This manual refers to an old version of CodeTwo Office 365 Migration. Go here if you use the latest version.

Management roles

CodeTwo Office 365 Migration takes advantage of the Role Based Access Control (RBAC) permission model to connect to both source and target servers via EWS. RBAC enables assigning different roles to users in order to maintain their access rights or allow them to perform specific tasks. Our program requires the admin accounts used for the migration process to have only the minimum required roles assigned. If these roles are missing, the program will attempt to assign them automatically. Moreover, if you know exactly which roles are needed, you can select an existing account that matches the requirements or create a new one yourself, and use this account only for migration.


This article concerns the connection via EWS. When connecting to the source server via MAPI, the used service account needs to fulfill these requirements.

What are roles?

In the Exchange infrastructure, roles specify what a user (and also an administrator) or a user group can do in your organization, i.e. what actions they are allowed to perform or what information they can access. In other words, roles tell us which cmdlets a user can run in PowerShell.

Which roles are used?

The list below shows all the roles that are used in our software to perform a migration:

  • ApplicationImpersonation – enables accessing user mailboxes;
  • View-Only Recipients – allows viewing users and mailboxes;
  • View-Only Configuration – checks what roles are assigned to the users; also checks the configuration of Exchange Server;
  • Public Folders – enables the program to add administrative permissions to public folders;
  • User management administrator/Global administrator* – creates new users and mailboxes (not required when migrating data to existing mailboxes).

* Both the User management administrator and Global administrator roles allow you to create new mailboxes. However, the admin account used to connect to the source or target server needs to be assigned only one of them. If you are creating an account for the sole purpose of conducting the migration process and don't want to give it too much control over your Office 365 tenant, we recommend using the User management administrator role.


Be aware that these are not the only roles that assign appropriate access rights and permissions to perform the above-mentioned actions. The roles listed above are the minimum requirements necessary to run the migration.

When you configure the source/target connection, you need to select an admin account that will be used to connect to your source/target server. Such an account needs to be assigned specific roles, depending on whether you are connecting to your source or target environment:

Role Source
Office 365
Office 365
ApplicationImpersonation tic yes tic yes tic yes
View-Only Recipients   tic yes tic yes
View-Only Configuration tic yes tic yes tic yes
Public Folders     tic yes(*)
User management administrator/Global administrator     tic yes(**)

(*) The Public Folders role is optional. You only need to assign it to the admin account if you plan to migrate public folders.

(**) The User management administrator/Global administrator role is also optional if you migrate data to existing mailboxes. If you don't have any mailboxes on the target server and you want the program to create them, you need to assign one of these roles to the admin account.


Keep in mind that the program will always check if the accounts used to connect to the source or target server have all the necessary roles. If not, it will attempt to assign the missing roles, which may require providing credentials of another account. This account must be assigned the Global administrator role (or must belong to the Organization Management role group if you're configuring a connection to the source Exchange server via EWS).

You can also create a user account from scratch and assign all the necessary roles to this account yourself.

Was this information useful?