Support
Contact
Sign In
How to Add Exchange Impersonation Rights
- This article is for Windows only
Summary:
Exchange Impersonation is used in scenarios in which a single account needs to access many accounts. For Carbonite Safe Server Backup, Exchange Impersonation is used to access mailboxes for backup and restore.
When setting up an Exchange Mailbox backup within CSSB, an administrator account must be provided by the user in order to access Exchange. CSSB will attempt to assign impersonation rights automatically to the chosen administrator user. This is true for both Exchange Local Mailbox backups and for Exchange Online Mailbox backups.
If CSSB cannot automatically assign the impersonation rights, an error will appear. The error states: Could not add the Exchange Impersonation role for <account name>.
If this error appears, the Exchange Impersonation Rights must be added to the account manually with Powershell.
Please choose the scenario that applies to your situation.
Solution:
The sections below are collapsed. Please click the section title to open / close a particular section.
Step 1: Open Powershell
Open Powershell by typing Powershell in the Start menu.
Step 2: Assign the Exchange Impersonation Rights
Now that you're logged into the Exchange Server, add the Impersonation rights to the account of your choosing.
In the following command, <account name> is the username for the administrator account which will be assigned to the Impersonation role. The account name will almost always be in the format of an email address, such as "bob@company.com".
New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User: "<account name>"
You must connect to the remote Exchange server before Impersonation rights can be granted. Once a connection is established, you must assign the Impersonation role.
Steps 2 and 3 below describe one way to connect to your Exchange Online server. Other methods may be used if necessary.
Step 1: Open Powershell
Open Powershell by typing Powershell in the Start menu.
Step 2: Determine if Powershell can run the connection commands under the current Execution Policy
The Execution Policy determines which commands and scripts can be run with Powershell. The following command will return the current Execution Policy.
Get-ExecutionPolicy
If Get-ExecutionPolicy returns Restricted, you must change the Execution Policy. If it returns anything else, no change is required.
To change the Execution Policy, run the following command.
Set-ExecutionPolicy RemoteSigned
Step 3: Connect to Exchange Online
First, assign login credentials to a variable, so the credentials can be included in the connection command.
$ExchCred = Get-Credential
Next, connect to Exchange Online. Please replace <Exchange Address> with the URI or IP address of your Exchange Online server.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://<Exchange Address>/ -Credential $ExchCred -Authentication Basic -AllowRedirection
Import-PSSession $Session
Step 4: Assign the Exchange Impersonation Rights
Now that you are connected to the Exchange Server, add the Impersonation rights to the account of your choosing. In the following command, <account name> is the username for the administrator account which will be assigned to the Impersonation role. The account name will almost always be in the format of an email address, such as "bob@company.com".
New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User: "<account name>"
To remove the Impersonation role from an account, run the following command. For Exchange Online, you must first establish a connection to the remote Exchange server.
Remember, it is required that an administrator account have the Exchange Impersonation role for Exchange Mailbox backups. This applies to both local Exchange servers and for Exchange online. Only remove the Impersonation role if you assign it to the wrong account, need to switch accounts, or otherwise no longer plan to use an account for backup purposes.
Get-ManagementRoleAssignment -RoleAssignee "<account name>" -Role ApplicationImpersonation -RoleAssigneeType user | Remove-ManagementRoleAssignment
Feedback