Using Impersonation with Exchange & Office 365

Microsoft is in the process of deprecating the ApplicationImpersonation role in M365 at the time of this writing (see here for details). If you are planning to use Impersonation on M365 and receive an error along the lines of "The management role "ApplicationImpersonation" is in the process of being deprecated. New role assignments referring this role aren't allowed.", you can use App-only Authentication instead:

Using App-only Authentication with M365

Forensic Email Collector allows you to acquire end-user mailboxes using centralized credentials. This makes it possible to preserve emails from a large number of custodians in an organization without having to track each user down for authentication. FEC provides three options for Exchange / M365:

  1. Delegation (you can read more about delegation here)
  2. Impersonation
  3. App-only Authentication (applies to M365 only)

The following article from the MSDN archive summarizes the differences between delegation and impersonation:

Exchange Impersonation vs. Delegate Access

Perhaps the most important distinction is that delegate access is configured at the mailbox level. That is, the centralized account is given full access rights to the target mailboxes. If a new mailbox is created, it needs to be configured for delegate access.

On the other hand, Impersonation is configured once by creating a service account and giving it the ApplicationImpersonation role as follows:

1. Visit the Exchange Admin Center

Creating a new role group

2. Create a new service account

3. Create a new role group (Roles ➫ Admin roles ➫ Add role group)

4. Add the ApplicationImpersonation role to the role group

5. Add the service account you created in #2 above to the new role group

Adding the ApplicationImpersonation role to the role group

NOTE: If you recently assigned the ApplicationImpersonation role, the new role may take some time to take effect—especially in large organizations. If you receive an error during authentication along the lines of "The account does not have permission to impersonate the requested user", we recommend waiting for half an hour and trying again.

When acquiring target mailboxes in FEC, you can activate impersonation as follows:

1. Enter the target email address (i.e., the email address of the end-user).

2. If using legacy authentication, enter the credentials of the service account on the connection settings page. This typically applies to on-premises Exchange only—for M365, we recommend using OAuth (see Important Note 1 below).

3. Check the Use Impersonation checkbox. If you do not check the checkbox, FEC will use delegation instead.

4. If you plan to use OAuth authentication, check the Use OAuth 2.0 checkbox and authenticate as the service account.

Important Note 1: Most M365 tenants currently do not allow legacy authentication. Therefore, if you do not use modern authentication (i.e., Use OAuth 2.0), you would receive a 401 error.

Important Note 2: If you use a service account without a mailbox for authentication, do not enter that account as your target or include it in your list of acquisition targets. Use the service account during authentication.

In the above example, we started the acquisition by entering the target account, enduser@metaspike.com, as the target email address. In subsequent steps, a web browser will open for modern authentication and we will authenticate as the service account with the ApplicationImpersonation role.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us