Troubleshooting permission to create new mailboxes

When configuring the connection to a target server, the connection wizard checks if the provided admin account is assigned either the User management administrator or Global administrator role. If both are missing, the Configuration step shows the following warning message (Fig. 1.):

Admin account is not permitted to create new mailboxes

O365 Migration troubleshooting admin warning
Fig. 1. A warning message informing about the missing management role.

Important

If the program is unable to check the roles assigned to the admin account, it means that the used account does not have the View-Only Configuration role assigned (learn more).

Even if the User management administrator or the Global administrator role is not assigned to the admin account, this will not impact the migration process as long as you are migrating data to the existing mailboxes. However, if you want the program to create new mailboxes on the target server, you need to assign one of them to the used admin account. The program will attempt to assign the User management administrator role automatically (Fig. 2.), as well as other missing roles. Click Yes to proceed.

O365 Migr troubleshooting assign optional roles
Fig. 2. Automatically assigning the missing management role.

If the program is unable to assign the missing roles, it means that the account provided in the Configuration step doesn't have appropriate rights to do so. To assign these roles, you will be asked to enter credentials of an admin user who is assigned the Global administrator role (Fig. 3.). Please also check, if you didn't misspell the entered credentials.

O365 Migration troubleshooting admin cred2
Fig. 3.  Providing credentials of an account that is assigned
the Global administrator role.

Important

If you intend to provide the credentials of a Global administrator account that has the multi-factor authentication enabled, make sure to enter the app password instead of the regular Office 365 password. Otherwise, the program will not be able to use this account to assign the missing roles. Learn more.

Provide a valid UPN and password and click OK. The missing roles will be assigned, and the Configuration step will finish successfully. 

Important

Note that only the credentials specified in the Admin account step are used to connect to the source or target server. Credentials provided in the Configuration step are only used once to assign the missing roles. Therefore, you will not be asked to provide the credentials of other admin users again as long as you use the same admin account for the migration process.

If you don't want the program to assign any roles automatically, you can do it manually, following the steps described in this KB article.

Was this information useful?