Error message: The account does not have permission to impersonate the requested user.
This error indicates that the specified administrative account does not have permission to impersonate users and login to their mailboxes for migration purposes.
When migrating to Office 365, we automatically execute remote PowerShell commands to grant the admin account impersonation rights. However, those PowerShell commands can time out before they are complete. In this scenario, wait up to one hour and resubmit again, after that, if the error persists, you will need to manually grant permission using remote PowerShell. There is no need to install any additional software.
Note: The remote PowerShell commands below can take several minutes to complete.
- Make sure you are using a global admin account to perform these steps
- Click the Windows Start button.
- Search for Windows PowerShell (PowerShell should already be installed).
- Start PowerShell under an administrator context (right-click -> run as administrator).
- Run the following PowerShell commands one at a time:
$LiveCred = Get-Credential
Install-Module -Name ExchangeOnlineManagement
Import-Module -Name ExchangeOnlineManagement
Connect-ExchangeOnline -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred
The Enable command may take a long time to run and may error out. If so, wait a few minutes and run it again.
New-ManagementRoleAssignment -Role "ApplicationImpersonation" -User firstname.lastname@example.org
- Make sure to replace "email@example.com" in the PowerShell command above with the admin account being used for migration.
- Ignore any errors such as "This operation is not available in current service offer."
- Ignore any errors such as "The assignment of the management role 'ApplicationImpersonation' [...] won't take effect until user is migrated."
- If connecting to GCC High with powershell, use Connect-ExchangeOnline -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -ExchangeEnvironmentName O365USGovGCCHigh