In BizTalk 2016, when I enable a Receive Location using the adapter "Office365 Outlook Email", it raises an error message in the Application Event Log:
Details "Service account does not have sufficient privileges. Please make sure the service account is a member of the SSO Administrators account.".
All our host instances run under an account that is BizTalk Admin, but probably not SSO Admin (I will get some with AD to verify). If I remember, that is the minimal security needed. Seems like a bad practice to add that user to SSO Administrator group.
So if I understand, the best practice might be to create another HostApp user account with BizTalk Admin and SSO just for this one adapter. This sounds kind of crazy and overkill to me - but is that what would have to be done?