Application Impersonation Management Role (Office 365) & Complete Guide - alishaaleart/office365 GitHub Wiki

Office 365 provides a role (right) named application impersonation. This feature allows an admin to impersonate another user in an organization and perform any task in that user's place. When someone with a single user account needs to manage multiple user accounts, Office 365 application impersonation rights become essential (if you are not an admin).

The impersonation role allows a user, such as an application engineer, to grant certain rights of the admin to a user account. Using this feature, a user can perform any operation that is permitted to the impersonated account, instead of being limited to the permissions granted to their own account. This post is a complete guide for anyone who wants to explore this feature. The following sections discuss why there is a need to impersonate Office 365 user mailboxes, how to grant application impersonation rights in Office 365, and the different methods to set and remove those rights.

Need to Impose Office 365 Application Impersonation Rights

The Microsoft Office 365 impersonation management role is a feature that allows the admin to represent a user account like an admin and perform any task as an authenticated user (it does not provide all the rights of the admin). The reasons for and benefits of impersonating a user's account are listed below:

  • It allows a single user account to manage or handle two or more user accounts.
  • A user can export multiple mailboxes from Office 365 simultaneously with the help of the impersonation role.
  • In a large organization it becomes really difficult for the admin to handle everything individually. In this case the impersonation role is needed to reduce the workload on a single person.
  • It is a completely admin-managed feature, i.e., no one other than the admin can remove or set impersonation rights in Office 365.
  • It was originally designed for one-to-many mailbox access, which decreases the complexity and overhead of managing new users that are added to the application scope.

How to Grant Application Impersonation Rights in Office 365

There are various benefits of the application impersonation management role (Office 365). A user can set application impersonation rights in Office 365 with either of the following methods:

  • By using PowerShell
  • By using Exchange Admin Centre

Grant Application Impersonation Rights in Office 365 using PowerShell

To add application impersonation rights in Office 365 using PowerShell, follow the steps below:

First, run PowerShell and check its version by typing:

$PSVersionTable

If the response is empty, you are using version 1.0. See the detailed answer for newer versions.

To avoid compatibility issues, always keep PowerShell updated.

If you want to handle the roles or permissions locally, you need to execute the commands in the Exchange Management Shell (EMS).

To check whether the impersonation role has been granted, execute the command:

Get-ManagementRoleAssignment -RoleAssignee "<account name>" -Role ApplicationImpersonation -RoleAssigneeType User

Here, <account name> is the name of the administrator account that you want to check on the target server.

Now, to add the mailbox impersonation role, run the following command:

New-ManagementRoleAssignment -Name:"<assignment name>" -Role:ApplicationImpersonation -User:"<account name>"

Here, <assignment name> is a name of the user's choice that must be unique, and <account name> is the account that receives the role.

Remove Impersonation Rights in Office 365 Using PowerShell

To remove the impersonation role from an account, run the following command, where <account name> stands for that account:

Get-ManagementRoleAssignment -RoleAssignee "<account name>" -Role ApplicationImpersonation -RoleAssigneeType User | Remove-ManagementRoleAssignment

Set Impersonation Rights in Office 365 Using Exchange Admin Centre (EAC)

To assign the application impersonation management role in Office 365, follow the stepwise instructions below:

  1. Log in to your Microsoft Office 365 account using the Exchange Admin Center or an admin account
  2. In Office 365, open the Exchange tab and go to Permissions in the left pane under Dashboard
  3. Click on admin roles, then select Discovery Management by double-clicking it in the right pane
  4. In the Discovery Management window, click the + button to set application impersonation
  5. From the drop-down list, select "ApplicationImpersonation" and click the add button, then click OK
  6. To verify, check whether ApplicationImpersonation has been added under the roles
  7. Go to the Members section and click the + option; a new window appears
  8. Choose the user name and click the add button, then click OK
  9. To verify, check the Members section for the user name; if the user name is in the list, click the Save button, otherwise go to step 7

Note: According to Microsoft Office 365, a small-scale business cannot grant impersonation rights manually. All such permissions are managed by the default admin only.

Conclusion

Office 365 application impersonation rights are basically used to represent any user as an admin in his absence. We have discussed the various benefits of impersonation rights in Office 365. To solve the problem of how to assign the application impersonation management role manually, we have discussed two procedures: one uses PowerShell and the other uses the Exchange Admin Centre. A user can choose either of the two according to their preference.


Microsoft Exchange 2016 - ApplicationImpersonation

I want an application (e.g. application123) to write a mail on behalf of all users. For this purpose a user is configured within the application (e.g. myImpersoUser).

I want to realize this via ApplicationImpersonation, unfortunately it does not work yet. If I assign the "send_As" permission manually, it works (so SMTP and authentication on the part of the application seems to be ok).

Current setting:

  • AD Security Group (universal) -> App_Mailsender (is a mail-enabled AD group, the same game already tested with a distribution list).
  • Management Scope created, which refers to the AD group
  • then RoleAssignment performed

Unfortunately I get the message "550 5.7.60 SMTP; Client does not have permissions to send as this sender" .

Where is the error?

Isk0rp1TX

Please check if you have configured your application in order to identify the account to impersonate after configuring impersonation for the specific user: Identify the account to impersonate


However, when I tried to get a list of the dynamic distribution group "DDG02", the output didn't show any results:


Based on the test result, it seems that the MemberOfGroup is not valid in the recipient filter.

If your application has identified the account to impersonate, I think you could add a custom attribute to all members which locate in the group, and use the custom attributes to add these members in the recipient filter of your custom management scope, then create a management scope to include these members and run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate the members of the specified scope:


After that, try using the application to write a mail on behalf of all users and see if there is any difference.

Ivan_Wang

  • thanks for your post. Why doesn't the "MemberOfGroup" function work if Microsoft intended it to? Or in which constellations does it work? I don't want to go the way you described, because otherwise I would have to build another script, which regularly checks if new mailboxes exist and have / don't have the attribute. I would prefer a central place (AD group etc.), which regulates the function. –  user612985 Jan 19, 2021 at 7:29
  • Hi, based on my knowledge and research, the parameters "-RecipientRestrictionFilter"( docs.microsoft.com/en-us/powershell/module/exchange/… ) and "-RecipientFilter"( docs.microsoft.com/en-us/powershell/module/exchange/… ) use the same OPath filter syntax and filterable properties, I just to use another command to preview the members in group and see if I could get the group members. –  Ivan_Wang Jan 19, 2021 at 9:29
  • Hello, thank you. But how can I realize this in my way? Without having to resort to the AD attributes (as you described). –  user612985 Jan 19, 2021 at 10:00
  • Hi, @user612985, please use the same account that you used to post the question, it's misleading to see two accounts from the same person to interact in the same question. If you need help for your account let me know. –  yagmoth555 ♦ Jan 19, 2021 at 18:54
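
One way to carry out the custom-attribute approach from the answer above, as an added example that is not part of the original thread: the function keeps a tag on the members of App_Mailsender in step with group membership, and the scope and role assignment are then built on that tag. It assumes a connected Exchange Management Shell session; the tag value, the choice of CustomAttribute1 and the function name are hypothetical, while App_Mailsender, myImpersoUser, S_Mailsend and R_Mailsend are names that appear on this page.

```powershell
#Requires -Version 5.1
# Added example. Assumes the Exchange cmdlets are already loaded in this session.
# Hypothetical choices: CustomAttribute1 as the marker, the value 'AppMailsender',
# and the function name. Pick an attribute that nothing else in the org uses,
# because this script overwrites and clears it.

function Sync-ImpersonationScopeTag {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Group = 'App_Mailsender',
        [string]$Tag   = 'AppMailsender'
    )

    # Mailboxes that should be in scope: current user-mailbox members of the group.
    $wanted = @(Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
        Where-Object RecipientType -eq 'UserMailbox' |
        ForEach-Object { $_.DistinguishedName })

    # Mailboxes that carry the tag today.
    $tagged = @(Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -eq '$Tag'" |
        ForEach-Object { $_.DistinguishedName })

    # Tag members that are not tagged yet.
    foreach ($dn in $wanted) {
        if ($tagged -notcontains $dn -and
            $PSCmdlet.ShouldProcess($dn, "Set CustomAttribute1 to $Tag")) {
            Set-Mailbox -Identity $dn -CustomAttribute1 $Tag
        }
    }

    # Clear the tag from mailboxes that left the group, so the scope shrinks
    # together with the group instead of only ever growing.
    foreach ($dn in $tagged) {
        if ($wanted -notcontains $dn -and
            $PSCmdlet.ShouldProcess($dn, 'Clear CustomAttribute1')) {
            Set-Mailbox -Identity $dn -CustomAttribute1 $null
        }
    }
}

# 1. Preview the changes, then apply them. Re-run on a schedule to pick up
#    membership changes.
Sync-ImpersonationScopeTag -WhatIf
Sync-ImpersonationScopeTag

# 2. Check which recipients the filter matches before any permission depends on it.
$filter = "CustomAttribute1 -eq 'AppMailsender'"
Get-Recipient -RecipientPreviewFilter $filter |
    Select-Object Name, RecipientTypeDetails

# 3. Create the scope and the scoped role assignment once; skip them if present.
if (-not (Get-ManagementScope -Identity 'S_Mailsend' -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name 'S_Mailsend' -RecipientRestrictionFilter $filter
}
if (-not (Get-ManagementRoleAssignment -Identity 'R_Mailsend' -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name 'R_Mailsend' -Role ApplicationImpersonation `
        -User 'myImpersoUser' -CustomRecipientWriteScope 'S_Mailsend'
}
```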


For Admins: How do I configure the Impersonation Role for Exchange Calendar Sync?

The following information was sourced from Microsoft's how-to guide here:

Microsoft - How to: Configure impersonation

Impersonation enables a caller, such as a service application, to impersonate a user account. The caller can perform operations by using the permissions that are associated with the impersonated account instead of the permissions associated with the caller’s account.

Exchange Online, Exchange Online as part of Office 365, and versions of Exchange starting with Exchange 2013 use role-based access control (RBAC) to assign permissions to accounts. Your Exchange server administrator will need to grant any service account that will be impersonating other users the ApplicationImpersonation role by using the New-ManagementRoleAssignment cmdlet.

Configuring the Application Impersonation role

When you or your Exchange server administrator assigns the ApplicationImpersonation role, use the following parameters of the New-ManagementRoleAssignment cmdlet:

  • Name — The friendly name of the role assignment. Each time that you assign a role, an entry is made in the RBAC roles list. You can verify role assignments by using the Get-ManagementRoleAssignment cmdlet.
  • Role — The RBAC role to assign. When you set up impersonation, you assign the ApplicationImpersonation role.
  • User — The service account.
  • CustomRecipientWriteScope — The scope of users that the service account can impersonate. The service account will only be allowed to impersonate other users within the specified scope. If no scope is specified, the service account is granted the ApplicationImpersonation role over all users in an organization. You can create custom management scopes by using the New-ManagementScope cmdlet.

Before you can configure impersonation, you need:

  • Administrative credentials for the Exchange server.
  • Domain Administrator credentials, or other credentials with the permission to create and assign roles and scopes.
  • Exchange management tools. These are installed on the computer from which you will run the commands.

To configure impersonation for all users in an organization:

  • Open the Exchange Management Shell. From the Start menu, choose All Programs > Microsoft Exchange Server 2013.

Run the New-ManagementRoleAssignment cmdlet to add the impersonation permission to the specified user. The following example shows how to configure impersonation to enable a service account to impersonate all other users in an organization.

Windows PowerShell

New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount

To configure impersonation for specific users or groups of users:

  • Run the New-ManagementScope cmdlet to create a scope to which the impersonation role can be assigned. If an existing scope is available, you can skip this step. The following example shows how to create a management scope for a specific group.

Windows PowerShell

New-ManagementScope -Name:scopeName -RecipientRestrictionFilter:recipientFilter

The RecipientRestrictionFilter parameter of the New-ManagementScope cmdlet defines the members of the scope. You can use the properties of the Identity object to create the filter. The following example is a filter that restricts the result to a single user with the user name "john."

Windows PowerShell

Name -eq "john"

Run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate the members of the specified scope. The following example shows how to configure a service account to impersonate all users in a scope.

Windows PowerShell

New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount -CustomRecipientWriteScope:scopeName

After your administrator grants impersonation permissions, you can use the service account to make calls against other users’ accounts. You can verify role assignments by using the Get-ManagementRoleAssignment cmdlet.
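
An added example, not taken from Microsoft's guide or from Cirrus Insight: a filter that classifies the output of Get-ManagementRoleAssignment so that assignments with no custom scope, which cover every user in the organization, stand out from scoped ones. The function name and the sample rows are constructed for illustration; the property names are those the cmdlet returns.

```powershell
#Requires -Version 5.1
# Added example. Get-ImpersonationFinding is a hypothetical helper name.
# It reads role-assignment objects from the pipeline and labels each one:
#   OrgWide    - regular assignment with no custom scope (all users in the org)
#   Scoped     - regular assignment limited by CustomRecipientWriteScope
#   Delegating - lets the assignee grant the role to others, not use it
#   Disabled   - assignment exists but is switched off

function Get-ImpersonationFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Assignment
    )
    process {
        $scope  = [string]$Assignment.CustomRecipientWriteScope
        $scoped = -not [string]::IsNullOrWhiteSpace($scope)

        $finding =
            if (-not $Assignment.Enabled) { 'Disabled' }
            elseif ("$($Assignment.RoleAssignmentDelegationType)" -like 'Delegating*') { 'Delegating' }
            elseif (-not $scoped) { 'OrgWide' }
            else { 'Scoped' }

        [pscustomobject]@{
            Assignment   = $Assignment.Name
            Assignee     = $Assignment.RoleAssigneeName
            AssigneeType = $Assignment.RoleAssigneeType
            # Filled only when the input came from -GetEffectiveUsers.
            EffectiveUser = $Assignment.EffectiveUserName
            Scope        = if ($scoped) { $scope } else { '(all recipients)' }
            Finding      = $finding
        }
    }
}

# Constructed sample rows so the function can be tried without an Exchange
# session. They mimic the shape of Get-ManagementRoleAssignment output.
$sample = @(
    [pscustomobject]@{
        Name = 'impersonationAssignmentName'; RoleAssigneeName = 'serviceAccount'
        RoleAssigneeType = 'User'; CustomRecipientWriteScope = $null
        RoleAssignmentDelegationType = 'Regular'; Enabled = $true
    }
    [pscustomobject]@{
        Name = 'impersonationAssignmentName-scoped'; RoleAssigneeName = 'serviceAccount'
        RoleAssigneeType = 'User'; CustomRecipientWriteScope = 'scopeName'
        RoleAssignmentDelegationType = 'Regular'; Enabled = $true
    }
    [pscustomobject]@{
        Name = 'sample-delegating-assignment'; RoleAssigneeName = 'Organization Management'
        RoleAssigneeType = 'RoleGroup'; CustomRecipientWriteScope = $null
        RoleAssignmentDelegationType = 'DelegatingOrgWide'; Enabled = $true
    }
    [pscustomobject]@{
        Name = 'old-migration-assignment'; RoleAssigneeName = 'migrationAccount'
        RoleAssigneeType = 'User'; CustomRecipientWriteScope = $null
        RoleAssignmentDelegationType = 'Regular'; Enabled = $false
    }
)

$sample | Get-ImpersonationFinding |
    Format-Table Assignment, Assignee, AssigneeType, Scope, Finding -AutoSize

# Against a live organization, feed the cmdlet's output to the same function:
#   Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
#       Get-ImpersonationFinding | Where-Object Finding -eq 'OrgWide'
# For each Scoped row, review what the scope actually matches:
#   Get-ManagementScope -Identity '<scope name>' | Format-List Name, RecipientFilter
```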


unable to execute New-ManagementRoleAssignment-Role in Exchange online Powershell

Hi, I'm unable to execute the following command in Exchange online Powershell: New-ManagementRoleAssignment -Role "Mailbox Import Export" -SecurityGroup "Organization Management" -Name "Import Export Org Management" I've already done the Enable-OrganizationCustomization


Kerry Chen MSFT, Microsoft Agent

Dear Memo it,

Good day! Thank you for posting to Microsoft Community. We are happy to help you!

The permissions required to perform tasks to configure management roles vary depending on the procedure being performed or the cmdlet you want to run. For more information about management roles, see  Understanding Management Roles .

To find out what permissions you need to perform the procedure or run the cmdlet, do the following:

In the table below, find the feature that is most related to the procedure you want to perform or the cmdlet you want to run.

Next, look at the permissions required for the feature. You must be assigned one of those role groups, an equivalent custom role group, or an equivalent management role. You can also click on a role group to see its management roles. If a feature lists more than one role group, you only need to be assigned one of the role groups to use the feature. For more information about role groups and management roles, see  Understanding Role Based Access Control .

Now, run the  Get-ManagementRoleAssignment  cmdlet to look at the role groups or management roles assigned to you to see if you have the permissions that are necessary to manage the feature.

Please pay attention to this: You must be assigned the Role Management management role to run the  Get-ManagementRoleAssignment  cmdlet. If you don't have permissions to run the  Get-ManagementRoleAssignment  cmdlet, ask your Exchange administrator to retrieve the role groups or management roles assigned to you.

In addition, based on your description, I would like to collect more information to narrow down the scope of question:

If your organization has the other admin account, please kindly use different global administrator accounts in the tenant to run it and check the result.

If you create a new global admin, does the issue persist?

If you run other commands (for example: get-mailbox), do you have the same issue? Here is for your reference: Connect to Exchange Online PowerShell and Get-Mailbox

If you remove global admin permissions from a user and assign them back, does issue persist?

If you got some error information and error code, please kindly share them with me so that I can do further research.

Thanks in advance for your understanding! Your patience and cooperation will be highly appreciated. Hope you all the best!

Kerry Chen | Microsoft Community Moderator


ApplicationImpersonation permission on new admin role group

I am attempting to create a new role group with ApplicationImpersonation permissions per https://answers.microsoft.com/en-us/msoffice/forum/all/exchange-impersonation-error-unable-to-open-user/834c4ea9-6cb5-4df4-9011-433ba501f6d2 .

When I do so in https://admin.exchange.microsoft.com/#/adminRoles I click Add role group, then name it CloudMigratorImpersonation with default write scope.

Next I add ApplicationImpersonation and Mailbox Import Export permissions, and attempt to assign myself (global admin) to the new role group.

When I click Add Role Group, I get:

Error executing request. You don't have access to create, change, or remove the "professionalartists.onmicrosoft.com\ApplicationImpersonation-CloudMigratorImpersonation" management role assignment. You must be assigned a delegating role assignment to the management role or its parent in the hierarchy without a scope restriction.


Seems like someone has played with the default role group assignments in your tenant. On the same page, open the Organization management role and under Permissions, make sure the checkbox next to Role management is ticked. While you're there, wouldn't hurt to also add your own user as member of the role.

I think that did the trick, thanks! The checkbox for Role mgmt was already ticked, but I added my account explicitly to the role and that allowed me to create the new role group I wanted. (Or it was a transient error.)

Ryan is correct. Even though our admin account is a member of the Exchange Administrators and Global Administrators, we had to explicitly add the USER (not Group) to the Organization Management in order to have privileges to create new Admin Role Groups. Looks like another bug to me!


COMMENTS

  1. Configure impersonation

    Configuring the ApplicationImpersonation role. When you or your Exchange server administrator assigns the ApplicationImpersonation role, use the following parameters of the New-ManagementRoleAssignment cmdlet: Name - The friendly name of the role assignment. Each time that you assign a role, an entry is made in the RBAC roles list.

  2. New-ManagementRoleAssignment (ExchangePowerShell)

    Some parameters and settings may be exclusive to one environment or the other. Use the New-ManagementRoleAssignment cmdlet to assign a management role to a management role group, management role assignment policy, user, or universal security group (USG). For information about the parameter sets in the Syntax section below, see Exchange cmdlet ...

  3. Exchange impersonation: Grant permissions to service accounts

    To create a new impersonation role, use the following cmdlet: New-ManagementRoleAssignment -Role:ApplicationImpersonation `. -User: [email protected]. Creating a new impersonation role using PowerShell. Now you can further restrict the permissions of the service user with the RecipientTypeDetails parameter, in this example ...

  4. How to set impersonation rights manually

    Add impersonation rights: New-ManagementRoleAssignment -Name:<impersonation Assignment Name> -Role:ApplicationImpersonation -User: "<account name>". where <impersonation Assignment Name> is the name of your choice for this assignment. Be aware that each assignment should have a unique name. You can omit the Name switch, and a unique assignment ...

  5. How To: Grant Application Impersonation Rights in Office 365 (4350092)

    To grant ApplicationImpersonation rights via PowerShell: Login to Office 365 via PowerShell. Use the following sample PowerShell cmdlet to apply ApplicationImpersonation rights directly to your migration admin user account (s): New-ManagementRoleAssignment -Role "ApplicationImpersonation" -User [email protected]. Repeat the ...

  6. Configure impersonation roles for Exchange service accounts

    The easy way: No management scope. The service account will have access to all calendars, regardless of type. 1. In the Exchange management shell, run the command: New-ManagementRoleAssignment -Role:ApplicationImpersonation -User: YOURSERVICEACCOUNTUSERNAMEHERE. Remember to replace the "User" in the command to match your service account.

  7. ApplicationImpersonation role: Exchange 2013 Help

    Important. A process or application that's a member of the ApplicationImpersonation role can access the contents of a user's mailbox and act on behalf of that user, even if the user's account is disabled. This might let users access their mailboxes if you have applications, like Blackberry Enterprise Server, that use the ApplicationImpersonation role. . Third-party products that don't use the ...

  8. Steps to configure Application Impersonation rights in Exchange Servers

    New-ManagementRoleAssignment -name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount. To configure impersonation for specific users or groups of users. Run the New-ManagementScope cmdlet to create a scope to which the impersonation role can be assigned. If an existing scope is available, you can skip this step.

  9. Application Impersonation Management Role (Office 365) & Complete Guide

    New-ManagementRoleAssignment -Name: -Role:ApplicationImpersonation -User: "" Here, is the name of user's choice that must be unique. Remove Impersonation Rights in Office 365 Using Powershell If a user wants to remove the impersonation roles, a user need to write the following command:

  10. Enabling impersonation and use Powershell as admin role

    The term 'New-ManagementRoleAssignment' is not recognized as the name of a cmdlet, function, script file, or operable According to my friend that this might be the problem of not using the exchange server using the Admin, but I am logging to the windows serving using the admin account.

  11. Microsoft Exchange 2016

    New-ManagementRoleAssignment -Name: "R_Mailsend" -Role:ApplicationImpersonation -CustomRecipientWriteScope: "S_Mailsend" -User: "[email protected]" Unfortunately I get the message "550 5.7.60 SMTP; Client does not have permissions to send as this sender" .

  12. MigrationWiz Impersonation and Delegation for Microsoft 365 & Exchange

    New-ManagementRoleAssignment -Role ApplicationImpersonation -User; If using impersonation against Exchange (either at Source or Destination), an extra step is required since on-premises PowerShell is not available for access over the internet, and thus the impersonation cmdlets cannot be run.

  13. HowTo: Assigning Application Impersonation in Exchange Online ...

    Run the New-ManagementRoleAssignment cmdlet (as shown below) to grant the service account permission to impersonate all the users in the organization. Note: The Name parameter specifies the name of the new role assignment. The Role parameter indicates that the ApplicationImpersonation role is assigned to the user specified by the User parameter.

  14. For Admins: How do I configure the Impersonation…

    New-ManagementRoleAssignment -name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount To configure impersonation for specific users or groups of users: Open the Exchange Management Shell. From the Start menu, choose All Programs > Microsoft Exchange Server 2013.

  15. Configuring Exchange Impersonation in Exchange 2010

    When you assign the ApplicationImpersonation role, use the following parameters of the New-ManagementRoleAssignment cmdlet: Name - The friendly name of the role assignment. Each time you assign a role, an entry is made in the RBAC roles list. You can verify role assignments by using the Get-ManagementRoleAssignment cmdlet.

  16. Exchange 2016 New Account Impersonation No Longer Works After CU19

    Get-ManagementRoleAssignment -Role ApplicationImpersonation | fl Name, User, CustomRecipientWriteScope Get-ManagementScope -Identity "<CustomRecipientWriteScope>" | fl Name, RecipientFilter

  17. email

    I tried to create an New-ManagementRoleAssignment New-ManagementRoleAssignment -Name "ImpersonationRole" -Role ApplicationImpersonation -User "Administrator@domain" Next i tried to set/change

  18. MigrationWiz Error

    New-ManagementRoleAssignment -Role "ApplicationImpersonation" -User [email protected]; Make sure to replace "[email protected]" in the PowerShell command above with the admin account being used for migration. Ignore any errors such as "This operation is not available in current service offer."

  19. Set-ManagementRoleAssignment (ExchangePowerShell)

    When you modify a role assignment, you can specify a new predefined or custom management scope or provide an organizational unit (OU) to scope the existing role assignment. You can create custom management scopes using the New-ManagementScope cmdlet and can view a list of existing scopes using the Get-ManagementScope cmdlet. If you choose not to specify an OU, predefined scope, or custom scope ...

  20. Error: Not found cmdlet: New-ManagementRoleAssignment -Role

    (not found cmdlet: New-ManagementRoleAssignment -Role "ApplicationImpersonation" -User) Sign In Required You need to be signed in and under a current maintenance contract to view premium knowledge articles.

  21. unable to execute New-ManagementRoleAssignment-Role in Exchange online

    Next, look at the permissions required for the feature. You must be assigned one of those role groups, an equivalent custom role group, or an equivalent management role. You can also click on a role group to see its management roles. If a feature lists more than one role group, you only need to be assigned one of the role groups to use the feature.

  22. Get-ManagementRoleAssignment (ExchangePowerShell)

    Get-ManagementRoleAssignment -Role "Mail Recipients" This example retrieves all the role assignments associated with the Mail Recipients management role. Example 5 Get-ManagementRoleAssignment -WritableRecipient Bob -GetEffectiveUsers. This example retrieves a list of all the users and the role assignments that can modify the recipient Bob ...

  23. ApplicationImpersonation permission on new admin role group

    You don't have access to create, change, or remove the "professionalartists.onmicrosoft.com\ApplicationImpersonation-CloudMigratorImpersonation" management role assignment. You must be assigned a delegating role assignment to the management role or its parent in the hierarchy without a scope restriction. Accepted answer. Vasil Michev 96,836 ...