How to create a service account on MS Exchange 2013 and above

Prerequisites

1. Ensure Exchange Web Services (EWS) is enabled over an SSL connection. NB: in IIS Manager, in the SSL Settings of the EWS website, the "Require SSL" tick box should be checked and the "Client certificates" radio button should be set to "Ignore".

– Ensure that your Exchange server has a signed SSL certificate from an approved certificate authority.

– Ensure that any firewall in front of your Exchange server allows inbound connections on port 433 (you can restrict access to the IP ranges listed in this article).

2. Enable Exchange Autodiscover service

3. Enable basic authentication on the Exchange server and on the Autodiscover service.

Create a Service Account

1. Create an Exchange user with a mailbox that will act as the service account. In this case, we will create a service account called ServiceAccount. If creating the account in EAC, ensure that “Require password change on next logon” is unticked.

After creating the mailbox, check in Active Directory that the password is set to "Never Expire" and that "Require password change on next logon" is unticked. Once this is done, proceed to Step 2.

2. Using the Exchange Management Shell, grant the Active Directory extended permission ms-Exch-EPI-Impersonation on all Client Access servers. Replace <EnterExchangeSyncServiceAccountEmailAddress> with the name of your own service account and ensure that the < and > symbols are removed, or you'll get an error that says "The '<' operator is reserved for future use."

Get-ExchangeServer | Where-Object {$_.IsClientAccessServer -eq $true} | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User (Get-User -Identity <EnterExchangeSyncServiceAccountEmailAddress>).Identity -ExtendedRights ms-Exch-EPI-Impersonation}

In this instance, since we created a mailbox called ServiceAccount, the command would look like this:

Get-ExchangeServer | Where-Object {$_.IsClientAccessServer -eq $true} | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User (Get-User -Identity ServiceAccount).Identity -ExtendedRights ms-Exch-EPI-Impersonation}

3. Grant the Active Directory extended right ms-Exch-EPI-May-Impersonate to give the service account impersonation rights over mailboxes. Replace <EnterExchangeSyncServiceAccountEmailAddress> with the name of your own service account and ensure that the < and > symbols are removed.

Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User <EnterExchangeSyncServiceAccountAddress> -ExtendedRights ms-Exch-EPI-May-Impersonate}

In this instance, since we created a mailbox called ServiceAccount, the command would look like this:

Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User ServiceAccount -ExtendedRights ms-Exch-EPI-May-Impersonate}

4. Restrict the service account to impersonating only the group of users you wish to connect to timetoreply by creating a management scope whose filter selects those Exchange users.

For example, if you wanted to create a management scope called "Time To Reply Team" and all relevant mailboxes had the filterable property Department set to 'InsideSales', replace <RecipientFilter> with Department -eq 'InsideSales' and replace <DefineExchangeSyncScopeName> with "Time To Reply Team".

New-ManagementScope -Name:<DefineExchangeSyncScopeName> -RecipientRestrictionFilter:{<RecipientFilter>}

In this instance the command would look like this:

New-ManagementScope -Name "Time To Reply Team" -RecipientRestrictionFilter {Department -eq "Inside Sales"}

Note that the colons are not required.

5. Create a management role assignment that limits the service account's ApplicationImpersonation role to the users defined in the management scope above.

New-ManagementRoleAssignment -Name:<DefineExchangeSyncRoleAssignmentName> -Role:ApplicationImpersonation -User:<EnterExchangeSyncServiceAccountAddress> -CustomRecipientWriteScope:<DefineExchangeSyncScopeName>

In this instance the command would look like this:

New-ManagementRoleAssignment -Name:"Service Account Management Role" -Role:ApplicationImpersonation -User:ServiceAccount -CustomRecipientWriteScope:"Time To Reply Team"

Note: if you receive a pipeline error message, wait a few minutes and re-enter the command to give your server time to process the requests.
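The following Exchange Management Shell script is an added example, not part of the original article, that carries out steps 4 and 5 with variables, previews which recipients the filter matches before the scope is created, and then verifies that every ApplicationImpersonation assignment held by the account is actually scoped. The account name, scope and assignment names and the Department filter are assumptions taken from the example values above.

```powershell
# Added example (not from the original article). Assumed values below.
$ServiceAccount  = 'ServiceAccount'                  # mailbox created in step 1
$ScopeName       = 'Time To Reply Team'
$AssignmentName  = 'Service Account Management Role'
$RecipientFilter = "Department -eq 'Inside Sales'"   # same filter as the example above

# Preview the filter first so no unintended mailbox ends up in the scope.
$preview = @(Get-Recipient -RecipientPreviewFilter $RecipientFilter -ResultSize Unlimited)
Write-Host ("Filter matches {0} recipient(s):" -f $preview.Count)
$preview | Select-Object Name, PrimarySmtpAddress | Format-Table -AutoSize

# Step 4: create the management scope unless it already exists.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $RecipientFilter
}

# Step 5: assign ApplicationImpersonation limited to that scope.
if (-not (Get-ManagementRoleAssignment -Identity $AssignmentName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $AssignmentName -Role ApplicationImpersonation `
        -User $ServiceAccount -CustomRecipientWriteScope $ScopeName
}

# Verification: an assignment whose RecipientWriteScope is 'Organization' instead of
# 'CustomRecipientScope' would let the account impersonate every mailbox, so flag it.
$assignments = Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Role ApplicationImpersonation
foreach ($a in $assignments) {
    if ($a.RecipientWriteScope -ne 'CustomRecipientScope') {
        Write-Warning ("Assignment '{0}' is NOT scoped (RecipientWriteScope = {1})" -f $a.Name, $a.RecipientWriteScope)
    } else {
        Write-Host ("Assignment '{0}' is scoped to '{1}'" -f $a.Name, $a.CustomRecipientWriteScope)
    }
}
```

Run it again after any later change to the account's roles; the final loop is the check that the account has not quietly gained an unscoped impersonation assignment.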

Testing your Service Account

Once you have created your service account, you can test connectivity and the scope at https://testconnectivity.microsoft.com/

Once you have created a service account, you can use our MS Exchange Bulk Add option to add multiple MS Exchange mailboxes to timetoreply in just a few clicks.

To add multiple mailboxes to timetoreply using our MS Exchange Bulk Add option, follow these steps:

  1. Log in to your timetoreply account: https://portal.timetoreply.com/
  2. Navigate to TOOLS > Agents/Mailboxes (https://portal.timetoreply.com/entities/agents)
  3. Click on Bulk Add
  4. Then choose the MS Exchange option and click “Bulk link agents”
  5. Enter your service account's email address and password, enter your MS Exchange server version (optional), then either type each mailbox that you want to link to timetoreply or bulk upload a CSV with the list of mailboxes.
  6. Click “Add” to complete the process.