Configuring permissions for the Komiko service account

This article explains the configuration of a service account to allow the Komiko service access to multiple mailboxes.

Microsoft Exchange or Office 365

Microsoft Exchange (and the Exchange-backed email service provided by Office 365) offers three distinct methods of granting a service provider access to a user's mailbox.

  1. Delegate access on a folder by folder basis
  2. Delegate access at the mailbox level
  3. Impersonation

The pluses and minuses of each of these methods and how to set them up are described below and in the online references provided.

Delegate access on a folder by folder basis

Exchange permissions can be set on each individual folder in a user's mailbox. For user-to-user sharing these permissions are exposed through the Outlook client, which allows functions like delegating access to a user's calendar to an assistant while limiting access to other folders (e.g. Inbox). The same permissions can also be set by an Exchange admin via the UI or a script.

The advantage of this method is that permissions can be set to the bare minimum required by the application. In Komiko's case, this means read access to each email and calendar folder (e.g. Inbox, Sent Items, Calendar, Contacts, etc.).

The challenge with this method is that it is very error-prone during setup and fragile afterwards. Fragile because if a user creates a new folder, it will not have the permission the application needs to read its data. Example: John is using Komiko to automatically update CRM from his email and calendar. At some point after initial setup he creates a folder 'XYZ' and sets a rule to move all messages from *@xyz.com to this folder. Komiko will not have permission to read this folder and will miss all email that the rule routes there. Assuming xyz.com is a customer, this is undesirable behavior, as messages from XYZ would no longer be posted to CRM.

The only way to overcome this challenge is to create an administrative script that runs periodically, monitors the target mailboxes for new folders and sets the appropriate permissions automatically. Komiko would backfill any data as soon as access is granted. Users might still notice the data missing from CRM, depending on how frequently the script runs.
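The periodic script described above, as an added example that is not part of the original article or Komiko's own tooling. It uses the standard Exchange cmdlets (Get-MailboxFolderStatistics, Get-MailboxFolderPermission, Add-MailboxFolderPermission) and assumes an open Exchange Online session (Connect-ExchangeOnline from the ExchangeOnlineManagement module) or an on-premises Exchange Management Shell; the service account name and the mailbox list are placeholders. It grants the read-only Reviewer right only on folders where the service account has no entry yet, so running it on a schedule picks up folders created after the initial setup without touching existing grants.

```powershell
# Added example: enumerate every folder in each target mailbox and grant the
# service account read-only access on any folder it cannot read yet.
# Assumes an existing Exchange session; names below are placeholders.

$ServiceAccount = "komiko-svc@contoso.com"                     # placeholder
$Mailboxes      = @("john@contoso.com", "sales@contoso.com")   # placeholder
$AccessRight    = "Reviewer"   # read items only; no create, edit or delete

# Folder types the application has no business reading. Excluding them keeps
# the grant at the minimum the article describes (mail, calendar, contacts).
$SkipTypes = @(
    "Root", "RecoverableItemsRoot", "RecoverableItemsDeletions",
    "RecoverableItemsPurges", "RecoverableItemsVersions", "Audits",
    "CalendarLogging", "SyncIssues", "Conflicts", "LocalFailures", "ServerFailures"
)

foreach ($mbx in $Mailboxes) {
    # FolderPath is returned as "/Inbox/Sub"; the permission cmdlets expect
    # "mailbox:\Inbox\Sub". Folder names that themselves contain "/" are
    # rendered with a substitute character by Exchange and need extra handling.
    $folders = Get-MailboxFolderStatistics -Identity $mbx |
               Where-Object { $SkipTypes -notcontains $_.FolderType }

    foreach ($f in $folders) {
        $folderId = "{0}:{1}" -f $mbx, ($f.FolderPath -replace '/', '\')

        # Get-MailboxFolderPermission errors when the user has no entry on the
        # folder, so a null result means "not granted yet".
        $existing = Get-MailboxFolderPermission -Identity $folderId `
                        -User $ServiceAccount -ErrorAction SilentlyContinue
        if ($existing) { continue }   # leave existing grants alone

        Add-MailboxFolderPermission -Identity $folderId `
            -User $ServiceAccount -AccessRights $AccessRight | Out-Null
        Write-Host ("Granted {0} on {1} to {2}" -f $AccessRight, $folderId, $ServiceAccount)
    }
}
```

Run it from a scheduled task under an admin identity; the interval sets the maximum time a new folder stays invisible to the application, which is the delay the article warns users may notice. Because the script only adds entries and never removes or widens them, a later review of Get-MailboxFolderPermission output still shows exactly what was granted and when it diverges from the intended minimum.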

There are also scalability limitations with this method (see Impersonation below).

Setup instructions for this method can be found here.

Delegate access at the mailbox level

Exchange also offers the opportunity to grant an account complete delegate access to a mailbox.

The advantage of this method is that it’s not subject to the challenges outlined above.

This method does not allow granular permissions. The service account is given full read access to items in the target mailboxes.
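Granting and then auditing mailbox-level access, as an added example that is not part of the original article. It uses Add-MailboxPermission and Get-MailboxPermission, which exist in both Exchange Online and on-premises Exchange; the account and mailbox names are placeholders. One caveat worth knowing before choosing this method: the FullAccess right Exchange offers at the mailbox level is read and write, so the limitation to reading rests on the application's behaviour rather than on anything Exchange enforces.

```powershell
# Added example: mailbox-level delegate access for a service account, followed
# by a tenant-wide listing of where that account holds FullAccess.
# Assumes an existing Exchange session; names below are placeholders.

$ServiceAccount = "komiko-svc@contoso.com"                     # placeholder
$Mailboxes      = @("john@contoso.com", "sales@contoso.com")   # placeholder

foreach ($mbx in $Mailboxes) {
    # -AutoMapping:$false stops Outlook, if anyone ever signs in as the service
    # account, from automatically attaching every delegated mailbox.
    Add-MailboxPermission -Identity $mbx -User $ServiceAccount `
        -AccessRights FullAccess -InheritanceType All -AutoMapping:$false | Out-Null
    Write-Host "Granted FullAccess on $mbx to $ServiceAccount"
}

# Audit: every mailbox in the organization on which the service account has an
# explicit FullAccess entry. Anything outside the intended list is a finding.
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission -User $ServiceAccount -ErrorAction SilentlyContinue |
    Where-Object { $_.AccessRights -contains "FullAccess" -and -not $_.IsInherited } |
    Select-Object Identity, AccessRights, Deny |
    Format-Table -AutoSize
```

The audit query is the part to keep: the grant is a one-time action, but the list of mailboxes a single credential can open is what should be reviewed periodically, and Remove-MailboxPermission with the same parameters reverses any entry the review does not expect.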

There are also scalability limitations with this method (see Impersonation below).

Setup instructions for this method can be found here.

Impersonation

In both delegate access methods described above, Komiko accesses the Exchange Web Services interface as the service account. Because Exchange enforces connection limits and API quotas per account, this severely limits the number of connections the Komiko service can make and the rate at which data can be extracted. If Komiko is monitoring 10 or fewer mailboxes with normal end-user mail volumes (up to several hundred messages a day), these limits won't come into play. If Komiko is configured to manage a larger number of mailboxes, or shared mailboxes with large volumes of email, impersonation is the recommended method.

The advantage of this method is that Komiko impersonates the end user's account for purposes of quota consumption and mailbox access, so the limits apply per impersonated user rather than to the single service account. This allows unlimited scale-out.

The disadvantage of this method is that the service account has full access to the target mailboxes. Komiko only uses this access to read data. As in all cases, the company should take care over who has access to the service account credential.

Setup instructions for this method can be found here.

Impersonation for Office 365 – more details

Here is how to set up impersonation in the Office 365 Admin Center:

  1. Log in to the Office 365 Admin Center.
  2. Select Exchange from the Admin list in the navigation bar on the left of the screen to launch the Exchange Admin Center.
  3. Select Permissions from the navigation bar on the left of the screen.
  4. On the admin roles page, select the '+' icon to add a new role.
  5. Enter a Name for the new role.
  6. In the Roles section, select the '+' icon and add the ApplicationImpersonation role. Click OK.
  7. In the Members section, select the '+' icon and add the Komiko service account. Click Save.
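The same assignment done from Exchange Online PowerShell, as an added example that is not part of the original article or Komiko's own instructions. It goes one step further than the Admin Center procedure: New-ManagementScope with a recipient filter limits impersonation to mailboxes tagged in CustomAttribute1, so the service account cannot impersonate every mailbox in the organization, which is the exposure the article's disadvantage paragraph describes. Cmdlet names are real; the service account, scope name, role assignment name and tag value are placeholders. Microsoft has announced the retirement of the ApplicationImpersonation role in Exchange Online, so check current Microsoft guidance before building a new deployment on it.

```powershell
# Added example: scoped ApplicationImpersonation assignment plus verification.
# Assumes an existing Exchange Online session; names below are placeholders.

$ServiceAccount = "komiko-svc@contoso.com"   # placeholder
$ScopeName      = "Komiko Mailboxes"         # placeholder
$AssignmentName = "Komiko Impersonation"     # placeholder
$Tag            = "Komiko"                   # placeholder value for CustomAttribute1

# 1. Tag the mailboxes the application is allowed to impersonate. This is the
#    list an administrator maintains; untagged mailboxes stay out of scope.
foreach ($mbx in @("john@contoso.com", "sales@contoso.com")) {   # placeholders
    Set-Mailbox -Identity $mbx -CustomAttribute1 $Tag
}

# 2. A management scope that resolves to exactly those mailboxes.
New-ManagementScope -Name $ScopeName `
    -RecipientRestrictionFilter "CustomAttribute1 -eq '$Tag'" | Out-Null

# 3. The role assignment. Without -CustomRecipientWriteScope the assignment
#    would cover every mailbox in the tenant, which is what the Admin Center
#    steps above produce.
New-ManagementRoleAssignment -Name $AssignmentName `
    -Role ApplicationImpersonation -User $ServiceAccount `
    -CustomRecipientWriteScope $ScopeName | Out-Null

# 4. Verify what the service account can now impersonate.
Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Role ApplicationImpersonation |
    Format-List Name, Role, RoleAssignee, RecipientWriteScope, CustomRecipientWriteScope

# 5. And which mailboxes currently fall inside the scope.
Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -eq '$Tag'" |
    Select-Object PrimarySmtpAddress
```

Adding a mailbox later is then a single Set-Mailbox tagging call rather than a change to the role assignment, and step 4 is the check to repeat after any change: an assignment whose CustomRecipientWriteScope is empty means the scope was dropped and the account is back to organization-wide impersonation.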

