Provisioning an Exchange Online Authorized Account

The steps outlined below detail how to provision an Authorized Account for Exchange Online from Dashboard. This account enables Cloud App Security to scan messages after they arrive at or are delivered from protected mailboxes.

  1. Log on to the Cloud App Security management console.
  2. Hover over Exchange Online and click Provision.

    The Provision Service Account for Exchange Online screen appears.

  3. Click Click here at the end of Step 1.

    The Microsoft logon screen appears.

  4. Specify your Office 365 Global Administrator credentials and click Sign in.

    The Exchange Online authorization screen appears.

  5. Click Accept to grant Cloud App Security permissions to use the Graph API to access all mailboxes.
  6. Go back to the Cloud App Security management console as instructed.
  7. Select to synchronize all users and groups or selected users during provisioning.

    Use the same option, either synchronizing all targets or synchronizing certain targets, when provisioning a service account for Exchange Online, SharePoint Online, and OneDrive.

    When a service account is provisioned with only certain targets synchronized, Cloud App Security does not support manual synchronization or scheduled synchronization.

    • Select Synchronize all users and groups and go to step 7.

    • Select Synchronize selected users.

      This option is generally used for testing purposes.

      1. In the Available Targets area that appears, specify individual users or select users from groups.

        • By User: specify the exact user principal name of a user and press Enter to verify and display the user name.

        • By Group: specify at least the first three characters of the group name and press Enter to search for and display the group(s).

      2. Select the user(s) and click the arrow button to add them to the Selected Targets area.

        You can synchronize a maximum of 100 users.

      3. Optionally select one or multiple users in the Selected Targets area and click the arrow button to remove them.

  8. Click Done.
  9. Hover over the ring icon in the upper-right corner of the management console.

    If the message "Exchange Online protected." appears on the Notifications screen, the provisioning is successful.

If for some reason the access token becomes invalid, a notification appears on Dashboard. Cloud App Security also sends an email message to notify the administrator of this event. To continue using the service account, go to Administration > Service Account to create a new access token. For more information, see Service Account.

If only some targets were selected to synchronize during provisioning, Cloud App Security is also able to extend its protection to all targets under the corresponding service by enabling you to manually synchronize all targets:
  1. On the Notifications screen, click Extend to protect all your Office 365 service targets.

  2. On the screen that appears, view the instructions and click Submit.

  3. Go to Advanced Threat Protection or Data Loss Prevention, and open an ATP or DLP policy of each service you want to extend the protection to, that is, Exchange Online, SharePoint Online, or OneDrive.

  4. Select the General tab and click Click here to manually synchronize all your targets.


After clicking Submit, you can also wait until the next day because Cloud App Security automatically synchronizes with your Office 365 environment once per day.