Management roles

CodeTwo Exchange Migration takes advantage of the Role Based Access Control (RBAC) permission model to connect to both source and target on-premises Exchange servers via EWS. RBAC enables assigning different roles to users in order to maintain their access rights or allow them to perform specific tasks. Our program requires the admin accounts used for the migration process to have only the minimum required roles assigned. If these roles are missing, the program will attempt to assign them automatically. Moreover, if you know exactly which roles are needed, you can select an existing account that matches the requirements or create a new one yourself and use this account only for migration.


This article concerns connecting to on-prem Exchange via EWS. When connecting to the source server via MAPI, the used service account needs to fulfill these requirements.

What are roles?

In the Exchange infrastructure, roles specify what a user (and also an administrator) or a user group can do in your organization, i.e. what actions they are allowed to perform or what information they can access. In other words, roles tell us which cmdlets a user can run in PowerShell.

Which roles are used?

The list below shows all the roles that are used in our software to perform a migration:

  • ApplicationImpersonation – enables accessing user mailboxes;
  • View-Only Recipients – allows viewing users and mailboxes;
  • View-Only Configuration – checks what roles are assigned to the users; also checks the configuration of Exchange Server;
  • Public Folders – enables the program to add administrative permissions to public folders;
  • Mail Recipient Creation and Mail Recipients – create new users and mailboxes.


Be aware that these are not the only roles that assign appropriate access rights and permissions to perform the above-mentioned actions. The roles listed above are the minimum requirements necessary to run the migration.

When you are configuring a source/target Exchange connection, you need to select an admin account that will be used to connect to your server. Such an account needs to be assigned specific roles, depending on whether you are connecting to your source or target environment:

Role Source
on-premises Exchane
on-premises Exchange
ApplicationImpersonation Green tick yes Green tick yes
View-Only Recipients   Green tick yes
View-Only Configuration Green tick yes Green tick yes
Public Folders   Green tick yes(*)
Mail Recipient Creation   Green tick yes(**)
Mail Recipients   Green tick yes(**)

(*) The Public Folders role is optional. You only need to assign it to the admin account if you plan to migrate public folders.

(**) The Mail Recipient Creation and Mail Recipients roles are also optional if you migrate data to existing mailboxes. If you don't have any mailboxes on the target server and you want the program to create them, you need to assign these roles to the admin account.

The program will always check if the accounts used to connect to the source or target server have all the necessary roles. If not, it will attempt to assign the missing roles, which may require providing credentials of another account that must be a member of the Organization Management role group. 

You can also create a user account from scratch and assign all the necessary roles to this account yourself.

Hosted Exchange servers

If you want to migrate mailbox data from an Exchange server that is hosted for you by a third-party provider (e.g. Intermedia, Rackspace or GoDaddy), you will need an admin account that is assigned the ApplicationImpersonation role for the mailboxes you want to migrate. Learn more

The role must be assigned before you start the migration process. If you cannot assign the role yourself, ask your provider to assign the role for you.

In this article

Was this information useful?