{"id":1903,"date":"2018-11-27T01:00:00","date_gmt":"2018-11-27T01:00:00","guid":{"rendered":"http:\/\/inswwdev.azurewebsites.net\/au\/insights\/uncategorized\/application-impersonation-o365-and-email-archive-migrations\/"},"modified":"2024-09-11T07:53:24","modified_gmt":"2024-09-11T07:53:24","slug":"application-impersonation-o365-and-email-archive-migrations","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/nz\/insights\/geek-speak\/migrations\/application-impersonation-o365-and-email-archive-migrations\/","title":{"rendered":"Application Impersonation \u2013 O365 and Email Archive Migrations"},"content":{"rendered":"

For email archive migrations one of the pre-requisites are accounts with the application impersonation role.  Application Impersonation is a management role within Office365 (O365) enabling applications to impersonate users so actions can be performed on their behalf using EWS.<\/p>\n

Within O365 there are two ways to set this up: via the O365 GUI or via PowerShell.<\/p>\n

Migration account(s)<\/strong><\/p>\n

Create the migration account(s) via your normal process and set the password not to expire. Although this is not actually required to assign the role, setting the password to expire it will mean that once the account details are added into the migration tool you will not be needing to update them every 30,60,90 days depending on your policy. Having to update the credentials repeatedly could cause delays in the migration project.<\/p>\n

Assigning role via the GUI<\/strong><\/p>\n

In the Exchange admin center, under permissions, admin roles.<\/p>\n

\"\"<\/p>\n

Click the + to add a new role group, give it a name and description then add the ApplicationImpersonation role to it. Finally add the members which will be the accounts (that you created earlier) you want to assign this role to and click save.<\/p>\n

\"\"<\/p>\n

When you now look under the admin roles you will see the new admin role and on the right-hand side, you can see the role assigned.<\/p>\n

\"\"<\/p>\n

Assigning role via PowerShell<\/strong><\/p>\n

Connect to your O365 PowerShell (https:\/\/docs.microsoft.com\/en-us\/powershell\/exchange\/exchange-online\/connect-to-exchange-online-powershell\/connect-to-exchange-online-powershell?view=exchange-ps#connect-to-exchange-online-powershell-1<\/a>)<\/p>\n

Creating the role group and assigning the role is done with a single script, replacing the <..> values as shown:<\/p>\n

Syntax<\/strong><\/p>\n

New-RoleGroup -Name <admin role name> -Roles ApplicationImpersonation -Members <UPN for migration accounts><\/p>\n

Example<\/strong><\/p>\n

New-RoleGroup -Name \u201cApplication Impersonation PS Group\u201d -Roles ApplicationImpersonation -Members Migration.Account.PS@nickslab.onmicrosoft.com<\/p>\n

Output<\/strong><\/p>\n

\"\"<\/strong><\/p>\n

You can check the Role Group with this script:<\/p>\n

Syntax<\/strong><\/p>\n

Get-RoleGroup <Role group name><\/p>\n

Example<\/strong><\/p>\n

Get-RoleGroup \u201cApplication Impersonation PS Group\u201d<\/p>\n

Output<\/strong><\/p>\n

In the output, you can see the role assigned the members of the role group<\/p>\n

\"\"<\/p>\n

Confirm that the application impersonation role is working<\/strong><\/p>\n

Browse to <\/span>https:\/\/testconnectivity.microsoft.com\/<\/a><\/strong><\/p>\n