If you followed the security recommendations in Office 365 and disabled the ability for users to consent to apps, iPhone users will face the message “iOS accounts needs permission to access resources in your organization” during native mail account setup for Exchange Online.
I had this situation and found some articles to solve the problem. I would like to give you a short summary of these articles.
A few weeks ago I had to implement Microsoft Exchange Online for a customer who hadn’t used Exchange in the past. For simple user management, I decided to install and configure Azure AD Connect, so the user accounts from the local Active Directory will be synchronized to Azure AD.
There are several advantages of this scenario:
you have a single point for user management, your local Active Directory
if configured, user passwords (or better to say password hash values) are automatically synchronized to Azure AD
the user has a Single-Sign-On Experience for Office 365 services
Office 365 license assignment based on local AD groups
After setting up Azure AD Connect and enabling all users for Exchange Online, I started to configure some Exchange settings: distribution lists, shared mailboxes and secondary mail addresses. But wait, what’s that? After submitting the change, an error message pops up:
The operation on mailbox “Daniel” failed because it’s out of the current user’s write scope.
What da hack? After some research on the web and reading several blog entries, it was clear: when using AAD Connect and synchronized accounts in Office 365, you have to install an on-premises Exchange Management server to change some Exchange Online settings, even if you don’t have an on-premises Exchange server installed yet. Very disappointing and frustrating. That’s why a customer decides to use a cloud service: they don’t want to have to install and maintain the system on-premises.