Manually Provisioning an Exchange Online Delegate Account

Provision an Exchange Online Delegate Account in Microsoft Office 365 to allow Cloud App Security to protect email messages in protected mailboxes. The Delegate Account must have the ApplicationImpersonation Role and Mailbox Search Role assigned to it.


To simplify provisioning, Trend Micro recommends automatically provisioning Delegate Accounts.

Creating a Delegate Account

Warning: Creating a Delegate Account can fail due to an internal Microsoft Office 365 issue. If this should occur, try again in a few hours or in twenty-four hours.
  1. Go to Microsoft Office 365 Admin Center.
  2. Click the Admin icon on the home page.

    The Admin center page appears.

  3. Go to Users > Active users from the left navigation, and then click Add a user.

    The New user screen appears.

  4. Specify the following account information and then click Add.
    • Display name and User name of the delegate account.

    • Password: Keep the default setting.

    • Roles: Set to Customized administrator > Service administrator.

    • Product licenses: Turn on Create user without product license by moving the slider to the right.

  5. Record the Delegate Account user name and password.
  6. Click Close.

Configuring the Delegate Account

  1. Go to Admin centers > Exchange from the left navigation to open the Exchange Admin Center.

    The Exchange admin center page appears.

  2. Click permissions and then the + button to create a New Role Group.
  3. Type delegation_service as the name of the new role group.
  4. Under Roles, click the + button.
  5. Add the ApplicationImpersonation and Mailbox Search roles.
  6. Under Members, click the + button.
  7. Add the newly created Delegate Account.
  8. Click Save.

    Office 365 updates the organization settings.

Changing Delegate Account Password

  1. Sign in to Microsoft Office 365 using the new Delegate Account credentials.
  2. Click the settings icon and then Password, and on the change password screen, change the temporary Delegate Account password to a permanent one.
  3. Click submit.

    The Delegate Account can now be used to log on to Office 365.

Adding the Delegate Account to Cloud App Security

After configuring a Delegate Account in Microsoft Office 365, add the account to Cloud App Security.

  1. Go to Administration > Service Account.
  2. Click Add and select Microsoft Office 365.
  3. Click the Manually tab.
  4. Select Exchange Online.
  5. Scroll down the instructions and specify the Delegate Account credentials.
  6. Click Submit.
  7. Hover over the ring icon in the upper-right corner of the management console.

    If the message "Exchange Online protected." appears on the Notifications screen, the provisioning is successful.