How to create an Exchange Server service account (Exchange 2013 & above)


Requirements:

1. Ensure Exchange Web Services (EWS) are enabled on an SSL connection.

  •  Ensure that your Exchange server has a signed SSL certificate from an approved certificate authority.
  •  Ensure that inbound connections are allowed on any firewall on port 433 to your Exchange server.  You can restrict access to specific IP ranges.  These are listed in step 4 of this article:
    Whitelist Ebsta's IP addresses in Salesforce

2. Enable the Exchange Autodiscover service.

3. Enable basic authentication on the Exchange server and the Autodiscover service.


1. Create an Exchange user with a mailbox that will act as the service account.

2. Using Exchange Management Shell, enable the Active Directory extended permission for ms-Exch-EPI-Impersonation on all Client Access servers.*

Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity <ServiceAccountName> | select-object).identity -ExtendedRights ms-Exch-EPI-Impersonation}

3. Enable the Active Directory extended right ms-Exch-EPI-May-Impersonate to give the service account impersonation rights over mailboxes.*

Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User <ServiceAccountName> -ExtendedRights ms-Exch-EPI-May-Impersonate}

* If you receive a pipeline error message, wait a few minutes to let your server process the requests, then re-enter the command.

4. Configure your service account to impersonate the group of users you wish to connect to Ebsta by creating a management scope which defines the filter grouping the Exchange users.

e.g. If all relevant mailboxes have the Department filterable property set to 'InsideSales', replace <RecipientFilter> with Department -eq 'InsideSales'

New-ManagementScope -Name:<DefineExchangeSyncScopeName> -RecipientRestrictionFilter:{<RecipientFilter>}

5. Create a management role assignment that restricts the service account to impersonate only the users you defined in the management scope above.

New-ManagementRoleAssignment -Name:<RoleAssignmentName> -Role:ApplicationImpersonation -User:<ServiceAccountName> -CustomRecipientWriteScope:<DefineExchangeSyncScopeName>

6. Once you have created your service account, you can test the connectivity and the scope at:

https://testconnectivity.microsoft.com/
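
Steps 4 and 5 can be run as one Exchange Management Shell script that previews the filter before granting anything and then checks that the impersonation right is limited to the scope. This is an added example, not Ebsta's own code; the account, scope and assignment names are hypothetical, and the filter is the Department example from step 4.

```powershell
# Added example. All names below are assumptions; replace them with your own.
$ServiceAccount = 'svc-ebsta'                     # hypothetical service account
$ScopeName      = 'EbstaSyncScope'                # hypothetical scope name
$AssignmentName = 'EbstaImpersonation'            # hypothetical assignment name
$Filter         = "Department -eq 'InsideSales'"  # example filter from step 4

# Preview which mailboxes the filter matches before any right is granted.
$inScope = @(Get-Recipient -Filter $Filter -RecipientTypeDetails UserMailbox -ResultSize Unlimited)
if ($inScope.Count -eq 0) {
    throw "Filter '$Filter' matches no mailboxes; correct it before creating the scope."
}
"{0} mailbox(es) will be open to impersonation:" -f $inScope.Count
$inScope | Sort-Object Name | Format-Table Name, PrimarySmtpAddress -AutoSize

# Step 4: management scope built from the filter.
New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $Filter

# Step 5: ApplicationImpersonation restricted to that scope.
New-ManagementRoleAssignment -Name $AssignmentName -Role ApplicationImpersonation `
    -User $ServiceAccount -CustomRecipientWriteScope $ScopeName

# Check: list every ApplicationImpersonation assignment that reaches the
# account (direct or through group membership) and flag any without a
# custom recipient write scope, since those allow impersonation beyond the filter.
$assignments = @(Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $ServiceAccount)
$assignments | Format-Table Name, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

$unscoped = @($assignments | Where-Object { -not $_.CustomRecipientWriteScope })
if ($unscoped.Count -gt 0) {
    Write-Warning ("Assignments without a custom scope: " + ($unscoped.Name -join ', '))
} else {
    "All ApplicationImpersonation assignments for $ServiceAccount are limited to a custom scope."
}
```
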

Once connectivity of your service account has been tested, you are ready to connect your service account to Ebsta and to connect your mailboxes.  Follow the instructions in this article:

Connect an Office 365 or Exchange service account & connect mailboxes to Ebsta