Problem description
During the backup of Microsoft 365 data for Exchange Public Folders, inSync shows the error "The account does not have permission to impersonate the requested user".
This article discusses the scenario where public folder backups fail with the above error.
Cause
The global admin account used to configure the M365 SaaS app requires Application Impersonation rights in the M365 Console.
Traceback
[2021-01-11 06:39:06,527] [ERROR] Sync Folder failed for id: %sAAEuAAAAAADZ2UgoNvxYQLQr2Aa+v4aqAQCsmen5H9D4RbwqArW0MO+SAAAB1em5AAA=
[2021-01-11 06:39:06,777] [WARN] All retry 6 failed. API HttpError 500 when requesting https://outlook.office365.com/EWS/Exchange.asmx for user CloudBackup@amideast.org returned 'Response :OrderedDict([('s:Envelope', OrderedDict([('@xmlns:s', 'http://schemas.xmlsoap.org/soap/envelope/'), ('s:Body', OrderedDict([('s:Fault', OrderedDict([('faultcode', OrderedDict([('@xmlns:a', 'http://schemas.microsoft.com/exchang...es/2006/types'), ('#text', 'a:ErrorImpersonateUserDenied')])), ('faultstring', OrderedDict([('@xml:lang', 'en-US'), ('#text', 'The account does not have permission to impersonate the requested user.')])), ('detail', OrderedDict([('e:ResponseCode', OrderedDict([('@xmlns:e', 'http://schemas.microsoft.com/exchang...s/2006/errors'), ('#text', 'ErrorImpersonateUserDenied')])), ('e:Message', OrderedDict([('@xmlns:e', 'http://schemas.microsoft.com/exchang...s/2006/errors'), ('#text', 'The account does not have permission to impersonate the requested user.')]))]))]))]))]))])'
Resolution
Add Application Impersonation permissions from the Exchange Admin Console (EAC) to the Global Admin account used to configure the M365 SaaS App:
In the Exchange Admin Console, either click Permissions in the left-hand navigation and make sure you are on the Admin Roles tab at the top, or click Admin Roles below Permissions on the home page of the EAC.
Check whether you already have a Role Group with the Application Impersonation role. If not, create a new Role Group by clicking the + sign.
In the New Role Group window, give the new Role Group a name. To make it easy to remember, you can name it App Impersonation. Enter any description of your choice in the Description box. Click + under Roles, select Application Impersonation, then click Add and OK.
Click the + sign below Members, add the Service Account as a member of this Role Group, then click Add and OK.
Once that is done, click Save in the New Role Group window.
It can sometimes take several minutes (generally 30-60 minutes) for these changes to become active and get replicated across all the directories.
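
The same steps as an Exchange Online PowerShell session, added here as an example (it is not part of the original article or the vendor's tooling). It assumes the ExchangeOnlineManagement module is installed and that the tenant permits assigning this role; the account names are placeholders. The last command lists every account that effectively holds the role, so the result can be checked for unexpected holders.

```powershell
# Added example: the account names below are placeholders, not values from the article.
$RoleGroupName  = 'App Impersonation'         # name suggested in the steps above
$ServiceAccount = 'svc-backup@example.com'    # placeholder: account configured in the M365 SaaS app
$AdminUpn       = 'admin@example.com'         # placeholder: admin allowed to manage role groups
$Role           = 'ApplicationImpersonation'  # Exchange RBAC name of the role

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# Use a dedicated role group looked up by name, rather than adding the service
# account to a broader admin group that happens to include the role.
$group = Get-RoleGroup -Identity $RoleGroupName -ErrorAction SilentlyContinue
if (-not $group) {
    New-RoleGroup -Name $RoleGroupName -Roles $Role `
        -Description 'Impersonation rights for the backup service account' | Out-Null
    Write-Host "Created role group '$RoleGroupName' with role $Role"
}
else {
    # The group exists: make sure it really carries a regular (non-delegating) assignment.
    $assigned = Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName -Role $Role -Delegating $false
    if (-not $assigned) {
        New-ManagementRoleAssignment -SecurityGroup $RoleGroupName -Role $Role | Out-Null
        Write-Host "Assigned $Role to existing role group '$RoleGroupName'"
    }
}

# Add the service account only if it is not already a member.
$members = Get-RoleGroupMember -Identity $RoleGroupName -ResultSize Unlimited
if ($members.PrimarySmtpAddress -notcontains $ServiceAccount) {
    Add-RoleGroupMember -Identity $RoleGroupName -Member $ServiceAccount
    Write-Host "Added $ServiceAccount to '$RoleGroupName'"
}

# Verification: everyone who effectively holds the role, and through which assignee.
Get-ManagementRoleAssignment -Role $Role -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, CustomRecipientWriteScope |
    Sort-Object EffectiveUserName -Unique |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```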