The service account that is used to scan Exchange requires the following access rights:
1.Membership in the Exchange security group "View-Only Organization Management"
2.Read permissions in Active Directory (During the scan distinguished names are resolved and access rights are partially read from the mailbox user)
3.Impersonation rights to recall deputy rules, mailbox folders. Please see the following chapter: "Exchange Web Service – Impersonation"
4.Its own mailbox to scan public folders
The service account that you want to use to modify Exchange requires additional different rights:
Membership in the Exchange security group "Organization Management"
Please note that deny rights applied to mailbox content may hinder successful scans.
For Exchange Online, create a user (with an email address) that is "Global Administrator" on the server and does not need to be licensed. Add the user to the group "View-Only Organization Management" for read only access, "Organization Management" for modify access.