Setting up Application Impersonation for Exchange or Office 365

Created by Paul Lees (Deactivated)
Last updated: Jan 20, 2020 by Michael Keighery

Application Impersonation can be used by the CloudMigrator to impersonate users so knowledge of the users' credentials is not required. 

Application Impersonation is available on Microsoft Office 365 plan E3 and on Microsoft Exchange 2007 or higher. In order to setup Application Impersonation using PowerShell, the following steps should be carried out.

If migrating users to, or from, Microsoft Office 365 for Small Business, BPOS or many hosted Exchange systems, then it is not possible to setup Application Impersonation and either delegated access or the user’s passwords must be used for the migration.

If your are migrating into an active tenant, or require a to migrate with the least privilege approach, you will also need to create an Exchange Write Scope 

Office 365

Login to the Office 365 Exchange Admin Portal.

Go to Permissions, then under Admin Roles click the '+' symbol to add a new role and enter the Name and Description 'CloudMigratorImpersonation'.

Click the '+' symbol under 'Roles:', select ApplicationImpersonation, click 'add →' then 'OK'

Click the '+' symbol under 'Members:' and select your Admin User, click 'add →' then 'OK'


Click 'Save' in the 'Role Group' window and you will then see the Impersonation role listed in Admin Roles. You can now use application impersonation with your admin user in CloudMigrator.



Exchange 2010/2013/2016

If migrating to or from Exchange 2010+ or Office 365 CloudMigrator can apply impersonation without you having to run PowerShell directly. Go to Tools > Exchange2010/Office 365 and select 'Run Source/Destination Application Impersonation Setup Script'. This will run the commands required to apply Impersonation to your admin user. It can take up to 5 minutes to run and you will receive confirmation in the Powershell window once complete. 

If you cannot run the automatic script then you should run the following command in a powershell session on your Exchange server.  Replace ADMIN with the email address of your admin user.

New-ManagementRoleAssignment –Name "CloudMigratorImpersonation" –Role "ApplicationImpersonation" –User ADMIN

Enabling Basic Authentication

It often useful to enable Basic authentication for the Exchange Web Services endpoint, as to use Ntlm you must be logged into the workstation running the migration tool as the migration admin user. Run the following to enable Basic authentication, replacing the name of the site if required.

Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -BasicAuthentication $true

If migrating to or from Office 365, Basic authentication is already enabled

Exchange 2007

  • Start the Exchange PowerShell Console
  • Run the following commands in the PowerShell session, replacing the admin email with the email address of the user you will use to perform migrations
     
Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity ADMIN_EMAIL | select-object).identity -extendedRight ms-Exch-EPI-Impersonation} 
Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User ADMIN_EMAIL -ExtendedRights ms-Exch-EPI-May-Impersonate}