Office 365 Service Accounts Setup or Exchange Online

Role Propagation Delay

Depending on the configuration of an Exchange server's "Information Cache", adding the Service Account (Impersonation) role to an account can take up to two hours to update.

  1. Sign in to your Office 365 administrator account.

  2. Navigate to the Admin center.

    Office 365 Admin Center

  3. Expand the "Users" section.

  4. Select "Active users".

  5. Click "Add a user".

  6. Fill out the details for this user.

    Office 365 Admin Center Add User

  7. Make sure to select "Let me create the password" and uncheck "Require this user to change their password when they first sign-in".

    Office 365 Admin Center Let me create the password

  8. (Optional) Assign a license to the new user. The user does not need a license assigned as long as the account the user is linking through has a license.

    Office 365 Admin Center assign license to user

  9. In the "Optional settings" screen, you can leave the settings as they are.

Office 365 Admin Center optional settings

Give Account Permissions

  1. If Admin Centers is not visible in the sidebar, click Show all.

  2. Select Exchange.

  3. A new window will open to the Exchange admin center. Select permissions.

    Exchange admin center permissions

  4. Click on the + icon to add a new role group.

  5. A pop-up window for new role group will appear.

  6. Click the + icon by Roles to add a new role to the role group.

  7. In the new window that pops up, select ApplicationImpersonation and then add ->.

  8. Your new role group should look like the following image:

    Exchange admin center permissions Application Impersonation

  9. Now click "+" and add a Member.

  10. Search for the account you want to give permissions to. Click "add ->", then click "OK". And you're done!

    Exchange admin center permissions add member

Authenticate Office 365 Users

Aliases and Service Accounts

Authenticating users with service accounts requires the original account instead of an alias. The domain names for the service account and the user must match. For example, if the service account credential was created under @contoso.com but the user account is @bravo.com, it will fail.

OAuth or Microsoft Modern Authentication

To authenticate [email protected] using a service account's credentials, pass the service account's refresh token in the settings object and be sure to indicate that the credentials belong to a service account by including the "service_account": true field. In the example below, email_address contains the email of the user account that will be authenticated. The settings object contains the service account's credentials.

# email_address: the account to authenticate.
# microsoft_refresh_token: the service account's refresh token.
# eas_server_host: optional. Specify the EAS host if autodiscovery fails.
curl -X POST https://api.nylas.com/connect/authorize -d '{
  "client_id": "nylas_client_id",
  "name": "Nyla the Cheetah",
  "email_address": "[email protected]",
  "provider": "exchange",
  "settings": {
    "microsoft_client_id": "{microsoft_client_id}",
    "microsoft_client_secret": "{microsoft_client_secret}",
    "microsoft_refresh_token": "{microsoft_refresh_token}",
    "redirect_uri": "https://example.com/redirect",
    "service_account": true,
    "eas_server_host": "server.host.com"
  },
  "scopes": "calendar"
}'
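An added example, not Nylas's own code: a Python version of the OAuth service-account request above that enforces the domain-match rule before building the body, reads secrets from the environment, and masks them for logging. The environment variable names, the helper names and the Content-Type header are assumptions.

```python
import json
import os
import urllib.request

AUTHORIZE_URL = "https://api.nylas.com/connect/authorize"  # endpoint shown on the page
SECRET_FIELDS = {"microsoft_client_secret", "microsoft_refresh_token"}

def domain_of(address):
    """Return the lower-cased domain part, rejecting malformed addresses."""
    local, sep, domain = address.strip().rpartition("@")
    if not (local and sep and domain):
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower()

def build_body(user_email, service_account_email, name, env=os.environ):
    """Build the OAuth service-account body; refuse mismatched domains."""
    if domain_of(user_email) != domain_of(service_account_email):
        raise ValueError("service account and user domains must match")
    return {
        "client_id": env["NYLAS_CLIENT_ID"],  # env names are assumptions
        "name": name,
        "email_address": user_email,  # account to authenticate
        "provider": "exchange",
        "settings": {
            "microsoft_client_id": env["MICROSOFT_CLIENT_ID"],
            "microsoft_client_secret": env["MICROSOFT_CLIENT_SECRET"],
            "microsoft_refresh_token": env["MICROSOFT_REFRESH_TOKEN"],
            "redirect_uri": env["REDIRECT_URI"],
            "service_account": True,
        },
        "scopes": "calendar",
    }

def redacted(body):
    """Copy of the body that is safe to log: secret settings are masked."""
    settings = {k: "***" if k in SECRET_FIELDS else v
                for k, v in body["settings"].items()}
    return {**body, "settings": settings}

def send(body):
    """POST the body as JSON (the Content-Type header is an assumption)."""
    req = urllib.request.Request(
        AUTHORIZE_URL, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()
```

Log `redacted(body)` rather than `body`, and call `send(body)` only after `build_body` has accepted the address pair.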

Password Authentication or Microsoft Basic Authentication

Microsoft will be deprecating Basic Authentication support for all Exchange Online accounts as of October 1, 2022.

Learn more through our Microsoft Exchange Online and Basic Auth Changes guide.

To authenticate [email protected] using a service account's credentials, pass the service account's credentials in the settings object, and be sure to indicate that the credentials belong to a service account by including the "service_account": true field. In the example below, email_address contains the email of the user account that will be authenticated. The settings object contains the service account's credentials.

# email_address: the account to authenticate.
# username and password: the service account's credentials.
# eas_server_host: optional. Specify the EAS host if autodiscovery fails.
curl -X POST https://api.nylas.com/connect/authorize -d '{
  "client_id": "nylas_client_id",
  "name": "Nyla the Cheetah",
  "email_address": "[email protected]",
  "provider": "exchange",
  "settings": {
    "username": "username",
    "password": "password",
    "service_account": true,
    "eas_server_host": "server.host.com"
  },
  "scopes": "calendar.read_only"
}'

Keep in Mind

Authenticating every account in your application may take a long time if a service account doesn't have an associated mailbox. Monitor your application's logs through HttpProxy/Ews.

Office 365 accounts with a business standard license and Azure Information Protection aren't compatible with Nylas.