Office365 Service Accounts Setup or Exchange Online
Role Propagation Delay
Depending on the configuration of an Exchange server's "Information Cache", adding the Service Account (Impersonation) role to an account can take up to two hours to update.
- Sign in to your Office365 administrator account.
- Navigate to the Admin center.
- Expand the Users section.
- Select Active users.
- Click Add a user.
- Fill in the details for this user.
- Select Let me create the password and uncheck Require this user to change their password when they first sign in.
- (Optional) Assign a license to the new user. The user doesn't need a license as long as the account the user is linking through has a license.
- On the Optional settings screen, you can leave the settings as they are.
Give Account Permissions
- If Admin Centers is not visible in the sidebar, click Show all.
- Click Exchange.
- The Exchange admin center will open in a new window.
- Click permissions.
- Click the + icon to add a new role group. A pop-up window will appear.
- Click the + icon next to Roles to add a new role to the role group.
- In the new window that pops up, select ApplicationImpersonation and then add ->.
- Your new role group should match the following:
- Click "+" and add a Member.
- Search for the account you want to give permissions to.
- Click add ->
- Click OK.
- You're done!
Authenticate Office 365 Users
Aliases and Service Accounts
Authenticating users with service accounts requires the original account instead of an alias. The domain names for the service account and the user must match. For example, if the service account credential was created under @contoso.com but the user account is @bravo.com, authentication will fail.
OAuth or Microsoft Modern Authentication
To authenticate [email protected] using a service account's credentials, pass the service account's refresh token in the settings object. Be sure to indicate that the credentials belong to a service account by including the service_account: true field. In the example below, email_address contains the email of the user account that will be authenticated. The settings object contains the service account's credentials.
Learn how to get a refresh token and when refresh tokens expire.
    # email_address: the account to authenticate.
    # microsoft_refresh_token: the service account's refresh token.
    # eas_server_host: optional; specify the EAS host if autodiscovery fails.
    curl -X POST https://api.nylas.com/connect/authorize -d '{
      "client_id": "nylas_client_id",
      "name": "Nyla the Cheetah",
      "email_address": "[email protected]",
      "provider": "exchange",
      "settings": {
        "microsoft_client_id": "{microsoft_client_id}",
        "microsoft_client_secret": "{microsoft_client_secret}",
        "microsoft_refresh_token": "{microsoft_refresh_token}",
        "redirect_uri": "https://example.com/redirect",
        "service_account": true,
        "eas_server_host": "server.host.com"
      },
      "scopes": "calendar"
    }'
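An added example, not from the original page or from Nylas: a pre-flight check that enforces the domain-match rule described above and assembles the OAuth request body from environment variables, with a redacted copy for logging. The function names, the environment variable names and the sample addresses are assumptions of this example.

```python
import json
import os

SECRET_KEYS = ("microsoft_client_secret", "microsoft_refresh_token")

class PreflightError(ValueError):
    """The request would break the page's rules or lacks a credential."""

def domain_of(address):
    local, sep, domain = address.strip().rpartition("@")
    if not (sep and local and domain):
        raise PreflightError(f"not an email address: {address!r}")
    return domain.lower()

def build_authorize_body(user_email, service_account_email, name, env=None):
    """Return the /connect/authorize body as a dict, or raise PreflightError."""
    env = os.environ if env is None else env
    # Rule from the page: service account and user domains must match.
    if domain_of(user_email) != domain_of(service_account_email):
        raise PreflightError("service account and user are in different domains")
    try:
        settings = {
            # Environment variable names are assumptions of this example.
            "microsoft_client_id": env["MS_CLIENT_ID"],
            "microsoft_client_secret": env["MS_CLIENT_SECRET"],
            "microsoft_refresh_token": env["MS_SERVICE_REFRESH_TOKEN"],
            "redirect_uri": env["MS_REDIRECT_URI"],
            "service_account": True,
        }
        client_id = env["NYLAS_CLIENT_ID"]
    except KeyError as missing:
        raise PreflightError(f"missing environment variable {missing}") from None
    return {"client_id": client_id, "name": name, "email_address": user_email,
            "provider": "exchange", "settings": settings, "scopes": "calendar"}

def redacted(body):
    """Copy of the body that is safe to log: secrets replaced by a marker."""
    settings = {k: ("<redacted>" if k in SECRET_KEYS else v)
                for k, v in body["settings"].items()}
    return {**body, "settings": settings}

if __name__ == "__main__":
    # Constructed sample values, not real credentials or accounts.
    sample_env = {"NYLAS_CLIENT_ID": "nylas_client_id", "MS_CLIENT_ID": "id",
                  "MS_CLIENT_SECRET": "secret", "MS_SERVICE_REFRESH_TOKEN": "token",
                  "MS_REDIRECT_URI": "https://example.com/redirect"}
    body = build_authorize_body("user@contoso.com", "svc@contoso.com",
                                "Nyla the Cheetah", sample_env)
    print(json.dumps(redacted(body), indent=2))
```

Serialize the returned dict with json.dumps and send it as the POST body; write only the redacted copy to logs.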
Password Authentication or Microsoft Basic Authentication
As of October 1, 2022, Microsoft has deprecated Basic Authentication support for all Exchange Online accounts.
Learn more through our Microsoft Exchange Online and Basic Auth Changes guide.
To authenticate [email protected] using a service account's credentials, pass the service account's credentials in the settings object. Be sure to indicate that the credentials belong to a service account by including the service_account: true field. In the example below, email_address contains the email of the user account that will be authenticated. The settings object contains the service account's credentials.
    # email_address: the account to authenticate.
    # username and password: the service account's credentials.
    # eas_server_host: optional; specify the EAS host if autodiscovery fails.
    curl -X POST https://api.nylas.com/connect/authorize -d '{
      "client_id": "nylas_client_id",
      "name": "Nyla the Cheetah",
      "email_address": "[email protected]",
      "provider": "exchange",
      "settings": {
        "username": "username",
        "password": "password",
        "service_account": true,
        "eas_server_host": "server.host.com"
      },
      "scopes": "calendar.read_only"
    }'
Keep in Mind
Authenticating every account in your application may take a long time if a service account doesn't have an associated mailbox. Monitor your application's logs through HttpProxy/Ews.
Office365 accounts with a business standard license and Azure Information Protection aren't compatible with Nylas.