Should I use delegation or impersonation when performing my migration?

This article covers the following:

  • What do delegation and impersonation mean in reference to migrations?
  • Which approach is best suited to various migration scenarios?
  • How are impersonation and delegation enabled and configured?

 

What do delegation and impersonation actually mean in reference to migrations?

  • Delegation means that a mailbox user has been set up with delegated full access rights to each user mailbox. MigrationWiz will then use delegated rights to log in to individual user mailboxes when performing their migration. See the steps required to set up and migrate using delegation below.
  • Impersonation means that the admin account will actually impersonate each mailbox user when performing the migration. This will result in faster migration, since the admin account will not be restricted by having to share the throttling quota and connection limits associated with a single administrative account. Instead, the throttling quota of each user is used to log in to each user mailbox.

    Note: Go a step further and disable the throttling quota of each user. This will result in even faster migrations. See the steps required to set up and enable impersonation and to migrate using impersonation below.

 

Which approach is best suited to various migration scenarios?

  • If the migration Source is Exchange, then we recommend using delegation. This requires fewer steps to configure, and migration speeds are very similar. Setting up delegation is straightforward, as you simply set up the administrator account, disable throttling on the account, and then add the administrator account to the MigrationWiz project.
  • If the Destination is Exchange, then the above also applies. We recommend using delegation rather than impersonation.
  • If the Source is Office 365, we recommend using impersonation. The steps to enable impersonation on Office 365 are much more straightforward, plus you don't have the ability to disable throttling against the admin account on Office 365, so delegation would result in very poor migration speeds.
  • If the Destination is Office 365, the above also applies. We recommend using impersonation rather than delegation.

 

Using impersonation on Office 365 provides advantages, including the following:

  • Eliminate most "Connection did not succeed" errors.
  • Allow migration of more mailboxes concurrently.
  • Reduce the impact of throttling and connection limits.
  • Use an admin account without assigning a license to it.

 

The table below outlines the recommendations for delegation or impersonation, based on Source and Destination endpoints.

Email System             Recommendation
Exchange/Source          Delegation
Office 365/Source        Impersonation
Exchange/Destination     Delegation
Office 365/Destination   Impersonation

 

Enable and Configure Delegation and Impersonation

Delegation

  1. Set up the 'admin' account to be used for migration, and apply the necessary permissions so that the account has full access to each mailbox. Read the How do I migrate to Office 365 or Exchange 2007, 2010, 2013, or 2016 using delegation? article for more information.

    Note: Any user account that is a part of the domain administrator, schema administrator, or enterprise administrator groups will not have any administrative rights to mailboxes, no matter how many permissions are granted. A security default of Exchange Server is to explicitly deny any user that is a member of these groups. This is why we recommend creating a new user account specific for migration.

  2. Disable throttling against this account – as described in Option 1 of the How do I disable the throttling policy on Exchange? article.

    Note: This step is not required with Exchange 2003 or Exchange 2007, since those versions do not support throttling.

  3. Set up the MigrationWiz project, and select Use admin credentials. Enter the username and password of the account that was set up under Step 1 above.

 

Impersonation

  1. Set up the administrator account to be used for migration, and then apply the necessary permissions so that the account has full access to each mailbox on the source. See the Help Center article How do I create an administrator account for login? for guidance.
    • Any user account that is a part of the domain administrator, schema administrator, or enterprise administrator groups will not have any administrative rights to mailboxes no matter how many permissions are granted. A security default of Exchange Server is to explicitly deny any user that is a member of these groups. This is why we recommend creating a new user account specific for migration.
    • This Knowledge Base article talks about delegation, but the steps to grant the necessary permissions are the same as what are required to set up the account for impersonation. Once this first step has been completed, it will be necessary to complete the steps below in order to use impersonation during the migration.
  2. Under your MigrationWiz project Advanced Options, select the check box to use impersonation, then complete the following:
    1. Make sure to be using admin credentials at the Destination.
    2. Sign in to the MigrationWiz account.
    3. Edit the Project and click on Advanced Options.
    4. If migrating from Office 365, under Source, select the check box Use impersonation to authenticate.
    5. If migrating to Office 365, under Destination, select the check box Use impersonation to authenticate.
    6. Click Save Options.
    • Notes:
      • This option is under both Source and Destination. Refer to the section "Which approach is best suited to various migration scenarios?" above to determine if you should be using impersonation at the Source and/or Destination.
      • If the above Advanced Options are set to use impersonation on a project, these settings will only become effective for those migrations that are started after saving the settings. Migrations that are already running will be unaffected by any such changes.
  3. Enable ApplicationImpersonation role for the admin account. (This step is only required if enabling impersonation on Exchange; it is not required for Office 365.)
    • If using impersonation against Office 365 (either at Source or Destination), then when mailboxes are submitted we automatically run a PowerShell script to enable the ApplicationImpersonation role against this account. Therefore, it is unnecessary to run any scripts yourself.
    • Following is the remote PowerShell command (on Office 365) that we execute when you submit a mailbox for migration:
      Enable-OrganizationCustomization
      New-ManagementRoleAssignment -Role ApplicationImpersonation -User <admin account>

      To learn how to run these commands manually, see the Help Center article The account does not have permission to impersonate the requested user. This is useful if there are delays from Microsoft, and this PowerShell command does not run immediately.

    • If using impersonation against Exchange (either at Source or Destination), an extra step is required since on-premises PowerShell is not available for access over the internet, and thus the impersonation cmdlets cannot be run. Therefore, it is necessary to run this script against the on-premises Exchange environment, using an admin account:
      New-ManagementRoleAssignment -Role ApplicationImpersonation -User <admin account>
  4. Disable throttling against all mailboxes, in order to improve the speed of migration. (This step is only required if using impersonation from/to Exchange 2010+; it is not required for Office 365.)
    1. On a computer that hosts the Microsoft Exchange Management Shell, open the Microsoft Exchange Management Shell and type the following command, then press Enter.
      New-ThrottlingPolicy MigrationWizPolicy
    2. Type the following command and press Enter:
      Set-ThrottlingPolicy MigrationWizPolicy -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null -EWSMaxConcurrency $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null -EWSMaxSubscriptions $null -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null -CPAMaxConcurrency $null -CPAPercentTimeInCAS $null -CPAPercentTimeInMailboxRPC $null -CPUStartPercent $null
    3. Type the following command and press Enter:
      Get-Mailbox | Set-Mailbox -ThrottlingPolicy MigrationWizPolicy

    Note: Here is a link to a Microsoft TechNet article that presents an alternative cmdlet that can also be used to change the throttling policy association: Set-ThrottlingPolicyAssociation.

  5. Set up the MigrationWiz project, and select the check box to use admin credentials. Enter the username and password of the account that was set up under Step 1 above.
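
A check and rollback for Steps 3 and 4 on on-premises Exchange, added here as an example and not taken from BitTitan's documentation: it reports who holds the ApplicationImpersonation role and how many mailboxes are bound to MigrationWizPolicy, and reverses both once the migration is finished. The function names and the `<migration admin account>` placeholder are assumptions; the cmdlets are standard Exchange Management Shell cmdlets.

```powershell
# Added example, not BitTitan's script. Run in the Exchange Management Shell
# on-premises (Exchange 2010+). Function names are hypothetical.
$MigrationAdmin = '<migration admin account>'  # placeholder: account from Step 1
$PolicyName     = 'MigrationWizPolicy'         # policy created in Step 4

function Get-MigrationAccessState {
    # Every principal that can currently impersonate mailboxes, with the scope
    # of each assignment (RecipientWriteScope "Organization" = all mailboxes).
    $impersonators = @(Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
        Select-Object Name, RoleAssigneeName, RoleAssigneeType, EffectiveUserName,
                      RecipientWriteScope, CustomRecipientWriteScope)

    # Mailboxes still bound to the unthrottled policy. -ResultSize Unlimited
    # matters: Get-Mailbox returns at most 1000 results by default.
    $unthrottled = @(Get-Mailbox -ResultSize Unlimited |
        Where-Object { [string]$_.ThrottlingPolicy -like "*$PolicyName*" })

    New-Object PSObject -Property @{
        Impersonators        = $impersonators
        UnthrottledMailboxes = $unthrottled.Count
        PolicyExists         = [bool](Get-ThrottlingPolicy | Where-Object { $_.Name -eq $PolicyName })
    }
}

function Remove-MigrationAccess {
    # Rebind mailboxes to the default policy, then delete the migration policy.
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { [string]$_.ThrottlingPolicy -like "*$PolicyName*" } |
        Set-Mailbox -ThrottlingPolicy $null
    Remove-ThrottlingPolicy -Identity $PolicyName      # prompts for confirmation

    # Drop only the direct user assignment; role-group assignments are left alone.
    Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $MigrationAdmin |
        Where-Object { $_.RoleAssigneeType -eq 'User' } |
        Remove-ManagementRoleAssignment                # prompts for confirmation
}

Get-MigrationAccessState   # review before and after the migration
# Remove-MigrationAccess   # run once all migration passes have completed
```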