Granting access to synchronise Azure AD shared mailboxes

Updated 1 month ago by admin

By default, shared mailboxes synchronised from Azure Active Directory (AAD) are identified as standard users (objectClass=user) which means they are subject to billing. To exclude shared mailboxes from billing, the synchronisation service requires additional permissions to read from the Exchange API.

This article applies to new Azure Active Directory connections. If you already have an existing Azure Active Directory connection, please assign the Office 365 Exchange Online API permission before continuing.
The permission must be granted by an administrator of the Azure Active Directory tenant.

To grant the permission:

  1. Sign in to Azure Active Directory.
  2. Click All Services and then Azure AD roles and administrators. Use the search box to quickly find the section.
  3. In All Roles, search for Security Reader.
     This role grants the Unified Security Service Active Directory sync access to read extended information about Azure AD objects.
  4. Click Add Assignments and then search for USS AzureAD.
     If the USS AzureAD entry is missing from the search results, ensure that you have created an Azure Active Directory connection within the USS dashboard.
  5. Click Add.

This has now granted the necessary permissions.
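To confirm the assignment took effect without clicking back through the portal, the following PowerShell check (an added example, not from this article or the USS product) verifies that the USS AzureAD service principal is a member of Security Reader and lists any other directory roles it holds. It assumes the Microsoft Graph PowerShell SDK is installed and that the service principal carries the display name USS AzureAD used in the steps above.

```powershell
# Added verification example; not part of the original article.
# Assumes the Microsoft Graph PowerShell SDK and a service principal named
# "USS AzureAD" (created by the USS dashboard, as the steps above describe).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Application.Read.All"

$spName = "USS AzureAD"
$sp = Get-MgServicePrincipal -Filter "displayName eq '$spName'"
if (-not $sp) {
    Write-Warning "No service principal named '$spName' found. Create the Azure AD connection in the USS dashboard first."
    return
}

# Get-MgDirectoryRole returns only roles already activated in the tenant;
# assigning Security Reader in the portal activates it.
$role = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq "Security Reader" }
if (-not $role) {
    Write-Warning "Security Reader is not active in this tenant, so no assignment exists yet."
    return
}

$members  = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
$assigned = $members | Where-Object { $_.Id -eq $sp.Id }

if ($assigned) {
    "OK: '$spName' ($($sp.Id)) is a member of Security Reader."
} else {
    "MISSING: '$spName' is not a member of Security Reader. Repeat the steps above."
}

# Least-privilege review: Security Reader is read-only, so the sync principal
# should hold no other directory role. List everything it is a member of.
Get-MgDirectoryRole -All | ForEach-Object {
    $r = $_
    Get-MgDirectoryRoleMember -DirectoryRoleId $r.Id -All |
        Where-Object { $_.Id -eq $sp.Id } |
        ForEach-Object { "  role held: $($r.DisplayName)" }
}
```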

If shared mailboxes already exist, a full synchronisation is required to detect them; alternatively, updating a property of a shared mailbox will force that mailbox to update.
