Introduction

Managing Exchange mailbox access centrally is recommended for businesses with 5+ users in order to avoid asking users to re-authenticate on both Office 365 and The Layer.

There are two ways to connect to Microsoft Exchange & Office 365.

  • Basic Authentication (Retiring October 2022)
    Easy to set up & manage, but means that you can't set up multi-factor authentication for Office 365 user accounts in your organisation.

  • Modern Authentication (Recommended)
    This authentication technique is more secure, and puts your organisation in control of access. This also allows customers to enable multi-factor authentication on Office 365 user accounts if desired.

Before completing any configuration, you need to set the Exchange Authentication Method in company settings.

Creating an impersonation user on Office 365

Next, regardless of the authentication type (although we recommend Modern Authentication), we need to create an impersonation account on Exchange or Office 365.

Exchange Impersonation enables a caller to impersonate a given user account. This enables the caller to perform operations by using the permissions that are associated with the impersonated account, instead of the permissions that are associated with the caller's account.

Please note that the Application Impersonation feature is available in some Office 365 accounts. Please check with your IT team when setting up this account.


How to create a user account on Office 365

It is best practice to create a separate user account to handle impersonation, with a strong password (e.g. [email protected]).

This account acts as the impersonating account and it is important to specify that the password for this account should not expire. However, for customers using Modern Authentication, this isn't an issue.


Recommended Method:

Connect-ExchangeOnline -UserPrincipalName [email protected]

New-RoleGroup -Name "Layer_Impersonation" -Roles "ApplicationImpersonation"

Add-RoleGroupMember -Identity "Layer_Impersonation" -Member "[email protected]"

Alternative Method:

Set-ExecutionPolicy RemoteSigned

# Prompt for the admin credentials used to open the remote session
$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session

Enable-OrganizationCustomization -Verbose

New-RoleGroup -Name "Layer_Impersonation" -Roles "ApplicationImpersonation"

# CHANGE THIS to your impersonation account
Add-RoleGroupMember -Identity "Layer_Impersonation" -Member "[email protected]"


How to create an Exchange impersonation user via Office 365

  • Log in to the Office 365 Exchange Admin Center

  • Scroll down to "Admin" and expand

  • Select "Exchange"

  • Select "Permissions"

  • Click on "Admin Roles"

  • Click the "+" Icon to add a new role

  • In the role group dialog box, provide a name for your role group (e.g. "LAYER_Impersonation")

  • Under Role click the "+" icon to add an RBAC Role.

  • Select "ApplicationImpersonation", click "add ->" and then click OK.

  • Under Members click the "+" icon to add a new member to the role group

  • Select your admin user account that will act as the maintenance account for The Layer (layeradmin), click "add ->", and then click OK.

  • Click Save
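
Because any member of this role group can act as other mailboxes, it is worth checking the result of either procedure above. The following read-only audit is an added example, not part of the original article or The Layer's own tooling; it assumes an existing Connect-ExchangeOnline session and the role group name "Layer_Impersonation" used in the PowerShell commands earlier (change it if you used a different name in the admin center).

```powershell
# Added example: read-only audit of ApplicationImpersonation holders.
# Assumption: Connect-ExchangeOnline has already been run in this session.
$RoleGroupName = "Layer_Impersonation"   # assumed name; match the group you created

# 1. Direct members of the role group. Only the dedicated impersonation
#    account should be listed here.
$members = @(Get-RoleGroupMember -Identity $RoleGroupName)
$members | Format-Table Name, RecipientType -AutoSize
if ($members.Count -ne 1) {
    Write-Warning "$RoleGroupName has $($members.Count) members; expected exactly 1."
}

# 2. Every account that effectively holds ApplicationImpersonation, through
#    any role group or direct assignment (delegating-only assignments excluded).
$effective = @(Get-ManagementRoleAssignment -Role "ApplicationImpersonation" `
        -GetEffectiveUsers -Delegating $false)
$effective | Sort-Object EffectiveUserName |
    Format-Table EffectiveUserName, RoleAssigneeName, AssignmentMethod,
                 RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 3. Holders that obtained the role some other way than the Layer role group.
$unexpected = @($effective | Where-Object { $_.RoleAssigneeName -ne $RoleGroupName })
foreach ($entry in $unexpected) {
    Write-Warning ("{0} holds ApplicationImpersonation via '{1}', not via {2}." -f `
        $entry.EffectiveUserName, $entry.RoleAssigneeName, $RoleGroupName)
}

# 4. Assignments whose write scope is the whole organisation can impersonate
#    every mailbox; list them so the exposure is a conscious decision.
$orgWide = @($effective | Where-Object { $_.RecipientWriteScope -eq "Organization" })
foreach ($entry in $orgWide) {
    Write-Warning ("{0} can impersonate any mailbox (scope: Organization)." -f `
        $entry.EffectiveUserName)
}

# Summary object for logging or change records.
[pscustomobject]@{
    RoleGroup           = $RoleGroupName
    RoleGroupMembers    = $members.Count
    EffectiveHolders    = $effective.Count
    UnexpectedHolders   = $unexpected.Count
    OrganisationScoped  = $orgWide.Count
}
```

Re-running the audit after any change to admin roles shows whether a new account has picked up impersonation rights.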


Adding your secure Exchange Web Services (EWS) password into The Layer

To log in to your account in The Layer, you must enter your EWS username and password via this page.

This page will differ depending on which Exchange Authentication Type you are using.

Basic Authentication

If you are using Basic Authentication, you can enter your username and password directly.

OAuth / Modern Authentication

Users of OAuth / Modern Authentication will see a view similar to that below and will need to click the Login Now button.

This will route you through Microsoft's own login flow in order to obtain an OAuth token. Enter the account name and password when prompted.

You'll be taken back to The Layer, where you'll be able to see the time remaining on your token.

You can see your authorisation grants on this page on Office 365 if required.
