Prerequisites for the Exchange Mailbox Agent User Mailbox Hybrid Environment

Before you install the Exchange package, make sure that your on-premises environment meets the prerequisites.

Assigning Permissions to On-Premises Service Accounts

Microsoft Outlook requirements
Assign full access to service accounts

The service account must have full access rights to all the mailboxes on the server.
If you locate the agent on an off-host access node, the service account must be in the Local Administrator Group on the access node server.
Disabling the throttling policy
Disabling MAPI Over HTTP

If you are using basic authentication, you must perform the following prerequisite tasks:

Note

Multi-Factor Authentication (MFA) is supported only when the App password is set for the service account in the Azure portal.
Azure tenants with default security enabled are not supported as the default security setting does not permit configuration of MFA App password for service accounts.

If you are using modern authentication, you must perform the following prerequisite tasks:

Port Requirements
Configuring Support for Office 365 with Exchange in China or Germany
Register the Application for Modern Authentication
When you upgrade to Feature Release 20, if you move from basic authentication to modern authentication and you are using a manually created app, you must have the Group.Write.All permission under Microsoft Graph and the full_access_as_app permission under Under Supported Legacy API in the Azure portal.

Note

Modern authentication requires only one service account. The service account can be an unlicensed Exchange admin user.
Azure tenants with default security enabled are not supported as the default security setting does not permit configuration of MFA App password for service accounts.