Issue
The Office 365 Module uses Exchange Web Services (EWS) in order to ingest data into mailboxes and Personal Archives. If this is not configured correctly the following may be seen in the Office 365 Module log file:
2019-06-18 16:18:24Z|5748| 19|ERROR|Ingest|Error during ingest Void ProcessWebException(System.Net.WebException) The account does not have permission to impersonate the requested user. at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.ProcessWebException(WebException webException) at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.GetEwsHttpWebResponse(IEwsHttpWebRequest request) at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.ValidateAndEmitRequest(IEwsHttpWebRequest& request) at Microsoft.Exchange.WebServices.Data.SimpleServiceRequestBase.InternalExecute() at Microsoft.Exchange.WebServices.Data.MultiResponseServiceRequest`1.Execute() at Microsoft.Exchange.WebServices.Data.ExchangeService.BindToFolder(FolderId folderId, PropertySet propertySet) at Microsoft.Exchange.WebServices.Data.ExchangeService.BindToFolder[TFolder](FolderId folderId, PropertySet propertySet) at Microsoft.Exchange.WebServices.Data.Folder.Bind(ExchangeService service, WellKnownFolderName name, PropertySet propertySet) at ArchiveShuttle.Module.Office365.ExchangeServiceWrapper.GetOrCreateFolder(String pathInArchive) at ArchiveShuttle.Module.Office365.ExchangeServiceWrapper.Ingest(ExchangeItem item, PerformanceLogging performanceLogging)
Solution
Additional permissions must be granted to the Admin account which is used for Office 365 ingestion. This is a role called Application Impersonation. The steps to grant this role are as follows:
$UserCredential = Get-Credential
Supply values for the following parameters:
Credential
A pop-up will appear asking for a username and password. The Global Administrator which needs to have Application Impersonation granted to them, should be input
$Session = New-PSSession –ConfigurationName Microsoft.Exchange –ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential –Authentication Basic –AllowRedirection
This connects a PowerShell session to Office 365 using the credentials which were just entered.
Import-PSSession $Session
This activates the above session. It may take a few seconds for this to return to the command prompt.
New-ManagementRoleAssignment –Name:VaultAdminImpersonation –Role:ApplicationImpersonation –User:
Note: If multiple service accounts are being used (for example to increase performance) then the Application Impersonation role must be granted to each account.
© ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center