Using Impersonation with Exchange & Office 365
Forensic Email Collector allows you to acquire end-user mailboxes using centralized credentials. This makes it possible to preserve emails from a large number of custodians in an organization without having to track each user down for authentication. FEC provides two options for Exchange / O365:
1. Delegation (you can read more about delegation here)
2. Impersonation
The following article from the MSDN archive summarizes the differences between delegation and impersonation:
Exchange Impersonation vs. Delegate Access
Perhaps the most important distinction is that delegate access is configured at the mailbox level. That is, the centralized account is given full access rights to the target mailboxes. If a new mailbox is created, it needs to be configured for delegate access.
On the other hand, impersonation is configured once by creating a service account and giving it the ApplicationImpersonation role as follows:
1. Visit the Exchange Admin Center
2. Create a new service account
3. Create a new role group (Roles ➫ Admin roles ➫ Add role group)
4. Add the ApplicationImpersonation role to the role group
5. Add the service account you created in #2 above to the new role group
NOTE: If you recently assigned the ApplicationImpersonation role, the new role may take some time to take effect—especially in large organizations. If you receive an error during authentication along the lines of "The account does not have permission to impersonate the requested user", we recommend waiting for half an hour and trying again.
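The same role assignment can be scripted from Exchange Online PowerShell instead of clicking through the Exchange Admin Center. The block below is an added example, not part of the Forensic Email Collector documentation or product; the account name, role-group name, scope name and department filter are placeholders, and it goes one step beyond the procedure above by restricting impersonation to a custodian scope rather than the whole tenant.

```powershell
# Added example (not FEC's own code): grant a dedicated service account the
# ApplicationImpersonation role from Exchange Online PowerShell.
# Assumptions: the ExchangeOnlineManagement module is installed, the operator
# holds a role that can manage RBAC (e.g. Organization Management), and every
# name below is a placeholder to replace for your tenant.

$ServiceAccount = 'svc-fec@contoso.example'   # placeholder: service account UPN
$RoleGroupName  = 'FEC Impersonation'         # placeholder: role-group name
$ScopeName      = 'FEC Custodians'            # placeholder: management scope name

Connect-ExchangeOnline

# Least-privilege refinement (beyond the procedure above): limit impersonation
# to custodian mailboxes instead of every mailbox in the tenant. The filter is
# a placeholder; any supported recipient filter property will do.
New-ManagementScope -Name $ScopeName `
    -RecipientRestrictionFilter { Department -eq 'Legal Hold Custodians' }

# Steps 3, 4 and 5 in one call: create the role group with the
# ApplicationImpersonation role, the custodian scope, and the service account
# as its only member.
New-RoleGroup -Name $RoleGroupName `
    -Roles 'ApplicationImpersonation' `
    -CustomRecipientWriteScope $ScopeName `
    -Members $ServiceAccount `
    -Description 'Forensic Email Collector acquisition service account'

# Verification. RBAC changes can take time to propagate (see the NOTE above),
# so re-run these two checks before starting an acquisition rather than
# retrying the acquisition itself.
Get-RoleGroupMember -Identity $RoleGroupName |
    Select-Object Name, PrimarySmtpAddress
Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName |
    Select-Object Name, Role, CustomRecipientWriteScope, Enabled

# Audit: every assignee that currently holds ApplicationImpersonation, so the
# forensic service account is not forgotten once the engagement ends.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' |
    Select-Object RoleAssigneeName, RoleAssigneeType, CustomRecipientWriteScope

Disconnect-ExchangeOnline -Confirm:$false
```

Remove the role group with `Remove-RoleGroup` when the acquisition is complete. Microsoft has announced the retirement of the ApplicationImpersonation role in Exchange Online, so confirm it is still available in your tenant before relying on this path.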
When acquiring target mailboxes in FEC, you can activate impersonation as follows:
1. Enter the target email address (i.e., the email address of the end-user).
2. If using legacy authentication, enter the credentials of the service account on the connection settings page. This typically applies to on-premises Exchange only—for M365, we recommend using OAuth (see Important Note 1 below).
3. Check the Use Impersonation checkbox. If you do not check the checkbox, FEC will use delegation instead.
4. If you plan to use OAuth authentication, check the Use OAuth 2.0 checkbox and authenticate as the service account.
Important Note 1: Most M365 tenants currently do not allow legacy authentication. Therefore, if you do not use modern authentication (i.e., Use OAuth 2.0), you will receive a 401 (Unauthorized) error.
Important Note 2: If you use a service account without a mailbox for authentication, do not enter that account as your target or include it in your list of acquisition targets. Use the service account only for authentication.
In the above example, we started the acquisition by entering the target account, enduser@metaspike.com, as the target email address. In subsequent steps, a web browser will open for modern authentication and we will authenticate as the service account with the ApplicationImpersonation role.