top of page
  • Writer's picturekhal

EOL Scoped impersonation

When migrating a large number of users in Exchange or Office 365, log-in credentials are required for each user. This is a slow and error-prone process, especially for very large migrations.

Impersonation and delegation offer an easier system for bulk user migrations. Impersonation allows for the use of a single administrative account - created specifically for the migration process - to impersonate and access the user accounts. Delegation is a process where the user grants their authentication credentials to that administrative account.

In short: Impersonation allows for the collection of user information without user input, while delegation collects the data through user input. Both methods allow the migration manager to significantly reduce the time and redundancy necessary to prepare users for migration.

Delegation means that a mailbox admin user has been set up with delegated full access rights to each user mailbox. Migration tools such as MigrationWiz will then use delegated rights to log in to individual user mailboxes when performing their migration.

Impersonation means that the admin account will actually impersonate each mailbox user when performing the migration. This produces a faster migration, since the admin account will not be restricted by having to share the throttling quota and connection limits associated with a single administrative account. Instead, the throttling quota of each user is used independently on each user mailbox. You can also disable the throttling quota of each user. This will result in even faster migrations.

Which process should I use?

If the migration source or destination is Exchange, then we recommend using delegation. This requires fewer steps to configure, and migration speeds are very similar. Setting up delegation is straightforward, as you simply set up the administrator account, disable throttling on the account, and then add the administrator account to the Migration app or solution such as MigrationWiz project.

If the source or destination is Office 365, we recommend using impersonation. The steps to enable impersonation on Office 365 are much more straightforward, plus you don't have the ability to disable throttling against the admin account on Office 365, so delegation would result in very poor migration speeds.

Using impersonation on Office 365 also provides the following advantages:

  • Eliminates most "Connection did not succeed" errors.

  • Allows migration of more mailboxes concurrently.

  • Reduces the impact of throttling and connection limits.

  • Uses an admin account without assigning a license to it.

Scoped Impersonation with EWS

When using MigrationWiz and Exchange Web Services (EWS) to migrate to or from Exchange Online, you should use impersonation (not delegation) when accessing user mailboxes. Using impersonation not only solves some potential throttling issues, but more importantly, allows you to scope the impersonation to a specific set of user mailboxes.

The objective is to limit the scope of mailboxes that are migrated using the impersonation rights. You accomplish this by implementing an impersonation scope filter. This is a common requirement in migrations where only a subset of an organization's mailboxes are scheduled for migration, for example, in migrations related to mergers and acquisitions.

Setting impersonation scope is a three-step process:

  1. Create a Mail Enabled Security Group

  2. Create a Management Scope

  3. Create the Management Role Assignment

While you can accomplish this task using either the Office 365 Management Console or PowerShell, the instructions that follow use the PowerShell approach.

Create a Mail Enabled Security Group

To create an impersonation scope filter, you first create a special distribution group that defines the filter scope.

  1. Connect to Exchange Online using PowerShell.

  2. Create a new Office 365 mail enabled security Group and name it in a recognizable fashion.

  3. Add to the new security Group all of the user mailbox accounts that you intend to migrate. If this group is being used only for scoping impersonation, we recommend hiding the group from the Global Address list.

Retrieve the DistinguishedName property of the Group by using the Get-DistributionGroup command:

Get-DistributionGroup -Identity "YourGroupName" |fl name, dist*

This PowerShell command returns the group name (name) and DistinguishedName (in this instance using the wild card format, dist*), which enables creating the management scope. Where you see "YourGroupName", insert the name you have assigned to your distribution group.

Create a Management Scope

Using the DistinguishedName property retrieved in the previous step, along with the RecipientRestrictionFilter and MemberOfGroup filtering parameters, create a management scope by running the following PowerShell command:

Note: To run the following command, you may need to enable the Organization customization on your Office 365 tenant.

New-ManagementScope "YourScopeName" -RecipientRestrictionFilter {MemberOfGroup -eq '"YourGroupDistinguisedName"'}

Where you see "YourScopeName", provide the name you've assigned to your management scope; and, where you see "YourGroupDistinguisedName", provide the group's DistinguisedName value, for example:

CN=AllowImpersonationDistributionGroup,,OU=Microsoft Exchange Hosted Organizations,DC=EURP193A002,DC=PROD,DC=OUTLOOK,DC=COM

Create the Management Role Assignment

The final step is to create a management role assignment and then associate it with the migration account that has administrative privileges.

Create the management role assignment by issuing the following PowerShell command:

New-ManagementRoleAssignment -Name "YourMigrationProject" -Role "ApplicationImpersonation" -User "YourAdminAccountName" -CustomRecipientWriteScope "YourManagementScope"

where the follow values are provided or returned:

-Name is the name of your migration project YourMigrationProject

-Role is the value ApplicationImpersonation.

-User is the migration account that has administrative privilege. YourAdminAccountName

-CustomRecipientWriteScope is the name you assigned to the management scope you created YourManagementScope

Example scoped impersonation process:

1. Create a mail enable group in O365 I.e.

2. Create an Migration admin account Migration wiz admin (migrationwadmin)

3. Log into Exchange Online Powershell

4. $group = Get-DistributionGroup -Identity "MigrationWizUser" |fl name, dist*

5. Make note of distinguished name

6. New-ManagementScope "MigrationWizScope" -RecipientRestrictionFilter {MemberOfGroup -eq '$($group.DistinguishedName)'}

7. New-ManagementRoleAssignment -Name "MigrationWizAssignment" -Role "ApplicationImpersonation" -User "MigrationWAdmin" -CustomRecipientWriteScope "MigrationWizScope"

99 views0 comments


bottom of page