Database Backup

Granting Impersonation Rights

Global administrators must have appropriate impersonation rights to backup and restore Office 365 exchange mailboxes.

You can assign impersonation rights from:
Assign Exchange impersonation rights for Office 365 Exchange Global administrator from Office 365 Exchange Admin:

To assign impersonation rights,

  1. Login to as a Global Administrator.
  2. Click and go to 'Admin’.
  3. Click 'Admin centers’ in the left navigation bar, and then click 'Exchange’.
  4. In the 'Exchange admin center' page, click 'Admin Roles' under 'Permissions'.
  5. To add a new role, click .
  6. Enter the name as 'Impersonationbackup' in the 'new role group' window.
  7. To add a role, click under 'Roles'.
  8. Select 'ApplicationImpersonation', and click 'add'. Click 'OK'.
  9. Click under 'Members' to add a new member to the role group.
  10. Select your admin account, and click 'add'. Click 'OK'.
  11. Click 'Save'.
  12. Once done, click 'Admin' -> 'Azure Active Directory'.
  13. Click the 'Properties' menu and go to 'Manage Security Defaults'.
  14. To disable 'Security Defaults', click 'No'.
  15. Click 'Save' to save the changes made.

Note: Additionally with impersonation rights, we recommend you to assign discovery management rights to the global administrator. For information on assigning discovery management rights, refer discovery management FAQ.

Assign Exchange impersonation rights for Office 365 Exchange Global administrator from Windows Powershell:

Before granting impersonation rights, you must first connect to the Office 365 exchange server.

To assign impersonation rights,

  1. In the Administrator privilege mode, open ‘Windows Powershell’.
  2. Change the execution policy to remote-signed by executing the following command,:
    C:\Windows\system32> Set-ExecutionPolicy RemoteSigned
  3. Connect to exchange online server by executing the following command:

    C:\Windows\system32>$O365Cred = Get-Credential

    Note: Assign global administrator login credentials to a variable to ensure that the credentials are included in the connection command.

  4. Create a PSSession to Office 365 by executing the following command:

    C:\Windows\system32> $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $O365cred -Authentication Basic -AllowRedirection

  5. To import PSSession execute the following commands:

    C:\Windows\system32> Import-PSSession $Session

    C:\Windows\system32> Enable-OrganizationCustomization

  6. Assign the exchange impersonation rights to a global administrator, in the following format:
    New-ManagementRoleAssignment –Name: –Role:ApplicationImpersonation –User:

    For Example:

    C:\Windows\system32> New-ManagementRoleAssignment –Name:backupimpersonation –Role:ApplicationImpersonation –User: ""
  7. Assign discovery management rights in the following format:

    Add-RoleGroupMember -Identity "Discovery Management" -Member ""

The overall command format is as follows:

PS C:\Windows\system32> Set-ExecutionPolicy RemoteSigned

PS C:\Windows\system32> $O365Cred = Get-Credential

PS C:\Windows\system32> $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $O365cred -Authentication Basic -AllowRedirection

PS C:\Windows\system32> Import-PSSession $Session

PS C:\Windows\system32> Enable-OrganizationCustomization

PS C:\Windows\system32> New-ManagementRoleAssignment –Name:backupimpersonation –Role:ApplicationImpersonation –User: ""

PS C:\Windows\system32>Add-RoleGroupMember -Identity "Discovery Management" -Member ""