Assigning Application Impersonation Role to the User Account Specified for the Backup
This section provides information about how to add the backup account to the Discovery Management role group and assign the Application Impersonation permission.
To add the required role and group, perform one of the following:
Method 1: Using Office 365 portal
Follow these steps:
- Log in to the Office 365 portal as an Administrator or with an account that has Global Admin permissions.
- The Exchange admin center page appears.
- Go to permissions and from the Add drop-down, double-click Discovery Management.
- The Discovery Management dialog box appears.
- Note: Members of the Discovery Management role group can search mailboxes in the Exchange organization for data that meets specific criteria.
- Under Roles, click + to add the ApplicationImpersonation role.
- The Select a Role dialog box appears.
- From the Display Name drop-down, select ApplicationImpersonation.
- Note: The ApplicationImpersonation role enables applications to impersonate users in an organization to perform tasks on behalf of the user.
- Click Add to add the ApplicationImpersonation role, and then click OK.
- On the Discovery Management dialog box, under Members, click + to add the backup account as a member.
- The Select Members dialog box appears.
- From the Name drop-down, select the backup account, click Add to add the member, and then click OK.
- The selected backup account is displayed under Members on the Discovery Management dialog.
- Click Save.
Method 2: Using Remote PowerShell
Follow these steps:
- Connect to the Exchange Online tenant using remote PowerShell. For more information, see Connect to Exchange Online PowerShell.
- Once connected, to add the backup account as a member of the Discovery Management role group, use the "Add-RoleGroupMember" cmdlet.
For example: Add-RoleGroupMember "discovery management" -Member userName@domain.onmicrosoft.com
- To assign the ApplicationImpersonation role to the backup account, use the "New-ManagementRoleAssignment" cmdlet.
For example: New-ManagementRoleAssignment -Name:impersonationAssignmentName -Role:ApplicationImpersonation -User:"username@domain.onmicrosoft.com"
The backup account is now a member of the Discovery Management role group and has the ApplicationImpersonation role assigned.
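
The following script is an added example, not part of the original documentation: it runs the Method 2 steps so they can be repeated safely, then lists every account that effectively holds ApplicationImpersonation and the scope of each assignment. It assumes the ExchangeOnlineManagement module is installed; the account and assignment names are the placeholders used in the steps above.

```powershell
# Added example. Placeholder values taken from the steps above; replace before use.
$BackupAccount  = 'username@domain.onmicrosoft.com'
$AssignmentName = 'impersonationAssignmentName'
$RoleGroup      = 'Discovery Management'

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Resolve the account once so later comparisons use the directory object's Name.
$user = Get-User -Identity $BackupAccount -ErrorAction Stop

# Step 1: add the account to the role group only if it is not already a member.
$members = @(Get-RoleGroupMember -Identity $RoleGroup)
if ($members.Name -notcontains $user.Name) {
    Add-RoleGroupMember -Identity $RoleGroup -Member $BackupAccount
}

# Step 2: create the impersonation assignment only if the account has none yet
# (direct or inherited through a role group).
$existing = Get-ManagementRoleAssignment -Role ApplicationImpersonation `
    -RoleAssignee $BackupAccount -Delegating $false -ErrorAction SilentlyContinue
if (-not $existing) {
    New-ManagementRoleAssignment -Name $AssignmentName `
        -Role ApplicationImpersonation -User $BackupAccount
}

# Check 1: who is in the role group after the change.
Get-RoleGroupMember -Identity $RoleGroup |
    Select-Object Name, RecipientType |
    Format-Table -AutoSize

# Check 2: every account that can impersonate, and over which recipients.
# A RecipientWriteScope of 'Organization' means the assignment covers all mailboxes.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Select-Object Name, EffectiveUserName, AssignmentMethod,
                  RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Any entry in the second table other than the backup account and other expected service accounts is worth reviewing, because each one can act as any mailbox within its scope.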