Assigning Service Accounts Full Access to Mailboxes in Exchange Online (Through Azure Active Directory)

Applies to: Office 365 with Exchange, User Mailbox

In an Office 365 with Exchange environment, you must configure the following service accounts so that the software can discover, archive, clean up, and restore data for user mailboxes, group mailboxes, and all public folders.

  • Exchange Online Service Account
  • Local System Account (Windows user)


  • A license is not required for the Exchange Online Service Account. It is recommended that you convert the account's user mailbox to a shared mailbox and then remove the Office 365 license from the account.
  • It is recommended that you enable multi-factor authentication (MFA) for the Exchange Online Service Account. Because the software cannot answer an interactive MFA prompt, you must provide the service account email address and an app password created for that account; the app password is what the app uses to connect to Office 365. Treat the app password as a secret: it is a long-lived credential that satisfies the MFA requirement on its own, and it depends on basic authentication, which Microsoft has since retired for Exchange Online, so confirm that your tenant still permits this sign-in method. For more information, see Set up multi-factor authentication in the Office 365 admin center and Create an app password for Office 365.
  • You must assign the Exchange administrator role to the Exchange Online Service Account. This role is required to discover and protect Office 365 Group mailboxes. For more information, see Assign admin roles in Office 365.
  • To restore public folders, the service account must have Owner permission at the root level (All Public Folders).

Before You Begin

The Office 365 with Exchange (Exchange Online) Administrator Account must have the following service accounts configured:

  • Exchange Online Service Account, which must meet the following requirements:
    • Must be an online mailbox.
  • Local System Account (Windows user), which must meet the following requirements:
    • Must be a member of the Local Administrator Group.
  • The service accounts must belong to the Exchange administrator role.


  1. Open Windows PowerShell and create a remote PowerShell session to Office 365 with Exchange.
  2. To assign impersonation and view-only recipient permissions, type the following command:

    New-RoleGroup -Name "ExchangeonlinebackupGrp" -Roles "ApplicationImpersonation", "View-Only Recipients" -Members serviceaccount1,serviceaccount2


    • ExchangeonlinebackupGrp is the name of the new role group; it must be unique in the tenant.
    • serviceaccount1 and serviceaccount2 are the Exchange Online service accounts that you created for the software.
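The following script is an added example and is not part of this page or of the product; it carries out steps 1 and 2 above, applies the shared-mailbox and public-folder Owner recommendations from the notes earlier on this page, and then prints the resulting role assignments so you can confirm them. The administrator UPN, the service account addresses, and the contoso.onmicrosoft.com tenant are placeholders (assumptions), and the session is opened with Connect-ExchangeOnline from the ExchangeOnlineManagement module, which honors the administrator's own MFA interactively.

```powershell
# Added example, not part of the original page. Performs steps 1 and 2 above, applies the
# related recommendations (shared mailbox, public folder Owner permission), and verifies.
# All names below are placeholders (assumptions); replace them with your own values.

$AdminUpn        = 'admin@contoso.onmicrosoft.com'             # assumed: an Exchange administrator
$ServiceAccounts = @('serviceaccount1@contoso.onmicrosoft.com',
                     'serviceaccount2@contoso.onmicrosoft.com') # assumed: the Exchange Online service accounts
$RoleGroupName   = 'ExchangeonlinebackupGrp'                    # must be unique in the tenant

# Step 1: remote PowerShell session to Exchange Online. Connect-ExchangeOnline signs in
# interactively, so the administrator's MFA applies and no app password is needed here.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    # Step 2: role group granting impersonation and view-only recipient rights.
    # The script is safe to re-run: create the group only if it is missing, and
    # let Add-RoleGroupMember skip accounts that are already members.
    if (-not (Get-RoleGroup -Identity $RoleGroupName -ErrorAction SilentlyContinue)) {
        New-RoleGroup -Name $RoleGroupName `
                      -Roles 'ApplicationImpersonation', 'View-Only Recipients' `
                      -Members $ServiceAccounts | Out-Null
    }
    else {
        foreach ($sa in $ServiceAccounts) {
            Add-RoleGroupMember -Identity $RoleGroupName -Member $sa -ErrorAction SilentlyContinue
        }
    }

    # Recommendation: the service accounts need no license, so convert each mailbox to a
    # shared mailbox. Remove the license afterwards in the Microsoft 365 admin center;
    # that is an Azure AD operation, not an Exchange cmdlet.
    foreach ($sa in $ServiceAccounts) {
        if ((Get-Mailbox -Identity $sa).RecipientTypeDetails -ne 'SharedMailbox') {
            Set-Mailbox -Identity $sa -Type Shared
        }
    }

    # Restoring public folders requires Owner on the root ("\" is All Public Folders).
    # Skip this block if the tenant has no public folder hierarchy yet.
    if (Get-PublicFolder -Identity '\' -ErrorAction SilentlyContinue) {
        foreach ($sa in $ServiceAccounts) {
            $perm = Get-PublicFolderClientPermission -Identity '\' -User $sa -ErrorAction SilentlyContinue
            if (-not $perm -or $perm.AccessRights -notcontains 'Owner') {
                # An existing lesser entry must be removed before Owner can be added.
                if ($perm) { Remove-PublicFolderClientPermission -Identity '\' -User $sa -Confirm:$false }
                Add-PublicFolderClientPermission -Identity '\' -User $sa -AccessRights Owner | Out-Null
            }
        }
    }

    # Verify: the roles attached to the group and the accounts that hold them.
    Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName | Select-Object Role, RoleAssigneeName
    Get-RoleGroupMember -Identity $RoleGroupName | Select-Object Name, RecipientType
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

The Exchange administrator role required for Office 365 Group mailboxes is an Azure Active Directory admin role and is assigned in the admin center, as the note above describes; this script does not assign it. Microsoft has since announced the retirement of the ApplicationImpersonation role in Exchange Online, so check the current status of that role in your tenant before relying on this procedure.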

What To Do Next

Run Application Check Readiness for the Exchange Mailbox Client

Last modified: 1/13/2020 3:02:39 PM