
Granting Impersonation Rights

The global administrator must have the proper impersonation rights to perform Microsoft 365 Exchange mailbox backup and restore.

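Impersonation rights can be assigned from the Microsoft 365 Exchange admin center or from Windows PowerShell. Both procedures are described below.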

Assign Exchange impersonation rights for Microsoft 365 Exchange Global administrator from Microsoft 365 Exchange Admin:

To assign impersonation rights,

  1. Log in to https://portal.office.com as a Global Administrator.
  2. Click and go to 'Admin'.
  3. On the left navigation bar, click 'Admin centers' and then click 'Exchange'.
  4. In the 'Exchange admin center' page, click 'Admin Roles' under 'Permissions'.
  5. Click to add a new role.
  6. In the 'new role group' window, enter the name as 'Impersonationbackup'.
  7. Under 'Roles' click to add a role.
  8. Select 'ApplicationImpersonation', click 'add' and then click 'OK'.
  9. Under 'Members', click to add a new member to the role group.
  10. Select your admin account, click 'add', and then click 'OK'.
  11. Click 'Save'.
  12. Once done, click 'Admin' -> 'Azure Active Directory'.
  13. Click the 'Properties' menu and go to 'Manage Security Defaults'.
  14. To disable 'Security Defaults', click 'No'.
  15. Click 'Save' to save the changes made.

Note: In addition to impersonation rights, we recommend assigning discovery management rights to the global administrator. For information on assigning discovery management rights, refer to the discovery management FAQ.



Assign Exchange impersonation rights for Microsoft 365 Exchange Global administrator from Windows PowerShell:

You must connect to the Microsoft 365 Exchange server before granting impersonation rights.

To assign impersonation rights,

  1. Open Windows PowerShell with administrator privileges.
  2. Change the execution policy to RemoteSigned by executing the following command:

    C:\Windows\system32> Set-ExecutionPolicy RemoteSigned

  3. Connect to the Exchange Online server by executing the following command:

    C:\Windows\system32> $O365Cred = Get-Credential

    Note: Assign global administrator login credentials to a variable, so that the credentials can be included in the connection command.

  4. Create a PSSession to Microsoft 365 by executing the following command:

    C:\Windows\system32> $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $O365Cred -Authentication Basic -AllowRedirection

  5. Execute the following commands to import the PSSession:

    C:\Windows\system32> Import-PSSession $Session

    C:\Windows\system32> Enable-OrganizationCustomization

  6. Assign the Exchange impersonation rights to the global administrator, in the following format:

    New-ManagementRoleAssignment -Name:<assignment name> -Role:ApplicationImpersonation -User:<global administrator account>

    For example:

    C:\Windows\system32> New-ManagementRoleAssignment -Name:backupimpersonation -Role:ApplicationImpersonation -User: "[email protected]"

  7. Assign the discovery management rights in the following format:

    Add-RoleGroupMember -Identity "Discovery Management" -Member "[email protected]"

The complete command sequence is as follows:

    PS C:\Windows\system32> Set-ExecutionPolicy RemoteSigned
    PS C:\Windows\system32> $O365Cred = Get-Credential
    PS C:\Windows\system32> $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $O365Cred -Authentication Basic -AllowRedirection
    PS C:\Windows\system32> Import-PSSession $Session
    PS C:\Windows\system32> Enable-OrganizationCustomization
    PS C:\Windows\system32> New-ManagementRoleAssignment -Name:backupimpersonation -Role:ApplicationImpersonation -User: "[email protected]"
    PS C:\Windows\system32> Add-RoleGroupMember -Identity "Discovery Management" -Member "[email protected]"
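
ApplicationImpersonation lets its holder act as any mailbox owner, so after the assignment steps above it is worth confirming exactly which accounts ended up with the role. The following PowerShell is an added example, not part of the original page or the vendor's tooling: the function name `Find-UnexpectedImpersonator`, the accounts `backupadmin` and `svc-legacy`, and the sample rows are constructed, and the property names assume the output shape of `Get-ManagementRoleAssignment -GetEffectiveUsers`.

```powershell
# Added example: flag accounts that hold ApplicationImpersonation but are not
# on an expected list. Function name and sample data are constructed.
function Find-UnexpectedImpersonator {
    param(
        # Rows shaped like Get-ManagementRoleAssignment -GetEffectiveUsers output
        [Parameter(Mandatory)] [object[]] $Assignment,
        # Accounts expected to hold the role (must match the EffectiveUserName form)
        [Parameter(Mandatory)] [string[]] $AllowedUser
    )
    foreach ($row in $Assignment) {
        if ($row.Role -ne 'ApplicationImpersonation') { continue }
        # Role-group rows carry a placeholder instead of a user name; the
        # group's members are listed as their own rows, so skip the placeholder.
        if ($row.EffectiveUserName -eq 'All Group Members') { continue }
        if ($AllowedUser -notcontains $row.EffectiveUserName) {
            [pscustomobject]@{
                User       = $row.EffectiveUserName
                Via        = $row.RoleAssigneeName
                Method     = $row.AssignmentMethod
                Assignment = $row.Name
            }
        }
    }
}

# Constructed sample rows: the direct assignment and the role group created in
# the procedures above, plus one leftover service account that should be flagged.
$sample = @(
    [pscustomobject]@{ Name = 'backupimpersonation'; Role = 'ApplicationImpersonation'
        RoleAssigneeName = 'backupadmin'; EffectiveUserName = 'backupadmin'; AssignmentMethod = 'Direct' }
    [pscustomobject]@{ Name = 'ApplicationImpersonation-Impersonationbackup'; Role = 'ApplicationImpersonation'
        RoleAssigneeName = 'Impersonationbackup'; EffectiveUserName = 'All Group Members'; AssignmentMethod = 'Direct' }
    [pscustomobject]@{ Name = 'ApplicationImpersonation-Impersonationbackup'; Role = 'ApplicationImpersonation'
        RoleAssigneeName = 'Impersonationbackup'; EffectiveUserName = 'backupadmin'; AssignmentMethod = 'RoleGroup' }
    [pscustomobject]@{ Name = 'legacy-sync'; Role = 'ApplicationImpersonation'
        RoleAssigneeName = 'svc-legacy'; EffectiveUserName = 'svc-legacy'; AssignmentMethod = 'Direct' }
)

$findings = Find-UnexpectedImpersonator -Assignment $sample -AllowedUser 'backupadmin'
$findings | Format-Table -AutoSize

# In a connected Exchange Online session, feed live data instead of $sample:
#   Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers
# and review the other group this page modifies with:
#   Get-RoleGroupMember -Identity 'Discovery Management'
```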