Loading...

Assigning Full Access to Service Accounts Access to Mailboxes in Exchange Online (Through Azure Active Directory)

Applies to: Office 365 with Exchange, User Mailbox

In an Office 365 with Exchange environment, you must configure the Exchange Online service account to discover, archive, clean up, and restore data for user mailboxes, group mailboxes, and all public folders.

  • Local system account (Windows user)

Before You Begin

The Office 365 with Exchange (Exchange Online) administrator account must have the following service accounts configured:

  • Exchange Online service account, which must meet the following requirements:
    • Must be an online mailbox or a shared mailbox.
    • Must have multi-factor authentication enabled. You must provide the service account email address and the app password, which must be created so that the app can connect to Office 365. For more information, see Set up multi-factor authentication in the Office 365 admin center and Create an app password for Office 365 on the Microsoft documentation website. If MFA is enabled using the conditional access policy, then the app password cannot be configured.
    • Must have either the Exchange administrator role or the global administrator role assigned so that the Exchange administrator or the global administrator can discover and back up Office365 group mailboxes. For more information, see Assign admin roles in Office 365 on the Microsoft documentation website.
    • If you use more than one access node, the service account must have local logon rights.
    • For public folders, you must have owner permissions at the root level and the sub-folder level. Convert the shared mailbox to a user mailbox, assign assign the owner permissions, and then convert the mailbox back to a shared mailbox.
    • For the Exchange Online service account, a license is not required. Convert the user mailbox to a shared mailbox, and remove the Office 365 license for the Exchange Online service account.
  • Local system account (Windows user), which must meet the following requirements:
    • Must be a member of the local administrator group.
    • Must be a domain user.

Procedure

  1. Open Windows PowerShell and create a remote PowerShell session to Office 365 with Exchange.
  2. To assign impersonation and view-only recipient permissions, type the following command:

    New-RoleGroup -Name "ExchangeOnlineBackupRoleGroup" -Roles "ApplicationImpersonation", "View-Only Recipients" -Members serviceaccount1,serviceaccount2

    where:

    • ExchangeOnlineBackupRoleGroup is a unique name for the new role group.
    • serviceaccount1 and serviceaccount2 are Exchange Online service accounts.

What to Do Next

Running Application Check Readiness for the Exchange Mailbox Client

Last modified: 7/8/2020 5:46:21 PM