The account does not have permission to impersonate the requested user

The account does not have permission to impersonate the requested user.

This error indicates that the specified administrative account does not have permissions to impersonate users and log in to their mailboxes for migration purposes.

When migrating to Office 365, we automatically execute remote PowerShell commands to grant the admin account impersonation rights. However, those PowerShell commands can time out before they complete. In this scenario, you will need to manually grant permission using remote PowerShell. There is no need to install any additional software.

Note: The remote PowerShell commands below can take several minutes to complete.

Resolution:

  1. Make sure the admin account is a global admin.
  2. Click the Windows Start button.
  3. Search for Windows PowerShell (PowerShell should already be installed).
  4. Start PowerShell under an administrator context (right-click -> run as administrator).
  5. Run the following PowerShell commands one at a time:
    Set-ExecutionPolicy Unrestricted
    $LiveCred = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
    Import-PSSession $Session
    Enable-OrganizationCustomization
    New-ManagementRoleAssignment -Role "ApplicationImpersonation" -User admin@domain.com

Notes:

  • Enable-OrganizationCustomization command can take a long time to run.
  • Ignore any errors such as "This operation is not available in current service offer."
  • Ignore any errors such as "The assignment of the management role 'ApplicationImpersonation' [...] won't take effect until user is migrated."
  • Make sure to replace "admin@domain.com" in the last PowerShell command above with the global admin account used for migration.

Was this article helpful?
19 out of 81 found this helpful