Troubleshooting Exchange/Office 365 administrator's impersonation rights

No matter if you configure EWS connection to source Exchange Server or to source/target Office 365, the second action (test) performed by the program is always granting impersonation rights (Fig. 1.). During this operation, the software checks if the administrator (whose email address was entered in the previous step of the wizard) has application impersonation rights.

Exchange Migration actions EWS
Fig. 1. Actions performed when connecting to a source Exchange Server via EWS. The configuration window for source/target connection to Office 365 looks similar.

If the result is negative (Fig. 2.), the program tries to add such rights for the administrator.

Exchange Migration EWS wizard failure 2
Fig. 2. Failure to grant impersonation rights (this error message looks the same for Office 365 or source Exchange Server connections via EWS).

The wizard's failure to either check or grant impersonation rights may happen because:

In some migration scenarios the wizard fails to either check or grant impersonation rights. This may happen in the case the Admin permissions or role membership on the Exchange Online (Office 365) have been customized e.g. the account has been improperly configured to be RBAC-compliant and now does not meet all requirements.

Aside from the last (rather obvious) case, in other scenarios we strongly recommend to try the below first, to simply rule out wizard imperfections:

  1. Following this Knowledge Base article, check if the admin account has already been granted impersonation rights. If not, grant them manually.
  2. Try the wizard again. Even if it still fails, ignore all errors, click Finish and attempt to normally use the software to migrate.

Only if this does not work, go back to checking all possible reasons. Also, click the Failure link in the wizard window to study the exact error message. A few known errors have been listed below:

  • The server could not be contacted. The LDAP server is unavailable.

This error might be caused by missing impersonation rights. Wizard tries to grant them automatically but when it fails then the above message is shown.

Follow our Knowledge Base article to grant application impersonation rights manually and fix this issue. If the above solution is not helping, try creating a trust relationship between the servers you are migrating.

  • Cannot bind parameter 'Name' to the target.

The error message is produced when the UPN of the user is too long and, therefore, software is not able to check/add impersonation rights properly. Either use a different server domain's admin account with shorter name (global administrator account in the case of Office 365) or add impersonation rights manually using PowerShell.

Was this information useful?