
Granting Mailbox Rights

The global administrator must have the proper impersonation rights to perform Office 365 Exchange mailbox backup and restore.

Impersonation rights can be assigned from:

  - Office 365 Exchange Admin
  - Windows PowerShell

Assign Exchange impersonation rights for Office 365 Exchange Global administrator from Office 365 Exchange Admin:

To assign impersonation rights,

  1. Log in to https://portal.office.com as an Admin.
  2. Click and go to 'Admin'.
  3. On the left navigation bar, click 'Admin centers' and then click 'Exchange'.
  4. In the 'Exchange admin center' page, click 'Admin Roles' under 'Permissions'.
  5. Click to add a new role.
  6. In the 'new role group' window, enter the name as 'Impersonationbackup'.
  7. Under 'Roles' click to add a role.
  8. Select 'ApplicationImpersonation', click 'add' and then click 'OK'.
  9. Under 'Members', click to add a new member to the role group.
  10. Select your admin account, click 'add', and then click 'OK'.
  11. Click 'Save'.

Note: In addition to impersonation rights, we recommend that you assign discovery management rights to the global administrator. For information on assigning discovery management rights, refer to the discovery management FAQ.


Assign Exchange impersonation rights for Office 365 Exchange Global administrator from Windows PowerShell:

You must connect to the Office 365 Exchange server before granting impersonation rights.

To assign impersonation rights,

  1. Open Windows PowerShell with Administrator privileges.
  2. Change the execution policy to remote-signed by executing the following command:

    C:\Windows\system32> Set-ExecutionPolicy RemoteSigned

  3. Connect to the Exchange Online server by executing the following command:

    C:\Windows\system32> $O365Cred = Get-Credential

    Note: Assign global administrator login credentials to a variable, so that the credentials can be included in the connection command.

  4. Create a PSSession to Office 365 by executing the following command:

    C:\Windows\system32> $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $O365Cred -Authentication Basic -AllowRedirection

  5. Execute the following commands to import the PSSession:

    C:\Windows\system32> Import-PSSession $Session

    C:\Windows\system32> Enable-OrganizationCustomization

  6. Assign the Exchange impersonation rights to the global administrator, in the following format:

    New-ManagementRoleAssignment -Name:<assignment name> -Role:ApplicationImpersonation -User:<user account>

    For example:

    C:\Windows\system32> New-ManagementRoleAssignment -Name:backupimpersonation -Role:ApplicationImpersonation -User:"admin@domain.com"

  7. Assign the discovery management rights in the following format:

    Add-RoleGroupMember -Identity "Discovery Management" -Member "Shane@domain.com"

Following is the overall command format:

    PS C:\Windows\system32> Set-ExecutionPolicy RemoteSigned
    PS C:\Windows\system32> $O365Cred = Get-Credential
    PS C:\Windows\system32> $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $O365Cred -Authentication Basic -AllowRedirection
    PS C:\Windows\system32> Import-PSSession $Session
    PS C:\Windows\system32> Enable-OrganizationCustomization
    PS C:\Windows\system32> New-ManagementRoleAssignment -Name:backupimpersonation -Role:ApplicationImpersonation -User:"admin@domain.com"
    PS C:\Windows\system32> Add-RoleGroupMember -Identity "Discovery Management" -Member "Shane@domain.com"
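
A follow-up check for the rights granted above, added here as an example and not part of the original procedure or the vendor's own code: it lists every effective holder of ApplicationImpersonation with its write scope, lists the members of Discovery Management, and then closes the remote session. It assumes the session from the steps above (`$Session`) is still imported; `Get-BackupRightsReport` is a hypothetical helper name.

```powershell
# Added example: review who holds the rights granted in the steps above.
# Assumption: the Exchange Online session ($Session) is open and imported.
# Get-BackupRightsReport is a hypothetical helper name, not a built-in cmdlet.
function Get-BackupRightsReport {
    param(
        [string]$Role      = 'ApplicationImpersonation',
        [string]$RoleGroup = 'Discovery Management'
    )

    # Every assignment of the impersonation role, expanded to effective users
    $impersonation = Get-ManagementRoleAssignment -Role $Role -GetEffectiveUsers |
        Select-Object Name, RoleAssigneeName, EffectiveUserName,
                      RecipientWriteScope, CustomRecipientWriteScope

    # Current members of the discovery role group
    $discovery = Get-RoleGroupMember -Identity $RoleGroup |
        Select-Object Name, RecipientType

    [pscustomobject]@{
        Impersonation = $impersonation
        # Assignments with no custom scope: can impersonate any mailbox in the organization
        OrgWide       = @($impersonation |
                            Where-Object { $_.RecipientWriteScope -eq 'Organization' })
        Discovery     = $discovery
    }
}

$report = Get-BackupRightsReport
$report.Impersonation | Format-Table -AutoSize
$report.Discovery     | Format-Table -AutoSize

if ($report.OrgWide.Count -gt 0) {
    Write-Warning ("{0} effective user(s) hold ApplicationImpersonation with organization-wide scope." -f $report.OrgWide.Count)
}

# Close the remote session once the review is done
Remove-PSSession $Session
```

An assignment created exactly as in step 6 carries no custom scope, so the backup administrator is expected to appear in the organization-wide list; any other entry there is worth reviewing.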