
How to manually assign management roles

Problem:

You want to assign only the minimum required management roles to the admin account used to connect to your Exchange on-prem environment.

Solution:

Because CodeTwo migration tools connect to Exchange through Exchange Web Services (EWS) and rely on the Exchange Role Based Access Control (RBAC) permission model, the exact set of management roles that the admin accounts for the source and target Exchange servers need is known. You can therefore grant those accounts only the roles listed below instead of giving them more permissions than necessary. This article lists the roles the software uses and shows how to assign and verify them.

The management roles used by CodeTwo migration software

The table below lists all the roles used by the software. "yes" means the role must be assigned to the admin account used for that server; "-" means it is not needed there:

Role                       Source on-premises   Target on-premises
ApplicationImpersonation   yes                  yes
View-Only Recipients       -                    yes
View-Only Configuration    yes                  yes
Public Folders             -                    yes (*)
Mail Recipient Creation    -                    yes (**)
Mail Recipients            -                    yes (**)
User management role       -                    -   (Microsoft 365 admin roles; not
or Global administrator                             used for on-premises Exchange)

(*) The Public Folders role is optional. You only need to assign it to the admin account if you plan to migrate public folders (applies only to Exchange Server 2013 and newer).

(**) The Mail Recipient Creation and Mail Recipients roles are optional if you migrate data to existing mailboxes. If you don't have any mailboxes on the target Exchange server and you want the program to create them, you need to assign these roles to the admin account.

So, for example, if you want to connect to a target on-premises Exchange server into existing mailboxes, the admin account used must be assigned the following roles: ApplicationImpersonation, View-Only Recipients and View-Only Configuration. If the program is also to create the target mailboxes, add Mail Recipient Creation and Mail Recipients; if you migrate public folders, add Public Folders.

Important

Whether you use an existing account or create a new one, it must fulfill these requirements:

  • the AD user account must be enabled and have a user principal name (UPN) assigned,
  • the account must be mailbox-enabled in Exchange.

If you want to check which users are assigned a specific role, use the following cmdlet:

Get-ManagementRoleAssignment -Role "<RoleName>"

where instead of <RoleName> you provide the name of the role, e.g. ApplicationImpersonation. The cmdlet lists every assignment of that role, both to individual users and to role groups. A role group is listed as the group itself, not as its members, so a user who holds the role only through group membership (for example Organization Management) does not appear as a separate entry.

Assigning management roles in Exchange 2019/2016/2013/2010

Important

You need to have full access to your Exchange server and be logged in as an administrator who belongs to the Organization Management role group to be able to use the cmdlets specified below.

Open the Exchange Management Shell and run the following cmdlet:

New-ManagementRoleAssignment -Role "<RoleName>" -User "<UserName>"

where instead of <RoleName> you enter a specific role, as provided in the table above, and instead of <UserName> an identity of your AD user (for example the display name, alias or UPN). For example, if you want to assign the View-Only Configuration role to user Anna White, use the following cmdlet:

New-ManagementRoleAssignment -Role "View-Only Configuration" -User "Anna White"

You can check if the assignment was successful via the following cmdlet:

Get-ManagementRoleAssignment -RoleAssignee "<UserName>"

You can also use this cmdlet to see all the roles assigned to any user. Apart from the roles you assign directly, the output includes the My* roles that every mailbox user receives through the default role assignment policy; these only let users manage their own mailbox settings and do not need to be removed.
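The whole procedure in one script, as an added example (not a CodeTwo script): it checks the account prerequisites from the Important box, assigns only the roles from the table for the chosen server (source or target), skips roles the account already holds, verifies the result, and finally lists everyone who effectively holds ApplicationImpersonation, which also answers the "which users are assigned a specific role" question above. The account name is hypothetical, and the -Name prefix for the assignments and the opt-in switches for the optional roles are choices of this example, not requirements of the software.

```powershell
# Added example (not a CodeTwo script): grant a migration admin account only the roles
# from the table above, skip roles it already holds, and verify the result.
# Run in the Exchange Management Shell as a member of Organization Management.
# Assumptions: the account name below is hypothetical; $Scenario picks the table column;
# the optional roles are opt-in switches because they are only needed for mailbox
# creation (**) and public folder migration (*).
param(
    [string]$Account = 'migration.admin@contoso.local',   # hypothetical UPN
    [ValidateSet('SourceOnPrem', 'TargetOnPrem')]
    [string]$Scenario = 'TargetOnPrem',
    [switch]$CreateMailboxes,       # (**) target only
    [switch]$MigratePublicFolders   # (*)  target only, Exchange 2013 and newer
)

# Required roles per column of the table in this article.
$required = @('ApplicationImpersonation', 'View-Only Configuration')
if ($Scenario -eq 'TargetOnPrem') {
    $required += 'View-Only Recipients'
    if ($CreateMailboxes)      { $required += 'Mail Recipient Creation', 'Mail Recipients' }
    if ($MigratePublicFolders) { $required += 'Public Folders' }
}

# Prerequisites from the "Important" box: enabled AD account with a UPN, mailbox-enabled.
$user = Get-User -Identity $Account -ErrorAction Stop
if (-not $user.UserPrincipalName) { throw "$Account has no UPN assigned." }
if ($user.AccountDisabled)        { throw "$Account is disabled in Active Directory." }
if (-not (Get-Mailbox -Identity $Account -ErrorAction SilentlyContinue)) {
    throw "$Account is not mailbox-enabled."
}

# Assign each missing role directly to the user; existing assignments (direct or
# inherited through a role group) are left alone.
foreach ($role in $required) {
    $existing = Get-ManagementRoleAssignment -Role $role -RoleAssignee $Account -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "OK      $role already assigned"
        continue
    }
    # -Name is optional; a fixed prefix makes the assignments easy to find and remove
    # (Remove-ManagementRoleAssignment) once the migration is finished.
    New-ManagementRoleAssignment -Role $role -User $Account `
        -Name "Migration-$role-$($user.SamAccountName)" | Out-Null
    Write-Host "ADDED   $role"
}

# Verify: every required role is present, and flag any direct assignment outside the list
# (the My* roles come from the default role assignment policy, not from a direct assignment,
# so they are not reported here).
$assignments = @(Get-ManagementRoleAssignment -RoleAssignee $Account)
$have = $assignments | ForEach-Object { [string]$_.Role }
$missing = $required | Where-Object { $have -notcontains $_ }
if ($missing) { throw "Still missing: $($missing -join ', ')" }

$assignments |
    Where-Object { $_.RoleAssigneeType -eq 'User' -and ($required -notcontains ([string]$_.Role)) } |
    ForEach-Object { Write-Warning "Direct assignment outside the minimum set: $($_.Role) ($($_.Name))" }

# Audit the other way round: who can impersonate mailboxes? -GetEffectiveUsers expands
# role groups, so members who inherit the role through a group are listed as well,
# not only the direct assignees that a plain -Role query shows.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeType, RoleAssigneeName, Name |
    Format-Table -AutoSize
```

Run it as .\Assign-MigrationRoles.ps1 -Account <UPN> -Scenario SourceOnPrem for the source server, and with -Scenario TargetOnPrem plus -CreateMailboxes and/or -MigratePublicFolders for the target. The closing audit is worth running periodically regardless of the migration: ApplicationImpersonation lets an account act as any mailbox in the organization, so every name in that list should be accounted for.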
