Using Impersonation with Exchange & M365

Note

Microsoft is in the process of deprecating the ApplicationImpersonation role in M365 at the time of this writing (see here for details). If you are planning to use Impersonation on M365 and receive an error along the lines of “The management role “ApplicationImpersonation” is in the process of being deprecated. New role assignments referring this role aren’t allowed.”, you can use App-only Authentication instead:

Using App-only Authentication with M365

Forensic Email Collector (FEC) allows you to acquire end-user mailboxes using centralized credentials. This makes it possible to preserve emails from a large number of custodians in an organization without having to track each user down for authentication. FEC provides three options for Exchange / M365:

1. Delegation
2. Impersonation (currently, mainly useful for on-prem Exchange or hosted Exchange outside of M365)
3. App-only Authentication (applies to M365 only)

Delegate Access vs. Impersonation

The following article from the MSDN archive summarizes the differences between delegation and impersonation:

Exchange Impersonation vs. Delegate Access ↗

Perhaps the most important distinction is that delegate access is configured at the mailbox level. That is, the centralized account is given full access rights to the target mailboxes. If a new mailbox is created, it needs to be configured for delegate access.

On the other hand, Impersonation is configured once by creating a service account and giving it the ApplicationImpersonation role.

Setting up Impersonation

You can configure Impersonation as follows:

1. Visit the Exchange Admin Center ↗

2. Create a new service account

3. Create a new role group (Roles ➫ Admin roles ➫ Add role group)

   

4. Add the ApplicationImpersonation role to the role group

   

5. Add the service account you created in #2 above to the new role group

Note

If you recently assigned the ApplicationImpersonation role, the new role may take some time to take effect—especially in large organizations. If you receive an error during authentication along the lines of “The account does not have permission to impersonate the requested user”, we recommend waiting for half an hour and trying again.

When acquiring target mailboxes in FEC, you can activate impersonation as follows:

1. Enter the target email address (i.e., the email address of the end-user).

2. If using legacy authentication, enter the credentials of the service account on the connection settings page. This typically applies to on-premises Exchange only—for M365, we recommend using OAuth (see Important Note below).

3. Check the Use Impersonation checkbox. If you do not check the checkbox, FEC will use delegation instead.

4. If you plan to use modern authentication, check the Use OAuth checkbox and authenticate as the service account.

Important Note

Most M365 tenants currently do not allow legacy authentication. Therefore, if you do not use modern authentication (i.e., have the Use OAuth option enabled), you would receive a 401 error.

In the above example, we started the acquisition by entering the target account, [email protected], as the target email address. In subsequent steps, a web browser will open for modern authentication and we will authenticate as the service account with the ApplicationImpersonation role.

Note

If you use a service account without a mailbox for authentication, do not enter that account as your target or include it in your list of acquisition targets. Use the service account during authentication.