
M365: How To Enable Application Impersonation

Log on to Exchange Admin Center (EAC): https://admin.exchange.microsoft.com/

Note: some forums report that parts of the EAC work better in Edge than in Chrome.

Go to Roles > Admin roles > Add role group


Give the new role group a meaningful name (one that records which application the impersonation is for).


Under Permissions, choose Application Impersonation


Choose the user (ideally a dedicated service account) you'd like to assign this permission to.

Note: the user you choose will be able to access the mailboxes of every mail-enabled user in the organization, BUT only through the EWS protocol. The user cannot read other users' mail by logging in to their accounts (this is not a mailbox permission such as Full Access); however, an application configured with this user's credentials can, for example, download mail from any mailbox by impersonating its owner. Hence the name Application Impersonation.

Always limit the access rights of such users to the bare minimum: use a dedicated service account rather than a global admin, and, where the application only needs a subset of mailboxes, restrict the role assignment to that subset with a management scope instead of assigning the unscoped role. Note also that Microsoft has since announced the retirement of the ApplicationImpersonation role in Exchange Online in favour of RBAC for Applications, so confirm the current status in Microsoft's documentation before building on this procedure.


Review your settings and Finish the wizard.
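The same role assignment can be made from PowerShell, which also lets you scope it more tightly than the EAC wizard does. The script below is an added example and not part of the original page; it assumes an Exchange Online PowerShell session, a tenant admin admin@contoso.onmicrosoft.com, a dedicated service account svc-ews-impersonation@contoso.com that holds no other admin role, and that the mailboxes the application may impersonate are tagged with CustomAttribute1 = 'EWS-Impersonate' (all of these names are assumptions). Run either Option A or Option B, not both.

```powershell
# Added example: assigns ApplicationImpersonation from PowerShell.
# Assumed names: admin@contoso.onmicrosoft.com, svc-ews-impersonation@contoso.com,
# and the CustomAttribute1 tag 'EWS-Impersonate'.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com' -ShowBanner:$false

$svc = 'svc-ews-impersonation@contoso.com'

# Option A: equivalent of the EAC wizard. Unscoped: every mailbox in the tenant
# can be impersonated over EWS by members of this role group.
New-RoleGroup -Name 'EWS Impersonation' `
    -Description 'Lets the backup application impersonate mailboxes over EWS' `
    -Roles 'ApplicationImpersonation' `
    -Members $svc

# Option B (preferred, least privilege): restrict impersonation to the mailboxes
# that match an OPATH filter, here user mailboxes tagged in CustomAttribute1.
New-ManagementScope -Name 'EWS Impersonation Targets' `
    -RecipientRestrictionFilter "RecipientTypeDetails -eq 'UserMailbox' -and CustomAttribute1 -eq 'EWS-Impersonate'"

New-ManagementRoleAssignment -Name 'EWS Impersonation (scoped)' `
    -Role 'ApplicationImpersonation' `
    -User $svc `
    -CustomRecipientWriteScope 'EWS Impersonation Targets'

# Verify what the service account actually holds: the only role should be
# ApplicationImpersonation, and for Option B the write scope should be the custom scope.
Get-ManagementRoleAssignment -RoleAssignee $svc |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# Show which mailboxes fall inside the scope, so the blast radius is explicit.
Get-Mailbox -Filter "CustomAttribute1 -eq 'EWS-Impersonate'" |
    Select-Object DisplayName, PrimarySmtpAddress

Disconnect-ExchangeOnline -Confirm:$false
```

The verification step matters more than the assignment: `Get-ManagementRoleAssignment -RoleAssignee` is the quickest way to prove, during a review, that the impersonation account holds nothing beyond ApplicationImpersonation and that the scope is the one you intended.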


Troubleshooting

Sometimes (more often than not), saving the new role group fails with an error in the EAC. The exact message varies, but the cause is usually the same: the tenant has not been enabled for organization customization.

In this case, you need to run the Enable-OrganizationCustomization cmdlet from PowerShell.

Open PowerShell.

Optional

If you don't have the ExchangeOnlineManagement module installed, run:

Install-Module -Name ExchangeOnlineManagement

If prompted to trust the PSGallery repository (or to install the NuGet provider), type Y.


Run

Import-Module -Name ExchangeOnlineManagement

Then

Connect-ExchangeOnline

A new window opens, like when you log in to O365 through a browser.

Enter your username and password (and complete MFA) to authenticate.


The cmdlets are imported and a connection is made to the tenant that the authenticated account belongs to.


Run 

Enable-OrganizationCustomization

You may get an error saying that customization is already enabled.

You can safely ignore this: most organizations are not actually enabled for customization, and the error comes from the O365 side.

After this, the role assignment should work within 30 minutes according to Microsoft's KB articles, but in practice more often after 1-2 hours.

In case it does not work, run:

Get-OrganizationConfig | fl IsDehydrated

The IsDehydrated flag needs to be False.


If it is still True, run Enable-OrganizationCustomization again, wait again, and sooner or later it will flip to False and the role assignment will succeed.
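The troubleshooting steps above, as one script you can run and leave to poll. This is an added example, not code from the original page; it assumes the ExchangeOnlineManagement module is installable from PSGallery, a tenant admin admin@contoso.onmicrosoft.com (an assumed name), and a two-hour window, which matches the 1-2 hours the page reports. The "already enabled" error is caught and reported rather than treated as success, because the page's own check for success is the IsDehydrated flag, not the cmdlet's return.

```powershell
# Added example: enable organization customization and wait for IsDehydrated to clear.
# Assumed name: admin@contoso.onmicrosoft.com.
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
}
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com' -ShowBanner:$false

# IsDehydrated must be False before role groups and role assignments will save.
$dehydrated = (Get-OrganizationConfig).IsDehydrated
Write-Host "IsDehydrated before: $dehydrated"

if ($dehydrated) {
    try {
        Enable-OrganizationCustomization -ErrorAction Stop
        Write-Host 'Enable-OrganizationCustomization accepted.'
    } catch {
        # The cmdlet may claim customization is already enabled while the tenant is
        # still dehydrated; do not treat that as success, keep polling the flag.
        Write-Warning "Enable-OrganizationCustomization: $($_.Exception.Message)"
    }

    # Poll every 5 minutes for up to 2 hours (the delay the page reports in practice).
    $deadline = (Get-Date).AddHours(2)
    do {
        Start-Sleep -Seconds 300
        $dehydrated = (Get-OrganizationConfig).IsDehydrated
        Write-Host ("{0:u} IsDehydrated = {1}" -f (Get-Date), $dehydrated)
    } while ($dehydrated -and (Get-Date) -lt $deadline)
}

if ($dehydrated) {
    Write-Warning 'Tenant is still dehydrated; run Enable-OrganizationCustomization again later.'
} else {
    Write-Host 'Tenant is hydrated; role group creation and role assignment should now succeed.'
}

Disconnect-ExchangeOnline -Confirm:$false
```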

At this point, you might ask: "Is assigning roles in O365 really like a game of chance?"

Yes. Unfortunately there are bugs in Exchange Online that Microsoft stubbornly ignores and does nothing to fix, so we can only live with them and look for workarounds.