To use the New-ServicePrincipal cmdlet, install the ExchangeOnlineManagement module and connect to your tenant as shown in the following snippet.

Install-Module -Name ExchangeOnlineManagement -AllowPrerelease
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -Organization <tenantId>

If you still get an error running the New-ServicePrincipal cmdlet after you perform these steps, the most likely cause is that the user does not have sufficient permissions in Exchange Online to perform the operation.

The following is an example of registering an Azure AD application's service principal in Exchange:

New-ServicePrincipal -AppId <APPLICATION_ID> -ServiceId <OBJECT_ID> [-Organization <ORGANIZATION_ID>]

The OBJECT_ID is the Object ID from the Overview page of the Enterprise Application node (Azure Portal) for the application registration. It is not the Object ID from the Overview of the App Registrations node. Using the incorrect Object ID will cause an authentication failure.


You can get your registered service principal's identifier using the Get-ServicePrincipal cmdlet.

Get-ServicePrincipal | fl

The tenant admin can now add the specific mailboxes in the tenant that your application will be allowed to access. This is done with the Add-MailboxPermission cmdlet.

The following is an example of how to give your application's service principal access to one mailbox:

Add-MailboxPermission -Identity "" -User <SERVICE_PRINCIPAL_ID> -AccessRights FullAccess

VFC can now access the allowed mailboxes via the POP or IMAP protocols using the OAuth 2.0 client credentials grant flow. For more information, see the instructions in Permissions and consent in the Microsoft identity platform.
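
Because each grant above gives the application FullAccess to a mailbox, it is worth confirming that the service principal can reach exactly the approved mailboxes and no others. The following is an added example, not part of the original instructions or the product's own tooling: the function name Test-ServicePrincipalMailboxScope and the placeholder values are assumptions, and it assumes Get-MailboxPermission -User resolves the service principal identity the same way Add-MailboxPermission does.

```powershell
# Added example. Placeholder values are assumptions; replace them before running.
# Requires an active Connect-ExchangeOnline session.
function Test-ServicePrincipalMailboxScope {
    param(
        [Parameter(Mandatory)] [string]   $AppId,             # <APPLICATION_ID> used with New-ServicePrincipal
        [Parameter(Mandatory)] [string[]] $ApprovedMailboxes  # primary SMTP addresses approved for import
    )

    # Confirm the application is registered in Exchange at all.
    $sp = Get-ServicePrincipal | Where-Object { $_.AppId -eq $AppId }
    if (-not $sp) { throw "No Exchange service principal found for AppId $AppId." }

    # Direct (non-inherited, non-deny) grants held by the service principal.
    $granted = @(
        Get-EXOMailbox -ResultSize Unlimited | ForEach-Object {
            $address = $_.PrimarySmtpAddress
            Get-MailboxPermission -Identity $address -User $sp.Identity -ErrorAction SilentlyContinue |
                Where-Object { -not $_.IsInherited -and -not $_.Deny } |
                ForEach-Object {
                    [pscustomobject]@{
                        Mailbox      = $address
                        AccessRights = $_.AccessRights -join ','
                    }
                }
        }
    )

    # Compare what is granted against what was approved.
    [pscustomobject]@{
        ServicePrincipal = $sp.Identity
        Granted          = $granted
        Unexpected       = @($granted | Where-Object { $_.Mailbox -notin $ApprovedMailboxes })
        Missing          = @($ApprovedMailboxes | Where-Object { $_ -notin $granted.Mailbox })
    }
}

$report = Test-ServicePrincipalMailboxScope -AppId '<APPLICATION_ID>' -ApprovedMailboxes '<MAILBOX_ADDRESS>'
$report.Unexpected | Format-Table   # grants to revoke with Remove-MailboxPermission
$report.Missing                     # approved mailboxes the import cannot read yet
```

An empty Unexpected list means the application's access matches the approved set; any entry in Missing explains an import failure for that mailbox.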


If the import fails, do the following checks:

  • Check that the client secret has not expired in Azure. If it has, create a new one and update it on the import source configuration page.
  • The default scope for the OAuth2 token is ''. If this needs to be changed for some reason, the correct scope can be set/edited in the registry with the following entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Verba\Archive Import\IMAP\Oauth2TokenScope