Office 365 Service Accounts Setup or Exchange Online
Role Propagation Delay
Depending on the configuration of an Exchange server's "Information Cache", adding the Service Account (Impersonation) role to an account can take up to two hours to update.
- Sign in to your Office 365 administrator account.
- Navigate to the Admin center.
- Expand the "Users" section.
- Select "Active users".
- Click "Add a user".
- Fill out the details for this user.
- Make sure to select "Let me create the password" and uncheck "Require this user to change their password when they first sign-in".
- (Optional) Assign a license to the new user. The user does not need a license assigned as long as the account the user is linking through has a license.
- In the "Optional settings" screen, you can leave the settings as they are.
Give Account Permissions
- If Admin Centers is not visible in the sidebar, click "Show all".
- Select Exchange.
- A new window will open to the Exchange admin center. Select permissions.
- Click on the "+" icon to add a new role group.
- A pop-up window for the new role group will appear.
- Click the "+" icon by Roles to add a new role to the role group.
- In the new window that pops up, select ApplicationImpersonation and then click "add ->".
- Your new role group should look like the following image:
- Now click "+" and add a Member.
- Search for the account you want to give permissions to. Click "add ->", then click "OK". And you're done!
Authenticate Office 365 Users
Aliases and Service Accounts
Authenticating users with service accounts requires the original account instead of an alias. The domain names for the service account and the user must match. For example, if the service account credential was created under @contoso.com but the user account is @bravo.com, it will fail.
OAuth or Microsoft Modern Authentication
To authenticate [email protected] using a service account's credentials, pass the service account's refresh token in the settings object and be sure to indicate that the credentials belong to a service account by including the "service_account": true field. In the example below, email_address contains the email of the user account that will be authenticated. The settings object contains the service account's credentials.
    # email_address is the account to authenticate.
    # microsoft_refresh_token is the service account's refresh token.
    # eas_server_host is optional: specify the EAS host if autodiscovery fails.
    curl -X POST https://api.nylas.com/connect/authorize -d '{
      "client_id": "nylas_client_id",
      "name": "Nyla the Cheetah",
      "email_address": "[email protected]",
      "provider": "exchange",
      "settings": {
        "microsoft_client_id": "{microsoft_client_id}",
        "microsoft_client_secret": "{microsoft_client_secret}",
        "microsoft_refresh_token": "{microsoft_refresh_token}",
        "redirect_uri": "https://example.com/redirect",
        "service_account": true,
        "eas_server_host": "server.host.com"
      },
      "scopes": "calendar"
    }'
Password Authentication or Microsoft Basic Authentication
Microsoft will be deprecating Basic Authentication support for all Exchange Online accounts as of October 1, 2022.
Learn more through our Microsoft Exchange Online and Basic Auth Changes guide.
To authenticate [email protected] using a service account's credentials, pass the service account's credentials in the settings object, and be sure to indicate that the credentials belong to a service account by including the "service_account": true field. In the example below, email_address contains the email of the user account that will be authenticated. The settings object contains the service account's credentials.
    # email_address is the account to authenticate.
    # username and password are the service account's credentials.
    # eas_server_host is optional: specify the EAS host if autodiscovery fails.
    curl -X POST https://api.nylas.com/connect/authorize -d '{
      "client_id": "nylas_client_id",
      "name": "Nyla the Cheetah",
      "email_address": "[email protected]",
      "provider": "exchange",
      "settings": {
        "username": "username",
        "password": "password",
        "service_account": true,
        "eas_server_host": "server.host.com"
      },
      "scopes": "calendar.read_only"
    }'
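A pre-flight check for the requests above, as an added example that is not Nylas's code: it builds the /connect/authorize body for each user, always sets "service_account": true, and sets aside users whose domain differs from the service account's, following the rule under "Aliases and Service Accounts". The function names, the sample addresses and the log-redaction helper are assumptions; the field names are the ones used in the requests on this page.

```python
import json

# Settings values that must never reach a log line.
SECRET_KEYS = {"microsoft_client_secret", "microsoft_refresh_token", "password"}


def domain_of(address):
    """Return the lower-cased domain of an email address, or raise ValueError."""
    local, sep, domain = address.strip().rpartition("@")
    if not (local and sep and domain):
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower()


def build_body(client_id, name, user_email, service_email, settings, scopes="calendar"):
    """Build one /connect/authorize body, enforcing the matching-domain rule."""
    if domain_of(user_email) != domain_of(service_email):
        raise ValueError(f"{user_email}: domain differs from the service account's")
    marked = dict(settings, service_account=True)  # copy; caller's dict is untouched
    return {"client_id": client_id, "name": name, "email_address": user_email,
            "provider": "exchange", "settings": marked, "scopes": scopes}


def redact(body):
    """Return a copy of the body with secret settings masked, for logging."""
    masked = {k: "***" if k in SECRET_KEYS else v for k, v in body["settings"].items()}
    return dict(body, settings=masked)


def plan_batch(client_id, users, service_email, settings):
    """Split (name, email) pairs into bodies to send and users that would fail."""
    bodies, rejected = [], []
    for name, email in users:
        try:
            bodies.append(build_body(client_id, name, email, service_email, settings))
        except ValueError as err:
            rejected.append((email, str(err)))
    return bodies, rejected


if __name__ == "__main__":
    # Constructed sample values; load real secrets from a secret store.
    creds = {"microsoft_client_id": "example-id", "microsoft_client_secret": "example-secret",
             "microsoft_refresh_token": "example-token",
             "redirect_uri": "https://example.com/redirect"}
    users = [("Nyla", "nyla@contoso.com"), ("Bravo", "user@bravo.com")]
    bodies, rejected = plan_batch("nylas_client_id", users, "svc@contoso.com", creds)
    for body in bodies:
        print(json.dumps(redact(body)))
    for email, reason in rejected:
        print("skipped:", reason)
```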
Keep in Mind
Authenticating every account in your application may take a long time if a service account doesn't have an associated mailbox. Monitor your application's logs through HttpProxy/Ews.
Office 365 accounts with a business standard license and Azure Information Protection aren't compatible with Nylas.