How to set impersonation rights manually

Problem:

How to manually manage impersonation rights for an administrator account.

Solution:

Important

Note that the old Office 365 Small Business plans do not allow you to assign impersonation rights manually; in those plans, the default built-in admin account is the only one that can hold such permissions. Current plans with only partial support for Exchange Online services (e.g. plans for frontline workers) might not support this either. For general information about supported features, consult this table.

If your Microsoft 365/Office 365 plan supports assigning impersonation rights, use the sections below to learn how to add impersonation rights to your admin account via PowerShell or the Exchange admin center (EAC):

Add impersonation rights using PowerShell

You can perform the following steps using either the Exchange Management Shell or Windows PowerShell. If you have direct access to your Exchange Server or can connect to your server via RDP, it’s easier to use the Exchange Management Shell. If you need to access the server using a client machine, connect to a hosted Exchange server or access Exchange Online, you can remotely connect to Exchange via PowerShell.

If you are using Exchange Server 2007, follow these steps instead.

  1. Check your PowerShell version by typing the following cmdlet:

    $PSVersionTable
    • An empty response means that you are using version 1.0.
    • For versions 2.0 and newer, you should see a detailed answer.
    • We recommend that you keep PowerShell updated to avoid compatibility problems. To download the newest version of PowerShell, please visit this Microsoft website.
  2. Check if the account in question already has impersonation rights assigned by executing this cmdlet:

    Get-ManagementRoleAssignment -RoleAssignee "<account name>" -Role ApplicationImpersonation -RoleAssigneeType user
    where <account name> is the name of the administrator account (on the target server) that you want to check.
  3. Add impersonation rights:

    New-ManagementRoleAssignment -Name "<impersonation Assignment Name>" -Role ApplicationImpersonation -User "<account name>"
    where <impersonation Assignment Name> is a name of your choice for this assignment. Be aware that each assignment must have a unique name. You can omit the Name parameter, in which case a unique assignment name is generated automatically.
  4. If necessary, you can also restrict these impersonation rights so that they apply to a specific group of users. To do so, you first need to define a management scope that includes your AD group:

    $ADGroup = Get-DistributionGroup -Identity "<group name>"
    New-ManagementScope "<scope name>" -RecipientRestrictionFilter "MemberOfGroup -eq '$($ADGroup.DistinguishedName)'"
    
    where <group name> is the name of your AD group object, and <scope name> is the name of your choice for the new management scope.

    Now, modify the existing assignment by using the following cmdlet:
    Set-ManagementRoleAssignment "<impersonation Assignment Name>" -CustomRecipientWriteScope "<scope name>"
  5. You can remove impersonation rights with this command, if necessary:

    Get-ManagementRoleAssignment -RoleAssignee "<account name>" -Role ApplicationImpersonation -RoleAssigneeType user | Remove-ManagementRoleAssignment
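Because ApplicationImpersonation lets its holder act as every mailbox within the assignment's recipient scope, it is worth periodically listing who holds it and whether each assignment is limited to a custom scope (step 4) or covers the whole organization. The following audit script is an added example, not part of the original article; it assumes an existing Exchange Management Shell or remote Exchange PowerShell session and uses only the Get-ManagementRoleAssignment cmdlet shown above.

```powershell
# Added example (not from the original article): audit ApplicationImpersonation assignments.
# Assumes you are already connected to Exchange (Exchange Management Shell or a remote session).

function Get-ImpersonationAudit {
    # -GetEffectiveUsers expands role groups, so members who inherit the role
    # through a role group are listed next to direct user assignments.
    $assignments = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers -ErrorAction Stop

    foreach ($a in $assignments) {
        # RecipientWriteScope is 'Organization' when no custom scope restricts the assignment,
        # i.e. the assignee can impersonate every mailbox in the organization.
        $isScoped = ($a.RecipientWriteScope -eq 'CustomRecipientScope') -and $a.CustomRecipientWriteScope

        [pscustomobject]@{
            Assignment    = $a.Name
            RoleAssignee  = $a.RoleAssignee
            AssigneeType  = $a.RoleAssigneeType
            EffectiveUser = $a.EffectiveUserName
            Enabled       = $a.Enabled
            Scope         = if ($isScoped) { $a.CustomRecipientWriteScope } else { $a.RecipientWriteScope }
            Finding       = if ($isScoped) { 'scoped' } else { 'UNSCOPED: can impersonate all mailboxes' }
        }
    }
}

# Report only the assignments that are enabled and not restricted to a custom scope.
function Get-UnscopedImpersonation {
    Get-ImpersonationAudit | Where-Object { $_.Enabled -and $_.Finding -like 'UNSCOPED*' }
}

# Example usage: full report, then the unscoped subset that deserves review.
Get-ImpersonationAudit | Format-Table -AutoSize
Get-UnscopedImpersonation | Format-Table Assignment, EffectiveUser, Scope -AutoSize
```

Any row reported as unscoped that is not a deliberate service account is a candidate for step 4 (adding a management scope) or step 5 (removing the assignment).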

Exchange Server 2007

To add impersonation rights in Exchange 2007, open the Exchange Management Shell and execute the following commands:

Get-ExchangeServer |
    Where-Object { $_.IsClientAccessServer -eq $true -and $_.IsValid -eq $true -and $_.IsExchange2007OrLater -eq $true -and $_.AdminDisplayVersion.Major -eq 8 } |
    ForEach-Object { Add-ADPermission -Identity $_.DistinguishedName -User (Get-User -Identity "<account name>").Identity -AccessRights GenericRead, GenericWrite -ExtendedRights Send-As, Receive-As, ms-Exch-Store-Admin, ms-Exch-EPI-Impersonation -InheritanceType All }

Get-MailboxDatabase |
    ForEach-Object { Add-ADPermission -Identity $_.DistinguishedName -User (Get-User -Identity "<account name>").Identity -ExtendedRights ms-Exch-EPI-May-Impersonate }

where <account name> is the name of the administrator account to whom you want to assign the impersonation rights. 

Add impersonation rights in Exchange admin center (EAC)

On-premises Exchange server

  1. Log in to Exchange admin center (https://localhost/ecp).
  2. Go to Permissions > Admin roles (Fig. 1.) and edit the Discovery Management role group by double-clicking it.

Fig. 1. How to add the right roles and users.

  3. Add the role ApplicationImpersonation and add your admin user as a group member (Fig. 2.).

Fig. 2. How to add the right roles and users.

Exchange Online (Office 365)

  1. Sign in to the Exchange admin center.
  2. Go to Roles > Admin roles and select Discovery Management from the role group list (Fig. 3.).

Fig. 3. Opening the Discovery Management role group for editing.

  3. In the pane that opens, go to the Permissions tab and select the ApplicationImpersonation role. Click Save to submit the changes (Fig. 4.).

Fig. 4. Adding a new role to the Discovery Management role group.

  4. Go to the Assigned tab and click Add to assign admin users to this role group. When the users are assigned, close the pane (Fig. 5.).

Fig. 5. Adding members to the role group.
