
EWS Basic Authentication (Impersonation)

Assign the ApplicationImpersonation role to your migration account using the Exchange Admin Center, or use Exchange PowerShell. Impersonation allows you to migrate user accounts with the migration account’s credentials so you do not have to provide user passwords.

Requirements:

Prior to setting up ApplicationImpersonation, we recommend you confirm you’re using the primary SMTP email address of each account (including your administrative account).

  1. All mailboxes (including the admin account) must be active and licensed mailboxes in M365.
  2. All shared mailboxes must be set up as licensed mailboxes (not aliases, distribution lists or groups). After migration you may convert them to shared mailboxes and remove the license (shared mailboxes don’t require licenses).
  3. Transend can only migrate data into a primary email address, and cannot connect to an alias.

Learn how to identify the primary SMTP address of a mailbox.

Set up Impersonation in New Exchange Admin Center

We recommend creating a cloud-only service account with a licensed mailbox from Microsoft 365 Admin Portal > Users. Make sure you first disable multi-factor authentication for this account.

  • Create a user account (e.g. [email protected]) and assign it the ApplicationImpersonation role.
  • Use the primary SMTP email address of the migration account and user accounts to connect to M365 mailboxes.
  • For Exchange (on-prem) the login can be one of the following:
    • Email address
    • Domain\user name
    • UPN
  • The account (e.g. [email protected]) must be a licensed mailbox in M365.

Log in to the Microsoft Admin Center:

  1. Click Roles > Admin roles in the side navigator.

  2. Click the Add role group button.

  3. Enter Role Name and Description. Click Next.

  4. Select ApplicationImpersonation and click Next.

  5. Add the migration account and click Next.

  6. Click Add role group.

  7. In Transend Migration Console, navigate to the Configuration Settings > Required screen, expand the Authentication Options section and select Impersonation.

  8. Enter the account (e.g. [email protected]) and its password in the Admin account and Admin password fields.

  9. Click Verify to confirm that the connection works using EWS Impersonation.

Setting up Impersonation with PowerShell

  1. Open the Exchange Management Shell.
  2. Run the New-ManagementRoleAssignment cmdlet to add the permission to impersonate to the specified user.
  3. Change “ServiceAccount” to the account you are assigning impersonation to.

The following example shows how to configure Application Impersonation to enable an administrator account to impersonate all other users in an organization:

Example:

New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:serviceAccount
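
A narrower variant of the assignment above, added here as an example (it is not Transend's or Microsoft's own script): it limits impersonation to the mailboxes in one migration batch through a management scope, lists every holder of the role for review, and defines a cleanup function to run once the migration is done. The scope name, batch tag, mailbox addresses and the choice of CustomAttribute1 as the marker are assumptions.

```powershell
# Added example. All names and addresses below are hypothetical placeholders.
$ServiceAccount = 'serviceAccount'               # migration account, as in the example above
$AssignmentName = 'impersonationAssignmentName'  # assignment name, as in the example above
$ScopeName      = 'MigrationBatchScope'          # hypothetical scope name
$BatchTag       = 'MigrationBatch1'              # constructed marker value
$Batch          = 'user1@example.com', 'user2@example.com'  # constructed primary SMTP addresses

# 1. Tag only the mailboxes that belong to this migration batch.
foreach ($smtp in $Batch) {
    Set-Mailbox -Identity $smtp -CustomAttribute1 $BatchTag
}

# 2. Create a recipient scope that matches only the tagged mailboxes.
New-ManagementScope -Name $ScopeName `
    -RecipientRestrictionFilter "CustomAttribute1 -eq '$BatchTag'"

# 3. Grant impersonation limited to that scope instead of the whole organization.
New-ManagementRoleAssignment -Name $AssignmentName `
    -Role ApplicationImpersonation `
    -User $ServiceAccount `
    -CustomRecipientWriteScope $ScopeName

# 4. Review who effectively holds the role and under which scope.
#    An empty CustomRecipientWriteScope means the assignment is organization-wide.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object Name, EffectiveUserName, RoleAssigneeName, CustomRecipientWriteScope |
    Format-Table -AutoSize

# 5. Cleanup, to be called after the migration has completed.
function Remove-MigrationImpersonation {
    Remove-ManagementRoleAssignment -Identity $AssignmentName -Confirm:$false
    Remove-ManagementScope -Identity $ScopeName -Confirm:$false
    foreach ($smtp in $Batch) {
        Set-Mailbox -Identity $smtp -CustomAttribute1 $null
    }
}
```

Run step 4 again after cleanup to confirm the migration account no longer appears among the effective users of the role.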

Debug Application Impersonation Rights

Click on Service Account Access and perform the login test for the migration account.