Migrating to Use Authorized Account for Exchange Online

Important:

Starting on April 19, 2020 Cloud App Security is supporting only provisioning the Authorized Account for Exchange Online, and stops the support for automatic and manual provisioning of the Delegate Account for Exchange Online. If you have already created a Delegate Account, Cloud App Security will continue to protect your Exchange Online service using this account. You can also migrate to use a modern authentication based Authorized Account for protection by Cloud App Security. For more information, see Migrating to Use Authorized Account for Exchange Online. If you have not created a service account for Exchange Online yet, you can start by creating an Authorized Account. For more information, see Provisioning an Exchange Online Authorized Account.

As announced by Microsoft, Microsoft is planning to gradually disable Basic Authentication for EWS to access Exchange Online starting from October 2020. This means that new or existing apps will not be able to use Basic Authentication when connecting to Exchange using EWS. To ensure the continuous protection for your Exchange Online service,

  • Cloud App Security now supports migrating customers currently with a Delegate Account away from basic authentication and to use modern authentication.

  • Trend Micro recommends that customers currently with a Delegate Account complete the migration as early as possible.

During migration, Cloud App Security provisions an Authorized Account and obtains an access token to gain limited access to protected Exchange Online mailboxes.

Important:

Before migration to use token-based authentication is successful, Cloud App Security continues to protect your Exchange Online service by using the current basic authentication.

  1. Open the migration screen in either of the following ways:
    • Click Click here in the upper left of the Dashboard screen.

    • Go to Administration > Service Account, and then click Migration Available under Status of the Exchange Online service account.

    The Migrate to Use Authorized Account screen appears.

  2. Follow steps 3 through 8 in Provisioning an Exchange Online Authorized Account.
  3. Click Done.
  4. Hover over the task icon in the upper-right corner of the management console.

    If the message "Migrated to use Authorized Account for Exchange Online" appears, the migration is successful. Cloud App Security will protect your Exchange Online service using token-based modern authentication through the provisioned Authorized Account.

  5. (Optional) Delete the Delegate Account in your Microsoft 365 admin center.
    1. Go to Administration > Service Account and view the account name for Exchange Online.

    2. Log on to your Microsoft 365 admin center.

    3. Go to Users > Active users, and then locate and select the Delegate Account to delete the account.