junto

Exchange Online delegation lets one user act on another user's mailbox. This includes granting Full Access, Send As, and Send on Behalf permissions — among the most common requests MSPs handle.

These operations are not available through the standard Microsoft Graph API. Junto uses a separate Exchange Admin API to manage delegation, which requires additional setup in the customer's Azure AD tenant.

Microsoft 365 tenant already connected via the company integrations page

Global Administrator or Privileged Role Administrator access in the customer's Azure AD tenant

- Microsoft 365 tenant already connected via the company integrations page
- Global Administrator or Privileged Role Administrator access in the customer's Azure AD tenant

Go to the company's Integrations page in Junto.

Find the Microsoft 365 integration card.

If Exchange Admin shows a red "Not configured" badge, click the Authorize button.

A new tab opens to Microsoft's admin consent page.

Sign in as a Global Administrator of the customer's tenant.

Review and accept the permissions (includes <code>Exchange.ManageAsApp</code>).

Switch back to the Junto tab — it will automatically re-check and the badge should turn green.

1. Go to the company's Integrations page in Junto.
2. Find the Microsoft 365 integration card.
3. If Exchange Admin shows a red "Not configured" badge, click the Authorize button.
4. A new tab opens to Microsoft's admin consent page.
5. Sign in as a Global Administrator of the customer's tenant.
6. Review and accept the permissions (includes <code>Exchange.ManageAsApp</code>).
7. Switch back to the Junto tab — it will automatically re-check and the badge should turn green.

Step 2: Assign Exchange Administrator Role

The admin consent grants the API permission, but the app also needs the Exchange Administrator role assigned in the customer's tenant.

Go to <a href="https://entra.microsoft.com" rel="nofollow noopener noreferrer" target="_blank">Azure AD Portal</a> and sign in as the customer's tenant admin.

Navigate to Identity &gt; Roles &amp; admins &gt; Roles &amp; admins.

Search for and select Exchange Administrator.

Search for the Junto app name (it appears as an Enterprise Application / Service Principal).

1. Go to <a href="https://entra.microsoft.com" rel="nofollow noopener noreferrer" target="_blank">Azure AD Portal</a> and sign in as the customer's tenant admin.
2. Navigate to Identity &gt; Roles &amp; admins &gt; Roles &amp; admins.
3. Search for and select Exchange Administrator.
4. Click Add assignments.
5. Search for the Junto app name (it appears as an Enterprise Application / Service Principal).
6. Select it and click Add.

Go back to the company's Integrations page in Junto.

Click Re-check next to the Exchange Admin badge.

The badge should show green "Exchange Admin".

1. Go back to the company's Integrations page in Junto.
2. Click Re-check next to the Exchange Admin badge.
3. The badge should show green "Exchange Admin".

All write operations require explicit approval before execution.

Microsoft Graph covers most M365 management (users, groups, mail, calendar, SharePoint, Teams, devices, security), but it does not provide endpoints for managing mailbox delegation. These operations are only available through the Exchange Admin API, which requires its own permission (<code>Exchange.ManageAsApp</code>) and the Exchange Administrator directory role.

Junto detects whether this is configured per tenant and shows a clear badge on the integrations page. No additional setup is required from the MSP beyond the two steps above — the tenant's admin handles both.

Badge stays red after authorizing — Ensure you signed in as a Global Administrator of the customer's tenant (not your own). The Exchange Administrator role may not be assigned yet (Step 2). Wait 1-2 minutes for permission propagation, then click Re-check.

Delegation tools return errors — The Exchange Administrator role is missing (Step 2), or the admin consent was granted in the wrong tenant.

"Tenant ID not found" error — Disconnect and reconnect the Microsoft 365 integration, then try again.

- Badge stays red after authorizing — Ensure you signed in as a Global Administrator of the customer's tenant (not your own). The Exchange Administrator role may not be assigned yet (Step 2). Wait 1-2 minutes for permission propagation, then click Re-check.
- Delegation tools return errors — The Exchange Administrator role is missing (Step 2), or the admin consent was granted in the wrong tenant.
- "Tenant ID not found" error — Disconnect and reconnect the Microsoft 365 integration, then try again.

How to enable Exchange Online delegation management (Full Access, Send As, Send on Behalf) for Microsoft 365 tenants.

Exchange Online Delegation Setup

Find answers and get help from Intercom Support and Community Experts

This site employs cookies and other technologies that we and our third party vendors use to monitor and record personal information about you and your interactions with the site (including content viewed, cursor movements, screen recordings, and chat contents) for the purposes described in our Cookie Policy. By continuing to visit our site, you agree to our {websiteTermsLink}, {privacyPolicyLink} and {cookiePolicyLink}.

This site uses cookies and similar technologies ("cookies") as strictly necessary for site operation. We and our partners also would like to set additional cookies to enable site performance analytics, functionality, advertising and social media features. See our {cookiePolicyLink} for details. You can change your cookie preferences in our Cookie Settings.

We use cookies to make our site work and also for analytics and advertising purposes. You can enable or disable optional cookies as desired. See our {cookiePolicyLink} for more details.

Advertising cookies are set by our advertising partners to collect information about your use of the site, our communications, and other online services over time and with different browsers and devices. They use this information to show you ads online that they think will interest you and measure the ads' performance. Social media cookies are set by social media platforms to enable you to share content on those platforms, and are capable of tracking information about your activity across other online services for use as described in their privacy policies.

These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

These cookies are necessary for the website to function and cannot be switched off in our systems.

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.

You have the right to opt out of the sale of your personal information. See our {cookiePolicyLink} for more details about how we use your data.

Your Privacy Choices

We use cookies to enhance your experience. You can customize your cookie preferences below. See our {cookiePolicyLink} for more details.

Cookie Settings

Link, Press control-option-right-arrow to exit

Empty Help Center

Uh oh. That page doesn’t exist.

Disappointed

Neutral

Smiley

Thinking...

Searching through sources...

Analyzing...

Tickets submitted through the messenger or by a support agent in your conversation will appear here.

Tool	Description	Risk Level	Approval
View Mailbox Permissions	See who has Full Access to a mailbox	Low	None
View Send As Permissions	See who can Send As another user	Low	None
View Mailbox Details	See mailbox settings and Send on Behalf delegates	Low	None
Grant Full Access	Give a user Full Access to another mailbox	High	Always
Grant Send As	Allow a user to send email as another user	High	Always
Grant Send on Behalf	Allow a user to send on behalf of another user	High	Always

Exchange Online Delegation Setup

Prerequisites

Step 1: Grant Exchange Admin Permission

Step 2: Assign Exchange Administrator Role

Verification

What the AI Agent Can Do

Why a Separate Setup?

Troubleshooting