How to set impersonation rights manually
Problem:
How to manually manage impersonation rights for an administrator account.
Solution:
Important
Note that the old Office 365 Small Business plans do not allow you to assign impersonation rights manually. The default built-in admin account is the only one that can hold such permissions. Also, the current plans with partial support for Exchange Online services (e.g. for frontline workers) might not support this either. For general information about supported features, consult this table.
If your Microsoft 365/Office 365 plan supports assigning impersonation rights, use the links below to learn how to add impersonation rights to your admin account via:
- PowerShell
- Exchange admin center (applies to Exchange 2013, 2016, 2019, and Office 365 only).
Add impersonation rights using PowerShell
You can perform the following steps using either the Exchange Management Shell or Windows PowerShell. If you have direct access to your Exchange Server or can connect to your server via RDP, it’s easier to use the Exchange Management Shell. If you need to access the server using a client machine, connect to a hosted Exchange server or access Exchange Online, you can remotely connect to Exchange via PowerShell.
If you are using Exchange Server 2007, follow these steps instead.
Check your PowerShell version by typing the following cmdlet:
$PSVersionTable
- An empty response means that you are using version 1.0.
- For versions 2.0 and newer, you should see detailed version information.
- We recommend that you keep PowerShell updated to avoid compatibility problems. To download the newest version of PowerShell, please visit this Microsoft website.
Check if the account in question already has impersonation rights assigned by executing this cmdlet:
Get-ManagementRoleAssignment -RoleAssignee "<account name>" -Role ApplicationImpersonation -RoleAssigneeType user
where <account name> is the name of the administrator account (on the target server) that you want to check.
Add impersonation rights:
New-ManagementRoleAssignment -Name "<impersonation Assignment Name>" -Role ApplicationImpersonation -User "<account name>"
where <impersonation Assignment Name> is the name of your choice for this assignment. Be aware that each assignment should have a unique name. You can omit the Name switch, and a unique assignment name will be created automatically.
If necessary, you can also restrict these impersonation rights so that they apply to a specific group of users. To do so, you first need to define a management scope that includes your AD group:
$ADGroup = Get-DistributionGroup -Identity "<group name>"
New-ManagementScope "<scope name>" -RecipientRestrictionFilter "MemberOfGroup -eq '$($ADGroup.DistinguishedName)'"
where <group name> is the name of your AD group object, and <scope name> is the name of your choice for the new management scope.
Now, modify the existing assignment by using the following cmdlet:
Set-ManagementRoleAssignment "<impersonation Assignment Name>" -CustomRecipientWriteScope "<scope name>"
You can remove impersonation rights with this command, if necessary:
Get-ManagementRoleAssignment -RoleAssignee "<account name>" -Role ApplicationImpersonation -RoleAssigneeType user | Remove-ManagementRoleAssignment
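The steps above combined into one script, as an added example that is not part of this article: it checks for an existing assignment, creates a group-scoped one only if none exists, and then audits every ApplicationImpersonation assignment in the organization so that unscoped (organization-wide) grants stand out. The account, group, scope and assignment names are placeholders, and the script assumes an Exchange Management Shell or remote Exchange/Exchange Online session is already open.

```powershell
# Added example (not the article's own code). Placeholder values below are assumptions.
$AccountName    = 'backup.admin@example.com'    # assumed admin account
$GroupName      = 'Backup-Scope-Users'          # assumed AD/distribution group
$ScopeName      = 'Backup-Impersonation-Scope'  # assumed management scope name
$AssignmentName = 'Backup-Impersonation'        # assumed assignment name (must be unique)

# 1. Check whether the account already holds ApplicationImpersonation.
$existing = Get-ManagementRoleAssignment -RoleAssignee $AccountName `
    -Role ApplicationImpersonation -RoleAssigneeType User -ErrorAction SilentlyContinue

if ($existing) {
    Write-Host "Account already has $(@($existing).Count) ApplicationImpersonation assignment(s)."
} else {
    # 2. Build a recipient scope limited to members of the AD group, so the assignment
    #    cannot be used against mailboxes outside that group.
    $adGroup = Get-DistributionGroup -Identity $GroupName
    if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
        New-ManagementScope -Name $ScopeName `
            -RecipientRestrictionFilter "MemberOfGroup -eq '$($adGroup.DistinguishedName)'" | Out-Null
    }

    # 3. Create the assignment with the custom write scope applied from the start,
    #    instead of granting it unscoped and narrowing it afterwards.
    New-ManagementRoleAssignment -Name $AssignmentName -Role ApplicationImpersonation `
        -User $AccountName -CustomRecipientWriteScope $ScopeName | Out-Null
    Write-Host "Created scoped assignment '$AssignmentName' for $AccountName."
}

# 4. Audit: list every ApplicationImpersonation assignment and flag those without a
#    custom recipient write scope, i.e. assignments that apply to the whole organization.
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Select-Object Name, RoleAssignee, RoleAssigneeType,
        @{ n = 'WriteScope'; e = {
            if ($_.CustomRecipientWriteScope) { $_.CustomRecipientWriteScope } else { $_.RecipientWriteScope } } },
        @{ n = 'Unscoped'; e = { -not $_.CustomRecipientWriteScope } } |
    Sort-Object Unscoped -Descending |
    Format-Table -AutoSize
```

Review the audit output periodically; an unscoped ApplicationImpersonation assignment on an account that only needs access to a subset of mailboxes should be narrowed with Set-ManagementRoleAssignment as shown in the article.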
To add impersonation rights in Exchange 2007, open the Exchange Management Shell and execute the following commands:
Get-ExchangeServer |
    where { $_.IsClientAccessServer -eq $true } |
    where { $_.IsValid -eq $true } |
    where { $_.IsExchange2007OrLater -eq $true } |
    where { $_.AdminDisplayVersion.Major -eq 8 } |
    ForEach-Object { Add-ADPermission -Identity $_.DistinguishedName -User (Get-User -Identity <account name> | Select-Object).Identity -AccessRights GenericRead, GenericWrite -ExtendedRights Send-As, Receive-As, ms-Exch-Store-Admin, ms-Exch-EPI-Impersonation -InheritanceType All }
Get-MailboxDatabase |
    ForEach-Object { Add-ADPermission -Identity $_.DistinguishedName -User (Get-User -Identity <account name> | Select-Object).Identity -ExtendedRights ms-Exch-EPI-May-Impersonate }
where <account name> is the name of the administrator account to whom you want to assign the impersonation rights.
Add impersonation rights in Exchange admin center (EAC)
On-premises Exchange server
- Log in to Exchange admin center (https://localhost/ecp).
- Go to Permissions > admin roles (Fig. 1.) and edit the Discovery Management role by double-clicking it.
Fig. 1. How to add the right roles and users.
- Add the role ApplicationImpersonation and add your admin user as the group member (Fig. 2.).
Fig. 2. How to add the right roles and users.
Exchange Online (Office 365)
- Sign in to the Exchange admin center.
- Go to Roles > Admin roles and select Discovery Management from the role group list (Fig. 3.).
Fig. 3. Opening the Discovery Management role group for editing.
- In the pane that opens, go to the Permissions tab and select the ApplicationImpersonation role. Click Save to submit changes (Fig. 4.).
Fig. 4. Adding a new role to the Discovery Management role group.
- Go to the Assigned tab and click Add to assign admin users to this role group. When the users are assigned, close the pane (Fig. 5.).
Fig. 5. Adding members to the role group.
See also:
Related products: | CodeTwo Backup for Exchange, CodeTwo Backup for Office 365, CodeTwo Email Signatures for Email Clients, CodeTwo Exchange Migration, CodeTwo Office 365 Migration |
Categories: | How-To |
Last modified: | October 24, 2022 |
Created: | August 26, 2013 |
ID: | 285 |