Exchange, Impersonation and RBAC in a multi-forest scenario

The other day I was asked for help by a team that is responsible for an application. They needed the ApplicationImpersonation role for specific mailboxes. After we had clarified the legal and data-protection part, we moved on to implementing the technical part in a POC.

The goal was to assign the ApplicationImpersonation role to a specific group in a trusted forest (let’s call it ) for mailboxes in the forest where Exchange was installed (let’s call it ), but only for mailboxes with a specific value in an attribute. That restriction is what a CustomRecipientWriteScope is for.

First thought: okay, this is not too hard.

First, a Universal group was created in the forest
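The Exchange Management Shell steps behind the goal described above (a universal security group, a management scope keyed on a mailbox attribute, and an ApplicationImpersonation assignment limited by that scope), as an added example that is not part of the original post. All names are placeholders: the group `APP-Impersonation-USG`, the scope `ImpersonationTargets`, the assignment `AppImpersonation-Scoped`, and the marker `CustomAttribute1 -eq 'AllowImpersonation'` are assumptions, as is the OU in which the group is created. The example also assumes the group lives in the Exchange forest; if the group must stay in the trusted forest, Exchange's documented route is a linked role group (`New-RoleGroup` with `-LinkedForeignGroup`, `-LinkedDomainController` and `-LinkedCredential`) rather than passing a foreign group to `-SecurityGroup`.

```powershell
# Added example, not code from the original post. Placeholder names below are assumptions.
# Run in the Exchange Management Shell on a server in the Exchange forest; the first step
# additionally needs the ActiveDirectory module (RSAT).

$Group      = 'APP-Impersonation-USG'          # assumed universal security group
$GroupOU    = 'OU=ServiceGroups,DC=example,DC=local'  # assumed OU
$ScopeName  = 'ImpersonationTargets'           # assumed scope name
$Assignment = 'AppImpersonation-Scoped'        # assumed assignment name
$Marker     = "CustomAttribute1 -eq 'AllowImpersonation'"  # assumed attribute/value (OPATH filter)

# 1. The group must be a *universal security* group for RBAC to accept it as assignee.
Import-Module ActiveDirectory
New-ADGroup -Name $Group -GroupScope Universal -GroupCategory Security -Path $GroupOU

# 2. The recipient scope: only recipients matching the filter are in scope.
#    -RecipientRestrictionFilter takes an OPATH filter string.
New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $Marker

# 3. The assignment: ApplicationImpersonation for the group, write scope limited to step 2.
#    Without -CustomRecipientWriteScope the assignment would cover every mailbox in the org.
New-ManagementRoleAssignment -Name $Assignment `
    -Role ApplicationImpersonation `
    -SecurityGroup $Group `
    -CustomRecipientWriteScope $ScopeName

# 4. Verification.
# 4a. Preview which recipients the scope actually matches (catches a wrong attribute or value).
Get-Recipient -RecipientPreviewFilter (Get-ManagementScope $ScopeName).RecipientFilter |
    Select-Object Name, PrimarySmtpAddress, CustomAttribute1

# 4b. Confirm the group holds no second, unscoped ApplicationImpersonation assignment
#     (an entry with RecipientWriteScope 'Organization' would silently widen the permission).
Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $Group |
    Format-Table Name, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
```

Because the scope is evaluated against the attribute at impersonation time, anyone who can write `CustomAttribute1` on mailboxes effectively controls who can be impersonated; that write permission deserves the same review as the role assignment itself.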

