Restricting Promodag Reports permission to a limited group of users

By default, the impersonation role (ApplicationImpersonation) allows the Promodag account to access the contents of all mailboxes in the organization. If you wish to limit this right to a group of mailboxes, follow the additional steps described below.

Create a Management Scope to determine which mailboxes can be accessed by Promodag Reports

Read the Microsoft documentation to see how to create the list of users/mailboxes that can be scanned by Promodag Reports.

For example, run this command if you want to limit the management scope to room and equipment mailboxes only:

New-ManagementScope -Name "PromodagMailboxScope" -RecipientRestrictionFilter {RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "EquipmentMailbox"}

Assign the Management Scope to the impersonation role

Get-RoleGroup -Identity "Promodag Reports Role Group" | fl Name, RoleAssignments

This command lists the role assignments of the role group. If the custom role group is named 'Promodag Reports Role Group', the assignment name returned is 'ApplicationImpersonation-Promodag Reports Role Group'.

Set-ManagementRoleAssignment -Identity "ApplicationImpersonation-Promodag Reports Role Group" -CustomRecipientWriteScope "PromodagMailboxScope"

Get-ManagementRoleAssignment -Identity "ApplicationImpersonation-Promodag Reports Role Group" | FL Name, CustomRecipientWriteScope
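
A check to run after the steps above, as an added example that is not part of the original page or of Promodag's own tooling: it previews which recipients the scope filter matches and lists every ApplicationImpersonation assignment, because an assignment whose write scope is still Organization keeps impersonation rights over all mailboxes. It assumes an Exchange Management Shell or Exchange Online PowerShell session and the scope name and filter used on this page.

```powershell
# Added example (not from the original page). Assumes a connected Exchange
# PowerShell session; names below are the ones used on this page.
$scopeName    = 'PromodagMailboxScope'
$allowedTypes = 'RoomMailbox', 'EquipmentMailbox'   # must mirror the scope filter

# 1. Preview which recipients the scope's filter actually matches.
$scope   = Get-ManagementScope -Identity $scopeName
$inScope = @(Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter -ResultSize Unlimited)
"Scope '{0}' matches {1} recipient(s)" -f $scope.Name, $inScope.Count
$inScope | Group-Object RecipientTypeDetails |
    Select-Object Name, Count | Format-Table -AutoSize

# Any recipient of another type means the filter is broader than intended.
$unexpected = @($inScope | Where-Object { "$($_.RecipientTypeDetails)" -notin $allowedTypes })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) recipient(s) outside the intended types:"
    $unexpected | Format-Table Name, RecipientTypeDetails, PrimarySmtpAddress -AutoSize
}

# 2. List every assignment of the impersonation role, not only the one edited
#    above: role assignments are additive, so one remaining organization-wide
#    assignment to the same account cancels the restriction.
$assignments = @(Get-ManagementRoleAssignment -Role 'ApplicationImpersonation')
$assignments | Format-Table Name, RoleAssigneeName, RecipientWriteScope,
    CustomRecipientWriteScope, Enabled -AutoSize

# 3. Flag enabled assignments that still apply to the whole organization.
$orgWide = @($assignments | Where-Object {
    $_.Enabled -and "$($_.RecipientWriteScope)" -eq 'Organization'
})
if ($orgWide.Count -gt 0) {
    Write-Warning 'ApplicationImpersonation assignments still scoped to the whole organization:'
    $orgWide | Format-Table Name, RoleAssigneeName -AutoSize
} else {
    'No enabled organization-wide ApplicationImpersonation assignment found.'
}
```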