Documentation for Access Rights Manager

Prepare Exchange resources

ARM reads information from the Exchange server via a remote PowerShell connection.

An Exchange scan can be performed by any collector.

The connection is established using a client access server (CAS) or a database availability group (DAG).


Prepare the PowerShell website

The steps described in this section are required for on-premises Exchange only, not for Exchange Online.

The Exchange Client Access Server (CAS) hosts a site in IIS that allows users to access the Exchange server. It is called "Default Web Site" (Exchange 2010) or "Exchange Back End" (Exchange 2013 and higher) and includes the sub-site "PowerShell". This sub-site must be configured to allow ARM access to Exchange.


Start the IIS Manager on the CAS.



Navigate to "PowerShell". In Exchange 2010 it is found under "Default Web Site"; in Exchange 2013 and higher it is found under "Exchange Back End". Double-click "Application Settings".



  1. Select "PSLanguageMode".
  2. Click "Edit".
  3. Enter the value "FullLanguage".

As of ARM version 2020.2.7, the PSLanguageMode value FullLanguage is no longer needed.

Please note that cumulative Exchange updates may reset this setting!



Activate the desired authentication method.

You must later select the same authentication method in the Exchange configuration that you activate here.

For additional information see the article IIS for Beginners Part 4: Authentication and Authorization with the IIS (© 2020 Microsoft, obtained on January 29, 2020).


Alternatively, you can activate the authentication method with PowerShell.

For example, to activate Windows authentication (Kerberos):

Get-PowerShellVirtualDirectory | Set-PowerShellVirtualDirectory -WindowsAuthentication $true


You must restart IIS in order to apply any changes.


For example, in the command prompt or PowerShell:
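The following script is an added example and is not part of the ARM documentation. It reports the authentication settings of the Exchange PowerShell virtual directories on a CAS, enables Windows authentication only where it is still off, and restarts IIS with iisreset so the change takes effect. The optional last step reads the PSLanguageMode application setting that cumulative updates may reset; the IIS path used there is an assumption for Exchange 2013 and higher ("Exchange Back End") and must be changed to "Default Web Site" for Exchange 2010.

```powershell
# Added example (not from the ARM documentation): verify and, if needed, enable
# Windows authentication on the Exchange PowerShell virtual directory, then restart IIS.
# Assumptions: run in the Exchange Management Shell on the CAS with Exchange admin rights.

param(
    [string]$Server = $env:COMPUTERNAME,   # CAS to check; defaults to the local server
    [switch]$Apply                          # without -Apply the script only reports
)

# 1. Report the current authentication settings of every PowerShell vdir on this server.
$vdirs = Get-PowerShellVirtualDirectory -Server $Server
$vdirs | Format-Table Name, WindowsAuthentication, BasicAuthentication, CertificateAuthentication, InternalUrl -AutoSize

# 2. Enable Windows authentication (Kerberos) only where it is off.
$needsFix = @($vdirs | Where-Object { -not $_.WindowsAuthentication })
if ($needsFix.Count -eq 0) {
    Write-Host "Windows authentication is already enabled on all PowerShell virtual directories."
}
elseif ($Apply) {
    $needsFix | Set-PowerShellVirtualDirectory -WindowsAuthentication $true
    # 3. Restart IIS so the new authentication setting is picked up (/noforce lets
    #    running requests finish instead of killing worker processes).
    iisreset /noforce
}
else {
    Write-Host "Would enable Windows authentication on: $($needsFix.Name -join ', ') (re-run with -Apply)."
}

# 4. Optional: read the PSLanguageMode application setting (only relevant for ARM
#    versions before 2020.2.7). Assumed IIS path for Exchange 2013 and higher.
Import-Module WebAdministration -ErrorAction SilentlyContinue
$langMode = Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Exchange Back End\PowerShell' `
    -Filter "appSettings/add[@key='PSLanguageMode']" -Name value -ErrorAction SilentlyContinue
if ($langMode) { Write-Host "PSLanguageMode: $($langMode.Value)" } else { Write-Host "PSLanguageMode: not set" }
```

Run it once without -Apply after every cumulative update to confirm that the settings survived, and with -Apply only when the report shows a directory that needs the change.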



Set up required permissions

The service account that is used to scan Exchange requires the following access rights:

  1. Administrator privileges on the collector server
  2. Membership in the Exchange security group "View-Only Organization Management"
  3. Read permissions in Active Directory (during the scan, distinguished names are resolved and access rights are partially read from the mailbox user)
  4. Impersonation rights to scan deputy rules and mailbox folders; see the section Exchange Web Services - Impersonation
  5. Its own mailbox, to scan public folders


The service account that you want to use to modify Exchange requires the following additional right:

  1. Membership in the Exchange security group "Organization Management"

Deny rights applied to mailbox content may hinder successful scans.


For Exchange Online, create a user (with an email address) that is "Global Administrator" on the server; the user does not need to be licensed. Add the user to the group "View-Only Organization Management" for read-only access or to "Organization Management" for modify access.

If the account for scanning Exchange Online is newly created, make sure that you have logged in to the Office 365 environment with this account at least once before using it.

MFA (multi-factor authentication) is not supported for scanning or modifying Exchange.
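The following script is an added example and is not part of the ARM documentation. It audits an on-premises scan account against the rights listed in this section: local administrator on the collector, role group membership, an ApplicationImpersonation assignment, its own mailbox and an enabled Active Directory account. The account and collector names are placeholders. It reports membership in "Organization Management" separately because a scan-only account should not have it.

```powershell
# Added example (not from the ARM documentation): audit the rights of the account
# that ARM uses to scan Exchange. Assumptions: Exchange Management Shell with the
# ActiveDirectory module available; names below are placeholders.

param(
    [string]$ScanAccount     = 'CONTOSO\svc-arm-exchange',   # placeholder service account
    [string]$CollectorServer = 'arm-collector01'             # placeholder collector host
)

$sam     = $ScanAccount.Split('\')[-1]
$results = [ordered]@{}

# 1. Local administrator on the collector server.
$admins = Invoke-Command -ComputerName $CollectorServer -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
}
$results['Collector local admin'] = $admins -contains $ScanAccount

# 2. Role group membership. Get-RoleGroupMember does not expand nested groups, so an
#    account that is a member only via a nested group is reported as not a member.
foreach ($group in 'View-Only Organization Management', 'Organization Management') {
    $hit = Get-RoleGroupMember -Identity $group |
        Where-Object { $_.SamAccountName -eq $sam -or $_.Name -eq $sam }
    $results["Member of '$group'"] = [bool]$hit
}

# 3. Impersonation: an ApplicationImpersonation role assignment for the account
#    (directly or through a role group it belongs to).
$imp = Get-ManagementRoleAssignment -RoleAssignee $sam -Role ApplicationImpersonation -ErrorAction SilentlyContinue
$results['ApplicationImpersonation assigned'] = [bool]$imp

# 4. Own mailbox (required for public folder scans).
$results['Has own mailbox'] = [bool](Get-Mailbox -Identity $sam -ErrorAction SilentlyContinue)

# 5. Active Directory account enabled (impersonation only works with active accounts).
$ad = Get-ADUser -Identity $sam -Properties Enabled
$results['AD account enabled'] = [bool]$ad.Enabled

# Print one line per check. "Organization Management" should read False for a scan-only account.
$results.GetEnumerator() | ForEach-Object { '{0,-45} {1}' -f $_.Key, $_.Value }
```

Read permissions in Active Directory are not checked here because they are granted to "Authenticated Users" by default; only verify them explicitly if your directory has been hardened.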


Exchange Web Services - Impersonation

PowerShell allows you to load administrative information from Exchange, such as the structure and permissions of objects (e.g. mailboxes and public folders). The Exchange Web Service allows you to access their content. Substitution (deputy) rules can only be read via the Exchange Web Service.

Before you decide to read and view mailbox folders, you should ensure that this adheres to your company's data security policy. You may be able to view sensitive information just by viewing mailbox folder structures.

Access to the Exchange Web Service always happens in the context of the mailbox user. This requires that the scan account (service account) has the right to impersonate.

Impersonation only works with active Active Directory accounts.


Examples for configuring impersonation via PowerShell can be found here:


As an alternative to the PowerShell process described by Microsoft, you can use the GUI of the Exchange Admin Center:


  1. Log in to the Exchange admin center.

  2. Select Admin roles.

  3. Click Add role group.



  1. Give the new role an appropriate name and description. Select the new role.

  2. Click Assigned.

  3. Assign the account to be used for Exchange scanning to the role.



  1. Click Permissions.

  2. Enable the ApplicationImpersonation permission for the new role.
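The following script is an added example and is neither part of the ARM documentation nor of Microsoft's article; it shows the PowerShell equivalent of the Exchange Admin Center steps above. It assigns the ApplicationImpersonation role to the scan account and limits the assignment with a management scope, so the account can only impersonate the mailboxes ARM actually scans instead of every mailbox in the organization. The account, scope, assignment and OU names are placeholders.

```powershell
# Added example (not from the ARM documentation): assign ApplicationImpersonation
# to the scan account via PowerShell, limited by a recipient scope.
# Assumptions: Exchange Management Shell; all names below are placeholders.

param(
    [string]$ScanAccount    = 'svc-arm-exchange',     # placeholder scan account
    [string]$ScopeName      = 'ARM Scan Recipients',  # placeholder scope name
    [string]$AssignmentName = 'ARM Impersonation',    # placeholder assignment name
    [string]$RecipientOU    = 'contoso.com/Users'     # placeholder OU that holds the scanned mailboxes
)

# 1. Create the recipient scope once. Without -CustomRecipientWriteScope the
#    assignment would allow impersonation of every mailbox in the organization.
$scope = Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue
if (-not $scope) {
    $scope = New-ManagementScope -Name $ScopeName -RecipientRoot $RecipientOU `
        -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' }
}

# 2. Create the role assignment once; re-running the script must not add duplicates.
$existing = Get-ManagementRoleAssignment -RoleAssignee $ScanAccount -Role ApplicationImpersonation -ErrorAction SilentlyContinue
if (-not $existing) {
    New-ManagementRoleAssignment -Name $AssignmentName -Role ApplicationImpersonation `
        -User $ScanAccount -CustomRecipientWriteScope $ScopeName
}

# 3. Show the resulting assignment and its scope for review.
Get-ManagementRoleAssignment -RoleAssignee $ScanAccount -Role ApplicationImpersonation |
    Format-List Name, Role, RoleAssigneeName, CustomRecipientWriteScope, RecipientReadScope
```

Widen the recipient filter only as far as the scan needs; the scope is what keeps a compromised scan account from reading every mailbox.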


Test the connection to Exchange PowerShell

Use the following process to test the connection to PowerShell:

  1. Start a PowerShell console with the credentials that are also used for the remote session (CTRL+SHIFT+right-click on the PowerShell icon -> "Run as different user").
  2. Create a credential object:
    $cred = Get-Credential
  3. Create a SessionOption object (turns off all certificate checks, for the test only):
    $so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
  4. Create a session. Adjust the URI, the authentication mechanism (-Authentication) and the protocol, http or https:
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://srv-ex01/PowerShell/ -Credential $cred -SessionOption $so -Authentication Default
  5. Enter the session. You can now execute cmdlets (which ones are available depends on the account's rights):
    Enter-PSSession $session
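The following function is an added example and is not part of the ARM documentation. It wraps the manual test above: it opens the remote Exchange PowerShell session, runs one read-only cmdlet that any account with "View-Only Organization Management" rights can execute, and always removes the session again. The certificate checks are skipped only when asked for, and the server name in the usage line is the placeholder from the text above; the authentication method must match what was activated in IIS.

```powershell
# Added example (not from the ARM documentation): scripted connection test for the
# Exchange remote PowerShell endpoint. Assumptions: Windows PowerShell 5.1 on a
# machine that can reach the CAS; the scan account's credentials are supplied.

function Test-ArmExchangeConnection {
    param(
        [Parameter(Mandatory)] [string]$ConnectionUri,          # e.g. https://srv-ex01/PowerShell/
        [Parameter(Mandatory)] [pscredential]$Credential,        # scan account
        [ValidateSet('Default', 'Kerberos', 'Basic', 'Negotiate')]
        [string]$Authentication = 'Default',                     # must match the IIS setting
        [switch]$SkipCertificateChecks                           # test only; not for production use
    )

    $so = if ($SkipCertificateChecks) {
        New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
    } else {
        New-PSSessionOption
    }

    $session = $null
    try {
        $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ConnectionUri `
            -Credential $Credential -SessionOption $so -Authentication $Authentication -ErrorAction Stop

        # Read-only cmdlet: proves that the session works and that the account
        # has at least view-only rights in the organization.
        $org = Invoke-Command -Session $session -ScriptBlock { Get-OrganizationConfig | Select-Object Name }

        [pscustomobject]@{ Connected = $true; Organization = $org.Name; Uri = $ConnectionUri; Error = $null }
    }
    catch {
        # Typical causes: wrong authentication method, account not in a role group,
        # IIS not restarted after the change, certificate errors when checks are on.
        [pscustomobject]@{ Connected = $false; Organization = $null; Uri = $ConnectionUri; Error = $_.Exception.Message }
    }
    finally {
        # Exchange limits concurrent remote sessions per user; always clean up.
        if ($session) { Remove-PSSession $session }
    }
}

# Usage (prompts for the scan account's credentials; placeholder server name):
# Test-ArmExchangeConnection -ConnectionUri 'https://srv-ex01/PowerShell/' -Credential (Get-Credential) -SkipCertificateChecks
```

Once the test returns Connected = True without -SkipCertificateChecks, the same URI, authentication method and credentials can be entered in the ARM Exchange configuration.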