Reduce the scope of the impersonation role to a group of users

By default, the impersonation role allows the Promodag account to access the contents of all mailboxes in the organization. If you wish to limit this right to a group of mailboxes you can do so by following the additional steps described below.

Create a Management Scope to determine which mailboxes can be accessed by Promodag Reports:

Read the Microsoft documentation to see how to create the list of users/mailboxes that can be scanned by Promodag Reports.
For example, run this command if you only want to limit the management scope to Room/Equipment Mailboxes:
New-ManagementScope -Name "PromodagMailboxScope" -RecipientRestrictionFilter {RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "EquipmentMailbox"}

Assign the Management Scope to the impersonation role

Retrieve the name of the impersonation Role Assignment based on the role group previously created using this command:

Get-RoleGroup -Identity "Promodag Reports Role Group" | fl Name, RoleAssignments

If the name of the custom role group is 'Promodag Reports Role Group', then you will obtain 'ApplicationImpersonation-Promodag Reports Role Group'.

Associate the Management Scope and the impersonation Role Assignment using this command:

Set-ManagementRoleAssignment -Identity "ApplicationImpersonation-Promodag Reports Role Group"-CustomRecipientWriteScope "PromodagMailboxScope"

Check the application of the Management Scope using the command:
Get-ManagementRoleAssignment -Identity "ApplicationImpersonation-Promodag Reports Role Group" | FL Name, CustomRecipientWriteScope

08 Feb 2021

Configuration

About the author

Promodag

Our flagship reporting tool, Promodag Reports, is an innovative and constantly improving email reporting product that brings together all the key elements from Office 365, hybrid and on-premise Exchange messaging environments.