Configuring Exchange Impersonation Rights

The EdgeWave Incident Response Global Remediation feature requires specific rights to your Exchange server. As messages are being removed, and replaced as necessary, directly from a user’s Inbox, you must configure the EdgeWave Postdelivery service account with Exchange impersonation rights.

Please follow the instructions below to configure Exchange impersonation rights.

How to set impersonation rights manually


How to manually manage impersonation rights for an administrator account.


Use the links below to learn how to add impersonation rights to your admin account via:

Add impersonation rights in ps PowerShell

  1. Run ps Windows PowerShell.
  2. Check your PowerShell version by typing the following cmdlet:
    • An empty response means that you are using version 1.0.
    • For versions 2.0 and newer, you should see a detailed answer.
    • We recommend that you keep PowerShell updated to avoid compatibility problems. To download the newest version of PowerShell, please visit this Microsoft website.
  3. If your Exchange server is in a remote location (for example, it is hosted) or you are connecting to Office 365 (Exchange Online), learn how to connect to remote Exchange via PowerShell. To manage permissions locally (if you have an on-premises Exchange server or if you are logged on to a remote Exchange server via Remote Desktop, etc.) execute the commands below in ems Exchange Management Shell.
  4. Check if the account in question already has impersonation rights assigned by executing this cmdlet:
    Get-ManagementRoleAssignment -RoleAssignee "" -Role ApplicationImpersonation -RoleAssigneeType user
    where is the name of the administrator account (on the target server) that you want to check.
  5. Add impersonation rights:
    New-ManagementRoleAssignment –Name: –Role:ApplicationImpersonation –User: ""
    where is the name of your choice for this assignment. Be aware that each assignment should have a unique name. You can omit the Name switch, and a unique assignment name will be created automatically.
  6. If necessary, you can also restrict these impersonation rights so that they apply to a specific group of users. To do so, you first need to define a management scope that includes your AD group:
    $ADGroup = Get-DistributionGroup -Identity ""
    	New-ManagementScope "" -RecipientRestrictionFilter "MemberOfGroup -eq '$($ADGroup.DistinguishedName)'"
    where is the name of your AD group object, and is the name of your choice for the new management scope.

    Now, modify the existing assignment by using the following cmdlet:
    Set-ManagementRoleAssignment "" -CustomRecipientWriteScope ""
  7. You can remove impersonation rights with this command, if necessary:
    Get-ManagementRoleAssignment -RoleAssignee "" -Role ApplicationImpersonation -RoleAssigneeType user | 

Add impersonation rights in Exchange admin center (EAC)

  1. Open Exchange admin center:
    • in Office 365: log in to your Microsoft Office 365 admin center (Office 365 admin center) as an admin and choose Admin centers > Exchange from the menu on the left.
    • in Exchange 2013 and 2016: log in to Exchange admin center (https://localhost/ecp).
  2. Go to Permissions admin roles (Fig. 1.) and edit the Discovery Management role by double-clicking it:
    Fig. 1. The Discovery Management role in EAC.
  3. Add the role ApplicationImpersonation and add your admin user as the group member (Fig. 2.).
    Fig. 2. How to add the right roles and users.

Get In Touch

Business Hours: Monday through Friday 5:00 am PST – 5:00 pm PST

After business hours technical support is for Severity 1 and 2 issues and only by phone.*  Customer is responsible for calling the EdgeWave support number to receive technical support after business hours. All non-critical reported issues will be responded to the next business day.

* iPrism customers are required to use their Procare 24x7 number if they have purchased that entitlement for after business hours support. Otherwise iPrism support requests will be responded to the next business day.

Severity Levels

Severity 1: Business is severely impacted, and no viable workaround is available.
Severity 2: Business is disrupted but functioning.
Non-Critical: Business is not affected but symptoms exist or requests for information or guidance.

Call us

North America: 1-800-782-3762
UK: +44-20-33554107

Severity 1: 24x7x365
Severity 2: 24x7x365
Non-Critical: Business Hours Only

Open a ticket

You will be transferred over to the GoSecure website to complete your request.

Have a question or a problem?
Send us a ticket and we'll start working on it.

Business Hours Only

Email us to resolve an issue.

Business Hours Only