Setting Impersonation Scope when Migrating to and from Exchange Online

When using MigrationWiz and Exchange Web Services (EWS) to migrate to or from Exchange Online, you should use impersonation (not delegation) when accessing user mailboxes. Using impersonation not only solves some potential throttling issues, but more importantly, allows you to scope the impersonation to a specific set of user mailboxes.

The objective is to limit the scope of mailboxes that are migrated using the impersonation rights. You accomplish this by implementing an impersonation scope filter. This is a common requirement in migrations where only a subset of an organization's mailboxes are scheduled for migration, for example, in migrations related to mergers and acquisitions.

Setting impersonation scope is a three-step process:

  1. Create a Mail Enabled Security Group
  2. Create a Management Scope
  3. Create the Management Role Assignment

Note: While you can accomplish this task using either the Office 365 Management Console or PowerShell, the instructions that follow use the PowerShell approach.


Create a Mail Enabled Security Group

To create an impersonation scope filter, you first create a special distribution group that defines the filter scope.

  1. Connect to Exchange Online using PowerShell.
  2. Create a new Office 365 mail enabled security Group and name it in a recognizable fashion.
  3. Add to the new security Group all of the user mailbox accounts that you intend to migrate.

Note: If this group is being used only for scoping impersonation, we recommend hiding the group from the Global Address list.

Retrieve the DistinguishedName property of the Group by using the Get-DistributionGroup command:

Get-DistributionGroup -Identity "YourGroupName" |fl name, dist*

This PowerShell command returns the group name (name) and DistinguishedName (in this instance using the wild card format, dist*), which enables creating the management scope. Where you see "YourGroupName", insert the name you have assigned to your distribution group.


Create a Management Scope

Using the DistinguishedName property retrieved in the previous step, along with the RecipientRestrictionFilter and MemberOfGroup filtering parameters, create a management scope by running the following PowerShell command:

Note: To run the following command, you may need to enable the Organization customization on your Office 365 tenant.

New-ManagementScope "YourScopeName" -RecipientRestrictionFilter {MemberOfGroup -eq '"YourGroupDistinguisedName"'}

Where you see "YourScopeName", provide the name you've assigned to your management scope; and, where you see "YourGroupDistinguisedName", provide the group's DistinguisedName value, for example:

CN=AllowImpersonationDistributionGroup,,OU=Microsoft Exchange Hosted Organizations,DC=EURP193A002,DC=PROD,DC=OUTLOOK,DC=COM


Create the Management Role Assignment

The final step is to create a management role assignment and then associate it with the migration account that has administrative privileges.

Create the management role assignment by issuing the following PowerShell command:

New-ManagementRoleAssignment -Name "YourMigrationProject" -Role "ApplicationImpersonation" -User "YourAdminAccountName" -CustomRecipientWriteScope "YourManagementScope"

where the follow values are provided or returned:

-Name is the name of your migration project YourMigrationProject

-Role is the value ApplicationImpersonation.

-User is the migration account that has administrative privilege. YourAdminAccountName

-CustomRecipientWriteScope is the name you assigned to the management scope you created YourManagementScope



Was this article helpful?
1 out of 2 found this helpful