Create a new Single Tenant Application to use with the Authentication Broker.
https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps
...
2. Click “Add a permission”, go to the “APIs my organization uses” tab, and enter “Office 365” in the search box. Select “Office 365 Exchange Online”.
...