Configuring an Impersonation Account

Updated 4 years ago by admin

This article describes how to configure an Impersonation Account for Office 365, Exchange 2013 & 2016.

Why do I need an Impersonation Account ?

An impersonation account has elevated rights to impersonate users on mail servers.  The Email Archive system will use this account to download “legacy” data (mail already in user mailboxes) or Outlook folder structure for selected users or to simplify the restoration of emails back into user accounts.  It can also be used for “stubbing” mails – removal of large attachments and replacing them with a URL link to the copy in the archive.

In essence, any service that can log-in using the Impersonation Account can then switch identity to each user mailbox as required.  Once done, all actions are allowed on the impersonated user: Read, Update, Insert and Delete items. 

It is very important to treat an Impersonation Account very carefully and retain the password in a secure location.   Any user account can be elevated to have impersonation rights – not just mail accounts.

How do I create an Impersonation Account ?

The following steps will show you how to create an impersonation account on Exchange 2013, 2016 and Office 365 using the ECP centre.

  1. Please log in to your Exchange ECP / Office365 console and create a user account under Recipients (for Office 365 customers – the account does not require a mailbox, as such you will not need to pay for a license). We recommend calling the new account with a suitable name to ensure you can recognise the account when assigning rights. The account will also need to have the password policy set to never expire for ongoing tasks.
  2. Next, navigate to the Permissions tab on the left-hand side of the console and remain on the admin roles section. Here you will need to create a new role.
  3. In the new role window, please name the role (we recommend Archive Impersonation), add a description (optional), add ApplicationImpersonation as the role and finally add the impersonation account under the Members section.
  4. Click Save.

How do I configure the Email Archive system to use the Impersonation Account ?

Now that you have an impersonation account created with the required permissions, you will need to configure the Email Archiving feature(s) to use the account.

There are 3 services that can utilise an Impersonation Account:

  1. Mailbox Reader – for importing mail in user mailboxes
  2. Folder Replication – for copying the folder-tree structure of the user’s outlook.  Please note that this greatly increases database size of the Email Archive.
  3. Restore and Authentication – for restoring emails from the Email Archive back to user mailboxes as easily as possible.

 For details on how to configure the above, see the specific documentation for each feature.

How did we do?