Objective
This document aims to identify the permissions required for a service account that can be used to authorize Scalefusion to provide Conditional Exchange Access for Microsoft On-Prem Exchange.
Scope
The scope of this document is limited to identifying permissions for the service account that can be used to set up Conditional Exchange Access for Microsoft's On-Prem Active Directory. It does not cover how to set up CEA or other aspects of the entire feature. Please refer to our Help documentation for a complete understanding.
Service Account & Required Permissions
For Scalefusion to provide Conditional Exchange access, it needs the credentials for an account that has permissions to,
- Fetch all the devices where the end-user uses Email via Exchange protocol.
- Fetch all the devices where the end-user uses Email via the Outlook application.
- Set-Mailbox rules using Exchange Cmdlet that allows or blocks access to Mailbox using Device Identifiers.
To be able to perform above operations, a Global Administrator credentials can be used, however organizations that are required to create specific service accounts with scoped permissions can do so by following the steps below,
- Create a new Service Account with a unique username and password
- You can also use an existing service account.
- Mail Recipient: Grant this account the Mail Recipient permission
- Organization Client Access: Grant the Organization Client Access Permissions
