Assign the Exchange ApplicationImpersonation Permission
Enterprise Microsoft 365 subscriptions support assigning the permission to a single user and [...].
There are two methods to assign the Exchange "ApplicationImpersonation" role:
Assign the Exchange ApplicationImpersonation role in the online Exchange Admin Console (recommended). Follow this procedure in the Exchange Admin Console to add the Exchange user mailbox used as the service account for the Riva connection to an admin role that grants it the impersonation permission.
[...]; in the drop-down, select [...]. In the [...] window, provide a name and optionally a description. Select the ApplicationImpersonation role. Select [...], and add the Riva connection user to the list.
Administrators can also use Windows PowerShell: connect to the Exchange Online tenant and issue the cmdlets that assign the ApplicationImpersonation role to the Riva connection user. Without a custom management scope, the assignment carries the default recipient write scope, which covers every mailbox in the organization.
Create a new PowerShell session with Microsoft 365:
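The session and the role assignment this step describes, written out as an added example; it is not Riva's own script and is not taken from the Riva knowledge base. It assumes the ExchangeOnlineManagement module is installed, that the signed-in admin is allowed to create role assignments (Organization Management), and that the service account UPN and the assignment name are placeholders. One caveat a practitioner should know: Microsoft has announced the retirement of the ApplicationImpersonation role in Exchange Online in favour of RBAC for Applications, so in a tenant where that retirement has taken effect the New-ManagementRoleAssignment call below fails and the application has to be granted access through RBAC for Applications instead.

```powershell
# Added example, not Riva's or Microsoft's script. Assumes the ExchangeOnlineManagement
# module and an admin that may create role assignments. UPNs and names are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # interactive sign-in

$ServiceAccount = 'riva-sync@contoso.example'        # assumed UPN of the Riva connection user
$AssignmentName = 'Riva ApplicationImpersonation'     # assumed name for the new assignment

# Only create the assignment if the account does not already hold the role; a second
# New-ManagementRoleAssignment for the same user would add a duplicate assignment.
$existing = Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount `
    -Role ApplicationImpersonation -ErrorAction SilentlyContinue
if (-not $existing) {
    New-ManagementRoleAssignment -Name $AssignmentName `
        -Role ApplicationImpersonation -User $ServiceAccount
}

# Verify what was granted. With no custom scope, RecipientWriteScope is Organization:
# the service account can impersonate every mailbox in the tenant.
Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Role ApplicationImpersonation |
    Format-List Name, Role, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope, Enabled

Disconnect-ExchangeOnline -Confirm:$false
```

The verification step is the one to keep: an assignment whose RecipientWriteScope reads Organization is a tenant-wide mailbox-access grant to a single credential, which is why the scoped variant described later in this article is preferable.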
Assign Delegate Full Access Permissions
There are two methods to assign these permissions:
Assign Delegate Full Access permissions in the Exchange Admin Console (recommended). Follow this procedure in the Microsoft 365 Exchange Admin Console to grant Full Access on the mailbox of each user synced by Riva to the Exchange user mailbox of the service account used in the Riva EWS connection.
Select the mailbox that will grant delegate access (the mailbox of the user being synced), then select [...]. In the list of mailboxes, select the mailbox to grant access to (the Riva service account mailbox), select [...], and on the next pane that appears click [...].
Use PowerShell to Grant Delegate Full Access Permissions
Administrators can also use Windows PowerShell: connect to the Exchange Online tenant and issue cmdlets to assign the permission.
When security policies dictate that full access permissions can be granted only to specific mailboxes, run the Add-MailboxPermission cmdlet against each of those mailboxes. Full Access is a per-mailbox Exchange permission, so it is granted mailbox by mailbox.
When security policies allow full access permissions to be granted for all users, pipe Get-Mailbox into Add-MailboxPermission to bulk-assign the permission to all target user mailboxes except the admin mailbox.
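Both policies above in one script, as an added example (not Riva's own script). It assumes an existing Exchange Online session and uses placeholder UPNs for the service account, the admin account and the synced users; the helper function name is my own.

```powershell
# Added example, not from Riva. Assumes Connect-ExchangeOnline has already been run.
$ServiceAccount = 'riva-sync@contoso.example'   # assumed Riva connection user
$AdminAccount   = 'admin@contoso.example'       # assumed admin mailbox to leave untouched

function Grant-RivaFullAccess {
    # Grants FullAccess on one mailbox to the service account, skipping mailboxes that already
    # have it so the script can be re-run without stacking duplicate ACEs.
    param([Parameter(Mandatory)][string]$Mailbox)

    $already = Get-MailboxPermission -Identity $Mailbox -User $ServiceAccount -ErrorAction SilentlyContinue |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.Deny }
    if ($already) { return }

    # -AutoMapping:$false stops Outlook on the service account from auto-attaching every
    # mailbox it was granted; EWS access does not need auto-mapping.
    Add-MailboxPermission -Identity $Mailbox -User $ServiceAccount `
        -AccessRights FullAccess -InheritanceType All -AutoMapping:$false
}

# Policy A: specific mailboxes only (constructed list of synced users).
'alice@contoso.example', 'bob@contoso.example' | ForEach-Object { Grant-RivaFullAccess -Mailbox $_ }

# Policy B: every user mailbox except the admin mailbox and the service account itself.
# Filtering on UserMailbox keeps shared, room and equipment mailboxes out of the grant.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.UserPrincipalName -notin @($AdminAccount, $ServiceAccount) } |
    ForEach-Object { Grant-RivaFullAccess -Mailbox $_.UserPrincipalName }

# Review the result: which mailboxes the service account can now open, and whether any
# entry is a Deny that would override the grant.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Get-MailboxPermission -User $ServiceAccount |
    Select-Object Identity, AccessRights, IsInherited, Deny
```

Policy B is the one to audit periodically: the final query lists every mailbox the service account can open, and a new user mailbox created after the script ran will not be covered until the script is run again.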
Some customers have reported difficulties with RBAC roles and Exchange Impersonation.
Fully supported steps for assigning Exchange Impersonation using RBAC are described in [...]. Microsoft 365 Enterprise also supports assigning [...].
We recommend using custom attributes. Group membership may be used as the basis for a management scope's RecipientRestrictionFilter property with Exchange Online/Office 365. However, the MemberOfGroup attribute relies on distinguished names, and Microsoft does not currently guarantee that a cloud-hosted organization's distinguished name will remain static: for example, the organization may be moved to a different forest. A filter on a custom attribute that the tenant controls has no such dependency. The custom attributes are listed here for client use:
Microsoft has provided documentation on using custom attributes, on application impersonation, and on adding roles to users or universal security groups.
Our client was using Riva to synchronize Exchange mailboxes, over Exchange Web Services (EWS), with their CRM.
EWS synchronization suddenly stopped.
Impersonation had ceased for the affected users, which caused the sync service to stop.
Furthermore, the client's RecipientFilter hard-coded a value for an attribute controlled by Microsoft.
The management scope (set with Set-ManagementScope) had its recipient filter set to:
RecipientFilter: MemberOfGroup -eq 'CN=Riva Sync Users,OU=mycompany.com,OU=Microsoft Exchange Hosted Organizations,DC=eurprd07,DC=prod,DC=outlook,DC=com'
In this specific case, the problem surfaced because of a change Microsoft had made in its backend: the affected users' organization had been relocated to a different forest, so the group's distinguished name no longer matched the hard-coded filter.
The client resolved the issue by updating the OPATH filter in the RecipientFilter to reference the group's distinguished name in the new forest (DC=EURPR07A002).
Get-ManagementRoleAssignment
This cmdlet is available in on-premises Exchange and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.
Use the Get-ManagementRoleAssignment cmdlet to retrieve management role assignments.
For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.
You can retrieve role assignments in a variety of ways including by assignment type, scope type, or name, and whether the assignment is enabled or disabled. You can also view a list of role assignments that provide access to a specified recipient, server, or database.
For more information about management role assignments, see Understanding management role assignments.
You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
Examples
This example retrieves the Denver Help Desk role assignment using the Get-ManagementRoleAssignment cmdlet and pipes the output to the Format-List cmdlet. For more information about the Format-List cmdlet, see Working with command output.
This example retrieves all the role assignments that are enabled and have been designated as delegating role assignments.
This example retrieves all the role assignments that include the MyGAL recipient-based scope restriction type.
This example retrieves all the role assignments associated with the Mail Recipients management role.
This example retrieves a list of all the users and the role assignments that can modify the recipient Bob.
This example retrieves a list of all exclusive scopes that can modify server objects that match Redmond Executive Servers. The command also lists the users who are effectively assigned the role assignments through role groups or USGs.
This example retrieves all the role assignments that can modify the database Contoso Sales.
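The example descriptions above have lost their command lines. As an added example (my own audit script, not Microsoft's documentation examples), the queries below exercise the same parameters for the question a security reviewer actually asks of this cmdlet: who can touch which mailboxes, and through what path. It assumes an Exchange Online or on-premises shell session; the mailbox and account names are placeholders.

```powershell
# Added example, not Microsoft's own. Assumes an Exchange session is already open.
# Names below are placeholders.

# Who holds ApplicationImpersonation, expanded through role groups and USGs to the
# individual accounts (EffectiveUserName) rather than the group that was assigned.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object Name, EffectiveUserName, RoleAssigneeType, RecipientWriteScope, CustomRecipientWriteScope, Enabled

# Active assignments that are delegating: a holder of one can hand the role to others,
# so these are the privilege-escalation paths in the RBAC graph.
Get-ManagementRoleAssignment -Enabled $true -Delegating $true |
    Select-Object Name, Role, RoleAssigneeName, RoleAssigneeType

# Assignments bound to an exclusive recipient scope; exclusive scopes override regular ones,
# so they decide who may act on the recipients they cover.
Get-ManagementRoleAssignment -RecipientWriteScope ExclusiveRecipientScope -GetEffectiveUsers |
    Select-Object Name, Role, EffectiveUserName, ExclusiveRecipientWriteScope

# Reverse lookup for one sensitive mailbox: every assignment, and every effective user,
# whose role and scope allow that recipient to be modified.
Get-ManagementRoleAssignment -WritableRecipient 'ceo@contoso.example' -GetEffectiveUsers |
    Select-Object Role, EffectiveUserName, AssignmentMethod, RecipientWriteScope

# Everything one account holds, whether assigned directly or inherited through a role group,
# USG or assignment policy (AssignmentMethod tells you which).
Get-ManagementRoleAssignment -RoleAssignee 'riva-sync@contoso.example' |
    Select-Object Name, Role, AssignmentMethod, RecipientWriteScope, Enabled
```

Two points from the parameter reference below matter when adapting this: -RoleAssignee and -Identity cannot be combined, and without -GetEffectiveUsers the results name the role group or USG, not the people inside it, which is the answer that usually matters in a review.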
Parameters
-AssignmentMethod
The AssignmentMethod parameter specifies the type of role assignment to include in the results returned by the cmdlet. You can specify one or more of the following values:
If you provide more than one value, separate each value with a comma.
You must specify a value with the RoleAssignee parameter if you use the AssignmentMethod parameter.
Type: AssignmentMethod[]
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection
-ConfigWriteScope
The ConfigWriteScope parameter specifies the type of management configuration scope to include in the results returned by the cmdlet. The valid values are None, OrganizationConfig, CustomConfigScope, and ExclusiveConfigScope.
Type: ConfigWriteScopeType
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection
-CustomConfigWriteScope
This parameter is available only in on-premises Exchange.
The CustomConfigWriteScope parameter returns only the regular role assignments that include the specified configuration-based regular scope.
This parameter can only be used to retrieve regular configuration-based scopes. To retrieve a list of exclusive configuration-based scopes, use the ExclusiveConfigWriteScope parameter instead.
If the scope name contains spaces, enclose it in quotation marks (").
Type: ManagementScopeIdParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019
-CustomRecipientWriteScope
The CustomRecipientWriteScope parameter returns only the regular role assignments that include the specified recipient-based regular scope.
This parameter can only be used to retrieve regular recipient-based scopes. To retrieve a list of exclusive recipient-based scopes, use the ExclusiveRecipientWriteScope parameter instead.
Type: ManagementScopeIdParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection
-Delegating
The Delegating parameter specifies whether delegating or regular role assignments should be returned.
By default, both delegating and regular role assignments are returned. To return only delegating role assignments, specify a value of $true. To return only regular role assignments, specify a value of $false.
Type: Boolean
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection
-DomainController
The DomainController parameter specifies the domain controller that's used by this cmdlet to read data from or write data to Active Directory. You identify the domain controller by its fully qualified domain name (FQDN). For example, dc01.contoso.com.
Type: Fqdn
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019
-Enabled
The Enabled parameter specifies whether enabled or disabled role assignments should be returned. To return enabled role assignments, specify a value of $true. To return disabled role assignments, specify a value of $false.
-Exclusive
The Exclusive parameter specifies whether exclusive or regular role assignments should be returned.
By default, both exclusive and regular role assignments are returned. To return only exclusive role assignments, specify a value of $true. To return only regular role assignments, specify a value of $false.
-ExclusiveConfigWriteScope
The ExclusiveConfigWriteScope parameter returns only the exclusive role assignments that include the specified configuration-based exclusive scope.
This parameter can only be used to retrieve exclusive configuration-based scopes. To retrieve a list of regular configuration-based scopes, use the CustomConfigWriteScope parameter instead.
-ExclusiveRecipientWriteScope
The ExclusiveRecipientWriteScope parameter returns only the exclusive role assignments that include the specified recipient-based exclusive scope.
This parameter can only be used to retrieve exclusive recipient-based scopes. To retrieve a list of regular recipient-based scopes, use the CustomRecipientWriteScope parameter instead.
-GetEffectiveUsers
The GetEffectiveUsers switch specifies that the command should show the list of users in the role groups, role assignment policies, or USGs that are associated with the role assignment. You don't need to specify a value with this switch.
Effectively, users are associated with the role assignment through their role group, role assignment policy, or USG memberships.
Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection
-Identity
The Identity parameter specifies the name of the role assignment to retrieve. If the name of the role assignment contains spaces, enclose it in quotation marks ("). If the RoleAssignee parameter is used, you can't use the Identity parameter.
Type: RoleAssignmentIdParameter
Position: 1
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection
-RecipientAdministrativeUnitScope
This parameter is functional only in the cloud-based service.
The RecipientAdministrativeUnitScope parameter returns only the role assignments that include the specified administrative unit.
Administrative units are Microsoft Entra containers of resources. You can view the available administrative units by using the Get-AdministrativeUnit cmdlet.
Type: AdministrativeUnitIdParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection
-RecipientGroupScope
This parameter is available only in the cloud-based service.
The RecipientGroupScope parameter returns only the role assignments that are scoped to groups. You can use any value that uniquely identifies the group: Name, DistinguishedName, GUID, DisplayName.
Type: GroupIdParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Online, Exchange Online Protection
-RecipientOrganizationalUnitScope
The RecipientOrganizationalUnitScope parameter returns only the role assignments that include the specified organizational unit (OU). If the OU tree contains spaces, enclose it in quotation marks (").
Type: OrganizationalUnitIdParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection
-RecipientWriteScope
The RecipientWriteScope parameter returns only the role assignments associated with the recipient scope restriction type specified. The valid values are None, MyGAL, Self, OU, CustomRecipientScope, MyDistributionGroups and ExclusiveRecipientScope.
Type: RecipientWriteScopeType
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection
-Role
The Role parameter returns only the role assignments associated with the specified management role. If the name of the role contains spaces, enclose it in quotation marks (").
Type: RoleIdParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection
-RoleAssignee
The RoleAssignee parameter specifies the role group, assignment policy, user, or universal security group (USG) for which you want to view role assignments. If the RoleAssignee parameter is used, you can't use the Identity parameter.
By default, the command returns both direct role assignments to the role assignee and indirect role assignments granted to a role assignee through role groups or assignment policies.
If the name of the user or USG contains spaces, enclose it in quotation marks (").
Type: RoleAssigneeIdParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection
-RoleAssigneeType
The RoleAssigneeType parameter specifies the type of role assignee to return. The valid values are User, SecurityGroup, RoleAssignmentPolicy, ForeignSecurityPrincipal, RoleGroup, LinkedRoleGroup and Computer.
Type: RoleAssigneeType
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection
-WritableDatabase
The WritableDatabase parameter specifies the database object you want to test to determine which role assignments allow it to be modified. The command takes into account the roles and scopes associated with each role assignment. You can use any value that uniquely identifies the database. For example:
If you use this parameter with the GetEffectiveUsers switch, all the users who can modify the database object indirectly through role groups and USGs are also returned. Without the GetEffectiveUsers switch, only the role groups, users and USGs directly assigned the role assignment are returned.
Type: DatabaseIdParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019
-WritableRecipient
The WritableRecipient parameter specifies the recipient object you want to test to determine which role assignments allow it to be modified. The command takes into account the roles and scopes associated with each role assignment. If the recipient name contains spaces, enclose it in quotation marks (").
If this parameter is used with the GetEffectiveUsers switch, all of the users who can modify the recipient object indirectly through role groups and USGs are also returned. Without the GetEffectiveUsers switch, only the role groups, users and USGs directly assigned the role assignment are returned.
Type: GeneralRecipientIdParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection
-WritableServer
The WritableServer parameter specifies the server object you want to test to determine which role assignments allow it to be modified. The command takes into account the roles and scopes associated with each role assignment.
You can use any value that uniquely identifies the server. For example:
If this parameter is used with the GetEffectiveUsers switch, all of the users who can modify the server object indirectly through role groups and USGs are also returned. Without the GetEffectiveUsers switch, only the role groups, users and USGs directly assigned the role assignment are returned.
Type: ServerIdParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Applies to: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019
Input types
To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn't accept input data.
Output types
To see the return types, which are also known as output types, that this cmdlet returns, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn't return data.
Configure impersonation
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers. Update: You can also use the sample ApplicationImpersonation reporting script posted on GitHub. This script produces a report of the third-party EWS applications in Microsoft 365 that use accounts with the ApplicationImpersonation RBAC role assigned.
To create a new impersonation role assignment, use the following cmdlet: New-ManagementRoleAssignment -Role:ApplicationImpersonation -User:[email protected]. [Figure: Creating a new impersonation role assignment using PowerShell.] You can further restrict the service user by building a management scope that filters on the RecipientTypeDetails property; in this example ...
To grant ApplicationImpersonation rights via PowerShell: log in to Office 365 via PowerShell, then use the following sample cmdlet to apply ApplicationImpersonation rights directly to your migration admin user account(s): New-ManagementRoleAssignment -Role "ApplicationImpersonation" -User [email protected]. Repeat the ...
Some parameters and settings may be exclusive to one environment or the other. Use the New-ManagementRoleAssignment cmdlet to assign a management role to a management role group, management role assignment policy, user, or universal security group (USG). For information about the parameter sets in the Syntax section below, see Exchange cmdlet ...
where <account name> is the name of the administrator account (on the target server) that you want to check. Add impersonation rights: New-ManagementRoleAssignment -Name:<impersonation Assignment Name> -Role:ApplicationImpersonation -User: "<account name>". where <impersonation Assignment Name> is the name of your choice for this assignment.
The easy way: no management scope. The service account will have access to all calendars, regardless of type. 1. In the Exchange Management Shell, run: New-ManagementRoleAssignment -Role:ApplicationImpersonation -User:YOURSERVICEACCOUNTUSERNAMEHERE. Remember to replace the User value to match your service account.
To apply the Application Impersonation role to your admin account, run the following command in a PowerShell session on your Exchange server. Replace ADMIN with the email address of your admin user. New-ManagementRoleAssignment -Name "CloudMMigrateImpersonation" -Role "ApplicationImpersonation" -User ADMIN.
New-ManagementRoleAssignment -Name:<impersonation Assignment Name> -Role:ApplicationImpersonation -User:"<account name>". Here, <impersonation Assignment Name> is a name of the user's choice that must be unique. Remove impersonation rights in Office 365 using PowerShell: to remove an impersonation role assignment, run the following command:
When you modify a role assignment, you can specify a new predefined or custom management scope or provide an organizational unit (OU) to scope the existing role assignment. You can create custom management scopes using the New-ManagementScope cmdlet and can view a list of existing scopes using the Get-ManagementScope cmdlet. If you choose not to specify an OU, predefined scope, or custom scope ...
The term 'New-ManagementRoleAssignment' is not recognized as the name of a cmdlet, function, script file, or operable According to my friend, this might be the problem of not using the Exchange server using the Admin, but I am logging in to the Windows server using the admin account.
New-ManagementRoleAssignment -Name: "R_Mailsend" -Role:ApplicationImpersonation -CustomRecipientWriteScope: "S_Mailsend" -User: "[email protected]" Unfortunately I get the message "550 5.7.60 SMTP; Client does not have permissions to send as this sender". Where is the error?
I tried to create a New-ManagementRoleAssignment: New-ManagementRoleAssignment -Name "ImpersonationRole" -Role ApplicationImpersonation -User "Administrator@domain". Next I tried to set/change
Microsoft Exchange Server 2010 uses Role-Based Access Control (RBAC) to assign permissions to accounts. You can use the New-ManagementRoleAssignment Exchange Management Shell cmdlet to assign the ApplicationImpersonation role to users in the organization. For more information about this cmdlet, see New-ManagementRoleAssignment on Microsoft TechNet.
Run the New-ManagementRoleAssignment cmdlet (as shown below) to grant the service account permission to impersonate all the users in the organization. Note: The Name parameter specifies the name of the new role assignment. The Role parameter indicates that the ApplicationImpersonation role is assigned to the user specified by the User parameter.
New-ManagementRoleAssignment -Role "View-Only Configuration" -User "Anna White". You can check if the assignment was successful via the following cmdlet: Get-ManagementRoleAssignment -RoleAssignee "<UserName>". You can also use this cmdlet to see all the roles assigned to any user. By default, each Exchange user is assigned some roles that ...
Important. A process or application that's a member of the ApplicationImpersonation role can access the contents of a user's mailbox and act on behalf of that user, even if the user's account is disabled. This might let users access their mailboxes if you have applications, like Blackberry Enterprise Server, that use the ApplicationImpersonation role. Third-party products that don't use the ...
To configure impersonation for all users in an organization: open the Exchange Management Shell (from the Start menu, choose All Programs > Microsoft Exchange Server 2013), then run the New-ManagementRoleAssignment cmdlet to add the impersonation permission to the specified user. The following example shows how to configure impersonation to enable a ...
New-ManagementRoleAssignment -Role ApplicationImpersonation -User [email protected] Optional steps 1 and 2: Limit impersonation access to specific mailboxes. Here we create a new management scope that is filtered to a subset of mailboxes, then apply the management scope to the impersonation role.
To assign a management role after the assignment policy has been created, use the New-ManagementRoleAssignment cmdlet. For more information, see Manage role assignment policies. For more information about assignment policies, see Understanding management role assignment policies. You need to be assigned permissions before you can run this cmdlet.