Skip to main content
  1. CloudM
  2. Migrate
  3. Perform a Migration
  4. Configure your Connections
  5. Connection Setup
  6. Environment Configuration Guides

Setting up Application Impersonation for Microsoft Exchange

Updated

Application Impersonation allows CloudM Migrate to access user mailboxes without needing to know individual user passwords. This permission is granted to a specific administrative account, which then "impersonates" users to read and write data during the migration.

This setup is required when migrating to or from an on-premises Microsoft Exchange Server (2007, 2010, 2013, 2016, 2019).

  • For Microsoft 365: Application Impersonation is not required. Microsoft 365 uses Modern Authentication (OAuth 2.0), which is a different process.
  • For Hosted Exchange/BPOS: If you are migrating from certain hosted Exchange environments, you may not have the necessary permissions to configure Application Impersonation. In these cases, you must use either the individual user credentials or delegated admin access.

Prerequisites

  • You must have administrative access to your Microsoft Exchange Server.
  • You must run these commands in the Exchange Management Shell on your Exchange Server.

Instructions by Exchange Version

Follow the steps corresponding to your version of Microsoft Exchange Server.

For Exchange 2010, 2013, 2016, and 2019

These newer versions of Exchange use a streamlined command to assign the ApplicationImpersonation role.

  1. Open the Exchange Management Shell.

  2. Run the following PowerShell command. Replace <AdminUserEmail> with the email address of the administrator account you will use for the migration (e.g., migration-admin@company.com).

    New-ManagementRoleAssignment –Name "CloudMImpersonate" –Role "ApplicationImpersonation" –User <AdminUserEmail>

For Exchange 2007

Exchange 2007 requires two separate commands to grant the necessary permissions at the server and database levels.

  1. Start the Exchange Management Shell.

  2. Run the following two commands. In both commands, replace <AdminUserEmail> with the email address of the administrator account you will use for the migration.

    Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity <AdminUserEmail> | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}

    Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User <AdminUserEmail> -ExtendedRights ms-Exch-EPI-May-Impersonate}

Optional: Enable Basic Authentication for EWS

By default, CloudM Migrate can connect using NTLM authentication. However, this requires you to be logged into the computer running the migration tool as the specified migration admin user.

To provide more flexibility, you can enable Basic Authentication on the Exchange Web Services (EWS) virtual directory. This allows the tool to authenticate using a username and password without requiring a specific user session.

  1. In the Exchange Management Shell, run the following command:

    Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -BasicAuthentication $true

    Note: The identity "EWS (Default Web Site)" is the default. If your EWS virtual directory has a different name, replace it in the command.

Was this article helpful?
19 out of 32 found this helpful