
M365: How To Enable Application Impersonation

Log on to Exchange Admin Center (EAC):

Note: some forums mention that some features of EAC work better in an Edge browser than in Chrome.

Go to Roles > Admin roles > Add role group


Give the new role group a meaningful name


Under Permissions, choose Application Impersonation


Choose the user you'd like to assign this permission to

Note: the user you choose will be able to access the mailboxes of every mail-enabled user in the organization, BUT only through the EWS protocol. The user will not be able to view emails by logging in to the other users' accounts, but if the user is configured inside an application, that application will be able to, e.g., download emails by impersonating the other users. (Hence the name Application Impersonation.)

Always try to limit the access rights of such users to the bare minimum (e.g. by not using a global admin as an Application Impersonation user).



Review your settings and Finish the wizard.




Sometimes (more often than not), you can run into the below errors when trying to save the new role group:




In this case, you need to run the Enable-OrganizationCustomization cmdlet from PowerShell.

Open PowerShell.


If you don't have the ExchangeOnline module installed, run:

Install-Module -Name ExchangeOnlineManagement

If prompted, type Y to install the repository.



Import-Module -Name ExchangeOnlineManagement



A new window will open, like when you are logging into O365 through a browser.

Give your username and password (and enter your MFA data) to authenticate.


The cmdlets will be imported and the connection is made to the organization where the authenticated user lives.




You might get an error saying that customization is already enabled.


You can safely ignore this; most organizations are not enabled for customization, and the error is on the side of O365.

After this, the role assignment should work within 30 minutes according to KB articles, but more often it takes 1-2 hours.

In case it does not work, run:

Get-OrganizationConfig | fl IsDehydrated

The IsDehydrated flag needs to be False.


If it's set to True, try to enable customization again, wait again, and sooner or later, it will work.
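
The PowerShell steps above as one session, written as an added example rather than the article's own script: it signs in with Connect-ExchangeOnline (the sign-in window described above), runs Enable-OrganizationCustomization only when IsDehydrated is True, and then lists every account that effectively holds Application Impersonation so the assignment can be reviewed. The admin address is a placeholder.

```powershell
# Added example, not from the original article.
# $AdminUpn is a placeholder; replace it with an Exchange admin in your tenant.
$AdminUpn = 'admin@contoso.example'

# Install the module only if it is not already present.
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
}
Import-Module -Name ExchangeOnlineManagement

# Opens the browser-style sign-in window (password and MFA).
Connect-ExchangeOnline -UserPrincipalName $AdminUpn

try {
    # IsDehydrated = True means customization has not been enabled yet.
    $org = Get-OrganizationConfig
    if ($org.IsDehydrated) {
        Write-Host 'IsDehydrated is True; enabling customization...'
        Enable-OrganizationCustomization
        Write-Host 'Done. Wait, then re-check IsDehydrated before retrying the role group.'
    }
    else {
        Write-Host 'IsDehydrated is False; nothing to enable.'
    }

    # Review: every account that effectively holds ApplicationImpersonation,
    # whether it was assigned directly or through a role group.
    # An empty CustomRecipientWriteScope means no custom scope restricts the assignment.
    Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
        Sort-Object EffectiveUserName |
        Format-Table EffectiveUserName, RoleAssigneeName, RoleAssigneeType,
                     CustomRecipientWriteScope -AutoSize
}
finally {
    # Always close the session, even if a cmdlet above failed.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Checking IsDehydrated first avoids the "already enabled" error, and the final listing should contain only the account you chose in the role group.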

At this point, you might ask: "Is assigning roles in O365 really like a game of chance?"

Yes. Unfortunately, there are some bugs in Exchange Online that Microsoft stubbornly ignores and does nothing to fix, so we can only live with them and try to find workarounds.