How to Grant Application Impersonation Rights in Office 365?


Nowadays, many users are migrating their data to Office 365. Migrating a large data set is not an easy task, but Office 365 provides many advanced options for migration. With the help of those options, users can easily migrate their data to the Office 365 cloud platform.

In this post, we will describe how to grant application impersonation rights in Office 365. To do this, we will use the Exchange admin center and PowerShell commands. Both are useful. You can choose either method as per your requirement.

Application Impersonation is a management role. It lets an application act on behalf of mailbox users without needing their login credentials. Administrators can use this option in various situations such as CRM integration, scheduled local backups, data migration to Office 365, etc.

Configure Impersonation in Office 365 using Exchange admin center

  1. Go to https://outlook.office365.com/ecp
  2. Log in with your Office 365 credentials.
  3. Select the Permissions option from the screen.
  4. Click on the "+" icon to add a new role group.
  5. Provide a Name and Description, and click on the "+" icon under Roles.
  6. Select the ApplicationImpersonation option from the list.
  7. Click on the Add and OK buttons.
  8. Click on the "+" icon under Members.
  9. Select Administrator, then click on the Add and OK buttons.
  10. Finally, click on the Save button.

By following these steps, you can successfully grant Application Impersonation rights. But if you are migrating all users' mailboxes at once with impersonation, then you need to provide a few more permissions.

Grant Full Access to Admin Mailbox

  1. Select Recipients from the Exchange Admin Center.
  2. Double click on the mailbox.
  3. Select the Mailbox Delegation option from the Edit User Mailbox screen.
  4. Click on the "+" icon under Full Access.
  5. Select the Admin mailbox from the Select Send on Behalf screen.
  6. Click on the Add and OK buttons.
  7. Finally, click on Save.

You have to repeat these steps for each mailbox.

Grant Application Impersonation Rights in Office 365 using PowerShell

To successfully configure the ApplicationImpersonation role, you need:

  • Administrative credentials for the Exchange server.
  • Domain Administrator credentials, or other credentials with the permission to create and assign roles and scopes.
  • Exchange management tools. These are installed on the computer from which you will run the commands.

Configure impersonation for all users in an organization

  1. Launch Exchange Management Shell.
  2. Go to the Start menu and choose All Programs.
  3. Select Microsoft Exchange Server 2013 from the list.
  4. Run the New-ManagementRoleAssignment cmdlet. The following example configures impersonation so that a service account can impersonate all users in the organization.
    New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount

Configure impersonation for specific users or groups of users

  1. Open Exchange Management Shell.
  2. Go to the Start menu and choose the All Programs option.
  3. Select Microsoft Exchange Server 2013 from the list.
  4. Run the New-ManagementScope cmdlet to create a scope. If a suitable scope already exists, skip this step. The example shows how to create a management scope for a specific group.
    New-ManagementScope -Name:scopeName -RecipientRestrictionFilter:recipientFilter
  5. Now, run the New-ManagementRoleAssignment cmdlet to set the permission to impersonate the users of the specified scope.
    New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount -CustomRecipientWriteScope:scopeName
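
A worked version of the scoped assignment above, added here as an example and not taken from the original post: it limits impersonation to the members of one group, previews the affected recipients, and then audits who holds the role. The group, scope, assignment and service account names are assumed placeholders, and an Exchange Management Shell (or Exchange Online PowerShell) session is assumed to be open already.

```powershell
# Assumed placeholder names; replace with your own.
$GroupName      = 'Migration Batch 1'      # group whose members may be impersonated
$ScopeName      = 'MigrationBatch1Scope'
$AssignmentName = 'MigrationImpersonation'
$ServiceAccount = 'svc-migration'

# 1. Build the recipient filter from the group's distinguished name.
#    Single quotes inside the DN are doubled so the filter string stays valid.
$group  = Get-DistributionGroup -Identity $GroupName -ErrorAction Stop
$dn     = $group.DistinguishedName -replace "'", "''"
$filter = "MemberOfGroup -eq '$dn'"

# 2. Create the scope only if it does not exist yet.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $filter | Out-Null
}

# 3. Preview which recipients the filter matches before granting anything.
Get-Recipient -Filter $filter -ResultSize Unlimited |
    Select-Object Name, PrimarySmtpAddress

# 4. Assign the role to the service account, limited to that scope.
New-ManagementRoleAssignment -Name $AssignmentName -Role ApplicationImpersonation `
    -User $ServiceAccount -CustomRecipientWriteScope $ScopeName

# 5. Audit: list every effective holder of the role and mark assignments
#    that have no custom scope (these can impersonate the whole organization).
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object Name, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope,
        @{ Name = 'OrgWide'; Expression = { -not $_.CustomRecipientWriteScope } }

# 6. Once the migration is finished, remove the assignment again:
# Remove-ManagementRoleAssignment -Identity $AssignmentName -Confirm:$false
```

Running step 5 periodically also shows role holders that were added outside this procedure.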

Questions from the topic

Q. Is this option available in Exchange Server 2007?

Yes, the Application Impersonation feature is available on Microsoft Exchange Server 2007 or higher versions. This option is also available in Office 365 plan E3.

Q. Why do administrators choose the Application Impersonation option?

Administrators choose this option to perform complex processes. By using this option, the admin allows applications to perform actions without login credentials.