How to enable impersonation in Microsoft 365 or Exchange Server on-premises? (2022 version)

Impersonation is a way of granting a single Microsoft 365 (formerly Office 365) or Exchange on-premises account domain-wide access to perform actions on behalf of other users. This is extremely useful when developing an organization-level calendar, contact, or task integration both within a tenant or between two tenants.

SyncPenguin uses impersonation for domain-wide access in its two-way, one-way, one-to-many, and many-to-one syncs. For example, you can sync user calendars between two tenants, or push public folder contacts to all users in the organization. In this article, we explain how to grant user impersonation permission on both Office 365 and Exchange on-premises.

Microsoft 365 (Office 365)

Currently, the best place to configure impersonation in MS 365 is through the Classic Exchange admin center, which can be directly accessed using this link: https://outlook.office365.com/ecp. Please make sure you are signed in as an admin user.

Classic Exchange admin center

Once there, head to the permissions section and open the admin roles tab.

Admin roles

You need to either create a new role or modify an existing one. It’s important that the role has the ApplicationImpersonation permission and the designated user account added (see the image below).

Add the ApplicationImpersonation role and the designated user

Then click Save and you’re all done. Please note that the change usually takes up to an hour to take effect.

Exchange on-premises

If you have access to the Exchange admin center, you can configure the impersonation in the same way as above. Otherwise, it can be done using a PowerShell command.

In the Exchange management shell run the following command:

New-ManagementRoleAssignment -Name:ROLE_NAME -Role:ApplicationImpersonation -User:ACCOUNT_NAME

As with Office 365, please note that the change usually takes up to an hour to take effect.