Print this page

Creating a Service Account and Configuring Office 365 E1 and above for Exchange Sync

Knowledge Article Number 000212263

In order to use Exchange Sync, you need to create a new username or use one of your existing users and convert it to a service account. So this will be an account with impersonation rights for the mailbox of each Exchange Sync user

Impersonation enables the service account to impersonate other user accounts to be able to access and sync other Exchange users mailboxes with Salesforce. Your Office 365 administrator will need to grant any service account that will be impersonating other users the "ApplicationImpersonation" role from the Office 365 Exchange Admin Center

How to create a user for a service account
A service account is just an account that you use for an Exchange Web Services connection. It can be any account with a mailbox.

To add a user account

1. Sign in to Office 365 with your credentials.

2. Go to the Office 365 admin center by selecting the app launcher icon Office 365 app launcher icon in the upper-left and choosing Admin.


User-added image

3. On the left select  ACTIVE USERS  select the + sign to Add new users

User-added image

4. On the Create new user account, populate the necessary fields.
5. Uncheck the box for Make this user change their password with Outlook Web App on next login. and click on Create

Additional information is available on this topic by Microsoft. How to Add users individually to Office 365 - Admin Help

Enabling a service account

Now that you created a new user, you would need to assign the "ApplicationImpersonation" role to it so it can act as a service account for other user's mailboxes. To do so,


1. Go to the following URL:

2. Provide your credentials to log into Office 365.

3. Exchange Admin Center ( EAC ) opens in your browser window:

4. Under Permissions, click on admin roles

5. Hit the plus sign above the table to create a new Role group

6. On the New Role group pop up window, type in a name in the Name field

7. Hit the plus sign below the Roles:  area and select ApplicationImpersonation in the list under DISPLAY NAME then click the add - > button and then click OK


User-added image

8. Under the Members: section click on the plus sign and select the user that you created previously as a service account to use with Exchange Sync

9. Select the  add - >  button and then click OK

NOTE: Rather than adding the actual user mentioned to the "Role group"  there may be advantages assigning the user to a "Security group" instead and adding the Security group here instead of the user.


User-added image

10. Your should have something similar to this

User-added image

11. You have successfully created your service account. So the username: ServiceAccount1 will act as your service account to impersonate other user's mailboxes that your Salesforce Administrator will configure in the Exchange Sync Configurations

To check that the correct user has the ApplicationImpersonation role, in the Permissions window, in the Exchange Admin Center (EAC) highlight the name of the Role you created which in our example it would be Exchange sync role group and in the right hand pane observe the Assigned Role and Members

The validity of the role applied and the permissions of the user can be tested using the Microsoft Remote Connectivity Analyzer

Resolution Here is a short video showing the procedure mentioned above:  ​

promote demote