Preparing an administration account for Office 365

Last published : Apr 17, 2026
When you configure Folder Sync for Office 365 folder synchronization you must provide the credentials of a Microsoft Office 365 account with the required permissions.
Note: You must not use the account that Enterprise Vault.cloud Office 365 Sync uses for Office 365 account synchronization.
If you install Folder Sync on multiple servers for load sharing or redundancy, each instance of Folder Sync requires its own Office 365 service account. Create a separate Office 365 service account for each installation.
The Office 365 account must have the following role assignments:
  • The account must be assigned to the following Office 365 administrator roles: Exchange administrator, Service administrator, User management administrator.
  • In the Office 365 Exchange admin center, the account must be a member of an Exchange management role group that includes the management roles ApplicationImpersonation, View-Only Configuration, and View-Only Recipients.
The following procedure describes how you can create an account with these required permissions from the Office 365 Admin center.
To prepare an administration account for Office 365
  1. Sign in to Microsoft Office 365 as a global administrator.
  2. Click the Admin app to open the Office 365 Admin center.
  3. Under Users > Active Users, click \+ Add a user.
  4. Complete the New user dialog, including the following role assignment:
Expand Roles, selectCustomized administrator , and then select the following roles:
  • Exchange administrator-Service administrator-User management administratorThen clickAdd to add the new user.
  1. In the left menu bar of the Office 365 Admin center, expand Admin centers(Adminin the old admin center), and selectExchange.
  2. In the left navigation pane of the Exchange admin center, click permissions.
  3. On the admin rolespage, click the**+** icon to create a new role group.
  4. In the new role group window, enter a suitable role group name in the Name field, such as Folder Sync App Impersonation.
  5. In the Roles section of the new role group window, click the + icon.
  6. In the Select a Role window, select each of the following roles from the list, and click add to add them to the role group:
    • ApplicationImpersonation-View-Only Configuration-View-Only Recipients
  7. ClickOK to close the Select a Role window and to return to the new role group window.
  8. In the Members section of the new role group window, click the + icon.
  9. In the Select Members window, select the new account that you are using as the Office 365 service account, and then click Add.
  10. Click OK to close the Select Members window and to return to the new role group window.
  11. Click Save to save the new role group.
The new role group now appears in the list of Admin Role Groups on the admin roles page.
Note: If you do not see the new role group, wait several minutes and then refresh the page.
  1. Select the new role group in the admin roles list. Confirm that the three required roles are shown as assigned roles, and that the account that is to act as the Office 365 service account is listed as a member.
    Note: A long propagation time may be required for an account to acquire any new or changed role settings. You can also use PowerShell commands such asget-managementroleassignmentandget-rolegroupmemberto confirm that the new settings have taken effect. For more information on PowerShell commands see Microsoft's support documentation.