Setting up Application Impersonation is only required if you are using Basic Authentication as your Authentication Method AND the platform is on a Microsoft 365 Enterprise Plan.
CloudM recommend using Modern Authentication instead as Basic Authentication is being deprecated by Microsoft.
Application Impersonation can be used by CloudM Migrate to impersonate users, so knowledge of the users' credentials is not required.
Application Impersonation is available on Microsoft Office 365 plan E3 and on Microsoft Exchange 2007 or higher. To set up Application Impersonation using PowerShell, carry out the following steps.
If migrating users to, or from, Microsoft Office 365 for Small Business, BPOS or many hosted Exchange systems, it is not possible to set up Application Impersonation, and either delegated access or the users' passwords must be used for the migration.
If you are migrating into an active tenant, or need to migrate with a least-privilege approach, you will also need to create an Exchange Write Scope.
Office 365
Log in to the Office 365 Exchange Admin Portal.
Go to Permissions, then under Admin Roles click the '+' symbol to add a new role and enter the Name and Description 'CloudMMigrateImpersonation'.
Click the '+' symbol under 'Roles:', select ApplicationImpersonation, click 'add →' then 'OK'.
Click the '+' symbol under 'Members:' and select your Admin User, click 'add →' then 'OK'.
Click 'Save' in the 'Role Group' window and you will then see the Impersonation role listed in Admin Roles. You can now use application impersonation with your admin user in CloudM Migrate.
Exchange 2010/2013/2016
If migrating to or from Exchange 2010+ or Office 365, CloudM Migrate can apply impersonation without you having to run PowerShell directly. Go to Tools > Exchange2010/Office 365 and select 'Run Source/Destination Application Impersonation Setup Script'. This will run the commands required to apply Impersonation to your admin user. It can take up to 5 minutes to run and you will receive confirmation in the PowerShell window once complete.
If you cannot run the automatic script, run the following command in a PowerShell session on your Exchange server. Replace ADMIN with the email address of your admin user.
New-ManagementRoleAssignment -Name "CloudMMigrateImpersonation" -Role "ApplicationImpersonation" -User ADMIN
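The command above grants impersonation over every mailbox. For the least-privilege approach with an Exchange Write Scope mentioned earlier, the following is an added example (not CloudM's own script) that limits the assignment to members of one group and then audits who holds the role. The group name MigrationBatch1, the scope name CloudMMigrateScope and the assignment name CloudMMigrateImpersonationScoped are assumptions for illustration.

```powershell
# Added example: run in the Exchange Management Shell or an Exchange Online PowerShell session.
# Hypothetical names below; replace them with your own values.
$Admin      = 'ADMIN'                            # email address of the migration admin user
$GroupName  = 'MigrationBatch1'                  # assumed group containing the mailboxes to migrate
$ScopeName  = 'CloudMMigrateScope'               # assumed name for the write scope
$AssignName = 'CloudMMigrateImpersonationScoped' # assumed name for the scoped assignment

# 1. Create a write scope that matches only members of the migration group.
#    A MemberOfGroup filter needs the group's distinguished name.
$group = Get-DistributionGroup -Identity $GroupName -ErrorAction Stop
New-ManagementScope -Name $ScopeName `
    -RecipientRestrictionFilter "MemberOfGroup -eq '$($group.DistinguishedName)'"

# 2. Assign ApplicationImpersonation to the admin user, restricted to that scope.
New-ManagementRoleAssignment -Name $AssignName -Role 'ApplicationImpersonation' `
    -User $Admin -CustomRecipientWriteScope $ScopeName

# 3. Audit every regular (non-delegating) holder of the role and the scope applied.
$assignments = Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
    Where-Object { $_.RoleAssignmentDelegationType -eq 'Regular' }
$assignments |
    Format-Table Name, EffectiveUserName, RoleAssigneeName, CustomRecipientWriteScope -AutoSize

# RBAC assignments are additive: an unscoped assignment for the same user
# (such as the one created by the command above) overrides the restriction.
$unscoped = $assignments | Where-Object { -not $_.CustomRecipientWriteScope }
if ($unscoped) {
    Write-Warning 'Unscoped ApplicationImpersonation assignments found:'
    $unscoped | Select-Object -Unique Name, EffectiveUserName | Format-Table -AutoSize
}

# 4. Once the migration is finished, remove the assignment and the scope.
# Remove-ManagementRoleAssignment -Identity $AssignName -Confirm:$false
# Remove-ManagementScope -Identity $ScopeName -Confirm:$false
```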
Enabling Basic Authentication
It is often useful to enable Basic authentication for the Exchange Web Services endpoint, because to use NTLM you must be logged into the workstation running the migration tool as the migration admin user. Run the following to enable Basic authentication, replacing the name of the site if required.
Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -BasicAuthentication $true
If migrating to or from Office 365, Basic authentication is already enabled.
Exchange 2007
- Start the Exchange PowerShell Console.
- Run the following commands in the PowerShell session, replacing ADMIN_EMAIL with the email address of the user you will use to perform migrations.
Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity ADMIN_EMAIL | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}
Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User ADMIN_EMAIL -ExtendedRights ms-Exch-EPI-May-Impersonate}