MigrationWiz Error - The account does not have permission to impersonate the requested user

Error Message

The account does not have permission to impersonate the requested user.

Cause

This error indicates that the specified administrative account does not have permission to impersonate users and log in to their mailboxes for migration purposes.

Resolution

When migrating to Office 365, we automatically execute remote PowerShell commands to grant the admin account impersonation rights. However, those PowerShell commands can time out before they are complete. In this scenario, wait up to one hour and resubmit again, after that, if the error persists, you will need to grant permission using remote PowerShell manually. There is no need to install any additional software.

Important

The remote PowerShell commands below can take several minutes to complete.

  1. Make sure you are using a global admin account to perform these steps
  2. Click the Windows Start button.
  3. Search for Windows PowerShell (PowerShell should already be installed).
  4. Start PowerShell under an administrator context (right-click -> run as administrator).
  5. Run the following PowerShell commands one at a time:
    Set-ExecutionPolicy Unrestricted$LiveCred = Get-Credential

    Install-Module -Name ExchangeOnlineManagement
    Import-Module -Name ExchangeOnlineManagement
    Connect-ExchangeOnline -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred

    Enable-OrganizationCustomization

The Enable command may take a long time to run and may error out. If so, wait a few minutes and run it again.
New-ManagementRoleAssignment -Role "ApplicationImpersonation" -User admin@domain.com

Please consider the following information when running the commands for the second time:

  • Make sure to replace "admin@domain.com" in the PowerShell command above with the admin account being used for migration.
  • Ignore any errors such as "This operation is not available in current service offer."
  • Ignore any errors such as "The assignment of the management role 'ApplicationImpersonation' [...] won't take effect until user is migrated."
  • If connecting to GCC High with Powershell, use:
    Connect-ExchangeOnline -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -ExchangeEnvironmentName O365USGovGCCHigh
Was this article helpful?
45 out of 212 found this helpful