Configuring Application Impersonation
Application Impersonation is used where a single account needs to access many mailboxes. It allows an application (e.g. NovaBACKUP Granular Restore) to use a dedicated service account to access multiple users' mailboxes and their respective data. This guide describes how to configure Application Impersonation in your environment, to allow us to access your mailboxes as a named user.
Exchange 2016 / 2013 / 2010
For Exchange 2016 / 2013 / 2010 the user selected as the master mailbox must be:
- Mailbox enabled.
- Assigned the Application Impersonation management role. To configure this permission:
  1) Open an Exchange Management Shell with a logon containing the Organization Management role.
  2) Run the following command:
     New-ManagementRoleAssignment -Name:exchangeImpersonation -Role:ApplicationImpersonation -User:User1
     Where User1 is the user account selected to run the Mimecast Synchronization Engine or Sync & Recover service.
  3) Check that the user has been successfully added to the management role by running the following command:
     Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers | Where { $_.EffectiveUserName -Eq "User1" }
     Where User1 and the 'Name' value (exchangeImpersonation) are the same ones used in step 2.
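The two commands above as one idempotent script (an added example, not part of the original article): it checks the mailbox-enabled prerequisite first, creates the role assignment only if the account does not already hold one, and then verifies the effective assignment. It assumes an Exchange Management Shell session; User1 and exchangeImpersonation are the placeholders from the steps above.

```powershell
# Added example, not from the original article. Placeholders: 'User1', 'exchangeImpersonation'.
$ServiceAccount = 'User1'                  # the master mailbox / service account
$AssignmentName = 'exchangeImpersonation'  # same Name value as in step 2 above

# 1. Prerequisite from the checklist: the account must be mailbox-enabled.
$mbx = Get-Mailbox -Identity $ServiceAccount -ErrorAction SilentlyContinue
if (-not $mbx) {
    throw "$ServiceAccount is not mailbox-enabled; enable the mailbox before assigning the role."
}

# 2. Create the assignment only once. Re-running New-ManagementRoleAssignment with a Name
#    that already exists fails, so check for an existing assignment to this account first.
$existing = Get-ManagementRoleAssignment -Role ApplicationImpersonation `
    -RoleAssignee $ServiceAccount -ErrorAction SilentlyContinue
if (-not $existing) {
    New-ManagementRoleAssignment -Name $AssignmentName -Role ApplicationImpersonation -User $ServiceAccount
} else {
    Write-Host "Existing ApplicationImpersonation assignment(s) for ${ServiceAccount}: $($existing.Name -join ', ')"
}

# 3. Verify, as in step 3 above, that the role is effective for the account, and show how
#    far its write scope reaches ('Organization' means every mailbox in the organization).
$effective = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq $ServiceAccount }
if ($effective) {
    $effective | Format-Table Name, RoleAssignee, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
} else {
    Write-Warning "$ServiceAccount does not hold ApplicationImpersonation; check the assignment."
}
```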
Exchange 2007
For Exchange 2007 the user selected as the Master Mailbox must be mailbox-enabled and have the following permissions:
- Exchange Web Services Impersonation permission over the Client Access Server(s) in the Exchange Organization.
- The "May Impersonate Extended Active Directory" right for all mailbox databases.
These permissions can be configured by:
- Configuring the Exchange Web Services Impersonation permission on all Client Access servers.
- Configuring the May Impersonate Extended Active Directory Right on all Mailbox databases.
Configuring the Exchange Web Services Impersonation Permission on all Client Access Servers
To configure the Exchange Web Services Impersonation permission on all Client Access servers in the Organization:
- Open an Exchange Management Shell with a logon containing the Organization Management role.
- Run this command:
Get-ExchangeServer | Where-Object {$_.IsClientAccessServer -eq $true} | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User (Get-User -Identity User1).Identity -ExtendedRights ms-Exch-EPI-Impersonation}
Where User1 is the user account selected to run the Mimecast Synchronization Engine service, or Sync & Recover service.
This applies the permission to your existing Client Access Servers only. If you add new Client Access Servers later, you will need to re-run this command to apply the permission to the newly added server.
Configuring the May Impersonate Extended Active Directory Right on all Mailbox Databases
To configure the May Impersonate Extended Active Directory Right on all Mailbox databases:
- Open an Exchange Management Shell with a logon containing the Organization Management role.
- Run this command:
Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User User1 -ExtendedRights ms-Exch-EPI-May-Impersonate}
Where User1 is the user account selected to run the Mimecast Synchronization Engine service, or Sync & Recover service.
This applies the permission to your existing mailbox databases only. If you add new mailbox databases later, you will need to re-run this command to apply the permission to the newly added database.
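Because both Exchange 2007 commands above only cover the servers and databases that exist when they run, a check that reports which objects still lack the right is useful after adding a server or database. The following is an added example, not part of the original article; it assumes an Exchange 2007 Management Shell, uses Get-ADPermission to read the ACEs the two Add-ADPermission commands create, and treats User1 as a placeholder.

```powershell
# Added example, not from the original article. Placeholder: 'User1'.
$ServiceAccount = 'User1'

function Test-ExtendedRight {
    param([string]$Identity, [string]$Right)
    # Get-ADPermission lists the ACEs on the object; we need an Allow ACE for the
    # service account that carries the requested extended right.
    $aces = Get-ADPermission -Identity $Identity -User $ServiceAccount -ErrorAction SilentlyContinue
    $granted = $aces | Where-Object {
        -not $_.Deny -and (($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains $Right)
    }
    return [bool]$granted
}

function Get-ImpersonationRightsReport {
    # One row per Client Access server and per mailbox database, with the right each needs.
    $report = @()
    Get-ExchangeServer | Where-Object { $_.IsClientAccessServer -eq $true } | ForEach-Object {
        $report += New-Object PSObject -Property @{
            Object = $_.Name; Type = 'ClientAccessServer'; Right = 'ms-Exch-EPI-Impersonation'
            Granted = Test-ExtendedRight -Identity $_.DistinguishedName -Right 'ms-Exch-EPI-Impersonation'
        }
    }
    Get-MailboxDatabase | ForEach-Object {
        $report += New-Object PSObject -Property @{
            Object = $_.Name; Type = 'MailboxDatabase'; Right = 'ms-Exch-EPI-May-Impersonate'
            Granted = Test-ExtendedRight -Identity $_.DistinguishedName -Right 'ms-Exch-EPI-May-Impersonate'
        }
    }
    $report
}

$report = Get-ImpersonationRightsReport
$report | Select-Object Object, Type, Right, Granted | Format-Table -AutoSize
# Objects reported as Granted = False are the ones to re-run the matching Add-ADPermission command for.
$missing = @($report | Where-Object { -not $_.Granted })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} object(s) lack the impersonation right for {1}." -f $missing.Count, $ServiceAccount)
}
```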
Office 365
For Office 365 the user selected as the master mailbox needs to have the Application Impersonation management role. This role can be configured by following these steps:
- Log on to the Office 365 Admin Center.
- Select Exchange from the admin list in the navigation bar on the left of the screen to launch the Exchange Admin Center.
- Select Permissions from the navigation bar on the left of the screen.
- While on the Admin Roles page select the + icon to add a new role.
- Enter a Name for the new role.
- In the Roles section select the + icon and add the Application Impersonation role.
- Click OK.
- In the Members section select the + icon and add the user that you want to enable the role for.
- Click Save. This completes the configuration.
Office 365 Hybrid Environments
In Office 365 hybrid environments the master mailbox will need impersonation rights to both the On-Premises and the Office 365 hosted mailboxes. Consider using a mailbox hosted On-Premises for this to simplify the configuration, and ensure that you apply the Application Impersonation role in both the On-Premises environment and Office 365.
--------------------------------------------------------------------------------------------------------------------
For more help, we have alternate instructions for Office 365 with screenshots here:
1) How To Configure Application Impersonation in Office 365 Using Exchange Admin Portal?
The Application Impersonation feature is available on Microsoft Exchange Server 2007 or higher and on Microsoft Office 365 plan E3. To set up Application Impersonation using the Office 365 Exchange Admin Portal, carry out the following steps.
- Log in to the Office 365 Exchange Admin Portal (skip step 2 if you log in with this link).
- Go to the Admin center and select Exchange.
- Go to Permissions > click the “+” icon to create a new role group > provide a name and description for the role group > select ApplicationImpersonation by clicking the “+” icon in Roles > click Add, then click OK.
- Click the “+” icon in Members and select the admin mailbox > click Add, then click OK.
- After setting up the roles and members, click Save.
The above steps grant Application Impersonation rights in Office 365 to the admin users that need them. If you plan to migrate and back up all users’ mailboxes at once with impersonation using the NovaBACKUP Granular Restore application, you have to grant a few more permissions as shown below.
Provide Full Access Permission To Admin Mailbox
Go to Recipients in the Exchange Admin center > double-click each mailbox > click Mailbox Delegation > give Full Access permission to the admin mailbox > finally, click Save. That’s it.
Note: In the above screenshots, I have given permission for one mailbox; in this way you can give Full Access permission to each mailbox you want to back up or migrate using Impersonate Export.
2) Setting Up The Application Impersonation Role In Office 365 (Exchange Online) Using Windows PowerShell
Pre-requirements:
- Administrative credentials for the Exchange server.
- Domain Administrator credentials, or other credentials with the permission to create and assign roles and scopes.
- Exchange management tools. These are installed on the computer from which you will run the commands.
How To Configure Impersonation For All Users In An Organization?
If you are familiar with Windows PowerShell commands and want to know how to grant application impersonation rights in Office 365 using PowerShell, the steps below show how you can give impersonation rights to all Office 365 users in your organization with the following commands:
- In the very first step, open the Exchange Management Shell: choose All Programs from the Start menu, then Microsoft Exchange Server 2013.
- Run the New-ManagementRoleAssignment cmdlet to grant the impersonation permission to the required user. The following example shows how to grant Application Impersonation so that a service account can impersonate all other users in an organization.
New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount
How To Set Up Impersonation For Specific Users Or Groups Of Users?
To assign the application impersonation role for specific users or groups of users, run the following commands.
- 1) Open the Exchange Management Shell, as in step 1 above.
- 2) Run the New-ManagementScope cmdlet to create a scope to which the impersonation role can be assigned. You can skip this step if an existing scope is available. The following example shows how to create a management scope for a specific group.
New-ManagementScope -Name:scopeName -RecipientRestrictionFilter:recipientFilter
- 3) Run the New-ManagementRoleAssignment cmdlet to configure the permission to impersonate the users in the specified scope.
New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount -CustomRecipientWriteScope:scopeName
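The scoped assignment above, carried through with a concrete recipient filter, followed by an audit of every ApplicationImpersonation assignment in the organization so that org-wide grants (the "all users" form from the previous section) can be spotted and reviewed. This is an added example, not part of the original article; it assumes an Exchange Management Shell or Exchange Online PowerShell session, and the group DN, scope name, assignment name and service account are placeholders.

```powershell
# Added example, not from the original article. All names and the group DN are placeholders.
$ServiceAccount = 'serviceAccount'
$GroupDN        = 'CN=Backup Mailboxes,OU=Groups,DC=example,DC=com'  # only members of this group may be impersonated
$ScopeName      = 'scopeName'
$AssignmentName = 'impersonationAssignmentName'

# (1) Scoped grant. A MemberOfGroup recipient filter takes the group's distinguished name,
#     so the recipientFilter placeholder from step 2 becomes:
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter "MemberOfGroup -eq '$GroupDN'"
}
if (-not (Get-ManagementRoleAssignment -Identity $AssignmentName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $AssignmentName -Role ApplicationImpersonation `
        -User $ServiceAccount -CustomRecipientWriteScope $ScopeName
}

# (2) Audit: who holds ApplicationImpersonation, and how far each assignment reaches.
function Get-ImpersonationAudit {
    Get-ManagementRoleAssignment -Role ApplicationImpersonation -Enabled $true | ForEach-Object {
        $scopeFilter = $null
        if ($_.CustomRecipientWriteScope) {
            # Resolve the custom scope so the report shows the actual recipient filter.
            $scopeFilter = (Get-ManagementScope -Identity $_.CustomRecipientWriteScope).RecipientFilter
        }
        [pscustomobject]@{
            Assignment   = $_.Name
            Assignee     = $_.RoleAssignee
            AssigneeType = $_.RoleAssigneeType
            WriteScope   = $_.RecipientWriteScope   # 'Organization' = every mailbox, no scope applied
            ScopeFilter  = $scopeFilter
            OrgWide      = ($_.RecipientWriteScope -eq 'Organization')
        }
    }
}

$audit = Get-ImpersonationAudit
$audit | Format-Table -AutoSize
$audit | Where-Object { $_.OrgWide } | ForEach-Object {
    Write-Warning "'$($_.Assignee)' can impersonate every mailbox via assignment '$($_.Assignment)'."
}
```

Assignments reported with WriteScope = Organization are the ones to revisit: if the account only needs a subset of mailboxes, replace them with a scoped assignment as in part (1).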
Related articles
Configure impersonation (at Microsoft Docs)
Configuring Exchange Impersonation in Exchange 2010 (Microsoft Docs)
Exchange Impersonation vs. Delegate Access (at Microsoft Docs)