
Archive Shuttle 11.1 - Planning Guide

Required API permissions to use modern authentication (OAuth)

Below are the API permissions Archive Shuttle requires. The set depends on how Archive Shuttle connects to Office 365: with a Global Administrator account, or to Exchange Online as an application authenticating with a certificate (see Using Exchange Online PowerShell module below).

As Global Administrator

API                         Permission          Type         Description
Office 365 Exchange Online  full_access_as_app  Application  Use Exchange Web Services with full access to all mailboxes

For Exchange Online

API                         Permission            Type         Description
Microsoft Graph             User.Read             Delegated    Sign in and read user profile
Office 365 Exchange Online  Exchange.ManageAsApp  Application  Manage Exchange as Application
Office 365 Exchange Online  full_access_as_app    Application  Use Exchange Web Services with full access to all mailboxes

full_access_as_app lets the application read and write every mailbox in the tenant. When Archive Shuttle connects with a certificate, this can be narrowed to the mailboxes in a mail-enabled security group with an application access policy; see Scoping the application access policy (creating scoped accounts) below.

Using Exchange Online PowerShell module

Connecting to Office 365 using OAuth supports the Exchange Online PowerShell module v3, which can authenticate with a certificate identified by its thumbprint instead of an account. This is useful when no Global Administrator account is available to connect to Office 365.

Visit this article from Microsoft for more about the module.

NOTE: An application (client) secret is NOT supported with this method; only certificate authentication is.

Installing the Exchange Online Management module

You first need to download the Exchange Online Management module. It must be installed on the same machine as the Office 365 module.

PRE-REQUISITES:

·PowerShell 5.1 and later are supported.

·Minimum requirement: EXO v3 installed on the machine where the Office 365 module is located.

·PowerShell command: Install-Module ExchangeOnlineManagement, run on the machine where the Office 365 module is located.

·A self-signed certificate can be used. Certificates signed with SHA-1 or SHA-2 are accepted (prefer SHA-2; SHA-1 is deprecated). Azure accepts only the public key, in .cer, .pem or .crt format; the private key stays on the machine that runs the module. For more about Azure requirements for certificates, click here. View this section and this page for more information.

1.Install the certificate (with its private key) into the Personal store, and its public part into the Trusted Root Certification Authorities store, on the virtual machine where the Office 365 module is running.

2.Open the Azure Active Directory portal, and go to Azure Active Directory.

3.Select App registrations, then New registration.

4.Give the application a name, and select Accounts in this organizational directory only.

5.Set Redirect URI to Web, and leave the URL blank. Then click Register.

6.Next, configure the application permissions. Select API permissions.

7.User.Read should appear by default. Click Add a permission, and locate Office 365 Exchange Online on the APIs my organization uses tab.

8.Select Application permissions. On the next screen, expand Exchange, and check full_access_as_app and Exchange.ManageAsApp. Then click Add permissions.

9.Now grant admin consent. Click Grant admin consent for <tenant>. When this is completed, the Status column for the full_access_as_app and Exchange.ManageAsApp permissions should read Granted for <tenant>.

10.Select Certificates & secrets, and upload the certificate you previously created.

NOTE: Check that the file you upload (the public part of the certificate that is installed on the same virtual machine as the Office 365 module) is in the .cer format. .pfx is not supported, and the private key must never be uploaded.

11.Navigate to Azure Active Directory - Roles and administrators.

12.Find the Global Reader role and open it.

13.Click the Add assignments button.

14.Select the application registered in step 4 (its service principal) as the member of the Global Reader role.

15.Repeat steps 12 through 14 for the Exchange Administrator and User Administrator roles. These are tenant-wide directory roles; if only mailbox collection and owner migration are needed, the Exchange Online role group method in the next section grants less.
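The certificate side of steps 1 and 10, plus a check that the resulting app-only connection works, as an added PowerShell example (this is not code from the Archive Shuttle guide). It assumes the ExchangeOnlineManagement module is installed, an elevated PowerShell 5.1 or later session on the machine that runs the Office 365 module, and placeholder values for the certificate subject, the export path, the application (client) ID and the tenant domain, all of which you replace with your own.

```powershell
# Added example, not part of the Archive Shuttle guide. Placeholder values are marked <...>.
# Run on the machine where the Office 365 module runs, in an elevated PowerShell 5.1+ session.

# Step 1: create a self-signed certificate with a private key in the Personal (My) store.
# SHA-256 with a 2048-bit RSA signing key, valid for one year.
$cert = New-SelfSignedCertificate `
    -Subject "CN=ArchiveShuttle-EXO-AppOnly" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyExportPolicy Exportable `
    -KeySpec Signature `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

"Thumbprint: $($cert.Thumbprint)"

# Step 10: export ONLY the public certificate (.cer). This is the file uploaded in Azure.
# A .pfx would contain the private key; it is not accepted there and must stay on this machine.
$cerPath = "C:\Temp\ArchiveShuttle-EXO-AppOnly.cer"   # assumed path
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Step 1 also asks for the certificate in Trusted Root Certification Authorities on this machine.
Import-Certificate -FilePath $cerPath -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null

# After steps 2 to 15 in the portal: connect app-only with the thumbprint. No account or secret is used.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline `
    -CertificateThumbprint $cert.Thumbprint `
    -AppId "<application (client) ID from the app registration overview>" `
    -Organization "<tenant>.onmicrosoft.com"

# Verify: the connection should report the app ID and certificate authentication,
# and an Exchange Online cmdlet should succeed under the application's roles.
Get-ConnectionInformation | Select-Object Organization, AppId, CertificateAuthentication, TokenStatus
Get-Mailbox -ResultSize 1 | Select-Object DisplayName, RecipientTypeDetails

Disconnect-ExchangeOnline -Confirm:$false
```

If Connect-ExchangeOnline succeeds but Get-Mailbox is denied, the upload or the role assignments (steps 10 to 15) are incomplete; the certificate itself is fine.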

Setup application using Exchange Online role groups

Prerequisites

This method is supported only in Exchange Online PowerShell, and only when you connect in the REST API mode (do not use the UseRPSSession switch in the Connect-ExchangeOnline command).

This configuration is only compatible with the following scenarios:

·collection of mailboxes

·owner migration scenarios

NOTE: Archive Shuttle's leaver, virtual journal and other user-provisioning operations require Azure Active Directory roles (see Supported Office 365 features when basic RBAC setup is used below).

Steps

1.Register your application in Azure Active Directory

2.Open the application registration you created -> Certificates & secrets -> Upload certificate

3.Select API permissions

4.Configure permissions based on the following:

API/Permission name     Type         Description                                                   Admin consent required?

Microsoft Graph
Organization.Read.All   Application  Read organization information                                 Yes
User.Read.All           Application  Read all users' full profiles                                 Yes

Office 365 Exchange Online
Exchange.ManageAsApp    Application  Manage Exchange as Application                                Yes
full_access_as_app      Application  Use Exchange Web Services with full access to all mailboxes   Yes

5.Navigate to the Exchange Admin center

6.Select Roles -> Admin roles

7.Add the Role group with the necessary roles


8.Start PowerShell and connect to Azure Active Directory as an administrator

9.Connect to Exchange Online as an administrator

10.Run the following cmdlets:

# Steps 8 and 9: connect to Azure AD and Exchange Online as an administrator
Connect-AzureAD
Connect-ExchangeOnline

# Get the registered application and create an Exchange Online service principal for it
# (the AzureAD module is deprecated; Get-MgServicePrincipal from Microsoft Graph PowerShell
# returns the same values as AppId and Id)
$appFromAzure = Get-AzureADServicePrincipal -SearchString "YourRegisterApplicationName"

New-ServicePrincipal -AppId $appFromAzure.AppId -ServiceId $appFromAzure.ObjectId -DisplayName "NameForServicePrincipal"

$SP = Get-ServicePrincipal -Identity "NameForServicePrincipal"

# Assign the service principal to the role group
Add-RoleGroupMember -Identity "YourRoleGroup" -Member $SP.Identity

# Check the result: the service principal should be listed as a member
Get-RoleGroup -Identity "YourRoleGroup"
Get-RoleGroupMember -Identity "YourRoleGroup"

 

Supported Office 365 features when basic RBAC setup is used

Feature                                                                    Supported?
Sync Office 365 mailboxes                                                  Yes
Sync cloud-only Office 365 mailboxes                                       Yes
Get licenses                                                               Yes
Get mailbox quota                                                          Yes
Ingest data into mailbox (normal users, journal transformation)            Yes
Process shortcuts on Office 365 mailboxes (delete, convert, fix, restore)  Yes
Virtual journal and leavers provisioning                                   No
Journal transformation leavers                                             No
Collect retention labels and tags                                          No

Scoping the application access policy (creating scoped accounts)

NOTE: This process can only be used when Archive Shuttle is configured to authenticate with a certificate.

Creating an application registration using a certificate

1.Create a new registered application in Azure that uses a certificate. Follow step 1 under the Configuring OAuth with a certificate section here.

2.Upload a certificate by going to Certificates & secrets, and under Certificates, click Upload certificate.

3.Select the required certificate, enter a description if needed, and click Add.

4.On API permissions, click Add a permission, and add the API permissions listed under the For Exchange Online section here. Do NOT grant admin consent at this time; the application access policy must be in place first (steps 16 and 17).

 

Adding administrative roles

5.On the Roles and administrators tab in the Azure Active Directory admin center, search for the role named Exchange Recipient Administrator or Global Reader, and click its name.

NOTE: The Global Reader role allows the application to read any attribute, but not to update attributes.

6.Click Add assignments, search for the application registration you created earlier, and click Add.

 

Creating an Exchange security group

7.You now need to create an Exchange security group. Go to the Exchange admin center.

8.Under Recipients > Groups, click Add a group.

9.On the Group type page, select Mail-enabled security, and click Next.

10.On the Basics page, enter a group name and, optionally, a description. Once created, this is the group to which you add the mailboxes that the app registration should have write access to. Click Next.

11.On the Settings page, enter a group email address. This can be the same as the group name. Click Next.

12.Review the group you have created. Once you are satisfied, click Create group. It may take a few minutes for the group to appear in the group list.

NOTE: The group exists only to define the scope of the policy, so you may not want it to be discoverable as a mail recipient. To hide it from address lists, click the group name under Mail-enabled security, and under Settings, check Hide this group from the global address list.

13.You now need to add users to the group. Select the group under Mail-enabled security, and under Members, select View all and manage members. Select the checkbox of each member and click Add until all the desired members have been added.

 

Connecting to the tenant

14.Open PowerShell (the Exchange Online Management module must be installed) and connect to Exchange Online with the following command: Connect-ExchangeOnline. If you use the PowerShell ISE, select the line and click Run Selection.

15.Sign in with a Global Administrator account. Connecting may take up to a minute.

Creating the application access policy

16.Use the following command in PowerShell to create the application access policy. Replace the placeholder values with your own:

New-ApplicationAccessPolicy -Description "Policy Name" -AppId "<OAuth App Registration ID>" -AccessRight RestrictAccess -PolicyScopeGroupId "<Mail Enabled Security Group Email Address>"

Then click Run Selection. The output of the command appears below it.

NOTES:

·Once the command has been run, it may take up to one hour to take effect. It is recommended that you wait this full period before testing or relying on the restriction. Click here for more information.

·You can test whether the policy has taken effect with the following command. Replace the placeholder values with your own. The AccessCheckResult in the output should be Granted for a mailbox in the group and Denied for any other mailbox:

Test-ApplicationAccessPolicy -Identity <SMTP address> -AppId <OAuth App Registration ID>

Grant admin consent

17.Go back to the API permissions for your application registration, click Grant admin consent for <tenant>, and click Yes.

NOTE: Using this process may result in certain features not functioning as expected, such as leavers and virtual journal migrations. If this occurs, please contact support.
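The PowerShell equivalent of steps 7 to 16, with the verification from the notes, as an added example that is not part of the Archive Shuttle guide. It creates the mail-enabled security group, hides it from address lists, adds the in-scope mailboxes, creates the policy and tests one mailbox inside and one outside the scope. The group name, alias, addresses and application (client) ID are placeholders and the mailbox list is constructed sample data; replace them with your own.

```powershell
# Added example, not part of the Archive Shuttle guide. Placeholder values are marked <...>.
# Requires the ExchangeOnlineManagement module; run as a Global Administrator (step 15 above).
Connect-ExchangeOnline

$appId     = "<application (client) ID of the Archive Shuttle app registration>"
$groupName = "ArchiveShuttle-ScopedMailboxes"                        # assumed name
$groupSmtp = "archiveshuttle-scoped@<tenant>.onmicrosoft.com"        # assumed address
# Constructed sample: the only mailboxes the application may access. Replace with your own.
$mailboxes = @("user1@<tenant>.onmicrosoft.com", "user2@<tenant>.onmicrosoft.com")

# Steps 7 to 12: the mail-enabled security group that defines the scope, hidden from address lists
# so nobody picks it as an ordinary recipient.
$group = New-DistributionGroup -Name $groupName -Alias "archiveshuttle-scoped" `
    -PrimarySmtpAddress $groupSmtp -Type Security
Set-DistributionGroup -Identity $group.Identity -HiddenFromAddressListsEnabled $true

# Step 13: add the in-scope mailboxes.
foreach ($mbx in $mailboxes) {
    Add-DistributionGroupMember -Identity $group.Identity -Member $mbx
}

# Step 16: restrict the application to members of that group. Every other mailbox is denied,
# even though full_access_as_app is granted at the tenant level.
New-ApplicationAccessPolicy -AppId $appId -PolicyScopeGroupId $groupSmtp `
    -AccessRight RestrictAccess -Description "Archive Shuttle: restrict EWS access to migration scope"

# The policy can take up to an hour to propagate; re-run these checks until both results are as expected.
# Expected AccessCheckResult: Granted for a group member, Denied for a mailbox outside the group.
Test-ApplicationAccessPolicy -Identity $mailboxes[0] -AppId $appId |
    Select-Object Mailbox, AppId, AccessCheckResult
Test-ApplicationAccessPolicy -Identity "<mailbox not in the group>@<tenant>.onmicrosoft.com" -AppId $appId |
    Select-Object Mailbox, AppId, AccessCheckResult

# Inventory of all application access policies in the tenant, useful for audit.
Get-ApplicationAccessPolicy | Format-Table AppId, ScopeName, AccessRight, Description

Disconnect-ExchangeOnline -Confirm:$false
```

Run the two Test-ApplicationAccessPolicy calls again after step 17 (admin consent); a Denied result for the out-of-scope mailbox is the evidence that full_access_as_app is actually constrained.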
