CodeTwo Office 365 Migration takes advantage of the Role Based Access Control (RBAC) permission model to connect to on-premises Exchange server via EWS. RBAC enables assigning different roles to users in order to maintain their access rights or allow them to perform specific tasks. Our program requires the admin accounts used for the migration process to have only the minimum required roles assigned. If these roles are missing, the program will attempt to assign them automatically. Moreover, if you know exactly which roles are needed, you can select an existing account that matches the requirements or create a new one yourself and use this account only for migration.
This article concerns connecting to on-prem Exchange via EWS. When connecting to the source server via MAPI, the used service account needs to fulfill these requirements.
What are roles?
In the Exchange infrastructure, roles specify what a user (and also an administrator) or a user group can do in your organization, i.e. what actions they are allowed to perform or what information they can access. In other words, roles tell us which cmdlets a user can run in PowerShell.
Which roles are used?
The list below shows all the roles that are used in our software to perform a migration:
- ApplicationImpersonation – enables accessing user mailboxes;
- View-Only Configuration – checks what roles are assigned to the users; also checks the configuration of Exchange Server.
When you are configuring a source Exchange connection, you need to select an admin account that will be used to connect to your server. Such an account needs to be assigned all the roles specified above.
Be aware that these are not the only roles that assign appropriate access rights and permissions to perform the above-mentioned actions. The roles listed above are the minimum requirements necessary to run the migration.
The program will always check if the account used to connect to the source Exchange server has all the necessary roles. If not, it will attempt to assign the missing roles, which may require providing credentials of another account that must belong to the Organization Management role group.
You can also create a user account from scratch and assign all the necessary roles to this account yourself.
Hosted Exchange servers
If you want to migrate mailbox data from an Exchange server that is hosted for you by a third-party provider (e.g. Intermedia, Rackspace or GoDaddy), you will need an admin account that is assigned the ApplicationImpersonation role for the mailboxes you want to migrate. Learn more
The role must be assigned before you start the migration process. If you cannot assign the role yourself, ask your provider to assign the role for you.