Streamline Exchange Migrations by using Impersonation

Streamline Exchange Migrations by using Impersonation

If you’ve been asked to manage a tenant-to-tenant Exchange migration, you’ll want to know how to use impersonation. Impersonation allows someone with administrative access to perform operations on multiple mailboxes so the migration can be completed quickly and efficiently. This article provides an overview of when to use this impersonation, how to prepare, and step-by-step procedures for both bulk and individual impersonations.

When to use impersonation

Impersonation is used when a service application, like MigrationWiz, needs access to multiple mailboxes. When used during a migration, it gives you the ability to “act as” the mailbox owners, using the permissions associated with each user’s account. This way you can perform necessary operations on all mailboxes at once.

Microsoft Exchange impersonation can be used with Exchange Online, Exchange Online as part of Office 365, and versions of Exchange starting with Exchange 2013. In Exchange, you will create a new administrator role to perform the migration with impersonation, and when you’re finished with the migration you can delete the role.

Preparing for impersonation

Before getting started with your migration, there are a few things to check off your list. Add these tasks to your migration plan so you’re not slowed down during implementation:

  • Be sure Exchange management tools are installed on the computer from which you will run commands.
  • Obtain administrative credentials for the Exchange server as well as domain administrator credentials. Make sure you have the correct permissions to create and assign roles and scopes.
  • Verify that management scope is set to limit impersonation to specified accounts. Without these limits, the account impersonation role is granted to all accounts in an organization. Service accounts should be created in line with the security requirements of the organization.

Before getting started, it’s important to understand how the following terms are used in impersonation:

  • Name: The name of the role assignment
  • User: The service account
  • Role: The role to be assigned using role-based access control (RBAC)
  • ApplicationImpersonation role: The role that lets a caller impersonate all users
  • New-ManagementScope: This cmdlet allows you to create custom management scopes
  • Get-ManagementAssignment: Use this cmdlet to verify role assignments

Impersonate all users

For most tenant-to-tenant migration projects, it’s likely you’ll need to impersonate all users. Follow these steps:

  1. Open the Exchange Management Shell. From the Start menu, choose All Programs > Microsoft Exchange Server.
  2. Run the New-ManagementRoleAssignment cmdlet to add the impersonation permission to the specified user.

Here’s an example:

New-ManagementRoleAssignment -name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount

Impersonate a group or individual

There are times when you’ll only need to impersonate a specific group or an individual. When that’s the case, there’s an added step in which you will create or identify a management scope:

  1. Open the Exchange Management Shell. From the Start menu, choose All Programs > Microsoft Exchange Server.
  2. Run the New-ManagementScope cmdlet to create a scope to which the impersonation role can be assigned. If an existing scope is available, you can skip this step. Here’s an example for creating a management scope for a specific group:
New-ManagementScope -Name:scopeName -RecipientRestrictionFilter:recipientFilter

The RecipientRestrictionFilter parameter of the New-ManagementScope cmdlet defines the members of the scope. You can use the properties of the Identity object to create the filter. The following example is a filter that restricts the result to a single user with the user name "john."

Name -eq "john"
  1. Once you’ve defined or identified the scope, run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate the members of the specified scope. Here’s an example of how to configure a service account to impersonate users within a specific scope:
New-ManagementScope -Name:scopeName -RecipientRestrictionFilter:recipientFilter

For more tips to streamline your migrations, check out our extensive free resources. If you need help with a specific migration, contact BitTitan support.

*Official Microsoft documentation was referenced in the writing of this article.

Share this Post: