How to set impersonation rights manually
How to manually manage impersonation rights for the administrator account.
Add impersonation rights to your admin account via:
- Windows PowerShell (see the section "Add impersonation rights using PowerShell" below),
- EAC (Exchange Admin Center) (see the section "Add impersonation rights using EAC" below; applies to Exchange 2013, 2016 and Office 365 only).
Add impersonation rights using PowerShell
- Run Windows PowerShell.
- Check the PowerShell version by typing the following built-in variable (it is a variable, not a cmdlet) and pressing Enter:
$PSVersionTable
- An empty response means you are using version 1.0, which does not define this variable.
- For versions 2.0 and newer you will see a table listing the PowerShell and CLR versions.
- We recommend keeping PowerShell updated to avoid compatibility problems. The newest version of PowerShell can be downloaded from Microsoft's website.
- If Exchange Server is in a remote location (for example hosted) or you are connecting to Office 365, first establish a remote PowerShell session to Exchange (for Office 365, the ExchangeOnlineManagement module's Connect-ExchangeOnline cmdlet does this). To manage permissions locally (MS Exchange Server on-premises, or when logged on to a remote Exchange server via Remote Desktop, etc.) execute the commands below in the Exchange Management Shell.
Check if the account in question already has impersonation rights assigned:
Get-ManagementRoleAssignment -RoleAssignee "<account name>" -Role ApplicationImpersonation -RoleAssigneeType User
- where <account name> is the name of the administrator account on the target server you want to check. If the cmdlet returns nothing, no direct assignment exists for that account.
Add impersonation rights:
New-ManagementRoleAssignment -Name "<impersonation Assignment Name>" -Role ApplicationImpersonation -User "<account name>"
- where <impersonation Assignment Name> is the name of your choice for this assignment. Be aware that each assignment must have a unique name. You can omit the -Name parameter and a unique assignment name will be created automatically.
- Note that an assignment created this way uses the role's implicit write scope, i.e. the account can impersonate every mailbox in the organization. Treat the account as highly privileged: protect it with a strong credential (and MFA where available), do not share it between applications, and restrict the scope as described next whenever the consuming application only needs a subset of mailboxes.
If necessary, you can restrict these impersonation rights so that they apply to a specific group of users. To do so, you first need to define a management scope that includes your group. The group must be mail-enabled (a distribution group or mail-enabled security group), because Get-DistributionGroup is used to resolve it:
$ADGroup = Get-DistributionGroup -Identity "<group name>"
New-ManagementScope -Name "<scope name>" -RecipientRestrictionFilter "MemberOfGroup -eq '$($ADGroup.DistinguishedName)'"
- where <group name> is the name of your mail-enabled group, and <scope name> is the name of your choice for the new management scope. The scope follows group membership, so adding a user to the group later also puts that user's mailbox within reach of the impersonating account.
Now, modify the existing assignment by using the following cmdlet:
Set-ManagementRoleAssignment -Identity "<impersonation Assignment Name>" -CustomRecipientWriteScope "<scope name>"
Verify the result by running Get-ManagementRoleAssignment again and checking that RecipientWriteScope reads CustomScope and CustomRecipientWriteScope shows your scope name.
You can remove impersonation rights with this command, if necessary:
Get-ManagementRoleAssignment -RoleAssignee "<account name>" -Role ApplicationImpersonation -RoleAssigneeType User | Remove-ManagementRoleAssignment
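The whole PowerShell procedure above, as one script that can be run in an Exchange Management Shell or an already-connected Exchange Online session. This is an added example, not code from the original article or from any vendor: the account name, group name, scope name and assignment name are placeholders, and the group is assumed to be mail-enabled. Unlike the step-by-step version, it creates the assignment already restricted to the custom scope instead of granting organization-wide impersonation first and narrowing it afterwards, and it refuses to create a duplicate assignment.

```powershell
# Added example (not part of the original article). Grants ApplicationImpersonation
# to one account, restricted to the members of one mail-enabled group, then verifies.
# Assumptions: an Exchange Management Shell, or an Exchange Online session opened with
# Connect-ExchangeOnline (ExchangeOnlineManagement module); all names are placeholders.
$Account        = 'svc-impersonation@example.com'    # placeholder account
$GroupName      = 'Impersonation-Targets'            # placeholder, must be mail-enabled
$ScopeName      = 'Impersonation-Targets-Scope'      # placeholder scope name
$AssignmentName = 'ApplicationImpersonation-svc'     # placeholder, must be unique

# 1. Refuse to create a second assignment for an account that already has one.
$existing = Get-ManagementRoleAssignment -RoleAssignee $Account `
    -Role ApplicationImpersonation -RoleAssigneeType User -ErrorAction SilentlyContinue
if ($existing) {
    Write-Warning "$Account already holds ApplicationImpersonation via: $($existing.Name -join ', ')"
    $existing | Format-Table Name, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
    return
}

# 2. Resolve the group and build (or reuse) a scope limited to its members.
$group = Get-DistributionGroup -Identity $GroupName -ErrorAction Stop
$scope = Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue
if (-not $scope) {
    $scope = New-ManagementScope -Name $ScopeName `
        -RecipientRestrictionFilter "MemberOfGroup -eq '$($group.DistinguishedName)'"
}

# 3. Create the assignment with the custom write scope from the start, so the
#    account never has an organization-wide impersonation window.
New-ManagementRoleAssignment -Name $AssignmentName `
    -Role ApplicationImpersonation -User $Account `
    -CustomRecipientWriteScope $ScopeName | Out-Null

# 4. Verify: the assignment exists and its write scope is the custom scope,
#    not the role's implicit (organization-wide) scope.
$check = Get-ManagementRoleAssignment -Identity $AssignmentName -ErrorAction Stop
if ([string]$check.CustomRecipientWriteScope -ne $ScopeName) {
    throw "Assignment '$AssignmentName' is not restricted to scope '$ScopeName'"
}
$check | Format-List Name, Role, RoleAssignee, RecipientWriteScope, CustomRecipientWriteScope

# Rollback, if the assignment is no longer needed (scope removal only succeeds once
# no assignment references it):
# Remove-ManagementRoleAssignment -Identity $AssignmentName -Confirm:$false
# Remove-ManagementScope -Identity $ScopeName -Confirm:$false
```

The verification step matters: if the scope name is mistyped, New-ManagementRoleAssignment fails, but if a later Set-ManagementRoleAssignment call is skipped or reverted the account silently keeps organization-wide impersonation, which is exactly the state the check throws on.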
Add impersonation rights using EAC (Exchange Admin Center)
Log on to Office 365 using the admin account, or log on to the on-premises Exchange Admin Center (https://localhost/ecp when working directly on the Exchange server, otherwise https://<server name>/ecp). In Office 365, access the Exchange tab:
Fig. 1. Exchange Admin Center in Office 365.
Next, go to Permissions, then admin roles and choose Discovery Management by double-clicking it:
Fig. 2. Discovery Management.
- Add the role ApplicationImpersonation to the role group and add your admin user as a member:
Fig. 3. Add correct roles and users.
Note that adding the role to the built-in Discovery Management role group grants impersonation to every current and future member of that group, not only to your admin user. If other administrators belong to Discovery Management, the least-privilege option is to create a dedicated role group (the "+" button on the same admin roles page) that contains only the ApplicationImpersonation role and the intended account.
Please note that according to Microsoft, Office 365 Small Business plans cannot assign impersonation rights manually. The default built-in admin account is the only one that can hold such a permission.
When you add a new role assignment with New-ManagementRoleAssignment, you can specify a built-in role or a custom role created with the New-ManagementRole cmdlet, and you can specify an organizational unit (OU) or a predefined or custom management scope to restrict the assignment.
You can create custom management scopes using the New-ManagementScope cmdlet and view the existing scopes using the Get-ManagementScope cmdlet. If you do not specify an OU or a predefined or custom scope, the implicit write scope of the role applies to the role assignment; for ApplicationImpersonation that means every mailbox in the organization.
For more information about management role assignments, see Microsoft's "Understanding management role assignments" topic.
You need to be assigned permissions before you can run New-ManagementRoleAssignment. Although all parameters for the cmdlet are listed in Microsoft's reference topic, you may not have access to some parameters if they are not included in the permissions assigned to you. To see what permissions you need, see the "Role assignments" entry in the "Role management permissions" topic.