Grant impersonation rights using PowerShell



Objective

This post explains how to grant impersonation rights (the Exchange ApplicationImpersonation management role) to an administrator account using PowerShell. An account holding this role can act on behalf of any mailbox within the assignment's scope, so treat it as a highly privileged assignment and limit it to the smallest set of users that need it.


Prerequisite

  • To grant impersonation rights to an administrator of your Office 365 (Exchange Online) environment, or of an Exchange server hosted in a remote location, first connect to the remote Exchange environment via PowerShell. Note that Microsoft has announced the retirement of the ApplicationImpersonation role in Exchange Online; check current Microsoft guidance before relying on it there.
  • To grant impersonation rights to an administrator of your on-premises Exchange, make sure the system on which you open PowerShell and the Exchange server are in the same domain. If they are in different domains, make sure a trust has been established between the domains.
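The two connection methods referred to above, as an added example that is not part of the original article. The tenant, server and user names are placeholders; pick the branch that matches your environment.

```powershell
# Added example, not from the original article. Hostnames, tenant and user names are placeholders.

# --- Exchange Online ---------------------------------------------------
# Requires the ExchangeOnlineManagement module:
#   Install-Module ExchangeOnlineManagement -Scope CurrentUser
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

# --- On-premises Exchange (remote session) ------------------------------
# Kerberos authentication requires the workstation to be in the same domain
# as the Exchange server, or in a domain that trusts it.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://exch01.corp.example/PowerShell/" `
    -Authentication Kerberos
Import-PSSession $session -DisableNameChecking

# Sanity check for either branch: the role exists and the RBAC cmdlets are loaded.
Get-ManagementRole -Identity ApplicationImpersonation | Format-List Name, Description

# Clean up when finished (uncomment the line for the branch you used):
# Remove-PSSession $session
# Disconnect-ExchangeOnline -Confirm:$false
```

Run only the branch you need; importing the on-premises session loads the Exchange cmdlets into the local session, which is what the later Get-/New-ManagementRoleAssignment steps rely on.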


Steps

  • Open Windows PowerShell.
  • Check whether the administrator account has already been assigned impersonation rights using the following cmdlet.

Get-ManagementRoleAssignment -RoleAssignee "$account_name" -Role ApplicationImpersonation -RoleAssigneeType user

Replace $account_name with the name of the Exchange administrator account. 

  • If the administrator account has not yet been granted impersonation rights, execute the following cmdlet to assign them.

New-ManagementRoleAssignment -Name "$impersonation_Assignment_Name" -Role ApplicationImpersonation -User "$account_name"

Replace $impersonation_Assignment_Name with a unique name for this assignment; you will need it again if you later scope or remove the assignment.

Note: You can omit the -Name parameter, and Exchange will generate a unique assignment name automatically.

 

The administrator account now has impersonation rights for all users in the organization, because a new assignment uses the default, organization-wide recipient scope. You can limit the administrator's impersonation rights to the members of a specific AD group by defining a management scope and attaching it to the assignment.

To limit an administrator's impersonation rights to a specific set of users, follow the steps below.

  • Create a new management scope. 

$ADGroup = Get-DistributionGroup -Identity "$group_name"

New-ManagementScope "$scope_name" -RecipientRestrictionFilter "MemberOfGroup -eq '$($ADGroup.DistinguishedName)'"

Replace $group_name with the name of the AD group and $scope_name with a unique name of your choice for the scope. The group must be mail-enabled (a distribution group or a mail-enabled security group), since Get-DistributionGroup does not return plain security groups; the filter matches on the group's distinguished name.

  • Modify the impersonation assignment so that it applies only to the created scope.

Set-ManagementRoleAssignment "$impersonation_Assignment_Name" -CustomRecipientWriteScope "$scope_name"

The administrator now has impersonation rights only over the members of the selected AD group. Re-run the Get-ManagementRoleAssignment check from the Steps above to confirm that the assignment's CustomRecipientWriteScope shows the new scope.

Revoking impersonation rights

To remove the impersonation rights granted to an administrator at any point, execute this cmdlet. It removes every ApplicationImpersonation assignment held directly by the account, scoped or not; the management scope object itself is left in place and can be deleted separately with Remove-ManagementScope once no assignment references it.

Get-ManagementRoleAssignment -RoleAssignee "$account_name" -Role ApplicationImpersonation -RoleAssigneeType user | Remove-ManagementRoleAssignment
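The whole procedure described in this post (check, grant, scope, verify, and revoke), as an added example that is not part of the original article. It assumes an Exchange management session is already open (see Prerequisite) and that the account, group, assignment and scope names in the param block are placeholders to replace with your own.

```powershell
# Added example, not from the original article. All names below are placeholders.
param(
    [string]$AccountName    = "svc-ews-admin",       # Exchange administrator account
    [string]$GroupName      = "EWS-Users",           # mail-enabled AD group to scope to
    [string]$AssignmentName = "EWS-Impersonation",   # unique role assignment name
    [string]$ScopeName      = "EWS-Users-Scope"      # unique management scope name
)

# Return the account's existing ApplicationImpersonation assignment(s), or nothing.
function Get-ImpersonationAssignment {
    param([string]$Account)
    Get-ManagementRoleAssignment -RoleAssignee $Account -Role ApplicationImpersonation `
        -RoleAssigneeType User -ErrorAction SilentlyContinue
}

# Grant the role only if the account does not already hold it (idempotent).
function Grant-Impersonation {
    param([string]$Account, [string]$Name)
    $existing = Get-ImpersonationAssignment -Account $Account
    if ($existing) {
        Write-Host "Assignment already present: $($existing.Name -join ', ')"
        return $existing
    }
    New-ManagementRoleAssignment -Name $Name -Role ApplicationImpersonation -User $Account
}

# Restrict an assignment to members of one mail-enabled group via a custom recipient scope.
function Limit-ImpersonationToGroup {
    param([string]$Name, [string]$Group, [string]$Scope)
    $adGroup = Get-DistributionGroup -Identity $Group   # fails for non-mail-enabled groups
    if (-not (Get-ManagementScope -Identity $Scope -ErrorAction SilentlyContinue)) {
        New-ManagementScope -Name $Scope `
            -RecipientRestrictionFilter "MemberOfGroup -eq '$($adGroup.DistinguishedName)'" | Out-Null
    }
    Set-ManagementRoleAssignment -Identity $Name -CustomRecipientWriteScope $Scope
}

# Remove every ApplicationImpersonation assignment held directly by the account.
function Revoke-Impersonation {
    param([string]$Account)
    Get-ImpersonationAssignment -Account $Account |
        Remove-ManagementRoleAssignment -Confirm:$false
}

Grant-Impersonation -Account $AccountName -Name $AssignmentName | Out-Null
Limit-ImpersonationToGroup -Name $AssignmentName -Group $GroupName -Scope $ScopeName

# Verify: CustomRecipientWriteScope should now show the scope instead of the
# default organization-wide recipient scope.
Get-ImpersonationAssignment -Account $AccountName |
    Format-Table Name, Role, RoleAssigneeName, CustomRecipientWriteScope, RecipientWriteScope -AutoSize

# To undo everything:
# Revoke-Impersonation -Account $AccountName
# Remove-ManagementScope -Identity $ScopeName -Confirm:$false
```

Each Exchange cmdlet used here supports -WhatIf, so you can dry-run the script against production before making changes; the scope is created before the assignment is narrowed so that the account is never left with an organization-wide grant longer than the two cmdlets take to run.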
