Summary
This article shows how to provision an Exchange Online Authorized Account in Cloud App Security (CAS).
Cloud App Security supports using OAuth 2.0 to provision a service account (Authorized Account) for Exchange Online. With the OAuth 2.0 framework, Cloud App Security obtains an access token that gives it limited access on the Global Administrator's behalf, which it uses to run advanced threat protection and data loss prevention scanning on email messages in protected mailboxes.
During provisioning, Cloud App Security allows you to synchronize:
- All Azure AD users and groups of your organization
- Certain Azure AD users of your organization for testing purposes
You need to use the same option when provisioning a service account for Exchange Online, SharePoint Online, and OneDrive, that is, to either synchronize all targets or synchronize certain targets.
When a service account is provisioned with only certain targets synchronized, Cloud App Security does not support manual synchronization or scheduled synchronization.
To provision an Authorized Account for Exchange Online from the Cloud App Security web console:
- Log on to the Cloud App Security management console.
- Go to Dashboard > Service Status.
- Click Grant Access in the Action column for Exchange Online.
- Select the policy to enable automatically when the access grant is complete.
- Click Grant Permission.
- Specify your Office 365 Global Administrator credentials, and click Sign in.
- Click Accept to grant Cloud App Security permissions to use the Graph API to access all mailboxes.
- Go back to the Cloud App Security management console as instructed.
- Wait until the process is completed.
If the message "Successfully created a service account and synced data." appears on the screen, the grant is successful.
If the access token becomes invalid for any reason, refer to the "What to do next" section of Granting Access to Exchange Online with an Authorized Account.