Impersonation

The following should only be performed by an IT administrator. If you work in Branding or Marketing and are not familiar with IT administration, please ask the IT department for help.

The DSBS runs as "Network Service" and therefore does not have permission to change signatures on behalf of users.

For the job to be able to push signatures to OWA / Office 365, you must add an account that has the ApplicationImpersonation permission on the Exchange installation.

However, before you can enter and test the impersonation setup, you must create this account and grant it the permissions.

For the UI method, see the bottom of this page.

On-Premises Setup

In Active Directory, create an account called e.g. BatchPush. A good place for it is the "Users" container.

Start PowerShell with the Exchange cmdlets loaded (the Exchange Management Shell) and run the following command:

New-RoleGroup -Name "DynamicSignature" -Roles "ApplicationImpersonation","View-Only Recipients" -Members batchpush

If you later wish to revoke the permission, you can use:

Remove-RoleGroup -Identity DynamicSignature
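The two commands above grant ApplicationImpersonation for every mailbox in the organization. The following script, added here as an example and not part of the DSBS documentation or product, creates the same role group, verifies what it actually grants, and shows how to restrict it to the mailboxes the job needs. The account name "batchpush", the scope name and the recipient filter are assumptions; run it in the Exchange Management Shell on the on-premises server.

```powershell
# Added example (not from the DSBS documentation). Assumptions: the service
# account is "batchpush"; the scope name and the Department filter are
# placeholders to adapt to your own environment.
$accountName = "batchpush"
$groupName   = "DynamicSignature"

# 1. Create the role group as described on this page (unscoped: it applies
#    to all mailboxes in the organization).
New-RoleGroup -Name $groupName `
              -Roles "ApplicationImpersonation","View-Only Recipients" `
              -Members $accountName

# 2. Verify the group: it should carry exactly the two roles and contain
#    only the service account.
Get-RoleGroup -Identity $groupName | Format-List Name, Roles, Members
Get-RoleGroupMember -Identity $groupName | Format-Table Name, RecipientType -AutoSize

# 3. Show the effective assignments with their scopes. An empty
#    CustomRecipientWriteScope means "every recipient".
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 4. Least-privilege variant (optional): instead of step 1, create the group
#    with a management scope so the account can only impersonate the
#    mailboxes the signature job must update. The scope must include every
#    mailbox DSBS is expected to process, so test the filter first.
New-ManagementScope -Name "DynamicSignatureScope" `
                    -RecipientRestrictionFilter "Department -eq 'Sales'"

# Preview which recipients the filter matches before relying on it.
Get-Recipient -RecipientPreviewFilter "Department -eq 'Sales'" |
    Format-Table Name, RecipientType -AutoSize

New-RoleGroup -Name "$groupName-Scoped" `
              -Roles "ApplicationImpersonation","View-Only Recipients" `
              -Members $accountName `
              -CustomRecipientWriteScope "DynamicSignatureScope"

# 5. Revocation (mirrors the page's Remove-RoleGroup); remove the scope only
#    after no assignment references it.
# Remove-RoleGroup -Identity "$groupName-Scoped" -Confirm:$false
# Remove-ManagementScope -Identity "DynamicSignatureScope" -Confirm:$false
# Remove-RoleGroup -Identity $groupName -Confirm:$false
```

Use either step 1 or step 4, not both: a second, unscoped assignment through the first group would make the scope on the second group ineffective. Step 3 is also the quickest way to audit, later on, exactly which accounts hold ApplicationImpersonation and over which recipients.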

Office 365 Setup

There is a good deal more work to do if you are in the cloud.

Use the Windows Azure Active Directory Module to create an account called e.g. BatchPush.

By not using the ECP to create this account, you avoid creating a mailbox for it. A mailbox is not necessary and would only increase your hosting costs.

(The Office 365 cmdlets have been renamed to the Windows Azure Active Directory Module.)

Download and install the Microsoft Online Services Sign-In Assistant. Then download and install the appropriate module for Azure.

This should give you a shortcut on the Desktop called something along the lines of:
"Windows Azure Active Directory-modul for Windows PowerShell"

This new PowerShell shortcut contains the cmdlets needed to connect to Office 365.

Note that this may require an elevated PowerShell session.

Do:

$cred = Get-Credential

Connect-MsolService -Credential $cred

This lets you manage everything Office 365 related, but NOT Exchange Online.

Managing Exchange Online works a little differently, because you connect directly to the Exchange Online service, which is not the same as the Office 365 tenant.

The cmdlets for Exchange Online are imported over the internet, so first you need to change the PowerShell execution policy to allow remotely signed modules to be loaded. In an elevated PowerShell, run:

Set-ExecutionPolicy RemoteSigned

This prevents "not digitally signed" errors during the import. If the command is rejected, you probably do not have admin privileges. Either use an elevated PowerShell or ask your network administrator to enable it for you.

To make the actual connection, run these in a regular PowerShell:

$cred = Get-Credential

Then:

$office365 = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic -AllowRedirection

And:

Import-PSSession $office365

This imports several modules, adding the required cmdlets to your session. When it completes without errors, the Exchange management cmdlets are available. They are roughly the same as on an on-premises Exchange server.

Almost finished. Do:

Enable-OrganizationCustomization

(This makes a number of changes to the tenant configuration and can take a while.)

Finally, run the actual command to grant the permission:

New-RoleGroup -Name "DynamicSignature" -Roles "ApplicationImpersonation","View-Only Recipients" -Members batchpush

To revoke this, you can run:

Remove-RoleGroup -Identity DynamicSignature

You may have other tools available to you, in which case you can use those instead.
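The Office 365 steps above, from execution policy to role group, as one script. This is an added example, not the DSBS documentation's own or the product's code; it assumes the service account is named "batchpush", that you run it in an elevated PowerShell on an admin workstation, and that the session URL and Basic authentication are the ones given on this page. Because Microsoft has since retired Basic authentication for Exchange Online remote PowerShell, the script prefers Connect-ExchangeOnline from the ExchangeOnlineManagement module when that module is installed and falls back to the legacy session otherwise.

```powershell
# Added example (not from the DSBS documentation). Assumptions: service
# account "batchpush"; elevated PowerShell; the ExchangeOnlineManagement
# module may or may not be installed.
$accountName = "batchpush"
$groupName   = "DynamicSignature"

# 1. The Exchange Online cmdlets are loaded over the network, so the policy
#    must allow remotely signed modules. Only relax it when it is stricter
#    than RemoteSigned, and only for the current user, not the whole machine.
$policy = Get-ExecutionPolicy -Scope CurrentUser
if ($policy -in @("Restricted", "AllSigned", "Undefined")) {
    Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
}

# 2. Prompt for the administrator credentials; never store them in the script.
$cred = Get-Credential -Message "Exchange Online administrator"

# 3. Connect. Prefer the current module; otherwise open the legacy session
#    exactly as the page describes.
$office365 = $null
if (Get-Module -ListAvailable -Name ExchangeOnlineManagement) {
    Connect-ExchangeOnline -Credential $cred -ShowBanner:$false
} else {
    $office365 = New-PSSession -ConfigurationName Microsoft.Exchange `
                               -ConnectionUri https://ps.outlook.com/powershell/ `
                               -Credential $cred -Authentication Basic -AllowRedirection
    Import-PSSession $office365 -DisableNameChecking | Out-Null
}

try {
    # 4. Role groups cannot be created until the organization is customized.
    #    IsDehydrated = $true means it has not been done yet. The step is
    #    one-time and cannot be undone, so skip it when already applied.
    if ((Get-OrganizationConfig).IsDehydrated) {
        Enable-OrganizationCustomization
    }

    # 5. Create the role group unless it already exists, so the script can
    #    be re-run safely.
    if (-not (Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
        New-RoleGroup -Name $groupName `
                      -Roles "ApplicationImpersonation","View-Only Recipients" `
                      -Members $accountName
    }

    # 6. Verify: only the service account should be a member, and the
    #    assignments should show the two roles.
    Get-RoleGroupMember -Identity $groupName | Format-Table Name, RecipientType -AutoSize
    Get-ManagementRoleAssignment -RoleAssignee $groupName |
        Format-Table Name, Role, CustomRecipientWriteScope -AutoSize

    # To revoke later (from the page): Remove-RoleGroup -Identity $groupName
}
finally {
    # 7. Always close the remote session. Open sessions count against the
    #    per-user limit and otherwise linger until they time out.
    if ($office365) {
        Remove-PSSession $office365
    } else {
        Disconnect-ExchangeOnline -Confirm:$false
    }
}
```

The try/finally matters more than it looks: an error halfway through (a typo in the account name, a missing license) would otherwise leave a remote session open with the administrator's credentials bound to it.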

UI Method

a. Create User Account

First, create a regular user account without a mailbox. It does not need any special rights or group membership. You can call this account BatchPush or any other name you prefer. Since it is a system service account, you may want to put it into an OU such as "Users".

If you are using Azure AD (e.g. hybrid), preferably create the account there, because then you do not need to wait for a synchronisation before the account becomes visible in ECP.

b. Assign rights

Using the Exchange Control Panel (ECP), you can now set up this impersonation account.

Go to https://yourexchange/ecp (substitute your own Exchange server name).

Then go to "Permissions" -> "Admin Roles", and choose to add an Admin Role.

Call it "DynamicSignature" and assign it the "ApplicationImpersonation" and "View-Only Recipients" roles.

Then add the member account you created (BatchPush, or whatever you called it).

Then save.

A group with these settings will be created in the "Microsoft Exchange Security Groups" OU.