Impersonation and delegation in Microsoft Exchange

Impersonation

Setting up Application Impersonation is only required if you are migrating to/from Microsoft Exchange Server. Microsoft 365 uses Modern Authentication which does not require Application Impersonation.

Application Impersonation can be used by CloudM Migrate to impersonate users, so knowledge of their credentials is not required. To set up Application Impersonation using PowerShell, carry out the following steps.

If migrating users to or from BPOS or some hosted Exchange systems, it is not possible to set up Application Impersonation, and either delegated access or the users' passwords must be used for the migration.

To apply the Application Impersonation role to your admin account, run the following command in a PowerShell session on your Exchange server. Replace ADMIN with the email address of your admin user.

New-ManagementRoleAssignment -Name "CloudMMigrateImpersonation" -Role "ApplicationImpersonation" -User ADMIN
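The command above grants the role against every mailbox in the organization. As an added example (not part of CloudM's documentation), the following script limits the assignment to the mailboxes being migrated with a management scope, verifies who can now impersonate, and shows the cleanup to run once the migration is finished. The scope name, the CustomAttribute1 filter and the admin address are assumptions; adjust them to your environment.

```powershell
# Added example: scoped ApplicationImpersonation assignment with verification and cleanup.
# The names below are placeholders (assumed), not values from the CloudM article.
$Admin          = "migrate.admin@contoso.example"
$AssignmentName = "CloudMMigrateImpersonation"
$ScopeName      = "CloudMMigrateScope"

# 1. Restrict impersonation to the mailboxes actually being migrated
#    (here: mailboxes tagged via CustomAttribute1) rather than the whole organization.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName `
        -RecipientRestrictionFilter { CustomAttribute1 -eq "MigrationWave1" }
}

# 2. Assign the role to the migration account, limited to that scope.
New-ManagementRoleAssignment -Name $AssignmentName `
    -Role "ApplicationImpersonation" `
    -User $Admin `
    -CustomRecipientWriteScope $ScopeName

# 3. Verify which accounts can impersonate, and against which scope.
Get-ManagementRoleAssignment -Role "ApplicationImpersonation" -GetEffectiveUsers |
    Select-Object Name, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize

# 4. After the migration, remove the assignment and scope so the right does not linger.
#    Uncomment when the migration is complete.
# Remove-ManagementRoleAssignment -Identity $AssignmentName -Confirm:$false
# Remove-ManagementScope -Identity $ScopeName -Confirm:$false
```

Run step 3 again after cleanup to confirm the migration account no longer appears in the output.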

Exchange 2007

  • Start the Exchange PowerShell Console
  • Run the following two commands in the PowerShell session, replacing ADMIN_EMAIL with the email address of the user you will use to perform migrations

Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity ADMIN_EMAIL | select-object).identity -ExtendedRights ms-Exch-EPI-Impersonation}

Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User ADMIN_EMAIL -ExtendedRights ms-Exch-EPI-May-Impersonate}

Delegation

To set up delegated access, do the following:

  1.  Choose or create a user that will be given delegated access to all mailboxes.
  2.  Start an elevated PowerShell session on your Exchange server.
  3.  Run the following command in the PowerShell session, replacing ADMIN with the user that will perform the migration:

    Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'ADMIN')} | Add-MailboxPermission -User ADMIN -AccessRights fullaccess -InheritanceType all

Enabling Basic Authentication

It is often useful to enable Basic authentication for the Exchange Web Services endpoint, because with NTLM you must be logged into the workstation running the migration tool as the migration admin user. Run the following to enable Basic authentication, replacing the name of the site if required.

Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -BasicAuthentication $true