
How to manually assign management roles

Problem:

You want to assign only the minimum required management roles to the admin account used to connect to your Exchange on-prem environment.

Solution:

Since CodeTwo migration tools use the Role Based Access Control (RBAC) permission model of Exchange, we know exactly which management roles need to be assigned to the admin accounts that connect to the source and target Exchange servers via EWS. That way, you don't have to give these accounts more permissions than necessary. Read on to learn which roles the software uses and how to assign them.

The management roles used by CodeTwo migration software

The table below lists all the roles used by the software. A dash means the role is not required for that connection.

Role                                          Source on-premises   Target on-premises
ApplicationImpersonation                      yes                  yes
View-Only Recipients                          -                    yes
View-Only Configuration                       yes                  yes
Public Folders                                -                    yes (*)
Mail Recipient Creation                       -                    yes (**)
Mail Recipients                               -                    yes (**)
User management role or Global administrator  -                    -

(*) The Public Folders role is optional. You only need to assign it to the admin account if you plan to migrate public folders (applies only to Exchange Server 2013 and newer).

(**) The Mail Recipient Creation and Mail Recipients roles are optional if you migrate data to existing mailboxes. If you don't have any mailboxes on the target Exchange server and you want the program to create them, you need to assign these roles to the admin account.

So, for example, if you want to connect to a target on-premises Exchange server, the admin account must always be assigned ApplicationImpersonation, View-Only Recipients and View-Only Configuration. If the program is to create the target mailboxes, add Mail Recipient Creation and Mail Recipients; if you migrate public folders, add Public Folders as well. For a source on-premises server, ApplicationImpersonation and View-Only Configuration are enough.

Important

Whether you use an existing account or create a new one, it must fulfill these requirements:

  • the AD user account must be enabled and have a UPN assigned,
  • the account must be mailbox-enabled in Exchange.

If you want to check which users are assigned a specific role, use the following cmdlet:

Get-ManagementRoleAssignment -Role "<RoleName>"

where instead of <RoleName> you need to provide the name of the role, e.g. ApplicationImpersonation. This cmdlet lists every assignment of that role, whether it was granted to a user directly, to a role group, or through a role assignment policy. To see the individual accounts that hold the role through a role group, add the -GetEffectiveUsers switch.
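ApplicationImpersonation is the most sensitive role in the table, because an account holding it can act as any mailbox within its scope over EWS. The following script is an added example (not part of the original article) that audits who holds a given role, expands role groups to their members, and warns about any account that is not on a list you expect. It assumes an Exchange Management Shell session on the on-premises server; the account name in $Expected is a placeholder for the migration admin account you actually use.

```powershell
# Added example: audit every principal that holds a management role.
# Assumes an Exchange Management Shell session (on-premises Exchange 2010 or newer).
$Role     = "ApplicationImpersonation"
$Expected = @("migration-admin")   # placeholder: account(s) that should hold the role

# All enabled assignments of the role: direct user assignments, role groups,
# universal security groups and role assignment policies.
$assignments = Get-ManagementRoleAssignment -Role $Role -Enabled $true

"Assignments of $Role"
foreach ($a in $assignments) {
    # RoleAssigneeType shows what kind of principal holds the role.
    # An empty RecipientWriteScope means the default (organization-wide) scope,
    # i.e. the holder can impersonate every mailbox in the organization.
    $scope = if ($a.RecipientWriteScope) { $a.RecipientWriteScope } else { "Organization (default)" }
    "{0,-50} {1,-22} scope: {2}" -f $a.Name, $a.RoleAssigneeType, $scope
}

# -GetEffectiveUsers expands role groups/USGs into the individual accounts.
# The placeholder row "All Group Members" that Exchange returns for a group
# itself is filtered out so that only real accounts remain.
$effective = Get-ManagementRoleAssignment -Role $Role -GetEffectiveUsers -Enabled $true |
    Where-Object { $_.EffectiveUserName -ne "All Group Members" } |
    Select-Object -ExpandProperty EffectiveUserName -Unique

"Effective holders of $Role"
$effective

# Least-privilege check: flag any holder that is not on the expected list.
$unexpected = $effective | Where-Object { $Expected -notcontains $_ }
if ($unexpected) {
    Write-Warning ("Accounts holding {0} that are not expected: {1}" -f $Role, ($unexpected -join ", "))
}
```

Run it before the migration to get a baseline and again afterwards to confirm that only the accounts you intended still hold the role; the effective-user list is the one to compare, because a direct assignment list alone hides membership of role groups such as Organization Management.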

Assigning management roles in Exchange 2019/2016/2013/2010

Important

You need to be logged in as an administrator who belongs to the Organization Management role group to be able to use the cmdlets specified below.

Open the Exchange Management Shell and run the following cmdlet:

New-ManagementRoleAssignment -Role "<RoleName>" -User "<UserName>"

where instead of <RoleName> you need to enter a specific role, as provided in the table above, and instead of <UserName> – a valid name or alias of your AD user. For example, if you want to assign the View-Only Configuration role to user Anna White, use the following cmdlet:

New-ManagementRoleAssignment -Role "View-Only Configuration" -User "Anna White"

You can check if the assignment was successful via the following cmdlet:

Get-ManagementRoleAssignment -RoleAssignee "<UserName>"

You can also use this cmdlet to see all the roles assigned to any user. Note that every mailbox user also holds a few roles whose names begin with My* (for example MyBaseOptions) through the default role assignment policy; they only allow users to manage their own mailboxes and are not related to the migration roles listed above.
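The whole procedure for a target on-premises server, combined into one script, as an added example that is not part of the original article or of the CodeTwo software: it builds the role set from the table above depending on whether mailboxes and public folders must be created or migrated, checks the account prerequisites listed in the Important box, assigns only the roles that are still missing, verifies the result, and shows how to remove the assignments again once the migration is finished. It assumes an Exchange Management Shell session as a member of Organization Management; the UPN anna.white@example.com and the assignment name prefix are placeholders.

```powershell
# Added example: assign the minimum role set for a target on-premises Exchange server.
# Run in the Exchange Management Shell as a member of Organization Management.
$User            = "anna.white@example.com"   # placeholder: UPN of the migration admin account
$CreateMailboxes = $true                      # $false if all target mailboxes already exist
$PublicFolders   = $false                     # $true only if public folders are migrated (Exchange 2013+)
$NamePrefix      = "CodeTwo migration"        # placeholder prefix used to name the assignments

# Role set for a target on-premises server, per the table in the article.
$Roles = @("ApplicationImpersonation", "View-Only Recipients", "View-Only Configuration")
if ($CreateMailboxes) { $Roles += "Mail Recipient Creation", "Mail Recipients" }
if ($PublicFolders)   { $Roles += "Public Folders" }

# Prerequisites: the account must be mailbox-enabled, enabled in AD, and have a UPN.
$mbx = Get-Mailbox -Identity $User -ErrorAction Stop      # throws if no mailbox exists
if (-not $mbx.UserPrincipalName) { throw "$User has no UPN assigned" }
$adUser = Get-User -Identity $User -ErrorAction Stop
if ($adUser.AccountDisabled) { throw "$User is disabled in Active Directory" }

# Roles the account already holds, so the script is safe to re-run.
$have = Get-ManagementRoleAssignment -RoleAssignee $User -Enabled $true |
    ForEach-Object { $_.Role.Name }

foreach ($role in $Roles) {
    if ($have -contains $role) {
        "already assigned: $role"
        continue
    }
    # A descriptive -Name makes the assignments easy to find and remove later.
    New-ManagementRoleAssignment -Role $role -User $User `
        -Name "$NamePrefix - $role - $($mbx.Alias)" | Out-Null
    "assigned: $role"
}

# Verify what the account now holds.
Get-ManagementRoleAssignment -RoleAssignee $User |
    Format-Table Name, Role, RoleAssigneeType -AutoSize

# Clean-up after the migration (uncomment to run): remove only the assignments
# created by this script, leaving any other rights of the account untouched.
# Get-ManagementRoleAssignment -RoleAssignee $User |
#     Where-Object { $_.Name -like "$NamePrefix - *" } |
#     Remove-ManagementRoleAssignment -Confirm:$false
```

Removing the assignments when the migration is over is the other half of least privilege: ApplicationImpersonation in particular should not stay on a service account that is no longer used. If the migration only touches a subset of mailboxes, the assignment can additionally be limited with a custom recipient write scope (New-ManagementScope with -RecipientRestrictionFilter, then -CustomRecipientWriteScope on New-ManagementRoleAssignment); that is beyond what the article describes, so test it against the software before relying on it.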