Granting access to synchronise Azure AD shared mailboxes
By default, shared mailboxes synchronised from Azure Active Directory (AAD) are identified as standard users (objectClass=user) which means they are subject to billing. To exclude shared mailboxes from billing, the synchronisation service requires additional permissions to read from the Exchange API.
To grant the permission:
- Sign in to Azure Active Directory
- Click All Services and then Azure AD roles and administrators. Use the search box to quickly find the section.
- In All Roles, search for Security Reader
- Click Add Assignments and then search for USS AzureAD
- Click Add
This has now granted the necessary permissions.
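To confirm the assignment from the steps above, the following PowerShell check lists every directory role held by the application and flags anything other than Security Reader. It is an added example, not part of the original procedure or the vendor's tooling; it assumes the Microsoft Graph PowerShell SDK is installed and that "USS AzureAD" is the display name of the service principal.

```powershell
# Added example: verify the Security Reader assignment and review for excess privilege.
# Assumption: 'USS AzureAD' is the service principal's display name in this tenant.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Application.Read.All'

$appName  = 'USS AzureAD'
$roleName = 'Security Reader'

# Resolve the service principal; stop if the name is missing or ambiguous.
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$appName'")
if ($sp.Count -ne 1) {
    throw "Expected exactly one service principal named '$appName', found $($sp.Count)."
}

# Collect every active directory role assignment held by that principal.
$assignments = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp[0].Id)'")

$roles = foreach ($a in $assignments) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId
    [pscustomobject]@{
        Role     = $def.DisplayName
        Scope    = $a.DirectoryScopeId      # '/' means tenant-wide
        Expected = ($def.DisplayName -eq $roleName)
    }
}

$roles | Format-Table -AutoSize

# The role from the procedure must be present.
if (-not ($roles | Where-Object Expected)) {
    Write-Warning "'$roleName' is not assigned to '$appName'; shared mailboxes will not be excluded from billing."
}

# Anything beyond the documented role deserves a least-privilege review.
foreach ($extra in ($roles | Where-Object { -not $_.Expected })) {
    Write-Warning "'$appName' also holds '$($extra.Role)' at scope '$($extra.Scope)'; confirm this is intended."
}
```

Only active assignments are listed; eligible assignments made through Privileged Identity Management are not covered by this query.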