Pro-Exchange,Lync & Office 365
Belgian Microsoft Unified Communications Professionals
Microsoft Exchange Server, Microsoft Lync Server & Office 365
Assigning Application Impersonation permissions in Exchange Online (Office 365)

Some 3rd-party applications require you to provide them with a user account that has got the permission to impersonate other user accounts. This is also the case whenever you use PowerShell e.g. whenever you try to make some changes to another user’s calendar (EWS).
This article will show you how to configure an account with such rights.

IMPORTANT Remember that you will have to connect to your Exchange Online environment first!

$session = New-PSSession –AllowRedirection –Authentication Basic –ConfigurationName Microsoft.Exchange –ConnectionUri –Credential (Get-Credential)

Import-PSSession $session

Granting permissions through Role Based Access Control (RBAC)

just as with Exchange On-Premise, the Application Impersonation permissions are granted through an existing Management Role, cleverly called “ApplicationImpersonation”:


In order to grant the permission, you need to create a new Management Role Assignment which will “bind” the Management Role to an account:


Executing the cmdlet will output a warning. In my experience, this warning can safely be ignored. However; if you experience any issues due to the warning it’s always a good idea to contact MS Online Support. Feel free to keep me posted if you ever encounter an issue.

Note: It is possible that – while executing the cmdlet - you will also get the following error:

This operation is not allowed for the organization with disabled customizations. To enable this operation, you need to execute Enable-OrganizationCustomization task first.

If that is the case, you will need to enable Organization Customization, by running the following cmdlet:


Posted 01-16-2012 10:46 by Michael Van Horenbeeck
Filed under: ,