Add the Exchange Online API permission to an existing AAD connection

Updated 3 years ago by admin

This article applies if you have an existing Azure Active Directory connection in Settings -> Active Directory and you wish to be able to identify shared mailboxes. By default, shared mailboxes synchronised from Azure Active Directory (AAD) are identified as standard users (objectClass=user) which means they are subject to billing. To exclude shared mailboxes from billing, you must grant the existing USS AzureAD application access to the Office 365 Exchange Online API.

This article applies to existing Azure Active Directory connections only, created prior to 21st October 2020.
The permission must be granted by the administrator of the Azure Active Directory tenant

To grant the permission:

  1. Sign in to Azure Active Directory
  2. Click All Services and then Enterprise applications. Use the search box to quickly find the section.
  1. Locate or search for USS in the list of applications and locate USS AzureAD. Click the entry.
  1. Under the Security side menu, click Permissions.
  1. Click the Grant admin consent for Censornet Ltd button underneath the paragraph of text.
  2. Follow the prompts to approve access to the Office 365 Exchange Online API (Manage Exchange As Application) permission
  1. Click Accept
  2. The Office 365 Exchange Online permission should now appear in the Admin Consent tab
  1. Follow this article to add the necessary Security Reader permission to complete the process.


How did we do?