Tips and Tricks
M365: How To Enable Application Impersonation
Log on to Exchange Admin Center (EAC): https://admin.exchange.microsoft.com/
Note: some forums mention that some features of EAC work better in an Edge browser than in Chrome.
Go to Roles > Admin roles > Add role group
Give the new role group a meaningful name
Under Permissions, choose Application Impersonation
Choose the user you'd like to assign this permission to
Note: the user you choose will be able to access the mailboxes of every mail-enabled user in the organization, BUT only through the EWS protocol. The user will not be able to view emails by logging into the other users' accounts, but an application configured with this user will be able to, e.g., download emails by impersonating the other users. (Hence the name Application Impersonation.)
Always try to limit the access rights of such users to the bare minimum (e.g. by not using a global admin as an Application Impersonation user).
Review your settings and Finish the wizard.
Sometimes (more often than not), you can run into errors when trying to save the new role group.
In this case, you need to run the Enable-OrganizationCustomization cmdlet from PowerShell.
If you don't have the ExchangeOnline module installed, run:
Install-Module -Name ExchangeOnlineManagement
If prompted, type Y to install the repository.
Import-Module -Name ExchangeOnlineManagement
A new window will open, like when you are logging into O365 through a browser.
Enter your username and password (and your MFA data) to authenticate.
The cmdlets will be imported and the connection is made to the organization where the authenticated user lives.
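
The PowerShell steps above as one session, as an added example that is not part of the original page. It includes the Connect-ExchangeOnline call that opens the sign-in window, and it goes beyond the page's EAC wizard by assigning the role directly with a recipient scope, so the impersonating account reaches only the members of one group instead of every mailbox. The account names, group name, scope name and assignment name are placeholders.

```powershell
# Added example. Every name below is a placeholder (assumption), not a value from the page.
$AdminUpn    = 'admin@contoso.example'       # admin account used to sign in
$ServiceUpn  = 'svc-ews@contoso.example'     # dedicated non-admin impersonation account
$TargetGroup = 'EWS-Impersonation-Targets'   # mail-enabled group of mailboxes the app may reach
$ScopeName   = 'EWS-Impersonation-Scope'

# Install the module only if it is missing, then load it.
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
}
Import-Module -Name ExchangeOnlineManagement

# Opens the browser-style sign-in window (password + MFA).
Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# Enable-OrganizationCustomization is only needed while the tenant is still "dehydrated".
if ((Get-OrganizationConfig).IsDehydrated) {
    Enable-OrganizationCustomization
}

# Restrict impersonation to members of one group instead of the whole organization.
$group = Get-DistributionGroup -Identity $TargetGroup
New-ManagementScope -Name $ScopeName `
    -RecipientRestrictionFilter "MemberOfGroup -eq '$($group.DistinguishedName)'"

# Direct role assignment, limited by the scope created above.
New-ManagementRoleAssignment -Name 'EWS-Impersonation-Scoped' `
    -Role 'ApplicationImpersonation' `
    -User $ServiceUpn `
    -CustomRecipientWriteScope $ScopeName

# Review who effectively holds the role and with which scope.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
    Format-Table Name, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope

Disconnect-ExchangeOnline -Confirm:$false
```

Run the final Get-ManagementRoleAssignment query periodically as an audit: any assignment whose RecipientWriteScope is Organization grants impersonation over every mailbox.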