Configuring Exchange Impersonation Rights
The EdgeWave Incident Response Global Remediation feature requires specific rights on your Exchange server. Because messages are removed, and replaced as necessary, directly in a user’s Inbox, you must configure the EdgeWave Postdelivery service account with Exchange impersonation rights.
Please follow the instructions below to configure Exchange impersonation rights.
How to set impersonation rights manually
How to manually manage impersonation rights for an administrator account.
Use the links below to learn how to add impersonation rights to your admin account via:
- Run Windows PowerShell.
- Check your PowerShell version by typing the following cmdlet:
- An empty response means that you are using version 1.0.
- For versions 2.0 and newer, you should see a detailed answer.
- We recommend that you keep PowerShell updated to avoid compatibility problems. To download the newest version of PowerShell, please visit this Microsoft website.
- If your Exchange server is in a remote location (for example, it is hosted) or you are connecting to Office 365 (Exchange Online), learn how to connect to remote Exchange via PowerShell. To manage permissions locally (if you have an on-premises Exchange server or if you are logged on to a remote Exchange server via Remote Desktop, etc.) execute the commands below in Exchange Management Shell.
- Check if the account in question already has impersonation rights assigned by executing this cmdlet:
Get-ManagementRoleAssignment -RoleAssignee "<account name>" -Role ApplicationImpersonation -RoleAssigneeType user
where <account name> is the name of the administrator account (on the target server) that you want to check.
- Add impersonation rights:
New-ManagementRoleAssignment -Name:"<assignment name>" -Role:ApplicationImpersonation -User:"<account name>"
where <assignment name> is the name of your choice for this assignment. Be aware that each assignment should have a unique name. You can omit the Name switch, and a unique assignment name will be created automatically.
- If necessary, you can also restrict these impersonation rights so that they apply to a specific group of users. To do so, you first need to define a management scope that includes your AD group:
$ADGroup = Get-DistributionGroup -Identity "<group name>"
New-ManagementScope "<scope name>" -RecipientRestrictionFilter "MemberOfGroup -eq '$($ADGroup.DistinguishedName)'"
where <group name> is the name of your AD group object, and <scope name> is the name of your choice for the new management scope.
Now, modify the existing assignment by using the following cmdlet:
Set-ManagementRoleAssignment "<assignment name>" -CustomRecipientWriteScope "<scope name>"
- You can remove impersonation rights with this command, if necessary:
Get-ManagementRoleAssignment -RoleAssignee "<account name>" -Role ApplicationImpersonation -RoleAssigneeType user | Remove-ManagementRoleAssignment
- Open Exchange admin center:
  - In Office 365: log in to your Microsoft Office 365 admin center as an admin and choose Admin centers > Exchange from the menu on the left.
  - In Exchange 2013 and 2016: log in to Exchange admin center (https://localhost/ecp).
- Go to Permissions > admin roles (Fig. 1.) and edit the Discovery Management role by double-clicking it:
- Add the role ApplicationImpersonation and add your admin user as the group member (Fig. 2.).
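To verify the result of either method, the following added example (not part of the original EdgeWave instructions) lists every ApplicationImpersonation assignment, expands role groups such as Discovery Management to their effective members, and flags assignments whose write scope is still organization-wide. The function name Get-ImpersonationAudit is hypothetical; run it in Exchange Management Shell or a remote Exchange PowerShell session.

```powershell
# Added example: audit who holds ApplicationImpersonation and with what scope.
# Get-ImpersonationAudit is a hypothetical helper name, not an Exchange cmdlet.
function Get-ImpersonationAudit {
    [CmdletBinding()]
    param()

    # -GetEffectiveUsers expands role groups, so every member who inherits
    # the role through a group (for example Discovery Management) is listed.
    $assignments = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers

    foreach ($a in $assignments) {
        # Over a remote session the scope type arrives as a string, so compare as text.
        $scopeType = "$($a.RecipientWriteScope)"

        [pscustomobject]@{
            AssignmentName   = $a.Name
            RoleAssignee     = $a.RoleAssigneeName
            AssigneeType     = $a.RoleAssigneeType
            EffectiveUser    = $a.EffectiveUserName
            Enabled          = $a.Enabled
            WriteScopeType   = $scopeType
            CustomWriteScope = $a.CustomRecipientWriteScope
            # 'Organization' means no management scope restricts the assignment:
            # the holder can impersonate any mailbox in the organization.
            OrgWide          = ($scopeType -eq 'Organization')
        }
    }
}

# Organization-wide assignments first, then grouped by assignment name.
Get-ImpersonationAudit |
    Sort-Object -Property @{ Expression = 'OrgWide'; Descending = $true }, AssignmentName |
    Format-Table -AutoSize AssignmentName, RoleAssignee, AssigneeType, EffectiveUser, WriteScopeType, CustomWriteScope, Enabled
```

Rows with OrgWide set to True are candidates for the management-scope restriction described in the PowerShell steps above.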