ODM Mailbox Migration has been running successfully before, when all of a sudden, with no change to any attribute of ODM Migrator Service Accounts, all ODM Mailbox Migration tasks start to fail with this error encountered :
The account does not have permission to impersonate the requested user.
ErrorCode = ErrorImpersonateUserDenied
Exchange Online services might be temporarily unavailable from one or both of M365 tenants due to :
Since this Application Impersonation Role needs to be taking effect on a whole M365 tenant basis, this is a Microsoft issue and so there is no fix from within ODM, customer can just only wait for both M365 tenants to recover back to working condition, then proceed to stop current ODM mailbox migration tasks, which are likely to have already hung, so will need to be restarted again.
To validate on integrity of both M365 tenants if their required mailbox authentication can be properly resolved online, Microsoft Remote Connectivity Analyzer Tool can be accessed at this URL :
A successful test result should look like this :
Connectivity Test SuccessfulTest Details
Exchange Web Services service account access verificationAll tests completed successfully with the service account.Test Steps
The Microsoft Connectivity Analyzer is attempting to test Autodiscover for firstname.lastname@example.org.Autodiscover was tested successfully.Test Steps
A new mail item is being created.A mail item was created successfully.
Deleting an item.An item was deleted successfully.Additional Details
ErrorImpersonateUserDenied, indicates that the specified Service account doesn't have the ms-Exch-EPI-May-Impersonate correct on the Act As Account it's trying to impersonate.