How to set impersonation rights manually
How to manually manage impersonation rights for an administrator account.
Use the links below to learn how to add impersonation rights to your admin account via:
- Windows PowerShell
- Exchange admin center (applies to Exchange 2013, 2016, 2019, and Office 365 only).
- Run Windows PowerShell.
Check your PowerShell version by typing the following cmdlet:
- An empty response means that you are using version 1.0.
- For versions 2.0 and newer, you should see a detailed answer.
- We recommend that you keep PowerShell updated to avoid compatibility problems. To download the newest version of PowerShell, please visit this Microsoft website.
- If your Exchange server is in a remote location (for example, it is hosted) or you are connecting to Office 365 (Exchange Online), learn how to connect to remote Exchange via PowerShell. To manage permissions locally (if you have an on-premises Exchange server or if you are logged on to a remote Exchange server via Remote Desktop, etc.) execute the commands below in Exchange Management Shell.
Check if the account in question already has impersonation rights assigned by executing this cmdlet:
Get-ManagementRoleAssignment -RoleAssignee "<account name>" -Role ApplicationImpersonation -RoleAssigneeType userwhere <account name> is the name of the administrator account (on the target server) that you want to check.
Add impersonation rights:
New-ManagementRoleAssignment -Name:<impersonation Assignment Name> -Role:ApplicationImpersonation -User: "<account name>"where <impersonation Assignment Name> is the name of your choice for this assignment. Be aware that each assignment should have a unique name. You can omit the Name switch, and a unique assignment name will be created automatically.
If necessary, you can also restrict these impersonation rights so that they apply to a specific group of users. To do so, you first need to define a management scope that includes your AD group:
$ADGroup = Get-DistributionGroup -Identity "<group name>" New-ManagementScope "<scope name>" -RecipientRestrictionFilter "MemberOfGroup -eq '$($ADGroup.DistinguishedName)'"where <group name> is the name of your AD group object, and <scope name> is the name of your choice for the new management scope.
Now, modify the existing assignment by using the following cmdlet:
Set-ManagementRoleAssignment "<impersonation Assignment Name>" -CustomRecipientWriteScope "<scope name>"
You can remove impersonation rights with this command, if necessary:
Get-ManagementRoleAssignment -RoleAssignee "<account name>" -Role ApplicationImpersonation -RoleAssigneeType user | Remove-ManagementRoleAssignment
Open Exchange admin center:
in Office 365: log in to your Microsoft Office 365 admin center (Office 365 admin center) as an admin and choose Admin centers > Exchange from the menu on the left.
in Exchange 2013, 2016, and 2019: log in to Exchange admin center (https://localhost/ecp).
Go to Permissions > admin roles (Fig. 1.) and edit the Discovery Management role by double-clicking it:
- Add the role ApplicationImpersonation and add your admin user as the group member (Fig. 2.).
Note that according to Microsoft, in the Office 365 Small Business plans impersonation rights cannot be assigned manually. The default built-in admin account is the only one who can hold such permissions.
- Microsoft article on New-ManagementRoleAssignment cmdlet
- How to allow PowerShell to connect to Exchange Server over IP address