Knowledge Base

Troubleshooting the ApplicationImpersonation role assignment

This article is obsolete and may relate only to older versions of our software.


You want to configure a connection to Office 365 in your CodeTwo migration software; however, the following error message is displayed:

Failed to assign role 'ApplicationImpersonation' to admin account
The command you tried to run isn't currently allowed in your organization. To run the command, you first need to run the command Enable-OrganizationCustomization.



This problem, as well as the solution described below, applies only to CodeTwo Exchange Migration and CodeTwo Office 365 Migration version 3.1.x and older. We recommend updating your CodeTwo migration software to the newest version. Click the links below to download the newest version of:

To be able to access user mailboxes, the ApplicationImpersonation management role needs to be assigned to the admin account used to connect to your Office 365 tenant (source and/or target). Normally, CodeTwo migration software can assign this role automatically. However, in this case, the customization of role assignment policy is blocked by Office 365, even for global admins. To fix this, you first need to run the Enable-OrganizationCustomization cmdlet for your tenant (for further information about this cmdlet, consult the official Microsoft documentation).

To resolve this issue, follow the steps below:

  1. Run ps Windows PowerShell.
  2. Connect to Office 365 using the following commands:
    $cred = Get-Credential
    Import-PSSession (New-PSSession -ConfigurationName Microsoft.Exchange -Credential $cred -ConnectionURI -Authentication Basic -AllowRedirection) -AllowClobber
    Enter your Office 365 global admin credentials when prompted.
  3. Run the command:


    You will only be required to do this once in your Exchange Online organization.

You will now be able to connect to Office 365 with your CodeTwo migration software.

Was this information useful?