Management roles

CodeTwo Exchange Migration takes advantage of the Role Based Access Control (RBAC) permission model to connect to both source and target servers via EWS. RBAC enables assigning different roles to users in order to maintain their access rights or allow them to perform specific tasks. Our program requires the admin accounts used for the migration process to have only the minimum required roles assigned. If these roles are missing, the program will attempt to assign them automatically. Moreover, if you know exactly which roles are needed, you can select an existing account that matches the requirements or create a new one yourself, and use this account only for migration.

Info

This article concerns the connection via EWS. When connecting to the source server via MAPI, the used service account needs to fulfill these requirements.

What are roles?

In the Exchange infrastructure, roles specify what a user (and also an administrator) or a user group can do in your organization, i.e. what actions they are allowed to perform or what information they can access. In other words, roles tell us which cmdlets a user can run in PowerShell.

Which roles are used?

The list below shows all the roles that are used in our software to perform a migration:

  • ApplicationImpersonation – enables accessing user mailboxes;
  • View-Only Recipients – allows viewing users and mailboxes;
  • View-Only Configuration – checks what roles are assigned to the users; also checks the configuration of Exchange Server;
  • Public Folders – enables the program to add administrative permissions to public folders;
  • Mail Recipient Creation and Mail Recipients – create new users and mailboxes.

Important

Be aware that these are not the only roles that assign appropriate access rights and permissions to perform the above-mentioned actions. The roles listed above are the minimum requirements necessary to run the migration.

When you configure the source/target connection, you need to select an admin account that will be used to connect to your source/target server. Such an account needs to be assigned specific roles, depending on whether you are connecting to your source or target environment:

Role Source
on-premises
Source
Office 365
Target
on-premises
ApplicationImpersonation tic yes tic yes tic yes
View-Only Recipients   tic yes tic yes
View-Only Configuration tic yes tic yes tic yes
Public Folders     tic yes(*)
Mail Recipient Creation     tic yes(**)
Mail Recipients     tic yes(**)

(*) The Public Folders role is optional. You only need to assign it to the admin account if you plan to migrate public folders.

(**) The Mail Recipient Creation and Mail Recipients roles are also optional if you migrate data to existing mailboxes. If you don't have any mailboxes on the target server and you want the program to create them, you need to assign these roles to the admin account.

Info

Keep in mind that the program will always check if the accounts used to connect to the source or target server have all the necessary roles. If not, it will attempt to assign the missing roles, which may require providing credentials of another account. This account must be a member of the Organization Management role group (or must be a Global administrator if you're configuring a connection to Office 365). 

You can also create a user account from scratch and assign all the necessary roles to this account yourself.

Was this information useful?