Office365 Service Accounts Setup or Exchange Online

Role Propagation Delay

Depending on the configuration of an Exchange server's "Information Cache", adding the Service Account (Impersonation) role to an account can take up to two hours to update.

  1. Sign in to your Office365 administrator account.

  2. Navigate to the Admin center.

  3. Expand the Users section.

  4. Select Active users.

  5. Click Add a user.

  6. Fill in the details for this user.

  7. Select Let me create the password and uncheck Require this user to change their password when they first sign in.

  8. (Optional) Assign a license to the new user. The user doesn't need a license as long as the account the user is linking through has a license.

  9. On the Optional settings screen, you can leave the settings as they are.

Give Account Permissions

  1. If Admin Centers is not visible in the sidebar, click Show all.

  2. Click Exchange.

  3. The Exchange admin center will open in a new window.

  4. Click permissions.

  5. Click on the + icon to add a new role group and a pop-up window will appear.

  6. Click the + icon next to Roles to add a new role to the role group.

  7. In the new window that pops up, select ApplicationImpersonation and then add ->.

  8. Your new role group should match the following:

    Exchange admin center permissions Application Impersonation

  9. Click "+" and add a Member.

  10. Search for the account you want to give permissions to.

  11. Click add ->

  12. Click OK.

  13. You're done!

Authenticate Office 365 Users

Aliases and Service Accounts

Authenticating users with service accounts requires the original account instead of an alias. The domain names for the service account and the user must match. For example, if the service account credential was created under @contoso.com but the user account is @bravo.com, authentication will fail.

OAuth or Microsoft Modern Authentication

To authenticate a user account using a service account's credentials, pass the service account's refresh token in the settings object. Be sure to indicate that the credentials belong to a service account by including the service_account: true field. In the example below, email_address contains the email of the user account that will be authenticated. The settings object contains the service account's credentials.

Learn how to get a refresh token and when refresh tokens expire.

# email_address: the user account to authenticate.
# microsoft_refresh_token: the service account's refresh token.
# eas_server_host: optional. Specify the EAS host if autodiscovery fails.
curl -X POST https://api.nylas.com/connect/authorize \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "nylas_client_id",
    "name": "Nyla the Cheetah",
    "email_address": "{user_email_address}",
    "provider": "exchange",
    "settings": {
      "microsoft_client_id": "{microsoft_client_id}",
      "microsoft_client_secret": "{microsoft_client_secret}",
      "microsoft_refresh_token": "{microsoft_refresh_token}",
      "redirect_uri": "https://example.com/redirect",
      "service_account": true,
      "eas_server_host": "server.host.com"
    },
    "scopes": "calendar"
  }'
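The domain-match rule from "Aliases and Service Accounts" can be checked before any request is sent. The following is an added example, not code from Nylas or from the original page: it splits a list of users into those that share the service account's domain and those that would fail, then builds the request body with the field names used in the curl example above. The function names, the sample addresses and the case-insensitive domain comparison are assumptions made for illustration; no request is sent.

```python
import json


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower()


def partition_users(service_account, users):
    """Split users into (same domain as service account, domain mismatch)."""
    sa_domain = domain_of(service_account)
    ok = [u for u in users if domain_of(u) == sa_domain]
    mismatched = [u for u in users if domain_of(u) != sa_domain]
    return ok, mismatched


def build_payload(user, name, client_id, settings, scopes="calendar"):
    """Build the JSON body for POST /connect/authorize (fields from the page)."""
    body = {
        "client_id": client_id,
        "name": name,
        "email_address": user,  # account to authenticate
        "provider": "exchange",
        # Service account credentials, always flagged as such.
        "settings": {**settings, "service_account": True},
        "scopes": scopes,
    }
    return json.dumps(body)


# Constructed sample data: placeholder accounts and secrets, not real values.
SERVICE_ACCOUNT = "svc-account@contoso.com"
USERS = ["alice@contoso.com", "Bob@CONTOSO.com", "carol@bravo.com"]
SETTINGS = {
    "microsoft_client_id": "{microsoft_client_id}",
    "microsoft_client_secret": "{microsoft_client_secret}",
    "microsoft_refresh_token": "{microsoft_refresh_token}",
    "redirect_uri": "https://example.com/redirect",
}

if __name__ == "__main__":
    ok, mismatched = partition_users(SERVICE_ACCOUNT, USERS)
    for user in mismatched:
        print(f"skip {user}: domain differs from the service account's")
    for user in ok:
        print(build_payload(user, "Nyla the Cheetah", "nylas_client_id", SETTINGS))
```

The check covers only the domain rule; whether an address is an alias rather than the original account cannot be determined from the address alone.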

Password Authentication or Microsoft Basic Authentication

As of October 1, 2022, Microsoft has deprecated Basic Authentication support for all Exchange Online accounts.

Learn more through our Microsoft Exchange Online and Basic Auth Changes guide.

To authenticate a user account using a service account's credentials, pass the service account's credentials in the settings object. Be sure to indicate that the credentials belong to a service account by including the service_account: true field. In the example below, email_address contains the email of the user account that will be authenticated. The settings object contains the service account's credentials.

# email_address: the user account to authenticate.
# username / password: the service account's credentials.
# eas_server_host: optional. Specify the EAS host if autodiscovery fails.
curl -X POST https://api.nylas.com/connect/authorize \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "nylas_client_id",
    "name": "Nyla the Cheetah",
    "email_address": "{user_email_address}",
    "provider": "exchange",
    "settings": {
      "username": "username",
      "password": "password",
      "service_account": true,
      "eas_server_host": "server.host.com"
    },
    "scopes": "calendar.read_only"
  }'

Keep in Mind

Authenticating every account in your application may take a long time if a service account doesn't have an associated mailbox. Monitor your application's logs through HttpProxy/Ews.

Office365 accounts with a business standard license and Azure Information Protection aren't compatible with Nylas.