Issue
The Office 365 Module uses Exchange Web Services (EWS) in order to ingest data into mailboxes and Personal Archives. If this is not configured correctly the following may be seen in the Office 365 Module log file:

   2019-06-18 16:18:24Z|5748| 19|ERROR|Ingest|Error during ingest  Void ProcessWebException(System.Net.WebException)
   The account does not have permission to impersonate the requested user.
   at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.ProcessWebException(WebException webException)
   at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.GetEwsHttpWebResponse(IEwsHttpWebRequest request)
   at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.ValidateAndEmitRequest(IEwsHttpWebRequest& request)
   at Microsoft.Exchange.WebServices.Data.SimpleServiceRequestBase.InternalExecute()
   at Microsoft.Exchange.WebServices.Data.MultiResponseServiceRequest`1.Execute()
   at Microsoft.Exchange.WebServices.Data.ExchangeService.BindToFolder(FolderId folderId, PropertySet propertySet)
   at Microsoft.Exchange.WebServices.Data.ExchangeService.BindToFolder[TFolder](FolderId folderId, PropertySet propertySet)
   at Microsoft.Exchange.WebServices.Data.Folder.Bind(ExchangeService service, WellKnownFolderName name, PropertySet propertySet)
   at ArchiveShuttle.Module.Office365.ExchangeServiceWrapper.GetOrCreateFolder(String pathInArchive)
   at ArchiveShuttle.Module.Office365.ExchangeServiceWrapper.Ingest(ExchangeItem item, PerformanceLogging performanceLogging)

Solution
Additional permissions must be granted to the Admin account which is used for Office 365 ingestion. This is a role called Application Impersonation. The steps to grant this role are as follows:

  1.      Login to a server which has Windows PowerShell installed
  2.      Issue the following commands in PowerShell, comments and responses are noted below each command:
$UserCredential = Get-Credential

Supply values for the following parameters:

Credential

A pop-up will appear asking for a username and password. The Global Administrator which needs to have Application Impersonation granted to them, should be input

$Session = New-PSSession –ConfigurationName Microsoft.Exchange –ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential –Authentication Basic –AllowRedirection

This connects a PowerShell session to Office 365 using the credentials which were just entered.

Import-PSSession $Session

This activates the above session. It may take a few seconds for this to return to the command prompt.

New-ManagementRoleAssignment –Name:VaultAdminImpersonation –Role:ApplicationImpersonation –User:<upn>

Note: If multiple service accounts are being used (for example to increase performance) then the Application Impersonation role must be granted to each account.

Print Friendly, PDF & Email