
Create RBAC-compliant account for CodeTwo Software

Problem:

You need to run CodeTwo software with an account that is assigned only the absolute minimum permissions required, following the Role Based Access Control (RBAC) approach.

Solution:

CodeTwo software listed in the Applies To section requires credentials for an account on the target Exchange Server that meets the following requirements:

  • the AD user is active and has a UPN assigned
  • the account is mailbox-enabled in Exchange
  • the account is assigned the ApplicationImpersonation role in Exchange
  • the account is assigned a role that can execute the Get-Mailbox cmdlet for all users (see below for a further reason why a role derived from Role Management is the best choice)

The above is the absolute minimum. However, providing credentials of an account that meets only these requirements will cause the Target server connection wizard to fail. This is because the wizard executes additional PowerShell cmdlets to check whether the ApplicationImpersonation role has already been assigned to the account, removes the old assignment if there is one, and attempts to create a new assignment.

You may ignore the wizard's failure warnings and start using the software, provided that the account you configured the connection with meets all the requirements listed above.

However, if for some reason you must be able to go through the wizard with all checks green, the account must not only meet the above requirements but also be assigned a role that has rights to execute the following cmdlets: Get-ManagementRoleAssignment, New-ManagementRoleAssignment and Remove-ManagementRoleAssignment. The built-in role named "Role Management" contains all of them. You can therefore use an account that is a member of the Organization Management role group or one that is assigned the Role Management role, but both grant far more than the software needs; the procedure below shows how to derive a trimmed child role instead.

How to create an account with minimum required permissions

The steps below explain how to create from scratch an account that meets the CodeTwo software requirements and is assigned only the absolutely necessary permissions. The instructions use example names ("c2role", "c2user", "c2assignment1", "c2assignment2"); you can change them to suit your needs.

  1. Create a new user in your Active Directory, make sure you assign a UPN and create a mailbox for this user. In the case of Exchange Online you must also make sure the account has been assigned a license.
  2. On Exchange On-Premises start the Exchange Management Shell (EMS); for Exchange Online (Office 365) connect to Exchange Online PowerShell remotely.
  3. Create a new role that is a child of "Role Management". It must be this particular parent so that the child inherits all required cmdlets. A new child role is used rather than a direct assignment of Role Management so that the unnecessary cmdlets can be removed from it for security purposes.
    New-ManagementRole -Parent "Role Management" -Name "c2role"
  4. Run the cmdlet below to remove all unnecessary cmdlets from the newly created child role. This is for your environment's security: the account used on the target server should have access only to the cmdlets it actually needs. Note that Exchange Online does not accept the piped role entry object, so the Identity has to be built explicitly as "Role\Cmdlet".

    • In the case of Exchange On-Premises (2010, 2013, 2016):
      Get-ManagementRoleEntry "c2role\*" | Where-Object {($_.Name -ne "Get-Mailbox") -and ($_.Name -notlike "*ManagementRoleAssignment")} | Remove-ManagementRoleEntry
      
    • In the case of Exchange Online (Office 365):
      Get-ManagementRoleEntry "c2role\*" | Where-Object {($_.Name -ne "Get-Mailbox") -and ($_.Name -notlike "*ManagementRoleAssignment")} | Foreach-Object {Remove-ManagementRoleEntry -Identity "$($_.Role)\$($_.Name)" -Confirm:$False}
    • WARNING! CodeTwo Out of Office Manager and CodeTwo Email Signatures for Email Clients when configured for Exchange Online (Office 365) require additional permissions to run Get-User cmdlet, therefore use this cmdlet instead:
      Get-ManagementRoleEntry "c2role\*" | Where-Object {($_.Name -ne "Get-Mailbox") -and ($_.Name -ne "Get-User") -and ($_.Name -notlike "*ManagementRoleAssignment")} | Foreach-Object {Remove-ManagementRoleEntry -Identity "$($_.Role)\$($_.Name)" -Confirm:$False}
  5. Run this cmdlet to confirm that, after the previous commands, your new custom role contains only the ManagementRoleAssignment cmdlets plus Get-Mailbox (and Get-User, if you used the variant above).
    Get-ManagementRoleEntry "c2role\*"
  6. Now assign your desired account to this custom role.
    New-ManagementRoleAssignment -Name "c2assignment1" -Role "c2role" -User "c2user"
  7. As mentioned before, CodeTwo software also requires ApplicationImpersonation rights. This is a separate administrative role that holds only one cmdlet, so you do not need to create a tailored child role; simply assign your user to it. Be aware that, unscoped, this assignment lets the account impersonate every mailbox in the organization, and that Microsoft has announced the retirement of the ApplicationImpersonation role in Exchange Online, so check the vendor's current guidance for that environment.
    New-ManagementRoleAssignment -Name "c2assignment2" -Role "ApplicationImpersonation" -User "c2user"
  8. You can see all roles assigned to your user by running the below cmdlet
    Get-ManagementRoleAssignment -RoleAssignee "c2user"
  9. You will notice that apart from your newly created c2assignments there are some others with names starting with "My*". Those are role assignments applied automatically when the mailbox is created in Exchange, following your Default Role Assignment Policy (we assume default settings here; it may look different in environments with already customized policies). These policy assignments cannot be removed individually. In the case of Exchange Server On-Premises it is possible, however, to remove the policy assignment from the mailbox altogether. This step is not required, but the default policy assigns roles that allow, for example, logging in to OWA, and some organizations require such permissions to be revoked for service accounts. If you run the cmdlet below, all policy assignments will be removed for this user.
    Set-Mailbox "c2user" -RoleAssignmentPolicy $null
    In the case of Exchange Online (Office 365) every mailbox must always be assigned to one policy, therefore the above will not work. You might want to check this article to find out how to work with role assignment policies in Office 365.
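The whole procedure (steps 3 to 9) collected into one idempotent script, as an added example that is not part of the original article and not CodeTwo's own code. It keeps the article's names (c2role, c2user, c2assignment1, c2assignment2) but the parameters, the -ExchangeOnline, -NeedsGetUser and -RemoveRoleAssignmentPolicy switches and the Test-C2RoleEntries check are assumptions made for this example. It differs from the one-liners above in one deliberate way: instead of the "*ManagementRoleAssignment" wildcard it uses an explicit allow-list of the three cmdlets the wizard needs, so Set-ManagementRoleAssignment is removed as well.

```powershell
# Added example (not CodeTwo's script). Run in the Exchange Management Shell, or in
# an Exchange Online PowerShell session with -ExchangeOnline.
param(
    [string]$User = "c2user",                 # name from the article
    [string]$Role = "c2role",                 # name from the article
    [switch]$ExchangeOnline,                  # assumed switch: Exchange Online session
    [switch]$NeedsGetUser,                    # assumed switch: Out of Office Manager /
                                              # Email Signatures for Email Clients on EXO
    [switch]$RemoveRoleAssignmentPolicy       # assumed switch: step 9, on-premises only
)
$ErrorActionPreference = "Stop"

# The only cmdlets the account must keep from the "Role Management" parent:
# Get-Mailbox for the software itself, the three assignment cmdlets for the wizard.
$keep = @("Get-Mailbox",
          "Get-ManagementRoleAssignment",
          "New-ManagementRoleAssignment",
          "Remove-ManagementRoleAssignment")
if ($NeedsGetUser) { $keep += "Get-User" }

function Test-C2RoleEntries {
    # Assumed helper: returns $true only when the pruned role contains exactly the
    # allow-listed cmdlets; reports anything missing or left over.
    param([string]$RoleName, [string[]]$Expected)
    $actual  = @(Get-ManagementRoleEntry "$RoleName\*" | ForEach-Object { $_.Name })
    $missing = @($Expected | Where-Object { $actual -notcontains $_ })
    $extra   = @($actual   | Where-Object { $Expected -notcontains $_ })
    if ($missing) { Write-Warning ("Missing from {0}: {1}" -f $RoleName, ($missing -join ", ")) }
    if ($extra)   { Write-Warning ("Still present in {0}: {1}" -f $RoleName, ($extra -join ", ")) }
    return ($missing.Count -eq 0 -and $extra.Count -eq 0)
}

# Step 3: child role of Role Management (only created if it does not exist yet).
if (-not (Get-ManagementRole -Identity $Role -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Parent "Role Management" -Name $Role | Out-Null
}

# Step 4: strip every inherited role entry that is not on the allow-list.
$toRemove = @(Get-ManagementRoleEntry "$Role\*" | Where-Object { $keep -notcontains $_.Name })
foreach ($entry in $toRemove) {
    if ($ExchangeOnline) {
        # Exchange Online does not take the piped object; build Role\Cmdlet explicitly.
        Remove-ManagementRoleEntry -Identity "$($entry.Role)\$($entry.Name)" -Confirm:$false
    } else {
        $entry | Remove-ManagementRoleEntry -Confirm:$false
    }
}

# Step 5: refuse to hand out the role if pruning did not leave exactly the allow-list.
if (-not (Test-C2RoleEntries -RoleName $Role -Expected $keep)) {
    throw "Role '$Role' does not match the expected cmdlet set; not assigning it."
}

# Steps 6 and 7: the trimmed role plus ApplicationImpersonation, each created once.
$assignments = @(
    @{ Name = "c2assignment1"; Role = $Role },
    @{ Name = "c2assignment2"; Role = "ApplicationImpersonation" }
)
foreach ($a in $assignments) {
    if (-not (Get-ManagementRoleAssignment -Identity $a.Name -ErrorAction SilentlyContinue)) {
        New-ManagementRoleAssignment -Name $a.Name -Role $a.Role -User $User | Out-Null
    }
}

# Step 9 (optional, on-premises only): drop the default role assignment policy so the
# service account loses the "My*" end-user roles such as OWA access.
if ($RemoveRoleAssignmentPolicy) {
    if ($ExchangeOnline) {
        Write-Warning "Exchange Online requires every mailbox to keep one policy; skipping."
    } else {
        Set-Mailbox $User -RoleAssignmentPolicy $null
    }
}

# Step 8: show what the account ended up with, and how each assignment got there.
Get-ManagementRoleAssignment -RoleAssignee $User |
    Format-Table Name, Role, RoleAssigneeType, AssignmentMethod -AutoSize
```

Run it as, for example, `.\New-C2Account.ps1 -User c2user -Role c2role -RemoveRoleAssignmentPolicy` on-premises, or with `-ExchangeOnline -NeedsGetUser` for the products listed in the warning above. The Test-C2RoleEntries check is the part worth keeping even if you type the cmdlets by hand: it turns step 5 from "look at the list" into a pass/fail gate, so a role that silently kept an extra cmdlet is never assigned to the service account. If the software only needs to impersonate a subset of mailboxes, the ApplicationImpersonation assignment can additionally be narrowed with a management scope (New-ManagementScope and the -CustomRecipientWriteScope parameter of New-ManagementRoleAssignment) rather than left at the organization level.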
