Granting Impersonation Rights

ARCHIVE uses PowerShell over EWS to communicate with Exchange and with Exchange Online in Office 365. The archive job logs in to each specified account using a single administrative account, so this account must have access rights to every account it needs to archive. This is done through impersonation rights (also called application impersonation), which give a single user the ability to access all other accounts or individually specified accounts.

ARCHIVE requires an administration account. This account can be a global administrator or a standard user account, as long as it has been granted impersonation rights to the other accounts and is a member of the "Exchange Management Group" (Full or Read/Only).

How to Grant Impersonation Rights on Office 365

  • To grant impersonation rights, use one of the following workstations: Windows 10, Windows 8.1, Windows Server 2016, Windows Server 2012 / 2012 R2, Windows 7 SP1 or Windows Server 2008 R2 SP1.
  • NOTE
    Microsoft .NET Framework 4.5 or later and Windows Management Framework 3.0 or 4.0 are required and should already be present on Windows Server 2012 and higher.
  • Run Windows PowerShell as Administrator by right-clicking it in the menu. Enter the following commands in the PowerShell window:
  • PS>Set-ExecutionPolicy RemoteSigned
  • PS>$UserCredential = Get-Credential
  • This prompts for the credentials of the O365 global admin user.
  • PS>$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
  • A remote PowerShell session with O365 is created.
  • PS>Import-PSSession $Session
  • Exchange PowerShell commands are imported.
  • PS>New-ManagementRoleAssignment -Name:NMArchiveImpersonation -Role:ApplicationImpersonation -User "Globaladmin@tenant.onmicrosoft.com"
  • This gives the user access to all accounts on the tenant.
  • PS>Remove-PSSession $Session
  • The remote PowerShell session closes.

How to Grant Impersonation Rights On-Premise

  • To grant impersonation rights, log in to one of your Exchange servers.
  • If you don’t already have a service account/mailbox that can be used, create a mailbox in Exchange before proceeding.
  • Open an Exchange Management Shell.
  • Run the command below with the appropriate changes:
  • PS>New-ManagementRoleAssignment -Name:NMArchiveImpersonation -Role:ApplicationImpersonation -User "theServiceAccountMailbox@mydomain.com"

This gives the user access to all accounts in the Exchange Organization.
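Both procedures above grant impersonation over every mailbox. The following added example (not part of the ARCHIVE documentation) shows the "individually specified accounts" alternative: it limits the assignment to members of one group and then checks which impersonation assignments the account holds. The group, scope and assignment names are hypothetical, and it assumes ARCHIVE is configured to archive only mailboxes inside that group.

```powershell
# Added example. Run inside the Exchange PowerShell session from the steps above
# (after Import-PSSession for Office 365, or in the Exchange Management Shell
# on-premises).

# Assumed names: replace with your own values.
$ServiceAccount = 'theServiceAccountMailbox@mydomain.com'  # account used by the archive job
$GroupName      = 'ArchiveUsers'                  # hypothetical group holding the mailboxes to archive
$ScopeName      = 'NMArchiveScope'                # hypothetical management scope name
$AssignmentName = 'NMArchiveImpersonationScoped'  # hypothetical role assignment name

# 1. Build a management scope that matches only members of the group.
#    The filter needs the group's distinguished name; single quotes are
#    doubled so that a quote in the DN cannot break the filter string.
$groupDn = (Get-DistributionGroup -Identity $GroupName -ErrorAction Stop).DistinguishedName
$filter  = "MemberOfGroup -eq '{0}'" -f $groupDn.Replace("'", "''")
New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter $filter `
    -ErrorAction Stop | Out-Null

# 2. Grant ApplicationImpersonation restricted to that scope.
New-ManagementRoleAssignment -Name $AssignmentName -Role ApplicationImpersonation `
    -User $ServiceAccount -CustomRecipientWriteScope $ScopeName `
    -ErrorAction Stop | Out-Null

# 3. List every impersonation assignment the account now holds.
$assignments = Get-ManagementRoleAssignment -Role ApplicationImpersonation `
    -RoleAssignee $ServiceAccount
$assignments | Format-Table Name, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 4. Role assignments are additive: an older organization-wide assignment
#    (such as NMArchiveImpersonation from the steps above) still grants access
#    to all mailboxes until it is removed. The cast to [string] keeps the
#    comparison correct for deserialized objects from a remote session.
$orgWide = @($assignments | Where-Object { [string]$_.RecipientWriteScope -eq 'Organization' })
if ($orgWide.Count -gt 0) {
    Write-Warning ('Organization-wide impersonation still assigned: ' +
        (($orgWide | ForEach-Object { $_.Name }) -join ', '))
    # After review, remove each one, for example:
    # Remove-ManagementRoleAssignment -Identity 'NMArchiveImpersonation'
}
```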