Using an Exchange Service Account for Your Connection
Connect meetergo to Microsoft Exchange with a service account and impersonation — no personal passwords required.
For enterprises and organizations, connecting meetergo to Microsoft Exchange with a dedicated service account is the recommended approach. Instead of storing each user's personal password, your IT admin creates one service account with impersonation rights, and meetergo uses it to access the calendars of the users who connect.
This article explains how to set up the service account on the Exchange side and how to use it inside meetergo.
Why use a service account?
- No personal passwords stored — users don't have to share their own credentials with meetergo.
- Centralized control — your IT admin manages one account and can revoke access at any time.
- Password policies — the service account can be excluded from user-level rotation policies that would otherwise break calendar connections.
- Auditing — all Exchange Web Services (EWS) traffic from meetergo is traceable to a single identity.
This setup uses EWS Impersonation, a standard Microsoft Exchange feature supported on Exchange 2013, 2016, 2019, and later on-premise versions.
Step 1 — Create the service account in Exchange
Ask your Exchange administrator to create a regular mailbox-enabled user that will be used only by meetergo. For example:
- Display name: meetergo Service Account
- User Principal Name:
meetergo-service@yourcompany.com - Password: a strong, non-expiring password
Set the password to not expire, or document the rotation process. If the password changes, the meetergo connection will stop working until it is reconnected.
Step 2 — Grant ApplicationImpersonation rights
The service account needs the ApplicationImpersonation RBAC role so it can access the calendars of the users who connect meetergo.
Open the Exchange Management Shell on your Exchange server and run:
New-ManagementRoleAssignment `
-Name "meetergoImpersonation" `
-Role "ApplicationImpersonation" `
-User "meetergo-service@yourcompany.com"
This grants impersonation rights for all mailboxes in the organization. If you want to limit the scope to specific users or a specific department, create a management scope first:
New-ManagementScope `
-Name "meetergoScope" `
-RecipientRestrictionFilter "Department -eq 'Sales'"
New-ManagementRoleAssignment `
-Name "meetergoImpersonation" `
-Role "ApplicationImpersonation" `
-User "meetergo-service@yourcompany.com" `
-CustomRecipientWriteScope "meetergoScope"
Only users covered by the management scope will be able to connect their calendar using this service account. If someone outside the scope tries to connect, meetergo will fail to authorize.
Step 3 — Verify EWS is enabled
Make sure Exchange Web Services (EWS) is reachable and enabled for the service account.
- Confirm the EWS endpoint is reachable from the internet, typically at
https://mail.yourcompany.com/ews/exchange.asmx. - Verify EWS is not blocked by a throttling policy or client access rule for the service account.
- If you use a firewall or reverse proxy, make sure meetergo's outbound IPs can reach your EWS endpoint.
You can test the endpoint by opening it in a browser — it should prompt for credentials and then return an XML response.
Step 4 — Connect in meetergo
Once the service account is ready, each user who wants to sync their calendar follows these steps:
- Log into meetergo and open Profile Settings.
- Next to Microsoft Exchange, click Connect.
- Check the Use service account for enhanced security option.
- Fill in the form:
- User email to access — the email address of the user whose calendar should be synced (the mailbox to impersonate).
- Service account password — the password of the meetergo service account.
- Service account username — the username of the service account (for example,
meetergo-service@yourcompany.comorDOMAIN\meetergo-service). - Exchange server — the full EWS endpoint, for example
https://mail.yourcompany.com/ews/exchange.asmx. Required if Autodiscover is not available from meetergo. - Domain — only needed if your setup uses a separate NetBIOS domain before the username.
- Click Connect.
meetergo will test the connection by fetching a few calendar entries for the target user. If the test succeeds, the connection is saved and the calendar starts syncing.
How impersonation works under the hood
When impersonation is enabled, meetergo authenticates to Exchange with the service account credentials and then tells EWS to act on behalf of the target user's mailbox. Exchange returns the target user's calendar as if the user had logged in directly — but no personal password ever leaves your organization.
Troubleshooting
- "Failed to connect exchange calendar" — the most common cause is that the
ApplicationImpersonationrole is missing or that the target user is outside the configured management scope. Verify the RBAC assignment on the Exchange side. - Autodiscover fails — enter the direct EWS URL in the Exchange server field.
- Connection stops working after a while — the service account password was likely rotated. Reconnect meetergo with the new password.
- Only some users can connect — check whether those users are inside the management scope you configured.
If you're unsure which users are covered by your management scope, your Exchange admin can run Get-ManagementRoleAssignment -Role ApplicationImpersonation to review the active assignments.
Security and privacy
- Service account credentials are transmitted to meetergo over an encrypted TLS connection.
- Passwords are encrypted at rest in an isolated database and decrypted only in memory when EWS requests are made.
- You can revoke access at any time by removing the management role assignment or disabling the service account in Exchange.
Was this article helpful?
Let us know if this article answered your questions.