Configuring an Office 365 maintenance account

Details on the various supported methods

Written by Raymond Carrel
Updated over a week ago


Managing Exchange mailbox access centrally is recommended for businesses with 5+ users in order to avoid asking users to re-authenticate on both Office 365 and The Layer.

There are two ways to connect to Microsoft Exchange & Office 365.

  • Basic Authentication (Retiring October 2022)
    Easy to set up & manage, but means that you can't set up multi-factor authentication for Office 365 user accounts in your organisation.

  • Modern Authentication (Recommended)
    This authentication technique is more secure, and puts your organisation in control of access. This also allows customers to enable multi-factor authentication on Office 365 user accounts if desired.

Before completing any configuration, you need to set the Exchange Authentication Method in company settings:

Creating an impersonation user on Office 365

Next, regardless of the authentication type (although we recommend Modern Authentication), we need to create an impersonation account on Exchange or Office 365.

Exchange Impersonation enables a caller to impersonate a given user account. This enables the caller to perform operations by using the permissions that are associated with the impersonated account, instead of the permissions that are associated with the caller's account.

Please note that the Application Impersonation feature is available in some Office 365 accounts. Please check with your IT team when setting up this account.

How to create a user account on Office 365

It is best practice to create a separate user account (e.g. [email protected]) to handle impersonation, and to set a strong password on it.

This account acts as the impersonating account and it is important to specify that the password for this account should not expire. However, for customers using Modern Authentication, this isn't an issue.

How to create an Exchange impersonation user via PowerShell (Recommended)

You must be an Exchange Administrator to run these commands.

Recommended Method

Connect-ExchangeOnline -UserPrincipalName [email protected]

New-RoleGroup -Name "Layer_Impersonation" -Roles "ApplicationImpersonation"

Add-RoleGroupMember -Identity "Layer_Impersonation" -Member "[email protected]"

Alternative Method

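# Allow the imported session module to load before importing it
Set-ExecutionPolicy RemoteSigned

# Prompt for the Exchange Administrator credentials used by the session
$UserCredential = Get-Credential

# Replace the placeholder with your Exchange remote PowerShell endpoint URI
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "<Exchange PowerShell endpoint URI>" -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session

Enable-OrganizationCustomization -Verbose

New-RoleGroup -Name "Layer_Impersonation" -Roles "ApplicationImpersonation"

Add-RoleGroupMember -Identity "Layer_Impersonation" -Member "[email protected]" # CHANGE THIS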

How to create an Exchange impersonation user via Office 365

  • Log in to the Office 365 Exchange Admin Center

  • Expand "Roles" on the left-hand side

  • Select "Admin Roles"

  • Click on "Add Role Group"

  • In the role group dialog box, provide a name for your role group (e.g. "LAYER_Impersonation")

  • Click "Next"

  • Under Permissions add an RBAC Role.

  • Select "ApplicationImpersonation" and then click Next.

  • Under Members, click the search box to add a new member to the role group

  • Select your admin user account that will act as the maintenance account for The Layer (layeradmin), and then click Next.

  • Click Save
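
To confirm the result of either method above, the following added example (not part of the original article or The Layer's own tooling) flags any account that effectively holds ApplicationImpersonation other than the maintenance account. The function name, the sample rows and the use of "layeradmin" as the value shown in EffectiveUserName are assumptions; the commented line near the end shows the live query that would feed it.

```powershell
# Added example: audit who effectively holds the ApplicationImpersonation role.
# Input rows have the shape returned by
#   Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers
function Find-UnexpectedImpersonator {
    param(
        [Parameter(Mandatory)] [object[]] $Assignment,
        [Parameter(Mandatory)] [string[]] $ExpectedUser,        # names as they appear in EffectiveUserName
        [string] $ExpectedGroup = 'Layer_Impersonation'         # role group created in this article
    )
    foreach ($a in $Assignment) {
        # -GetEffectiveUsers also emits a summary row per role group; it is not an account
        if ($a.EffectiveUserName -eq 'All Group Members') { continue }

        $reasons = @()
        if ($a.EffectiveUserName -notin $ExpectedUser) { $reasons += 'unexpected account' }
        if ($a.RoleAssigneeName -ne $ExpectedGroup)    { $reasons += "granted via '$($a.RoleAssigneeName)'" }

        if ($reasons) {
            [pscustomobject]@{
                User   = $a.EffectiveUserName
                Via    = $a.RoleAssigneeName
                Scope  = $a.RecipientWriteScope
                Reason = $reasons -join '; '
            }
        }
    }
}

# Constructed sample rows (not real tenant data) so the logic can be run offline
$sample = @(
    [pscustomobject]@{ EffectiveUserName = 'All Group Members'; RoleAssigneeName = 'Layer_Impersonation';  RecipientWriteScope = 'Organization' }
    [pscustomobject]@{ EffectiveUserName = 'layeradmin';        RoleAssigneeName = 'Layer_Impersonation';  RecipientWriteScope = 'Organization' }
    [pscustomobject]@{ EffectiveUserName = 'old-sync-svc';      RoleAssigneeName = 'Legacy_Impersonation'; RecipientWriteScope = 'Organization' }
)
Find-UnexpectedImpersonator -Assignment $sample -ExpectedUser 'layeradmin' | Format-Table -AutoSize

# Live use, after Connect-ExchangeOnline (regular, non-delegating assignments only):
# $live = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers -Delegating $false
# Find-UnexpectedImpersonator -Assignment $live -ExpectedUser 'layeradmin'
```

A Scope of Organization on a finding means the account can impersonate every mailbox, so any row returned is worth reviewing with your IT team.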

Adding your secure Exchange Web Services (EWS) password into The Layer

To log in to your account in The Layer, you must enter your EWS username and password via this page.

This page will differ depending on which Exchange Authentication Type you are using.

Basic Authentication

If you are using Basic Authentication, you can enter your username and password directly.

OAuth / Modern Authentication

Users of OAuth / Modern Authentication will see a different view and will need to click the Login Now button.

This will route you through Microsoft's own login flow in order to obtain an OAuth token. Enter the account name and password when prompted.

You'll be taken back to The Layer, where you'll be able to see the time remaining on your token.

You can see your authorisation grants on this page on Office 365 if required.
