The account does not have permission to impersonate the requested user.
This error indicates that the specified administrative account does not have permissions to impersonate users and log in to their mailboxes for migration purposes.
When migrating to Office 365, we automatically execute remote PowerShell commands to grant the admin account impersonation rights. However, those PowerShell commands can time out before they complete. In this case, it will be necessary to manually grant permission using remote PowerShell. There is no need to install any additional software in order to do this. Please be patient; the remote PowerShell commands below can take several minutes to complete.
Resolution:
- Make sure the admin account is a global admin.
- Click on the Windows Start button.
- Search for Windows PowerShell (PowerShell should already be installed).
- Start PowerShell under an administrator context (right-click -> Run as administrator).
- Run the following PowerShell commands (one at a time):
Set-ExecutionPolicy Unrestricted
$LiveCred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session
Enable-OrganizationCustomization
New-ManagementRoleAssignment -Role "ApplicationImpersonation" -User admin@domain.com
Notes:
- The Enable-OrganizationCustomization command can take a very long time to run.
- Ignore any error such as "This operation is not available in current service offer."
- Ignore any error such as "The assignment of the management role 'ApplicationImpersonation' [...] won't take effect until user is migrated."
- Make sure to replace "admin@domain.com" in the last PowerShell command above with the global admin account used for migration.
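The role assignment above lets the migration account impersonate every mailbox in the tenant, so it is worth confirming what was granted, narrowing it where possible, and removing it once the migration is finished. The following is an added example, not part of the original article: it assumes the remote session from the steps above is still imported, and the scope name, assignment name and the CustomAttribute1 marker are hypothetical values chosen for illustration.

```powershell
# Added example. Run inside the session imported with Import-PSSession above.
$MigrationAdmin = 'admin@domain.com'              # placeholder from the article; replace it
$ScopeName      = 'MigrationBatchScope'           # hypothetical name
$AssignmentName = 'MigrationImpersonation-Scoped' # hypothetical name

# 1. Verify: list every ApplicationImpersonation assignment that reaches the account,
#    including ones inherited through role groups, and the scope each one covers.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -RoleAssignee $MigrationAdmin |
    Format-List Name, RoleAssigneeName, AssignmentMethod, RecipientWriteScope,
                CustomRecipientWriteScope, Enabled

# 2. Optional least-privilege variant: limit impersonation to the mailboxes being migrated.
#    Assumes those mailboxes were tagged beforehand with CustomAttribute1 = 'Migrate'.
New-ManagementScope -Name $ScopeName `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'Migrate'"
New-ManagementRoleAssignment -Name $AssignmentName -Role 'ApplicationImpersonation' `
    -User $MigrationAdmin -CustomRecipientWriteScope $ScopeName
#    An organization-wide assignment created earlier still applies until it is removed,
#    so remove it by the Name shown in step 1 if only the scoped one should remain:
#    Remove-ManagementRoleAssignment -Identity '<name from step 1>'

# 3. After the migration completes: remove the direct assignments and the scope.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' `
    -RoleAssignee $MigrationAdmin -AssignmentMethod Direct |
    Remove-ManagementRoleAssignment -Confirm:$false
Remove-ManagementScope -Identity $ScopeName -Confirm:$false

# 4. Confirm nothing is left (no output means no remaining assignment), then clean up.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -RoleAssignee $MigrationAdmin
Remove-PSSession $Session

# 5. Review the local execution policy that Set-ExecutionPolicy changed earlier.
Get-ExecutionPolicy -List
```

Steps 2 and 3 that reference the scope can be skipped if the organization-wide assignment from the article is kept for the duration of the migration; steps 1, 3 and 4 still apply.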
Comments
These directions don't make sense for Office 365. It is a web site, I don't have a Windows Start Button in Office 365
These directions make complete sense, as you are using Windows PowerShell to remotely connect to Office 365 services. Followed them completely, and worked w/o issue.
Hello Mike,
There is a bit of propagation that takes place once the permissions are applied. If you have waited 20-30 minutes after applying the permissions and the error is still happening, you would need to create a support ticket here.
Our technicians can investigate the matter further for you.
Regards,
Nicholas
Followed the information above but get the following notice:
Enable-OrganizationCustomization : The term 'Enable-OrganizationCustomization' is not recognized as the name of a
cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify
that the path is correct and try again.
At line:1 char:1
+ Enable-OrganizationCustomization
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Enable-OrganizationCustomization:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Hello Tahir,
That error can mean that the admin account you are using to connect to the tenant does not have the proper permission levels to make the 'Enable-OrganizationCustomization' change. Please make sure the admin you are connecting to the tenant with is a global admin and try again. Another factor that can cause this error would be that the credentials provided in the '$LiveCred = Get-Credential' command had a typo or are incorrect.
If you have any further issues with these commands, please open a support ticket here.
Regards,
Nicholas
After running the final script, I receive the error -
Multiple user objects match the identity "admin@domain.com". Please specify a unique value. And I did input my username in place of admin@domain.com. Any idea?
I found this thread at Microsoft. https://support.microsoft.com/en-us/help/3001960/there-are-multiple-recipients-matching-the-identity-error-message-when
So, it looks like I need to rename my global admin username to something else.
Yep! That solved the issue.
Hello Cedric,
Great! We are happy to hear that you were able to get the issue resolved on your end!
If you get stumped by any other issues with your project, please reach out to our support team here and we will be happy to help you get back on track.
Take care,
Nicholas
Hi Support.
I have followed the instructions and all worked fine. Although, it's only giving me the option of importing 1 user from 365. And this is the account I have used to set up the endpoint.
Any help with this?
Hello KS,
There could be a few different issues happening here. I would encourage you to open up a support ticket here if you haven't already and let our technicians assist you with investigating the problem!
Regards,
Nicholas
The URL to connect stated is wrong.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
This is what I am getting. I am at a loss for why the migration will not start.
Can anyone enlighten me? I have tried 3 GA accounts and verified that the globals have full access to the test emails.
I am confused and on a time crunch, please help!
Tim,
I see you opened a ticket for this issue and were able to resolve the issue. I would recommend removing the screenshots from your post.
Thank you
Kyle