The account does not have permission to impersonate the requested user.
This error indicates that the specified administrative account does not have permissions to impersonate users and log in to their mailboxes for migration purposes.
When migrating to Office 365, we automatically execute remote PowerShell commands to grant the admin account impersonation rights. However, those PowerShell commands can time out before they complete. In this scenario, you will need to manually grant permission using remote PowerShell. There is no need to install any additional software.
Note: The remote PowerShell commands below can take several minutes to complete.
Resolution:
- Make sure the admin account is a global admin.
- Click the Windows Start button.
- Search for Windows PowerShell (PowerShell should already be installed).
- Start PowerShell under an administrator context (right-click -> run as administrator).
- Run the following PowerShell commands one at a time:
Set-ExecutionPolicy Unrestricted$LiveCred = Get-Credential$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirectionImport-PSSession $SessionEnable-OrganizationCustomizationNew-ManagementRoleAssignment -Role "ApplicationImpersonation" -User admin@domain.com
- Enable-OrganizationCustomization command can take a long time to run.
- Ignore any errors such as "This operation is not available in current service offer."
- Ignore any errors such as "The assignment of the management role 'ApplicationImpersonation' [...] won't take effect until user is migrated."
- Make sure to replace "admin@domain.com" in the last PowerShell command above with the global admin account used for migration.