Here are two ways to grant ApplicationImpersonation rights. These steps will need to be performed twice, once in the source tenant for the source migration admin and again in the target tenant for the target migration admin:
1. Grant ApplicationImpersonation rights via the Office 365 Portal:
- Login to the Office 365 Portal as a Global Administrator. (http://portal.microsoftonline.com)
- Click Admin
- Click Admin Centers | Exchange.
- Select "Permissions" from the navigation tree on the left.
- Click on "Admin Roles"
- Click the "+" Icon to add a new role
- In the role group dialog box Provide a name for your Role Group (ie. "ODME_Impersonation")
- Under Roles, click the "+" icon to add an RBAC Role.
- Highlight "ApplicationImpersonation", click "add ->" and then click OK.
- Under Members click the "+" icon to add a new memeber to the RoleGroup
- Highlight your migration admin user account(s) that will be performing the migrations, click "add ->", and then click OK.
- Click Save
2. Grant ApplicationImpersonation rights via PowerShell:
- Login to Office 365 via PowerShell.
- Use the following sample PowerShell cmdlet to apply ApplicationImpersonation rights directly to your migration admin user account(s):
New-ManagementRoleAssignment -Role "ApplicationImpersonation" –User firstname.lastname@example.org
Note: It can take up to 48 hours for these new "ApplicationImpersonation" rights to take effect in Office 365.