New Method for Connecting to Exchange Online
Microsoft now requires a more secure method for accessing Exchange Online. Instead of using a traditional service account with a password, we now use an Azure AD application, authenticated via a certificate, and represented in Exchange Online by a service principal.
For you, this means:
- The IDECSI platform will connect using a registered Azure AD application.
- This application is represented in Exchange Online by a service principal, which acts as a technical identity.
- It will be granted the same permissions as your previous service account by being added to your existing Exchange role group (e.g., I2A).
- This method is more secure: there is no password to store or rotate (the application authenticates with a certificate), access is scoped to a dedicated technical identity rather than a shared user account, and traceability improves because Exchange and Azure AD audit entries are recorded against the application itself.
Why Create an Exchange Service Principal?
Although the application is already registered in Azure AD, Exchange Online uses its own role-based access control (RBAC) system. To assign Exchange permissions to the app, it must be represented within Exchange as a ServicePrincipal object.
The New-ServicePrincipal cmdlet (ExchangeOnlineManagement module) creates this representation, linking the AppId and ObjectId of the application's Azure AD service principal to an Exchange-recognized identity. Exchange RBAC then resolves the identity by those two IDs; the display name you give the object is only a label.
Steps to Follow
An administrator approves the IDECSI application via the Microsoft admin consent link below. Approving it creates the application's service principal in your tenant (the object the script looks up in its step 2), so this must be done first; review the permissions listed on the consent screen before accepting.
An administrator then runs the PowerShell script below to create the Exchange service principal and add it as a member of your existing Exchange role group (e.g., I2A), which already contains the set of roles you granted to the former service account. The new identity therefore inherits exactly that role set and nothing more.
Our team will then finalize the setup so that IDECSI connects to Exchange with the new secured method.
Administrator approval link for IDECSI Platform app (to be opened with an Azure AD admin account):
https://login.microsoftonline.com/common/adminConsent?client_id=52e3a6c9-b6cc-4854-92db-06afc774da14
PowerShell script to create the Service Principal and add it to the role group (to be run with an Azure AD admin account and an Exchange admin account; Connect-MgGraph and Connect-ExchangeOnline each prompt for sign-in):
# 1. Connect to Microsoft Graph to locate the application's service principal.
#    Application.Read.All is sufficient: this script only reads the object,
#    so no write scope is requested.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.Read.All"
# 2. Get the Service Principal of the Azure AD App "IDECSI - Platform" by its AppId
#    (the client_id in the consent link). Filtering on AppId rather than the display
#    name guarantees you pick up the IDECSI app and not another app with the same name.
$AzureADApp = Get-MgServicePrincipal -Filter "appId eq '52e3a6c9-b6cc-4854-92db-06afc774da14'"
if (-not $AzureADApp) { throw "Service principal not found in the tenant. Has admin consent (step 1) been granted?" }
# 3. Connect to Exchange Online
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
# 4. Create the Exchange Service Principal linked to the Azure AD App (one-time)
New-ServicePrincipal -AppId $AzureADApp.AppId -ObjectId $AzureADApp.Id -DisplayName "SP for Azure AD App IDECSI - Platform"
# 5. Retrieve the new Service Principal object
$SP = Get-ServicePrincipal -Identity "SP for Azure AD App IDECSI - Platform"
# 6. Add the Service Principal to your existing role group (replace 'I2A' if needed)
Add-RoleGroupMember -Identity "I2A" -Member $SP.Identity
# 7. Clean disconnects
Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph
Once the application is approved and the script has been successfully executed, the IDECSI team will finalize the setup so the platform can connect to Exchange using this new secure method.
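The following verification script is an added example, not part of IDECSI's procedure, for an administrator who wants to confirm the result before handing over: that admin consent actually created the application's service principal, which application permissions were consented to, that the Exchange-side object carries the same AppId and ObjectId as the Azure AD object, and that the role group membership and the roles it grants are what you expect. It assumes the AppId from the consent link, the display name used in the setup script, and a role group named "I2A"; replace the role group name if yours differs. The membership check matches on the display name of the returned member objects, which is an assumption about the output shape you may need to adjust in your tenant.

```powershell
# Added verification script (not part of the original IDECSI procedure).
# Assumptions: AppId from the consent link, the Exchange service principal
# display name from the setup script, and a role group named "I2A".
$AppId     = "52e3a6c9-b6cc-4854-92db-06afc774da14"
$ExoSpName = "SP for Azure AD App IDECSI - Platform"
$RoleGroup = "I2A"   # assumption: replace with your own role group name

Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.Read.All"

# 1. Admin consent creates the app's service principal in the tenant; it must exist.
$GraphSP = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $GraphSP) {
    throw "No service principal for AppId $AppId in this tenant: admin consent has not been granted."
}

# 2. List the application permissions that were consented to, so they can be
#    compared with what was shown on the consent screen. AppRoleId is the
#    permission's GUID on the resource named in ResourceDisplayName.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $GraphSP.Id |
    Select-Object ResourceDisplayName, AppRoleId

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 3. The Exchange object must reference the same AppId and ObjectId as the Azure AD
#    object; otherwise the role group member is not the identity IDECSI authenticates as.
$ExoSP = Get-ServicePrincipal -Identity $ExoSpName -ErrorAction SilentlyContinue
if (-not $ExoSP) {
    throw "Exchange service principal '$ExoSpName' not found: run New-ServicePrincipal first."
}
if ([string]$ExoSP.AppId -ne [string]$GraphSP.AppId -or [string]$ExoSP.ObjectId -ne [string]$GraphSP.Id) {
    throw "Exchange service principal does not match the Azure AD app (AppId or ObjectId differs)."
}

# 4. Confirm the service principal is a member of the role group.
#    Assumption: member objects expose a DisplayName; adjust if your output differs.
$Members = Get-RoleGroupMember -Identity $RoleGroup
if (-not ($Members | Where-Object { $_.DisplayName -eq $ExoSP.DisplayName })) {
    throw "'$ExoSpName' is not a member of role group '$RoleGroup'."
}

# 5. List the roles the group grants: this is the effective permission set the
#    application now holds, so review it for anything beyond what IDECSI needs.
Get-ManagementRoleAssignment -RoleAssignee $RoleGroup |
    Select-Object Role, RecipientWriteScope, ConfigWriteScope

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph
```

Steps 2 and 5 are the two outputs worth keeping in your change record: the first documents which Graph or Exchange application permissions the tenant granted to the app at consent time, the second documents which Exchange RBAC roles (and write scopes) the role group confers, and together they describe everything the new identity can do.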