Articles in this section

See more

The account does not have permission to impersonate the requested user

Avatar
BitTitan Triage
  • Updated
Follow

The account does not have permission to impersonate the requested user.

This error indicates that the specified administrative account does not have permissions to impersonate users and log in to their mailboxes for migration purposes.

When migrating to Office 365, we automatically execute remote PowerShell commands to grant the admin account impersonation rights. However, those PowerShell commands can time out before they complete. In this case, it will be necessary to manually grant permission using remote PowerShell. There is no need to install any additional software in order to do this. Please be patient; the remote PowerShell commands below can take several minutes to complete.

Resolution:

  1. Make sure the admin account is a global admin.
  2. Click on the Windows Start button.
  3. Search for Windows PowerShell (PowerShell should already be installed).
  4. Start PowerShell under an administrator context (right-click -> run as administrator)
  5. Run the following PowerShell commands (one at a time):
    Set-ExecutionPolicy Unrestricted
    $LiveCred = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
    Import-PSSession $Session
    Enable-OrganizationCustomization
    New-ManagementRoleAssignment -Role "ApplicationImpersonation" -User admin@domain.com

Notes:

  • Enable-OrganizationCustomization command can take a very long time to run.
  • Ignore any error such as "This operation is not available in current service offer."
  • Ignore any error such as "The assignment of the management role 'ApplicationImpersonation' [...] won't take effect until user is migrated."
  • Make sure to replace "admin@domain.com" in the last PowerShell command above with the global admin account used for migration.

Related articles

Comments

10 comments

Sort by Date Votes
  • Avatar
    NU-Telecom IT Field Serice Tech

    These directions don't make sense for Office 365. It is a web site, I don't have a Windows Start Button in Office 365

    -10
    Permalink
  • Avatar
    robert najjar

    These directions make complete sense, as you are using Windows PowerShell to remotely connect to Office 365 services. Followed them completely, and worked w/o issue.

    6
    Permalink
  • Avatar
    Mike Monks
    I'm still getting an ErrorImpersonateUserDenied message, even though I've given my service account management role assignments (with the instructions above) and also given it FullAccess to every destination mailbox with New-MailboxPermission.
    1
    Permalink
  • Avatar
    Nicholas Humaciu

    Hello Mike,

    There is a bit of propagation that takes place once the permissions are applied. If you have waited 20-30 minutes after applying the permissions and the error is still happening, you would need to create a support ticket here. 

    Our technicians can investigate the matter further for you.

     

    Regards,

    Nicholas

    0
    Permalink
  • Avatar
    Tahir Ahmed

    Followed the information above but get the following notice:
    Enable-OrganizationCustomization : The term 'Enable-OrganizationCustomization' is not recognized as the name of a
    cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify
    that the path is correct and try again.
    At line:1 char:1
    + Enable-OrganizationCustomization
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Enable-OrganizationCustomization:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    0
    Permalink
  • Avatar
    Nicholas Humaciu

    Hello Tahir,

    That error can mean that the admin account you are using to connect to the tenant does not have the proper permissions levels to make the ''Enable-OrganizationCustomization' change. Please make sure the admin you are connecting to the tenant with is a global admin and try again. Another factor that can cause this error would be the credentials being provided in the '$LiveCred = Get-Credential' command had a typo or are incorrect.

    If you have any further issues with these commands, please open a support ticket here.

    Regards,

    Nicholas

    0
    Permalink
  • Avatar
    Cedric Shaw
    • Edited

    After running the final script, I receive the error -

    Multiple user objects match the identity "admin@domain.com". Please specify a unique value. And I did input my username in place of admin@domain.com. Any idea?

    I found this thread at Microsoft. https://support.microsoft.com/en-us/help/3001960/there-are-multiple-recipients-matching-the-identity-error-message-when

    So, it looks like I need to rename my global admin username to something else.

    Yep! That solved the issue.

    0
    Permalink
  • Avatar
    Nicholas Humaciu

    Hello Cedric,

    Great! We are happy to hear that you were able to get the issue resolved on your end!

    If you get stumped by any other issues with your project, please reach out to our support team here and we will be happy to help you get back on track.

    Take care,

    Nicholas

    0
    Permalink
  • Avatar
    Support KS

    Hi Support.

     

    I have followed the instructions and all worked fine. Although, its only giving me the option of importing 1 user from 365. And this is the account I have used to setup the endpoint.

     

    Any help with this?

    0
    Permalink
  • Avatar
    Nicholas Humaciu

    Hello KS,

    There could be a few different issues happening here. I would encourage you to open up a support ticket here if you already haven't and letting our technicians assist you with investigating the problem!

    Regards,

    Nicholas

    0
    Permalink

Please sign in to leave a comment.