Assigning Full Access to Service Accounts Access to Mailboxes in Exchange Online (Through Azure Active Directory)

Applies to: Office 365 with Exchange, User Mailbox

In an Office 365 with Exchange environment, you must configure the Exchange Online service account to discover, archive, clean up, and restore data for user mailboxes, group mailboxes, and all public folders.

  • Local system account (Windows user)

Before You Begin

The Office 365 with Exchange (Exchange Online) administrator account must have the following service accounts configured:

  • Exchange Online service account, which must meet the following requirements:
    • Must be an online mailbox or a shared mailbox.
  • Local system account (Windows user), which must meet the following requirements:
    • Must be a member of the local administrator group.
    • Must be a domain user.

For the Exchange Online service account, a license is not required. Convert the user mailbox to a shared mailbox, and remove the Office 365 license for the Exchange Online service account.

To back upand restore public folders, the service account must have owner permissions at the root level and at the sub-folder level. You must convert the shared mailbox to a user mailbox, assign the owner permissions, and then convert it back to a shared mailbox.

Enable multi-factor authentication (MFA) for the Exchange Online service account. You must provide the service account email address and the app password, which must be created so that the app can connect to Office 365. For more information, see Set up multi-factor authentication in the Office 365 admin center and Create an app password for Office 365.

  • You must assign the Exchange administrator role or the global administrator role to the Exchange Online service account so that the Exchange administrator or the global administrator can discover and protect Office365 Group mailboxes. For more information, see Assign admin roles in Office 365.


  1. Open Windows PowerShell and create a remote PowerShell session to Office 365 with Exchange.
  2. To assign impersonation and view-only recipient permissions, type the following command:

    New-RoleGroup -Name "ExchangeOnlineBackupRoleGroup" -Roles "ApplicationImpersonation", "View-Only Recipients" -Members serviceaccount1,serviceaccount2


    • ExchangeOnlineBackupRoleGroup is a unique name for the new role group.
    • serviceaccount1 and serviceaccount2 are Exchange Online service accounts.

What to Do Next

Running Application Check Readiness for the Exchange Mailbox Client

Last modified: 3/3/2020 6:56:44 PM