Appearance

Exchange Online Delegation

Exchange Online delegation is an optional add-on to the Microsoft 365 integration. It unlocks mailbox-level permissions that are not available through the standard Microsoft Graph API.

Why Is This Separate?

Microsoft Graph covers most of Microsoft 365 — users, groups, mail, calendar, SharePoint, Teams, devices, and security. However, Microsoft does not expose mailbox delegation through Graph. Managing who can access another user's mailbox, send as them, or send on their behalf requires the Exchange Admin API, which has its own authorization and role requirements.

Junto connects to both APIs so your team can manage the full Microsoft 365 experience from a single place.

What It Unlocks

With Exchange Online delegation enabled, the AI agent can manage three types of mailbox permissions:

  • Full Access -- Grant a user the ability to open and work in another user's mailbox. Commonly used for shared mailboxes, executive assistants, or temporary coverage during leave.
  • Send As -- Allow a user to send email that appears to come directly from another mailbox. Recipients see the email as if it came from the target mailbox. Useful for shared department addresses.
  • Send on Behalf -- Allow a user to send email on behalf of another user. Recipients see "sent by [user] on behalf of [mailbox owner]." Used when the sender's identity should remain visible.

The agent can also view existing delegation permissions on any mailbox to help with troubleshooting and audits. All changes to mailbox permissions require technician approval before the agent proceeds.

Prerequisites

  • An active Microsoft 365 connection for the customer tenant
  • Global Administrator access to the customer's Azure AD tenant

Setup

Exchange Online delegation requires a second authorization step beyond the standard Microsoft 365 OAuth connection:

  1. In Junto, go to the company's Integrations page and find the Microsoft 365 connection.
  2. Click Authorize next to the Exchange Admin badge to start the additional authorization.
  3. Sign in as a Global Administrator of the customer's tenant and grant admin consent.
  4. In the customer's Azure AD tenant, assign the Exchange Administrator role to the Junto application. This can be done in Azure AD Portal under Identity > Roles & admins.
  5. Back in Junto, click Re-check — the badge should turn green confirming Exchange delegation is active.

Troubleshooting

  • Badge stays red after authorizing -- Make sure you signed in as a Global Administrator of the customer's tenant (not your own). The Exchange Administrator role may not be assigned yet. Wait a minute or two for permission propagation, then click Re-check.
  • Delegation tools not appearing -- The base Microsoft 365 connection must be active first. Exchange delegation is an add-on.
  • Permission errors when managing mailboxes -- Verify the Exchange Administrator role is assigned to the Junto application in the customer's Azure AD tenant.