Setting Permissions for Migrating to Office 365 via MigrationWiz

This article outlines setting required permissions in Office 365 for the accounts used in migrating mail data with MigrationWiz to Office 365.

It is important to note that when migrating to Office 365 from Office 365 (or Exchange on premise) that the source and destination migration administrator accounts be configured with application impersonation. If they are not, MigrationWiz will report an error and the migration task will fail. This means that these specific accounts must have an Office 365 mailbox and the account must be a global administrator in Office 365; or, if migrating from Exchange on premise, assigned as a member of the Organization Management group.



Via Exchange Online Admin Center…

In this section, we will create a new Admin Role through the Exchange Admin Center (EAC).

NOTE: The following method used is based on past issues with not being able to add a fully populated new Admin Role. The steps first create a new Admin Role, then assign a role to the Admin Role and finally add a member to the Admin Role.

Login to the Office 365 Exchange Admin Center. Once logged in (as an O365 administrator), select Permissions and click on Admin Roles. To add a new Admin Role, click on the + icon (plus sign).


In the new Role Group window, assign a name and description.  Click Save to complete the creation of the Admin Role Group.


A message stating “The items you’re trying to open couldn’t be found.” might display. It can be safely ignored. Click on the Refresh icon to confirm successful creation of the new Admin Role Group. If it doesn’t appear right away, have patience.


Edit the new Admin Role Group by clicking on the Edit icon (pencil) to add a role.

Click on the + icon (plus sign) to add the specific role.


Highlight ApplicationImpersonation from the list of available roles, click Add, and then click OK.


Confirm the role has been added to the Roles section and click Save.


Confirm the assigned role has been added. If it does not show up immediately, click the Refresh icon. Have patience.


Again, edit the new Admin Role Group by clicking on the Edit icon (pencil) to add members to the Admin Role. For MigrationWiz, it is important to remember that the member of this group must be an Office 365 global administrator.

Click the + icon (plus sign) to add a new member.


Select the account from the list, click Add and then click OK.


Confirm the account has been added to the Members section and click Save.


Confirm the selected member has been added to the new Admin Role Group. If it does not show immediately, click the Refresh icon.


Remember to make this change in both the source and destination environments. After both environments have been configured, it should be safe to proceed with the migration of mail data via MigrationWiz.

Via Azure AD PowerShell Module …

If you prefer to set application impersonation settings via PowerShell instead of using the steps above, first, go to Manage Windows Azure AD using Windows PowerShell to review the software requirements to connect to and manage your Office 365 tenant from PowerShell on premise.  This PowerShell module is specific to managing Office 365 (and Windows Azure) resources, and is not the same as Windows PowerShell or the Exchange Management Shell.

Next, install “Microsoft Online Services Sign-In Assistant for IT Professionals BETA” (64-bit version).  A restart of the workstation (or server) this tool is being installed on may be required.

Then, install “Windows Azure Active Directory Module for Windows PowerShell (64-bit version)”.  If a restart was not required after installing the Sign-In Assistant, it is highly recommended that the machine be restarted before proceeding to the next steps.

Finally, follow the instructions provided by MigrationWiz support to set up a global administrator account for impersonation in Office 365 or the ones below.

1.  Open “Windows Azure Active Directory Module for Windows PowerShell” as administrator

2.  Run the following commands…

Set-ExecutionPolicy Unrestricted
$CRED = Get-Credential
$S = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $CRED -Authentication Basic -AllowRedirection
Import-PSSession $S

NOTE: After running the Enable-OrganizationCustomization command you may receive an error/warning stating “This operation is not required. Organization is already enabled for customization.” It is okay to safely ignore the warning and proceed to the next command.

New-ManagementRoleAssignment -Role "ApplicationImpersonation" -User

NOTE: Modify the user name in the command above for your specific organization.

3.  At this point in time, wait approximately 30 minutes for the new permission setting to take place.

4.  Proceed with the migration of mail data via MigrationWiz.

Good luck.

Todd (@oddytee)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s