news and know-how about microsoft, technology, cloud and more.

How to setup an Exchange Admin in Office 365 (and use this account in Delegate365)

In large organizations it´s often useful to create an own Exchange administrator for performing tasks against the Exchange API´s, f.e. with PowerShell or with third party tools like our Delegate365 solution. Here´s how to create an Exchange Admin in Office 365.

There are two ways to accomplish this task:

  1. The easy way is to simply create (or use) a gobal administrator in Office 365. This user gets all rights in all services of Office 365 (AAD, Exchange, SharePoint, Lync) automatically.
  2. The second way - if your want to have an own Exchange administrator - is described here.

Login in as global admin

First, open the Office 365 portal with a global admin account to get full rights in that Office 365 tenant.

Create a new user

Now create a new user in the Office 365 portal in the Users / Active users menu and type in your desired password (URL


The user object will be created. The new user automatically gets a Office 365 license.



Without license?

In case you need to manage Exchange objects only with that admin you can remove the license...


Remove the license and Save the user object.

Or with license?

If your want this user also be able to send (and receive) message, he needs a mailbox - and an Exchange license.

In Delegate365 this user should get an Exchange Online Plan license (as shown here) if that same account is used in the SMTP settings (see below).


Set the license properly when you want this account being able to send or receive emails.

Set the Office 365 role to Service administrator

The second thing we need to change is to define the Office 365 role we need for Exchange:
It´s the "Service administrator" role like in the following screenshot.


Set permissions in Exchange Online

To define who is administrator in Exchange Services, there´s a group named "Organization Management" where members have permissions to manage Exchange objects and their properties in the Exchange organization. Members can also delegate role groups and management roles in the organization. This group is not visible in the Office 365 portal, but in the Exchange portal.

Background information

We need to add our Exchange Administrator (exchangeadmin@...) to that group since members of the Office 365 role "Service administrators" by default DO NOT HAVE any rights in Exchange Online.

The following table lists the Office 365 roles and the Exchange Online role group they correspond to.


As we can see, only the "global administrator" role has access to Exchange management and "Password administrators" are mapped "Help Desk administrators". See Permissions in Exchange Online for more information about that.

Let´s continue...

So, open the Exchange portal in the Office 365 portal menu Administrator / Exchange (or with the URL and in the Exchange admin center go to menu "permissions".


Another hint

In each Office 365 Tenant there´s also a hidden security group named "TenantAdmins_[someID]". This group is also not visible in the Office 365 portal, but in the Exchange portal. All global administrators are members in there automatically - and you can´t add members to that group manually.


This group "TenantAdmins_[someID]" is also member if the Exchange group "Organization Management".
So all Office 365 global admins are automatically members of the "Organization Management" group and get permissions for Exchange management this way.

Add Membership...

We now simply add our Exchange Administrator (exchangeadmin@...) as member to the group "Organization Management" like in this screenshot.


Save the changes.

Try it

It can take up to about 15 minutes, till the Exchange Administrator gets permissions to Exchange!

In another browser (Private mode) open the Office 365 portal and login with the exchangeadmin@... account. Try to open the Exchange portal with the URL

Hint: When the sync operation is not finished the Exchange portal shows an error 403:


In that case simply wait some minutes and retry.

When everything is setup, the exchangeadmin@... should get the Exchange portal page as well.


That´s it. Now this account can be used for accessing Exchange services.

Set the Exchange account in Delegate365

If the Exchange Admin works in the Exchange portal this account can be used for accessing the Exchange API (or with PowerShell). In your D365 portal login with a portal admin, open the "administration" menu and in there "exchange account".


Now enter the Exchange Admin credentials exchangeadmin@... with the password and "Save".
(All credentials in D365 are stored encrypted. You can change the account anytime.)

Usually the same account can be used for the menu "smtp configuration" for sending notifications in D365. If the service account has a Exchange license you can use it also for the SMTP settings.


To test if the new Exchange account works properly, open the "sync" menu and sync the AAD to D365.


If all operations in the sync action show "success" (are green), the services work. In the Sync-function the Exchange account is used for "distribution groups" and "Shared mailboxes".

So, green color means, it works! Zwinkerndes Smiley

Choose your method

So the simplest way is to use global administrator accounts for accessing Exchange services.
With the method described above companies can define their service accounts just for Exchange.

Comments (1) -

  • Christian Heim

    4/7/2015 3:36:15 PM |

    Hi Toni!
    I watched a recent O365 User Group video ( that explained that administrative roles are now also available for SharePoint. Can you confirm this and how would this be configured within the SharePoint configuration within O365?

    Thank you in advance,