All Collections
Help Articles
External Communications
MS Exchange
Exchange (0365 and Penelope Configuration) - Limited Scope
Exchange (0365 and Penelope Configuration) - Limited Scope

Exchange setup with a Limited Scope

Updated over a week ago

Microsoft has deprecated functionality that Penelope used to rely on, so most email/external communications issues can be resolved by switching to Centralized Email Sending (aka SendGrid!).

It should be noted that the instructions provided here assume a limited scope. For instructions on how to create a default scope click here.

Some steps can be done via the Admin>Setup>Exchange side of 0365, others will need to be done via the Exchange Online PowerShell. It’s important to note that the account being used to perform this configuration must have administrative access/permissions.

To configure O365 Exchange (limited scope) in Penelope you will need:

1. An Admin level account and an Impersonation Account at a minimum in Office 365.

2. A System Administrator account in Penelope.

In this article

  1. Changing from EWS to MS Graph

  2. Exchange Admin - Account Setup

  3. Exchange setup in Penelope

  4. Common issues and Errors

Changing from EWS (Web Services) to MS Graph

Microsoft no longer supports the current EWS (Web Services) method of synchronizing events to MS Exchange/O365. We recommend all customers using Penelope 4.21.1.0 and above use MS Graph to synchronize events with MS Exchange/O365. If you have any questions please contact the Penelope Support Team.

Exchange Admin – Account Setup

1. Log in to Office 365.

2. Select Admin icon which will take you to the Microsoft 365 admin center. The icon should look similar to the one below.

3. From the left-hand side menu click on Users (1) > Active Users (2).

4. Verify that the user’s email address appears in the Active users list.

5. You will also need to check the Mail tab for each user to ensure that they have mailbox permissions. To do this click the Display name of the user, a window will open on the right-hand side of the screen with the Mail tab (see the image in step 6). Click the Mail tab. If the user does not have mailbox permissions a message similar to this will be displayed: “This user doesn’t have an Exchange Online license”. If information about mailbox permissions etc appears then the user has a mailbox.

6. You will need to verify that the following Email apps are included for each user: Authenticated SMTP, Exchange Web Services and Outlook on the web or Outlook Desktop. Select the Active user (1), Select Mail (2) and then select Manage email apps (3).

7. You can now check the Manage email apps list to ensure it includes Authenticated SMTP, Exchange web services and Outlook on the web or Outlook Desktop. If any apps are missing, add them and click Save changes.

8. From the left-hand side menu in the Microsoft 365 admin center click Exchange (a new window will open called Exchange admin center).

9. From the Exchange admin center navigate to recipients > mailboxes and verify that all users appear here as able to receive messages in their mailbox.

10. From the Microsoft 365 admin center create an account with a mailbox to use for the Impersonation account process. This will follow the normal processes for creating users in 0365.

11. Navigate to the Exchange admin center (Admin > Setup > Exchange – see step 8 for help on navigating there). Create a group to use for this purpose.

12. Ensure that the Privacy field is set to Private so that the group is not used for other purposes accidentally.

13. Add the mailboxes/users to the group created in step 10.

14. Obtain the DistinguishedName property for the group that you just created (e.g. LimitedImpersonationRightsGroup in the above screenshots). This will require using the Exchange Online Powershell (for instructions on how to connect to and use this tool, please click here). Enter the following command in the Exchange Online Powershell replacing the xxxx in the command with the name of the group that you created in step 11.


Command:
Get-DistributionGroup -Identity xxxx |fl name, dist*For example:
Get-DistributionGroup -Identity LimitedImpersonationRightsGroup |fl name, dist*

15. You now need to create a Custom Management Scope. This will be used when configuring the Impersonation account permissions. Enter the following command replacing the yyyy with the results from step 12.


Command:
New-ManagementScope -Name “LimitedImpersonationScope” -RecipientRestrictionFilter {MemberOfGroup -eq ‘yyyy’}

For example:
New-ManagementScope RestrictedMigrationScope -RecipientRestrictionFilter {MemberOfGroup -eq ‘CN=AllowImpersonationDistributionGroup,OU=tenantname.onmicrosoft.com,OU=Micrrosoft Exchange Hosted Organizations,DC=EURP193A002,DC=PROD,DC=OUTLOOK,DC=COM’}

16. Add a custom admin role in the Exchange admin centre (Admin > Setup > Exchange > Permissions (see step 8 for information)).

17. Set the Write scope field to use the Custom Management Scope that you created in step 15. Add ApplicationImpersonation in the Roles field.

18. Add the email account created in step 10 to the Members list.


You have now completed all the required configuration in Exchange. Instructions on how to configure Penelope for MS Exchange can be found below.

Penelope – Setup

1. Log in to Penelope using a System Administrator account.

2. Click Agency Setup and navigate to the Setting tab.

3. Set the Use MS Exchange setting to Yes and click Save.

4. Return to the System Administrators My Home (click the home icon on the left-hand side of the screen) page and click MS Exchange.

5. Enter the applicable credentials including an admin level O365 account and click Save. For the admin account ensure that only the first part (minus @domain) is entered.

6. After this is configured perform a test connection. To perform a test connection you need to use an account that is not the impersonation account (e.g. admin account).

7. Log into your Exchange calendar with the account the test was completed with and ensure the message appears in the inbox.

You have now configured Penelope for MS Exchange.

Important Information

For each Worker in Penelope ensure they have their valid O365 email address entered into the Email field in the Contacts section of the Individual Profile.

It is important to note that this field is different than the email address in the Personal Message Settings. The email address entered in the Contacts section must exactly match the email address/username as it appears in 0365.

Common Issues and Errors

Below you will find a list of common issues and errors which occur when configuring O365 with Penelope:

  • Incorrect Credentials in Penelope Setup - Ensure username, password, URL, domain and admin account are correct.

  • Missing Impersonation Permissions for accounts - Ensure the account is set up with AccountImpersonation role and is not a DG group.

  • Missing SMTP mailbox - Ensure the admin account is username only. Ensure Worker accounts match exactly in Penelope and O365. Ensure Worker account, Impersonation account and Admin account have SMTP setup in O365.

  • Impersonation Account or worker accounts are DG groups - DG groups do not have mailboxes. Ensure each account is added as a User and not a Group.

  • Subset of users - The impersonation account can be limited to only have access to add calendar entries for a group of accounts. This is the scope field when adding the admin role in Exchange.

Have a Question?

If you have any further questions or need assistance, please contact the Penelope Support Team.

Related Articles
MS Exchange Setup
Exchange (0365 and Penelope Configuration) - Default Scope
Getting Started with MS Graph Exchange Synchronization
Microsoft Exchange MSGraph Error Messages
Support Scope Guidelines for Penelope
Did this answer your question?