Nick Middleton - 27.11.201820181127

Application Impersonation – O365 and Email Archive Migrations

For email archive migrations one of the pre-requisites are accounts with the application impersonation role.  Application Impersonation is a management role within Office365 (O365) enabling applications to impersonate users so actions can be performed on their behalf using EWS.

Within O365 there are two ways to set this up: via the O365 GUI or via PowerShell.

Migration account(s)

Create the migration account(s) via your normal process and set the password not to expire. Although this is not actually required to assign the role, setting the password to expire it will mean that once the account details are added into the migration tool you will not be needing to update them every 30,60,90 days depending on your policy. Having to update the credentials repeatedly could cause delays in the migration project.

Assigning role via the GUI

In the Exchange admin center, under permissions, admin roles.

Click the + to add a new role group, give it a name and description then add the ApplicationImpersonation role to it. Finally add the members which will be the accounts (that you created earlier) you want to assign this role to and click save.

When you now look under the admin roles you will see the new admin role and on the right-hand side, you can see the role assigned.

Assigning role via PowerShell

Connect to your O365 PowerShell (

Creating the role group and assigning the role is done with a single script, replacing the <..> values as shown:


New-RoleGroup -Name <admin role name> -Roles ApplicationImpersonation -Members <UPN for migration accounts>


New-RoleGroup -Name “Application Impersonation PS Group” -Roles ApplicationImpersonation -Members


You can check the Role Group with this script:


Get-RoleGroup <Role group name>


Get-RoleGroup “Application Impersonation PS Group”


In the output, you can see the role assigned the members of the role group

Confirm that the application impersonation role is working

Browse to

  • Click on ​the Office 365 tab.
  • Select Service Account Access and click on Next
  • Specify the target mailbox email address
  • Specify the migration account user name
  • Specify the migration account password
  • Checkmark Specify Exchange Web Services URL and specify the URL
  • Check the box Use Exchange Impersonation.
  • Check Ignore Trust for SSL.​
  • Click on Perform Test.

Once results are displayed, check the overall results; also click on Expand All.


The form was submitted successfully.

Join the Insentra Community with the Insentragram Newsletter

Hungry for more?

Who is Insentra?

Imagine a business which exists to help IT Partners & Vendors grow and thrive.

Insentra is a 100% channel business. This means we provide a range of Advisory, Professional and Managed IT services exclusively for and through our Partners.

Our #PartnerObsessed business model achieves powerful results for our Partners and their Clients with our crew’s deep expertise and specialised knowledge.

We love what we do and are driven by a relentless determination to deliver exceptional service excellence.

Insentra ISO 27001:2013 Certification

SYDNEY, WEDNESDAY 20TH APRIL 2022 – We are proud to announce that Insentra has achieved the  ISO 27001 Certification.