Sometimes assigning “Full Access” permissions in Exchange is not possible because of company security policy. In that case we need a flexible way to grant the connecting user the “ApplicationImpersonation” permission only for a specific list of users (the synchronized mailboxes) instead of for the whole organization.
MS Exchange allows this kind of fine-grained access with the help of the “ApplicationImpersonation” role combined with a custom Management Scope. The list of users covered by the scope can be managed through an Exchange Distribution Group: to enable or disable synchronization for a specific user, simply add that user to or remove them from the group. The scope filter is evaluated against current group membership, so no role assignment has to be changed when the list changes.
Add distribution group to contain users for sync:
Here we create a group named “crmAEsync”. We will need this group later.
Right click on the group and choose “Properties…”:
Switch to the “Members” tab and choose “Add”:
Now you need to use “Exchange Management Shell”:
Here is the script that should be executed (the account running it needs rights to create management scopes and role assignments, e.g. membership in “Organization Management”):
# The scope filter requires the group's distinguished name, not its alias or display name
$groupidentity = (Get-DistributionGroup crmAEsync).DistinguishedName
# Recipient scope that matches only direct members of the group
New-ManagementScope -Name "CRMSyncScope" -RecipientRestrictionFilter "MemberOfGroup -eq '$groupidentity'"
# Grant ApplicationImpersonation to the connecting user, write-scoped to that group
New-ManagementRoleAssignment -Name "CRMSyncRole" -Role ApplicationImpersonation -User <username> -CustomRecipientWriteScope "CRMSyncScope"
Here <username> is the login name of the user that connects to CRM. This user will be able to impersonate every member of the distribution group and nobody else. Check the result with Get-ManagementRoleAssignment -RoleAssignee <username>: the assignment must show CustomRecipientWriteScope "CRMSyncScope"; an assignment of ApplicationImpersonation without a custom scope would allow impersonating every mailbox in the organization.
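The whole procedure above, from creating the group to verifying the scoped assignment, as one re-runnable Exchange Management Shell script. This is an added example and not part of the original post; the service account name (crm-sync), the sample member addresses and the preview step are assumptions for illustration, the group, scope and assignment names are the ones used above.

```powershell
# Added example: scoped ApplicationImpersonation for one distribution group.
# Run from the Exchange Management Shell as an Organization Management admin.
# Assumed names: the crm-sync service account and the two member mailboxes.

$GroupName   = "crmAEsync"
$ScopeName   = "CRMSyncScope"
$RoleAssign  = "CRMSyncRole"
$ServiceUser = "crm-sync"                                  # account the CRM connects with (assumed)
$Members     = @("alice@contoso.com", "bob@contoso.com")   # mailboxes to synchronize (assumed)

# 1. Create the group only if it does not exist yet, so the script can be re-run safely.
$group = Get-DistributionGroup -Identity $GroupName -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-DistributionGroup -Name $GroupName -Type Distribution
}

# 2. Add members. A failed add (already a member, unknown recipient) is reported, not fatal.
foreach ($m in $Members) {
    try {
        Add-DistributionGroupMember -Identity $GroupName -Member $m -ErrorAction Stop
    } catch {
        Write-Warning "Could not add $m : $($_.Exception.Message)"
    }
}

# 3. The scope filter must reference the group's distinguished name.
$dn     = (Get-DistributionGroup -Identity $GroupName).DistinguishedName
$filter = "MemberOfGroup -eq '$dn'"

# Preview which recipients the filter matches before granting any permission on them.
$inScope = Get-Recipient -RecipientPreviewFilter $filter |
    Select-Object -ExpandProperty PrimarySmtpAddress
Write-Host "Recipients in scope: $($inScope -join ', ')"

if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $filter
}

# 4. Grant ApplicationImpersonation to the service account, write-scoped to the group.
if (-not (Get-ManagementRoleAssignment -Identity $RoleAssign -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $RoleAssign `
        -Role ApplicationImpersonation `
        -User $ServiceUser `
        -CustomRecipientWriteScope $ScopeName
}

# 5. Verify. CustomRecipientWriteScope must be the custom scope; an assignment whose
#    write scope is the organization default would let the account impersonate everyone.
Get-ManagementRoleAssignment -RoleAssignee $ServiceUser -Role ApplicationImpersonation |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
```

To stop synchronizing a mailbox later, remove it from the group with Remove-DistributionGroupMember; the role assignment and scope stay untouched. To revoke the whole permission, remove the assignment with Remove-ManagementRoleAssignment before removing the scope with Remove-ManagementScope, since a scope that is still referenced by an assignment cannot be deleted.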