Below are the API permissions required for Archive Shuttle.
As Global Administrator
Office 365 Exchange Online (1)

Permission | Type | Description
---|---|---
full_access_as_app | Application | Use Exchange Web Services with full access to all mailboxes

For Exchange Online

Microsoft Graph (1)

Permission | Type | Description
---|---|---
User.Read | Delegated | Sign in and read user profile

Office 365 Exchange Online (2)

Permission | Type | Description
---|---|---
Exchange.ManageAsApp | Application | Manage Exchange as Application
full_access_as_app | Application | Use Exchange Web Services with full access to all mailboxes
Connecting to Office 365 using OAuth is supported with the Exchange Online PowerShell module v3.1.0. This can be used to authenticate with a certificate and thumbprint, which is useful when no Global Administrator account is available to connect to Office 365.
Visit this article from Microsoft for more about the module.
NOTES:
· An application secret is NOT supported via this method.
· PowerShell compliance commands still need to use Global Admin credentials to connect to Exchange Online, because Microsoft does not support the AccessToken parameter for the Connect-IPPSSession command. PowerShell compliance is used to get a list of compliance tags.
Installing the Exchange Online Management module
You first need to download the Exchange Online Management module. This needs to be on the same machine as the Office 365 module.
PRE-REQUISITES:
· PowerShell 5.1 and later are supported.
· Minimum requirement: EXO v3.1.0 installed on the machine where the module is located.
· PowerShell command: Install-Module ExchangeOnlineManagement, run on the machine where the module is located.
· A self-signed certificate can be used. Certificates issued with SHA-1 or SHA-2 can also be used. Azure permits only .cer, .pem and .crt public keys. For more about Azure requirements for certificates, refer to Microsoft's documentation.
1. Install the certificate into the Personal and Trusted Root Certification Authorities certificate stores on the virtual machine where the Office 365 module is running.
2. Open the Azure Active Directory portal, and go to Active Directory.
3. Select App registrations, then New registration.
4. Give the application a name, and select Accounts in this organizational directory only.
5. Set Redirect URI to Web, and leave the URL blank. Then click Register.
6. Next, configure the application permissions. Select API Permissions.
7. User.Read should appear by default. Click Add a permission, and locate Office 365 Exchange Online on the APIs my organization uses tab.
8. Select Application permissions. On the next screen, expand Exchange, and check full_access_as_app and Exchange.ManageAsApp. Then click Add permissions.
9. Now grant admin consent. Click Grant admin consent for <tenant>. When this is completed, the Status column for the full_access_as_app and Exchange.ManageAsApp permissions should read Granted for <tenant>.
10. Select Certificates & Thumbprints, and upload the certificate you previously created.
NOTE: Check that the certificate (the one on the same virtual machine as the Office 365 module) is in the .cer format. .pfx is not supported.
11. Navigate to Active Directory - Roles and administrators.
12. Find the Global Reader role and open it.
13. Click the Add assignments button.
14. Select the registered application from step 4 as the ServicePrincipal for the Global Reader role.
15. Repeat steps 12 and 13 for the Exchange Administrator and User Administrator roles.
NOTE: This process can only be used when configuring Archive Shuttle using a certificate.
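A check of the prerequisites and certificate placement listed above, run on the machine that hosts the Office 365 module. This is an added example, not part of Quest's documentation or tooling; it assumes the certificate was installed in the LocalMachine stores and that `$Thumbprint` and `$CerExportPath` are replaced with your own values.

```powershell
# Added example, not Archive Shuttle code. Assumes the certificate was installed in the
# LocalMachine stores; replace $Thumbprint with the thumbprint of your certificate.
param(
    [string]$Thumbprint    = 'REPLACE-WITH-CERT-THUMBPRINT',
    [string]$CerExportPath = "$env:TEMP\archiveshuttle-app.cer"
)
$problems = @()

# PowerShell 5.1 or later is required.
if ($PSVersionTable.PSVersion -lt [version]'5.1') {
    $problems += "PowerShell $($PSVersionTable.PSVersion) found; 5.1 or later is required."
}

# ExchangeOnlineManagement (EXO) 3.1.0 or later must be installed on this machine.
$exo = Get-Module -ListAvailable -Name ExchangeOnlineManagement |
       Sort-Object Version -Descending | Select-Object -First 1
if (-not $exo) {
    $problems += "ExchangeOnlineManagement is missing; run Install-Module ExchangeOnlineManagement."
} elseif ($exo.Version -lt [version]'3.1.0') {
    $problems += "ExchangeOnlineManagement $($exo.Version) found; 3.1.0 or later is required."
}

# The certificate must be in Personal (with its private key, which thumbprint
# sign-in uses) and in Trusted Root Certification Authorities.
$thumb    = ($Thumbprint -replace '\s', '').ToUpperInvariant()
$personal = Get-ChildItem Cert:\LocalMachine\My  | Where-Object { $_.Thumbprint -eq $thumb }
$root     = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $personal) {
    $problems += "Certificate $thumb is not in LocalMachine\My (Personal)."
} elseif (-not $personal.HasPrivateKey) {
    $problems += "Certificate $thumb has no private key; certificate sign-in cannot use it."
} elseif ($personal.NotAfter -lt (Get-Date)) {
    $problems += "Certificate $thumb expired on $($personal.NotAfter)."
}
if (-not $root) {
    $problems += "Certificate $thumb is not in LocalMachine\Root (Trusted Root CAs)."
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}

# Azure accepts only the public key (.cer), never a .pfx containing the private key,
# so export just the public certificate for the upload in step 10.
Export-Certificate -Cert $personal -FilePath $CerExportPath -Type CERT | Out-Null
Write-Host "Prerequisites satisfied. Public certificate written to $CerExportPath"
```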
Creating an application registration using a certificate
1. Create a new registered application in Azure using a certificate, following the instructions in step 1 of the Configuring OAuth with a certificate section.
2. Upload a certificate by going to Certificates & secrets and, under Certificates, clicking Upload certificate.
3. Select the required certificate, enter a description if needed, and click Add.
4. On API Permissions, click Add a permission, and enter the API permissions listed under the For Exchange Online section. Do NOT grant admin consent at this time.
Adding administrative roles
5. On the Roles and administrators tab in the Azure Active Directory admin center, use the search field to find the role titled Exchange recipient administrator or Global reader, and click its name.
NOTE: The Global reader role allows you to read any attribute, but not to update attributes.
6. Click Add assignments, search for the application registration you created earlier, and click Add.
Creating an Exchange security group
7. You now need to create an Exchange security group. Go to the Exchange admin center.
8. Under Recipients > Groups, click Add a group.
9. On the Group type page, select Mail-enabled security, and click Next.
10. On the Basics page, enter a group name and, optionally, a description. Once created, this is the group to which you will add the mailboxes that the app registration should have write access to. Once this is done, click Next.
11. On the Settings page, enter a group email address (this can be the same as the group name), and click Next.
12. Review the group you have created. Once you are satisfied, click Create group. It may take a few minutes for the group to appear in the group list.
NOTE: You may want to prevent emails from being sent to the group directly. To do this, click the group name under Mail-enabled security and, under Settings, check Hide this group from the global address list.
13. You will now need to add users to the group. Select the group under Mail-enabled security and, under Members, select View all and manage members. Select the checkbox of each member and click Add until all the desired members have been added.
Connecting to the tenant
14. Open the PowerShell module and connect to Exchange Online using the following command, then click the Run Selection button: Connect-ExchangeOnline
15. Sign in to the module using a Global Administrator account. Connecting may take up to a minute.
Creating the application access policy
16. Use the following command in PowerShell to create the application access policy. Replace the placeholders in angle brackets with your own values:

```powershell
New-ApplicationAccessPolicy -Description "<Policy Name>" -AppId <OAuth App Registration ID> -AccessRight RestrictAccess -PolicyScopeGroupId <Mail Enabled Security Group Email Address>
```

Then click Run Selection. The output of the command should appear below it.
NOTES:
· Once the command has been run, it may take up to one hour to take effect. It is recommended that you wait this full period to ensure the policy has been applied. Refer to Microsoft's documentation for more information.
· You can test whether the policy has been applied successfully with the following command, replacing the placeholders in angle brackets with your own values:

```powershell
Test-ApplicationAccessPolicy -Identity <SMTP address> -AppId <OAuth App Registration ID>
```
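Steps 14 to 16 and the check from the notes above, as one script. This is an added example, not Quest's code; the admin UPN, app ID, group address and mailbox names are placeholders. It creates the RestrictAccess policy only if none exists yet for the app, then tests one mailbox that is a member of the group and one that is not, so the scoping can be verified.

```powershell
# Added example, not Archive Shuttle code. All values below are placeholders to replace.
$AdminUpn     = 'admin@contoso.onmicrosoft.com'          # Global Administrator (step 15)
$AppId        = '00000000-0000-0000-0000-000000000000'   # OAuth app registration (client) ID
$GroupAddress = 'archiveshuttle-scope@contoso.com'       # mail-enabled security group (step 11)
$InScope      = 'alice@contoso.com'                      # a mailbox that is a member of the group
$OutOfScope   = 'bob@contoso.com'                        # a mailbox that is not a member

# Steps 14 and 15: interactive sign-in; a browser prompt asks for the admin credentials.
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Step 16: create the RestrictAccess policy once. Look for an existing policy for this
# AppId first so repeated runs do not pile up duplicate policies.
$policy = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $policy) {
    $policy = New-ApplicationAccessPolicy -Description 'Archive Shuttle ingest scope' `
        -AppId $AppId -AccessRight RestrictAccess -PolicyScopeGroupId $GroupAddress
}
$policy | Format-List AppId, AccessRight, ScopeName, Description

# The policy can take up to an hour to apply, so results immediately after creation
# may not reflect it yet; rerun this part after the waiting period.
foreach ($mailbox in @($InScope, $OutOfScope)) {
    $result = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId
    '{0,-35} {1}' -f $mailbox, $result.AccessCheckResult
}
# Once applied: the group member reports Granted, every other mailbox reports Denied.

Disconnect-ExchangeOnline -Confirm:$false
```

If the out-of-scope mailbox still reports Granted after the waiting period, the app is not restricted and the group address or AppId in the policy should be rechecked.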
Grant admin consent
17. Go back to the API permissions for your application registration, click Grant admin consent for <tenant>, and click Yes.
NOTE: Using this process may result in certain features not functioning as expected, such as leavers and virtual journal migrations. If this occurs, please contact support.
If you want to add or change the credentials for the Office 365 ingest account, you must be logged in as the local service account under which the services (particularly the Office 365 module) run. Use the Archive Shuttle Credentials Editor to add or change the credentials for the Office 365 ingest account.
The tool is called ArchiveShuttle.Module.CredentialsEditor.exe and is by default located in C:\Program Files (x86)\QUADROtech\Archive Shuttle Modules\CredentialsEditor\.
Then, follow these steps:
1. Run the tool, click Add, and specify a valid UPN account and its password. Then click OK and save the credentials.
2. Restart the module.
At least one service account is required per import module. One service account needs to have Global Administrator rights configured, and the rest of the accounts should have Application Impersonation rights configured.
NOTES:
· When ingest accounts are not visible on the Health page, restart the Office 365 module service first and then the Core service so that the accounts from the Credentials Editor are loaded on that page.
· Service accounts must be unique and cannot be repeated across additional module instances.
© 2024 Quest Software Inc. ALL RIGHTS RESERVED.