Tips and Tricks

M365: How To Enable Application Impersonation

Log on to Exchange Admin Center (EAC): https://admin.exchange.microsoft.com/

Note: some forums mention that some features of EAC work better in an Edge browser than in Chrome.

Go to Roles > Admin roles > Add role group

Give the new role group a meaningful name

Under Permissions, choose Application Impersonation

Choose the user you'd like to assign this permission to

Note: the user you choose will be able to access the mailboxes of every mail-enabled user in the organization, but only through the EWS protocol. The user will not be able to view emails by logging in to the other users' accounts; however, an application configured with this user will be able to, for example, download emails by impersonating the other users (hence the name Application Impersonation).

Always try to limit the access rights of such users to the bare minimum (e.g. do not use a global admin as the Application Impersonation user).

Review your settings and Finish the wizard.

Troubleshooting

Sometimes (more often than not), you can run into the errors below when trying to save the new role group:

image-1689002404159.png

Or:

image-1689003983020.png

In this case, you need to run the Enable-OrganizationCustomization cmdlet from PowerShell.

Open PowerShell.

Optional

If you don't have the ExchangeOnlineManagement module installed, run:

Install-Module -Name ExchangeOnlineManagement 

If prompted, type Y to install the repository.

Run

Import-Module -Name ExchangeOnlineManagement

Then

Connect-ExchangeOnline

A new window will open, just like when you log in to O365 through a browser.

Enter your username and password (and complete the MFA prompt) to authenticate.

The cmdlets are imported and a connection is made to the organization the authenticated user belongs to.
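
The PowerShell steps above as one script, written as an added example (it is not part of the original page). It goes beyond the page by also listing who already holds Application Impersonation and by scoping a new assignment to one group of mailboxes instead of the whole organization, in line with the "bare minimum" advice above. The account, group, scope and assignment names are hypothetical placeholders.

```powershell
# Added example. All names in this block are hypothetical placeholders.
$ServiceAccount = 'svc-ews-app@example.com'     # dedicated, non-admin account
$TargetGroup    = 'EWS-Impersonation-Targets'   # mail-enabled security group of allowed mailboxes
$ScopeName      = 'EWS-Impersonation-Scope'
$AssignmentName = 'EWS-Impersonation-Scoped'

# Install the module only if it is missing, then connect (interactive sign-in with MFA).
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
}
Import-Module -Name ExchangeOnlineManagement
Connect-ExchangeOnline

# Enable-OrganizationCustomization is only needed while the tenant is still "dehydrated".
if ((Get-OrganizationConfig).IsDehydrated) {
    Enable-OrganizationCustomization
}

# Audit: who can impersonate today, and with which recipient scope?
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object Name, RoleAssigneeName, EffectiveUserName,
                  RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize

# Least privilege: restrict impersonation to members of one group.
$groupDn = (Get-DistributionGroup -Identity $TargetGroup).DistinguishedName
New-ManagementScope -Name $ScopeName `
    -RecipientRestrictionFilter "MemberOfGroup -eq '$groupDn'"

New-ManagementRoleAssignment -Name $AssignmentName `
    -Role ApplicationImpersonation `
    -User $ServiceAccount `
    -CustomRecipientWriteScope $ScopeName

# Confirm the new assignment carries the custom scope, then disconnect.
Get-ManagementRoleAssignment -Identity $AssignmentName |
    Format-List Name, Role, RoleAssigneeName, CustomRecipientWriteScope

Disconnect-ExchangeOnline -Confirm:$false
```

An assignment whose RecipientWriteScope is Organization in the audit output covers every mailbox; those are the ones to review first.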