting product that brings together all the key elements from Office 365, hybrid and on-premise Exchange messaging environments.

Try Promodag Reports Free for 45 Days

Cookie Notice

Find out more about how this website uses cookies to enhance your browsing experience.