How to use PowerShell to Verify and grant Application Impersonation Permissions
When performing a migration interfacing with Exchange Online or On-premises either directly as a target or in support of post-processing operations, Application Impersonation permissions are frequently required. This article discusses how to use PowerShell to validate these settings are set and how you can set them if you have sufficient permissions to do so.
Remote Connection via PowerShell
To execute a PowerShell command in an Exchange Online environment, you will need to establish a remote PowerShell session with the Exchange server. This is also possible with local deployments of Exchange. The following will provide an example using Exchange Online.
Once connected, it may be useful to validate that the correct permissions are associated with an account. To verify that an account has the required role association use the following Command: Get-ManagementRoleAssignment -Role ApplicationImpersonation
If permissions are validated as expected, make sure to close your PowerShell connection to prevent future issues. Instructions to do so are found below.
If required, run the following PowerShell command to assign “application impersonation” rights to the account(s) used for ingestion: New-ManagementRoleAssignment –Name “Mig Import User” –User “User@ExampleDomain.local” –Role ApplicationImpersonation
Closing the Session
Once your work in the remote PowerShell session has concluded, you should close the open session using the following command: Remove-PSSession $ExOnline
For additional information about connecting to Exchange Online using remote PowerShell, please read the following document:
For information on how to remotely connect to PowerShell on an Exchange server, please read the following document: