If you’re using Microsoft Exchange Online and setting up server side sync or the email router, you may be configuring it with a single service account in your Exchange environment. That one service account is then used to access all other user mailboxes. In today’s blog, we’ll show you how to set permissions for an Exchange Online service account for use with server side sync or the email router. So let’s dive in!


The steps outlined below accomplish this using PowerShell. Most of these steps can also be done via the web user interface of Office 365, but it’s easier to automate the permissions on a large number of mailboxes with PowerShell.

1. First, connect to your Office 365 tenant via PowerShell.

2. Next, run the following commands in PowerShell to connect to your Office 365 tenant. When prompted, log in with an account that’s a global administrator in your Office 365 tenant:

Import-Module MSOnline
$O365Cred = Get-Credential
$O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
Import-PSSession $O365Session
Connect-MsolService -Credential $O365Cred

3. Grant your service account the application impersonation role by running the following commands:

  • Enable-OrganizationCustomization
  • New-ManagementRoleAssignment -Role ApplicationImpersonation -User serviceaccount@domain.com

Note: This permission may sometimes take up to about an hour to take effect.

4. The service account will need “send as” permissions for any users that will be sending out emails from CRM through this setup as well as “full access” permissions for any users that will have incoming mail monitored by the email router or SSS (server side sync).

To grant “send as” permission for all existing mailboxes, run the following:

  • Get-Mailbox -ResultSize Unlimited | Add-RecipientPermission -AccessRights SendAs -Trustee serviceaccount@domain.com
  • To grant “full access” permission for all existing mailboxes: Get-Mailbox -ResultSize Unlimited | Add-MailboxPermission -AccessRights FullAccess -User serviceaccount@domain.com -AutoMapping:$false

Alternatively, if you want to apply permissions only to some users, create a text file of their email addresses and apply permissions with the commands below. First, create your text file with one email address per line and nothing else. Be sure that each email address is the user’s primary email address.

In this example, our file is called “emailaddresses.txt” and is saved in c:\filelocation.

5. Run this command to import contents into a new variable we are calling $emails:

  • $emails = Get-Content "C:\filelocation\emailaddresses.txt"
  • Confirm that the list looks ok by running the following: Echo $emails

6. Next, to set “send as” permissions for the service account on all the mailboxes in the list, run the following:

  • Foreach ($i in $emails){Get-Mailbox -Identity $i | Add-RecipientPermission -AccessRights SendAs -Trustee serviceaccount@domain.com -Confirm:$false}
  • Similarly, to set “full access” to all mailboxes in the list: Foreach ($i in $emails){Add-MailboxPermission -AccessRights FullAccess -Identity $i -User serviceaccount@domain.com -AutoMapping:$false}

7. One optional step you may want is to have the password never expire for this service account (be sure to set a very strong password). This will prevent email processing from stopping when the service account’s password expires. Through PowerShell, you can do this using the following command:

  • Get-msoluser -userprincipalname serviceaccount@domain.com | set-msoluser -passwordneverexpires $true

8. One final item to be aware of is that the “send as” and/or “full access” permissions were granted for existing mailboxes, but as new users get created in the future, the service account will need to have permissions added if the new users require incoming and/or outgoing email through CRM.

To grant these permissions for one user, newuser@domain.com, run the following:

  • Get-Mailbox -Identity newuser@domain.com | Add-RecipientPermission -AccessRights SendAs -Trustee serviceaccount@domain.com -Confirm:$false
  • Add-MailboxPermission -AccessRights FullAccess -Identity newuser@domain.com -User serviceaccount@domain.com -AutoMapping:$false
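
To check the result of steps 4 through 8, the following added example (not part of the original post) lists which mailboxes the service account can actually send as or fully access and compares that with the list you intended. It assumes the session from step 2 is still imported; the helper name Compare-Grant and the sample addresses are made up for illustration.

```powershell
# Added example, not from the original post. Assumes the Exchange Online session
# from step 2 is imported. Compare-Grant is a hypothetical helper name.
$ServiceAccount = 'serviceaccount@domain.com'
# Constructed sample list; in practice use Get-Content on the file from step 5.
$Intended = @('user1@domain.com', 'user2@domain.com')

function Compare-Grant {
    # Returns addresses that still need the grant and addresses that hold it
    # without being on the intended list. -notin compares case-insensitively.
    param([string[]]$Intended, [string[]]$Actual)
    [pscustomobject]@{
        Missing    = @($Intended | Where-Object { $_ -notin $Actual })
        Unexpected = @($Actual | Where-Object { $_ -notin $Intended })
    }
}

$sendAs = @()
$fullAccess = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $addr = $mbx.PrimarySmtpAddress.ToString()
    # "Send as" is a recipient permission held by the trustee.
    $r = Get-RecipientPermission -Identity $addr -Trustee $ServiceAccount |
        Where-Object { $_.AccessRights -contains 'SendAs' }
    if ($r) { $sendAs += $addr }
    # "Full access" is a mailbox permission; ignore explicit deny entries.
    $m = Get-MailboxPermission -Identity $addr -User $ServiceAccount |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.Deny }
    if ($m) { $fullAccess += $addr }
}

'SendAs:';     Compare-Grant -Intended $Intended -Actual $sendAs | Format-List
'FullAccess:'; Compare-Grant -Intended $Intended -Actual $fullAccess | Format-List

# Who holds the impersonation role from step 3, and over what scope.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Format-Table Name, EffectiveUserName, RecipientWriteScope
```

Anything under Unexpected is a mailbox the account can read or send as without being on your list; Missing covers the new users described in step 8.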

That’s all for the blog today. Want to learn more about Microsoft’s wide array of services and products? Check out our information about Microsoft Office 365 and learn how you can bundle all of your cloud licenses and services by participating in our Microsoft Cloud by PowerObjects program!

Happy CRM’ing!

Joe D365