Please refer to the section that applies to the appropriate Destination. This article refers to the use of delegation to log in to individual user mailboxes using an "admin" account that has full access rights to each mailbox.
Note: We strongly recommend using impersonation, rather than just delegation, when migrating to Office 365. However, when migrating to Exchange, rather than Office 365, either delegation or impersonation can be used. Refer to KB005004 for more information on this decision, and the exact steps to set these up.
Having administrative access to the Microsoft Office 365 control panel to manage users does not necessarily mean that the same account has permissions to access all mailboxes for migration. In order to have administrative permissions to migrate mailbox data, it is necessary to grant the account permissions on each mailbox.
To manually grant administrative access for migration, execute the following remote PowerShell command:
$cred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic -AllowRedirection
Get-Mailbox -ResultSize Unlimited | Add-MailboxPermission -AccessRights FullAccess -Automapping $false -User MigrationWiz
- The above command needs to be applied each time a new mailbox is created, as permissions are set directly on the mailbox. The administrative account will not have access until the permissions are applied.
- The global admin account does have the necessary rights for delegation. However, again, we recommend using impersonation for migrations from and/or to Office 365.
This is a two-step process:
- Create an account with full access rights to each Exchange user by following the directions in KB004725, for your version of Exchange.
- Important: Any user account that is a part of the domain administrator, schema administrator, or enterprise administrator groups will not have any administrative rights to mailboxes no matter how many permissions are granted. A security default of Exchange Server is to explicitly deny any user that is a member of these groups. This is why we recommend creating a new user account specific for migration. Note: This does not apply to Exchange Online (Office 365).