How to manually assign management roles
You want to assign only the minimum required management roles to the admin account used to connect to your Exchange on-prem environment.
Since CodeTwo migration tools use the Role Based Access Control (RBAC) permission model, we know exactly which roles need to be assigned to admin accounts that are used to connect to the source and target Exchange servers using EWS. That way, you don’t have to give these accounts more permissions than necessary. Read on to learn more about:
The table below lists all the roles used by the software:
|Mail Recipient Creation||(**)|
|User management role or Global administrator|
(*) The Public Folders role is optional. You only need to assign it to the admin account if you plan to migrate public folders (applies only to Exchange Server 2013 and newer).
(**) The Mail Recipient Creation and Mail Recipients roles are optional if you migrate data to existing mailboxes. If you don't have any mailboxes on the target Exchange server and you want the program to create them, you need to assign these roles to the admin account.
So, for example, if you want to connect to a target on-premises Exchange server, the used admin account must be assigned the following roles: ApplicationImpersonation, View-Only Recipients, View-Only Configuration, and Mail Recipient Creation.
No matter if are using an existing account or creating a new one, it must fulfill these requirements:
- AD user account must be active with UPN address assigned,
- the account must be mailbox-enabled in Exchange.
Get-ManagementRoleAssignment -Role "<RoleName>"
where instead of <RoleName> you need to provide the name of the role, e.g. ApplicationImpersonation. This cmdlet will list all the users assigned the ApplicationImpersonation role.
You need to be logged in as an administrator who belongs to the Organization Management role group to be able to use the cmdlets specified below.
Run Exchange Management Shell and type the following cmdlet:
New-ManagementRoleAssignment -Role "<RoleName>" -User "<UserName>"
where instead of <RoleName> you need to enter a specific role, as provided in the table above, and instead of <UserName> – a valid name or alias of your AD user. For example, if you want to assign the View-Only Configuration role to user Anna White, use the following cmdlet:
New-ManagementRoleAssignment -Role "View-Only Configuration" -User "Anna White"
You can check if the assignment was successful via the following cmdlet:
Get-ManagementRoleAssignment -RoleAssignee "<UserName>"
You can also use this cmdlet to see all the roles assigned to any user. By default, each Exchange user is assigned some roles that begin with My*. They simply allow users to manage their mailboxes.