Introduction
Managing Exchange mailbox access centrally is recommended for businesses with 5+ users in order to avoid asking users to re-authenticate on both Office 365 and The Layer.
There are two ways to connect to Microsoft Exchange & Office 365.
Basic Authentication (Retiring October 2022)
Easy to set up & manage, but means that you can't set up multi-factor authentication for Office 365 user accounts in your organisation.
Modern Authentication (Recommended)
This authentication technique is more secure, and puts your organisation in control of access. This also allows customers to enable multi-factor authentication on Office 365 user accounts if desired.
Before completing any configuration, you need to set the Exchange Authentication Method in company settings:
Creating an impersonation user on Office 365
Next, regardless of the authentication type (although we recommend Modern Authentication), we need to create an impersonation account on Exchange or Office 365.
Exchange Impersonation enables a caller to impersonate a given user account. This enables the caller to perform operations by using the permissions that are associated with the impersonated account, instead of the permissions that are associated with the caller's account.
Please note that the Application Impersonation feature is available in some Office 365 accounts. Please check with your IT team when setting up this account.
How to create a user account on Office 365
It is best practice to create a separate user account (e.g. [email protected]) to handle impersonation, and to set a strong password on it.
This account acts as the impersonating account and it is important to specify that the password for this account should not expire. However, for customers using Modern Authentication, this isn't an issue.
How to create an Exchange impersonation user via PowerShell (Recommended)
User must be an Exchange Administrator to run these commands.
Recommended Method
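Connect-ExchangeOnline -UserPrincipalName [email protected]   # requires the ExchangeOnlineManagement module; sign in as an Exchange Administrator
New-RoleGroup -Name "Layer_Impersonation" -Roles "ApplicationImpersonation"   # role group that carries only the impersonation role
Add-RoleGroupMember -Identity "Layer_Impersonation" -Member "[email protected]"   # the impersonation account created above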
Alternative Method
Set-ExecutionPolicy RemoteSigned   # set first: Import-PSSession loads a generated script module
$UserCredential = Get-Credential   # prompts for the Exchange Administrator's credentials
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
Enable-OrganizationCustomization -Verbose
New-RoleGroup -Name "Layer_Impersonation" -Roles "ApplicationImpersonation"
Add-RoleGroupMember -Identity "Layer_Impersonation" -Member "[email protected]"   # CHANGE THIS
How to create an Exchange impersonation user via Office 365
Login to the Office 365 Exchange Admin Center
Expand "Roles" on the left-hand side
Select "Admin Roles"
Click on "Add Role Group"
In the role group dialog box, provide a name for your role group (e.g. "LAYER_Impersonation")
Click "Next"
Under Permissions add an RBAC Role.
Select "ApplicationImpersonation" and then click Next.
Under Members, click the search box to add a new member to the role group
Select your admin user account that will act as the maintenance account for The Layer (layeradmin), and then click Next.
Click Save
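A check that can follow the role group setup above, added here as an example (it is not code from The Layer or Microsoft): it reviews which accounts effectively hold ApplicationImpersonation, through which role group, and whether the assignment is limited by a recipient scope. The function name Test-ImpersonationAssignment, the expected account name layeradmin and the sample rows are assumptions constructed for illustration.

```powershell
# Added example. Hypothetical names: Test-ImpersonationAssignment, the expected
# user 'layeradmin', and the constructed $sample rows below.
function Test-ImpersonationAssignment {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Assignment,
        [Parameter(Mandatory)] [string[]] $ExpectedUser,
        [string] $RoleGroup = 'Layer_Impersonation'
    )
    process {
        # -GetEffectiveUsers also emits a summary row for the group itself; skip it.
        if ($Assignment.EffectiveUserName -eq 'All Group Members') { return }

        $findings = @()
        if ($Assignment.RoleAssigneeName -ne $RoleGroup) {
            $findings += "granted via '$($Assignment.RoleAssigneeName)', not $RoleGroup"
        }
        if ($Assignment.EffectiveUserName -notin $ExpectedUser) {
            $findings += 'unexpected account holds impersonation rights'
        }
        if ($Assignment.RecipientWriteScope -eq 'Organization') {
            $findings += 'no custom recipient scope: applies to every mailbox'
        }
        [pscustomobject]@{
            User     = $Assignment.EffectiveUserName
            Via      = $Assignment.RoleAssigneeName
            Scope    = $Assignment.RecipientWriteScope
            Findings = $findings -join '; '
        }
    }
}

# Constructed sample rows, shaped like Get-ManagementRoleAssignment output.
$sample = @(
    [pscustomobject]@{ RoleAssigneeName = 'Layer_Impersonation'; EffectiveUserName = 'All Group Members'; RecipientWriteScope = 'Organization' }
    [pscustomobject]@{ RoleAssigneeName = 'Layer_Impersonation'; EffectiveUserName = 'layeradmin'; RecipientWriteScope = 'Organization' }
    [pscustomobject]@{ RoleAssigneeName = 'Helpdesk_Tools'; EffectiveUserName = 'svc-backup'; RecipientWriteScope = 'CustomRecipientScope' }
)
$sample | Test-ImpersonationAssignment -ExpectedUser 'layeradmin' | Format-Table -AutoSize -Wrap

# Live use, in a session opened with Connect-ExchangeOnline:
# Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
#     Test-ImpersonationAssignment -ExpectedUser 'layeradmin'
```

An empty Findings column means the account is expected, is granted through the intended role group, and is restricted by a custom recipient scope.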
Adding your secure Exchange Web Services (EWS) password into The Layer
To log in to your account in The Layer, you must enter your EWS username and password via this page.
This page will differ depending on which Exchange Authentication Type you are using.
Basic Authentication
If you are using Basic Authentication, you can enter your username and password directly.
OAuth / Modern Authentication
Users of OAuth / Modern Authentication will see a view similar to that below and will need to click the Login Now button.
This will route you through Microsoft's own login flow in order to obtain an OAuth token. Enter the account name and password when prompted.
You'll be taken back to The Layer, where you'll be able to see the time remaining on your token.
You can see your authorisation grants on this page on Office 365 if required.