by lunarg on August 28th 2014, at 13:11

When migrating from another e-mail platform to Exchange, you probably want a certain Exchange account to have full access, so the migration can proceed without setting up complex access rights. Exchange has a feature called application impersonation, which allows a user to impersonate other users and access their individual mailboxes. This comes in very handy during a migration.

In order to set up application impersonation, you need access to the Exchange Management Shell (EMS), with an account which has permissions to set up access rights.

Exchange 2007

Exchange 2007 does not support application impersonation as in Exchange 2010 and up. Impersonation does exist but has to be set on each individual mailbox.

Open EMS and run these two commands to enable impersonation on each user mailbox:

Get-ExchangeServer | Where-Object {$_.IsClientAccessServer -eq $true} | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User (Get-User -Identity ADMIN_EMAIL).Identity -ExtendedRights ms-Exch-EPI-Impersonation}

Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User Administrator@domain -ExtendedRights ms-Exch-EPI-May-Impersonate}

Replace ADMIN_EMAIL and Administrator@domain with the user that needs impersonation to be enabled.

Exchange 2010/2013 and Office365

Application impersonation exists as a management role and can be assigned at the organization level.

Open EMS. If you wish to connect to Office365 or a remote Exchange-server, you need to set up a remote PowerShell session. See below for more information on how to accomplish this.

For Office365, you need to run the following command before assigning the management role:

Enable-OrganizationCustomization

After that, assign the management role for application impersonation to the user(s) that need it:

New-ManagementRoleAssignment -Name "CloudMigratorImpersonation" -Role "ApplicationImpersonation" -User Administrator@domain

Replace Administrator@domain with whatever user needs the application impersonation management role.
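
Added example, not part of the original post: on Exchange 2010/2013 and Office365 the same role can be bound to a recipient scope instead of the whole organization, reviewed, and removed again once the migration is done. The scope name, the assignment name and the CustomAttribute1 tag are assumptions; Administrator@domain is the placeholder used above.

```powershell
# Added example (not from the original post). Run in EMS or a remote
# Exchange PowerShell session on Exchange 2010/2013 or Office365.
$ServiceAccount = 'Administrator@domain'           # placeholder used in the post
$ScopeName      = 'MigrationMailboxes'             # assumed scope name
$ScopedName     = 'ScopedMigrationImpersonation'   # assumed assignment name
$TagFilter      = "CustomAttribute1 -eq 'Migrate'" # assumed tag on in-scope mailboxes

function Get-ImpersonationHolder {
    # List every assignment of the role, expanded to the effective users,
    # and mark the assignments that cover the whole organization.
    Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
        Select-Object Name, RoleAssigneeName, EffectiveUserName,
            CustomRecipientWriteScope,
            @{ Name = 'OrgWide'; Expression = { "$($_.RecipientWriteScope)" -eq 'Organization' } }
}

function Grant-ScopedImpersonation {
    # Create the recipient scope once, then bind the role to that scope.
    if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
        New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $TagFilter | Out-Null
    }
    New-ManagementRoleAssignment -Name $ScopedName -Role 'ApplicationImpersonation' `
        -User $ServiceAccount -CustomRecipientWriteScope $ScopeName
}

function Revoke-MigrationImpersonation {
    # Remove the assignments made directly to the account (the organization-wide
    # one from the post and the scoped one), then drop the scope itself.
    Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -RoleAssignee $ServiceAccount |
        Where-Object { "$($_.RoleAssigneeType)" -eq 'User' } |
        Remove-ManagementRoleAssignment -Confirm:$false
    if (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue) {
        Remove-ManagementScope -Identity $ScopeName -Confirm:$false
    }
}

# Only the review runs here; call the grant and revoke functions explicitly.
Get-ImpersonationHolder | Format-Table -AutoSize
```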

Additional information