You are here: OnePlaceLive Services > Email Tracking service > Setup for email tracking > Configure an Impersonation Account

Configure an Impersonation Account to User Mailboxes

Create a user account to use specifically for the purpose of using for the Email Tracking service. This account will need to be given Application Impersonation permission on all OnePlaceMail user mailboxes. Either make this account with a password that doesn’t expire, or ensure you have procedures in place to ensure passwords are updated so that an expired password scenario is not encountered.


Option 1: Grant Access to Impersonate All Users

Use the following procedure to give the service account permission to impersonate any user. The same procedure applies to Exchange on-premises and Exchange Online (Office 365)

  • Open the Exchange Admin Center (this is available from the Admin application in Office 365 as shown below)

  • Select Permissions | Add

Please take note of these considerations

  • Write Scope: Select Default. This determines which mailboxes the permission applies to, Default includes all mailboxes within the scope.
  • Roles – Select ApplicationImpersonation. This is the type of permission to grant to mailboxes within the write scope.

  • Members – Specify the name of your service account (OnePlaceSolutions EmailTracking) that is going to be connecting to all the mailboxes and performing the updates. Effectively we are granting this user the ability to impersonate within mailboxes within the write scope.


Option 2: Grant Access to Impersonate Limited Users

Granting impersonation access to a limited set of Exchange users is more complex than granting access to all users. In Exchange this requires the creation of a Management Scope which identifies the users that the impersonation will apply to.

The remainder of this section details how to create a Management Scope that is bound to a Group. While this is conceptually an easier example to understand, it may not be suitable for your environment due to the following reasons:

  • Management scopes bound to a group does not support nested groups

  • Management scopes bound to a group use the full distinguished name of the group, in Office 365 Microsoft reserve the right to change the distinguished name of a group to support restructuring and you may have no control or warning over this.

  • A full explanation of Exchange Management Scopes is beyond the scope of this document and it is recommended that you familiarize yourself with the options available. The following MSDN article is a good starting point.

  • Understanding management role scope filters:


Create the Management Scope - Select either Online/365 or on-premise



Next Step: Configure Email tracking software