Exchange Impersonation error. Unable to open user mailbox due to impersonation error. Please make sure impersonation is set properly. (11021)

lost 25 Reputation points
2023-07-24T20:51:59.5+00:00

This has been asked and answered before. And while some people said the answer fixed the problem, many others including me cannot get this fix to work.

This is the error I get inside Google when I set up and execute a migration of an account.

Exchange Impersonation error. Unable to open user mailbox due to impersonation error. Please make sure impersonation is set properly. (11021)

I log in to the Exchange Admin Center using the global admin account and this is in Microsoft 365 purchased through Comcast Business (which was a huge mistake, Comcast support has no clue how to admin Microsoft 365).

I did the steps outlined below realizing the menu choices have changed since 2019 and 2022. But the general steps are the same.

When I attempt to create and assign the admin roles to the Global Admin account I get the following error:

Error executing request. You don't have access to create, change, or remove the "xx-xx.onmicrosoft.com\ApplicationImpersonation-GSuiteMigration" management role assignment. You must be assigned a delegating role assignment to the management role or its parent in the hierarchy without a scope restriction.

How do you assign a delegating role to global admin, or is the problem something else and this is a less-than-helpful or inaccurate error message?

Here is the link that is often posted in other answers from 2019 and 2022.

https://answers.microsoft.com/en-us/msoffice/forum/all/exchange-impersonation-error-unable-to-open-user/834c4ea9-6cb5-4df4-9011-433ba501f6d2

The problem is the menu options and choices have changed. Even following the expected new steps, it still doesn't work.

  1. Log in to ECP, e.g. https://outlook.office365.com/ecp
  2. Select the Permissions menu, then Admin Roles
  3. Create a new role by clicking on the + sign
  4. Give it a name e.g. GSuiteMigration
  5. Click on the + under roles and add the ApplicationImpersonation & ViewOnly-Configuration
  6. Click the + sign under members and add the admin that requires the impersonation role
  7. Save and rerun the migration steps

sp

Exchange Online

Accepted answer
  1. Anonymous
    2023-07-25T06:18:20.6033333+00:00

    Hi @lost,

    <<When I attempt to create and assign the admin roles to the Global Admin account I get the following error:

    “Error executing request. You don't have access to create, change, or remove the "xx-xx.onmicrosoft.com\ApplicationImpersonation-GSuiteMigration" management role assignment. You must be assigned a delegating role assignment to the management role or its parent in the hierarchy without a scope restriction”.

    <<How do you assign a delegating role to global admin?

    Please try the following and try again.

    Open the Organization management role and under Permissions, make sure the checkbox next to Role management is ticked.


    You could add your own user as member of the role.


    Refer link: ApplicationImpersonation permission on new admin role group - Microsoft Q&A

    Regards

    Shaofan



1 additional answer

  1. MellisaHa 0 Reputation points
    2024-03-11T06:25:27.57+00:00

    The above was half a solution.

    You need to ensure you add your user under both:

    • Organization Management, AND
    • View-Only Organization Management

    Once I did this, I was able to add the Group.

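The checks and steps from the question and the two answers above, done in Exchange Online PowerShell rather than the admin center. This is an added example, not part of the thread; the admin address is a placeholder, it assumes the ExchangeOnlineManagement module is installed, and "View-Only Configuration" is the role the steps call "ViewOnly-Configuration".

```powershell
# Placeholder (not from the thread): the admin account that runs the migration.
$Admin = 'admin@contoso.onmicrosoft.com'

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $Admin

# 1. List who holds a delegating assignment for ApplicationImpersonation.
#    The error quoted in the question says the signed-in admin lacks one.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -Delegating $true -GetEffectiveUsers |
    Select-Object RoleAssigneeName, EffectiveUserName, RoleAssignmentDelegationType

# 2. Show current members of the two role groups named in the answers.
$groups = 'Organization Management', 'View-Only Organization Management'
foreach ($g in $groups) {
    Write-Host "Members of ${g}:"
    Get-RoleGroupMember -Identity $g | Select-Object Name, RecipientType
}

# 3. Add the admin to each group (skip a group where it is already listed).
foreach ($g in $groups) {
    Add-RoleGroupMember -Identity $g -Member $Admin
}

# 4. Reconnect so the session is rebuilt with the new role group membership.
Disconnect-ExchangeOnline -Confirm:$false
Connect-ExchangeOnline -UserPrincipalName $Admin

# 5. Create the migration role group from steps 3-6 of the question.
New-RoleGroup -Name 'GSuiteMigration' `
    -Roles 'ApplicationImpersonation', 'View-Only Configuration' `
    -Members $Admin

# 6. Confirm the assignments exist before rerunning the migration.
Get-ManagementRoleAssignment -RoleAssignee 'GSuiteMigration' |
    Select-Object Role, RoleAssigneeName, RoleAssignmentDelegationType

# 7. After the migration finishes, remove the group: ApplicationImpersonation
#    lets its members act as any mailbox in the organization.
# Remove-RoleGroup -Identity 'GSuiteMigration'
```

Role group changes in Exchange Online can take some time to apply, so step 5 may still fail immediately after step 3.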
