In Microsoft Office 365 Dedicated/ITAR, a user is a member of one of the following role groups but cannot impersonate Microsoft Exchange users:
- EWS Impersonation role group in Exchange Server 2010
- SSA-ApplicationImpersonation baseline role group or another role group that's associated with the SSA_ApplicationImpersonation management role in Exchange Server 2013
This issue occurs if the custom application is set up incorrectly.
To resolve this issue, use EWSEditor to make sure that the roles in the O365 Dedicated/ITAR environment enable Exchange Web Service (EWS) impersonation. To do this, follow these steps:
- Download EWSEditor from http://ewseditor.codeplex.com, and then extract the application.
- Open EWSEditor.exe.
- On the File menu, click New Exchange Service.
- By default, this prompts for your SMTP address. Use Autodiscover to determine the correct URL to connect to. If you know the EWS URL, you can clear the Use Autodiscover to get the Exchange Web Services URL check box and then enter the URL manually.
- Select the correct version of Exchange or the most recent version if your version isn't listed.
- Select the Use the following credentials instead of the default Windows credentials check box, and then enter the account credentials that have impersonation rights. If you logged on to Windows through this account, this step isn't necessary.
- Make sure that the Use impersonation to log on to another mailbox using the credentials specified on the credentials tab by identifying the mailbox Id below check box is selected, specify the criteria for the target user, and then click OK.
- You should be prompted by a "Do you want to automatically add the mailbox root to the tree view?" message. Click Yes.
- Expand the tree view. If you can see folders or content, impersonation rights are working.
- If you receive a "The account does not have permissions to…" error, contact Microsoft Online Services Support by online submission or by telephone .
Article ID: 2932679 - Last Review: 29 Mar 2016 - Revision: 1