This method grants the service account impersonation rights restricted only to resources (room and equipment mailboxes) by applying a management scope (a custom recipient write scope).
- Connect to Exchange Online PowerShell via Windows PowerShell. For more information on how to connect to Exchange Online PowerShell, refer to the following Microsoft documents:
Connect to Exchange Online PowerShell
Connect to Exchange Online PowerShell using multi-factor authentication
Typically the commands below can be used to connect to Office 365 PowerShell; open PowerShell as an administrator first. Note that Microsoft has since retired Basic authentication for Exchange Online Remote PowerShell, so the `-Authentication Basic` session shown below will no longer be accepted on tenants where it is disabled; the supported replacement is the Exchange Online PowerShell module's `Connect-ExchangeOnline` cmdlet.
## On the "Execution Policy Change" question type "Y" and press "Enter".
Set-ExecutionPolicy RemoteSigned
## This will prompt a pop-up asking for credentials.
## Enter the username and password for your Office 365 admin account and click "Ok".
$UserCredential = Get-Credential
## Create session
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
## Import session
Import-PSSession $Session
- Create a management scope that will be used in the next step to restrict the impersonation right. The command below limits the scope to resources (room and equipment mailboxes) plus the service account's own mailbox:
New-ManagementScope -Name "ResourceMailboxes" -RecipientRestrictionFilter { RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "EquipmentMailbox" -or PrimarySmtpAddress -eq "service-account@domain.com"}
- Grant the service account impersonation rights using the management scope created in the prior step:
New-ManagementRoleAssignment -Name "ResourceImpersonation" -Role ApplicationImpersonation -User service-account@domain.com -CustomRecipientWriteScope "ResourceMailboxes"
- Check that the impersonation rights have been directly assigned to the service account:
Get-ManagementRoleAssignment -Role "ApplicationImpersonation" -GetEffectiveUsers
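As an added verification step (example code, not part of the original procedure), the script below confirms that every ApplicationImpersonation assignment for the service account is actually restricted to the custom scope, and previews which recipients the scope's filter matches so that ordinary user mailboxes have not slipped in. It assumes an existing Exchange Online session and the names used above (scope "ResourceMailboxes", assignee service-account@domain.com).

```powershell
# Added example, not from the original page. Assumes an existing Exchange Online
# session and the scope/account names used in the steps above.
$ScopeName      = "ResourceMailboxes"
$ServiceAccount = "service-account@domain.com"

# 1. Every ApplicationImpersonation assignment that applies to the service account.
#    An assignment whose write scope is not the custom scope (for example Organization)
#    would allow the account to impersonate every mailbox in the tenant.
$Assignments = Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Role ApplicationImpersonation
if (-not $Assignments) {
    Write-Warning "No ApplicationImpersonation assignment found for $ServiceAccount."
}
foreach ($a in $Assignments) {
    if ($a.RecipientWriteScope -ne "CustomRecipientScope" -or $a.CustomRecipientWriteScope -ne $ScopeName) {
        Write-Warning "Assignment '$($a.Name)' is NOT restricted to scope '$ScopeName' (write scope: $($a.RecipientWriteScope))."
    } else {
        Write-Output "Assignment '$($a.Name)' is restricted to scope '$ScopeName'."
    }
}

# 2. Preview which recipients the scope's OPATH filter actually matches. Anything
#    other than room/equipment mailboxes and the service account itself is unexpected.
$Scope   = Get-ManagementScope -Identity $ScopeName
$InScope = Get-Recipient -RecipientPreviewFilter $Scope.RecipientFilter -ResultSize Unlimited
$Unexpected = $InScope | Where-Object {
    $_.RecipientTypeDetails -notin @("RoomMailbox", "EquipmentMailbox") -and
    $_.PrimarySmtpAddress -ne $ServiceAccount
}
Write-Output ("Scope '{0}' currently matches {1} recipient(s)." -f $ScopeName, @($InScope).Count)
if ($Unexpected) {
    Write-Warning "Recipients in scope that are outside the intended set:"
    $Unexpected | Select-Object Name, PrimarySmtpAddress, RecipientTypeDetails | Format-Table -AutoSize
}
```

Re-run the preview whenever the scope filter is edited, since a broadened filter widens what the service account can impersonate without any change to the role assignment itself.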