Provisioning an Exchange Online Authorized Account

Cloud App Security also supports using the OAuth authorization framework to provision a service account (Authorized Account) for Exchange Online. With the OAuth authorization framework, Cloud App Security uses an access token to obtain limited access on the Global Administrator's behalf to run advanced threat protection and data loss prevention scanning on email messages in protected mailboxes.


Trend Micro does not save the Global Administrator credentials. They are used only once to provision the necessary service account.

Cloud App Security uses OAuth 2.0 for authentication.

During provisioning, Cloud App Security allows you to synchronize:

  • All AD users and groups of your organization

  • Certain AD users of your organization for testing purposes


You need to use the same method when provisioning a service account for Exchange Online, SharePoint Online, and OneDrive for Business, that is, to either synchronize all targets or synchronize certain targets.

For service account provisioning with certain targets synchronized, Cloud App Security does not support manual synchronization and scheduled synchronization.

To synchronize all targets after provisioning a service account with certain targets synchronized, remove the service account in Administration > Service Account and re-provision a service account to synchronize all targets.

The steps outlined below detail how to provision an authorized account for Exchange Online from Dashboard.

  1. Log on to the Cloud App Security management console.
  2. Hover over Exchange Online and click Provision.

    The Use Access Token tab on the Accessing Microsoft Exchange Online Account Information screen appears by default.

  3. Click Click here at the end of Step 1.

    The Microsoft logon screen appears.

  4. Specify your Office 365 Global Administrator credentials and click Sign in.

    The Exchange Online authorization screen appears.

  5. Click Accept to grant Cloud App Security permissions to use the Exchange Web Service (EWS) managed API for quarantine management.
  6. Go back to the Cloud App Security management console as instructed and click Click here at the end of Step 2.

    The Exchange Online authorization screen appears.

  7. Click Accept to grant Cloud App Security permissions to use the Graph API to access all mailboxes.
  8. Go back to the Cloud App Security management console as instructed.
  9. Select to synchronize all users and groups or selected users during provisioning.
    • Select Synchronize all users and groups and go to Step 10.

    • Select Synchronize selected users.

      1. In the Available Targets area that appears, specify individual users or select users from groups.

        • By User: specify the exact user principal name of a user and press Enter to verify and display the user name.

        • By Group: specify at least the first three characters of the group name and press Enter to search for and display the group(s).

      2. Select the user(s) and click the arrow button to add them to the Selected Targets area.


        You can synchronize a maximum of 100 users.

      3. Optionally select one or multiple users in the Selected Targets area and click the arrow button to remove them.

  10. Click Submit.
  11. Hover over the ring icon in the upper-right corner of the management console.

    If the message "Exchange Online protected." appears on the Notifications screen, the provisioning is successful.

    For the Exchange Online service account that is provisioned using an access token, if for some reason the access token becomes invalid, a notification appears on Dashboard. Cloud App Security also sends an email message to notify the administrator of this event. To continue using the service account, go to Administration > Service Account to create a new access token. For more information, see Service Account.