When you are migrating from Exchange/Office 365, there may be a requirement that the Application Impersonation permissions apply to only a segment of the user list. Examples of this are restricted environments, divestitures and hosted Exchange.
The first step is to determine how you will separate the users you will give access to from your general population. For example, you can set the Company attribute to something specific for these users.
If you are using Active Directory Connect to sync your users to Office 365, set the attribute in Active Directory. Otherwise, you should set the attribute in the Office 365 Admin Portal, or via PowerShell.
You can test your recipient filter and create your custom management scope:
A recipient is any object that can receive mail (mail users, mail contacts, mailboxes, groups).
Now you can create your new admin role group with the admin roles required, the specified migration admin user, and the custom write scope you created above.
You can now use the user specified in this command as the Admin user within CloudMigrator.
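The steps above as one PowerShell sequence, with a check that the impersonation right really is limited to the intended users. This is an added example, not commands from the original page; it assumes an existing Exchange PowerShell session, and the Company value, scope name, role group name and admin account are placeholders.

```powershell
# Added example. Every name and value below is a placeholder (assumption).
$company   = 'Contoso Divested'               # value set in the Company attribute
$scopeName = 'Migration Impersonation Scope'  # hypothetical scope name
$groupName = 'Scoped Migration Admins'        # hypothetical role group name
$adminUser = 'migration.admin@example.com'    # hypothetical migration admin
$filter    = "Company -eq '$company'"

# 1. Preview exactly which recipients the filter matches before granting anything.
$inScope = Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited
if (-not $inScope) {
    throw "Filter [$filter] matched no recipients; check the attribute first."
}
$inScope | Sort-Object RecipientTypeDetails, Name |
    Format-Table Name, PrimarySmtpAddress, RecipientTypeDetails

# 2. Create the custom management scope from the tested filter.
New-ManagementScope -Name $scopeName -RecipientRestrictionFilter $filter

# 3. Create the role group, bound to that scope. Only ApplicationImpersonation
#    is listed here; append any other roles your migration requires.
New-RoleGroup -Name $groupName `
    -Roles 'ApplicationImpersonation' `
    -Members $adminUser `
    -CustomRecipientWriteScope $scopeName

# 4. Confirm the assignment carries the custom scope and not the whole organization.
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-List Name, Role, RecipientWriteScope, CustomRecipientWriteScope

# 5. List every other effective holder of ApplicationImpersonation whose
#    assignment is not restricted to a custom recipient scope. The scoped
#    role group is pointless if the same account also holds one of these.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
    Where-Object { $_.RecipientWriteScope -ne 'CustomRecipientScope' } |
    Format-Table Name, EffectiveUserName, RecipientWriteScope
```

Re-run step 1 whenever the attribute is changed on users: the scope is evaluated from the filter, so anyone who gains the Company value becomes impersonable by the migration account.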