Glenn S Diner New-Managementroleassignment

How to set impersonation rights manually


How to manually manage impersonation rights for the administrator account.


Add impersonation rights to your admin account via:

  • Windows PowerShell (see the section "Add impersonation rights using PowerShell" below),
  • EAC (Exchange Admin Center) (see the section "Add impersonation rights using EAC" below; applies to Exchange 2013, 2016 and Office 365 only).

Add impersonation rights using PowerShell

  1. Run Windows PowerShell.
  2. Check the PowerShell version by typing the following cmdlet:

    • An empty response means you are using version 1.0.
    • For versions 2.0 and newer you should see a detailed answer.
    • We recommend keeping PowerShell updated to avoid compatibility problems. The newest version of PowerShell can be downloaded from Microsoft's website.
  3. If Exchange Server is in a remote location (for example hosted) or you are connecting to Office 365, first open a remote PowerShell session to that Exchange organization. To manage permissions locally (MS Exchange Server on-premises, or when logged on to the remote Exchange server via Remote Desktop, etc.), execute the commands below in the Exchange Management Shell.
  4. Check if the account in question already has impersonation rights assigned:

    Get-ManagementRoleAssignment -RoleAssignee "<account name>" -Role ApplicationImpersonation -RoleAssigneeType user
    • where <account name> is the name of the administrator account on the target server you want to check.
  5. Add impersonation rights:

    New-ManagementRoleAssignment -Name "<impersonation Assignment Name>" -Role ApplicationImpersonation -User "<account name>"
    • where <impersonation Assignment Name> is the name of your choice for this assignment. Be aware that each assignment should have a unique name. You can omit the Name switch and a unique assignment name will be created automatically.
  6. If necessary, you can also restrict these impersonation rights so that they apply to a specific group of users. To do so, you first need to define a management scope that will include your AD group:

    $ADGroup = Get-DistributionGroup -Identity "<group name>"
    New-ManagementScope -Name "<scope name>" -RecipientRestrictionFilter "MemberOfGroup -eq '$($ADGroup.DistinguishedName)'"
    • where <group name> is the name of your AD group object, and <scope name> is the name of your choice for the new management scope.

    Now, modify the existing assignment by using the following cmdlet:

    Set-ManagementRoleAssignment "<impersonation Assignment Name>" -CustomRecipientWriteScope "<scope name>"
  7. You can remove impersonation rights with this command, if necessary:

    Get-ManagementRoleAssignment -RoleAssignee "<account name>" -Role ApplicationImpersonation -RoleAssigneeType user | Remove-ManagementRoleAssignment

Add impersonation rights using EAC (Exchange Admin Center)

  1. Log on to Office 365 using the admin account or log on to Exchange Admin Center (https://localhost/ecp). In Office 365, access the Exchange tab:


    Fig. 1. Exchange Admin Center in Office 365.
  2. Next, go to Permissions, then admin roles and choose Discovery Management by double-clicking it:

    Fig. 2. Discovery Management.
  3. Add the Role ApplicationImpersonation and add your admin user as the group member:

    Fig. 3. Add correct roles and users.

Please note that according to Microsoft, Office 365 Small Business plans cannot assign impersonation rights manually. The default built-in admin account is the only one who can hold such a permission.


Last modified: May 05, 2014

Applies to: EWS Managed API | Exchange Online | Exchange Server 2013 | Office 365


Impersonation enables a caller, such as a service application, to impersonate a user account. The caller can perform operations by using the permissions that are associated with the impersonated account instead of the permissions associated with the caller’s account.

Exchange Online, Exchange Online as part of Office 365, and versions of Exchange starting with Exchange 2013 use role-based access control (RBAC) to assign permissions to accounts. Your Exchange server administrator will need to grant any service account that will be impersonating other users the ApplicationImpersonation role by using the New-ManagementRoleAssignment cmdlet.

When you or your Exchange server administrator assigns the ApplicationImpersonation role, use the following parameters of the New-ManagementRoleAssignment cmdlet:

  • Name — The friendly name of the role assignment. Each time that you assign a role, an entry is made in the RBAC roles list. You can verify role assignments by using the Get-ManagementRoleAssignment cmdlet.

  • Role — The RBAC role to assign. When you set up impersonation, you assign the ApplicationImpersonation role.

  • User — The service account.

  • CustomRecipientWriteScope — The scope of users that the service account can impersonate. The service account will only be allowed to impersonate other users within the specified scope. If no scope is specified, the service account is granted the ApplicationImpersonation role over all users in an organization. You can create custom management scopes by using the New-ManagementScope cmdlet.

Before you can configure impersonation, you need:

  • Administrative credentials for the Exchange server.

  • Domain Administrator credentials, or other credentials with the permission to create and assign roles and scopes.

  • Exchange management tools. These are installed on the computer from which you will run the commands.

To configure impersonation for all users in an organization

  1. Open the Exchange Management Shell. From the Start menu, choose All Programs > Microsoft Exchange Server 2013.

  2. Run the New-ManagementRoleAssignment cmdlet to add the impersonation permission to the specified user. The following example shows how to configure impersonation to enable a service account to impersonate all other users in an organization.

    New-ManagementRoleAssignment -Name impersonationAssignmentName -Role ApplicationImpersonation -User serviceAccount

To configure impersonation for specific users or groups of users

  1. Open the Exchange Management Shell. From the Start menu, choose All Programs > Microsoft Exchange Server 2013.

  2. Run the New-ManagementScope cmdlet to create a scope to which the impersonation role can be assigned. If an existing scope is available, you can skip this step. The following example shows how to create a management scope for a specific group.

    The RecipientRestrictionFilter parameter of the New-ManagementScope cmdlet defines the members of the scope. You can use the properties of the Identity object to create the filter. The following example is a filter that restricts the result to a single user with the user name "john."

  3. Run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate the members of the specified scope. The following example shows how to configure a service account to impersonate all users in a scope.

    New-ManagementRoleAssignment -Name impersonationAssignmentName -Role ApplicationImpersonation -User serviceAccount -CustomRecipientWriteScope scopeName

After your administrator grants impersonation permissions, you can use the service account to make calls against other users’ accounts. You can verify role assignments by using the Get-ManagementRoleAssignment cmdlet.
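The two procedures above (the step-by-step PowerShell section and the scoped assignment here) put together as one added script. This is example code, not from the original article or from Microsoft; the account name, group name, scope name and assignment name are placeholders chosen for this illustration. It refuses to continue if the account already holds an organization-wide ApplicationImpersonation assignment, creates the scope only if it does not exist, and ends by listing the scope each assignment carries, so an unscoped grant cannot go unnoticed.

```powershell
# Added example (not from the original article): grant ApplicationImpersonation
# limited to one AD group instead of the whole organization, then verify it.
# Run in the Exchange Management Shell or a remote Exchange PowerShell session.
# All names below are placeholders for this example.
$ServiceAccount = 'svc-ews'                     # account that will impersonate
$GroupName      = 'EWS Impersonated Users'      # AD group whose members may be impersonated
$ScopeName      = 'EWS Impersonation Scope'     # management scope to create
$AssignmentName = 'EWS Impersonation - svc-ews' # unique role assignment name

# 1. Stop if the account already holds an assignment without a custom scope:
#    such an assignment grants impersonation over every mailbox in the organization.
$existing = Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount `
    -Role ApplicationImpersonation -RoleAssigneeType User
foreach ($a in $existing) {
    if (-not $a.CustomRecipientWriteScope) {
        throw "Assignment '$($a.Name)' is organization-wide; remove or scope it before continuing."
    }
}

# 2. Build the scope from the group's distinguished name (skipped if it already exists).
$group = Get-DistributionGroup -Identity $GroupName
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName `
        -RecipientRestrictionFilter "MemberOfGroup -eq '$($group.DistinguishedName)'"
}

# 3. Assign the role, restricted to that scope, unless a scoped assignment is already present.
if (-not $existing) {
    New-ManagementRoleAssignment -Name $AssignmentName -Role ApplicationImpersonation `
        -User $ServiceAccount -CustomRecipientWriteScope $ScopeName
}

# 4. Verify: every ApplicationImpersonation assignment for the account should show
#    the custom scope here; an empty CustomRecipientWriteScope means "all users".
Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Role ApplicationImpersonation `
    -RoleAssigneeType User |
    Select-Object Name, Role, RecipientWriteScope, CustomRecipientWriteScope
```

Re-run step 4 on its own periodically; it is the same check an auditor would use to confirm that impersonation has not been widened back to the whole organization.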
