
Quadrotech Archive Shuttle 10.3 - Planning Guide

Using OAuth Authentication

Archive Shuttle can be configured to use OAuth to authenticate with Microsoft Office 365, using a certificate and/or a client secret. The step-by-step guides below describe how to configure OAuth with a secret and how to configure it with a certificate.

NOTES:

·OAuth is currently supported over both Exchange Online and PowerShell endpoints in AS 10 or above.

·If you would like to use OAuth, please install Azure Active Directory PowerShell Module V2, as OAuth only supports Azure AD PowerShell.

·Local machines need to have basic authentication enabled in order to use OAuth.

Be aware that you must select ONE method of authentication for your Archive Shuttle project: either basic authentication or OAuth authentication. Mixed authentication is not available. However, with Archive Shuttle 10.1 you still require an account with Global Administrator rights in the Credentials Editor. The minimum permissions required for this account are listed in the installation guide, under 'Minimum Permissions for Migrations to Office 365'.

 

Configuring Modern Authentication (OAuth) with a Secret

Step 1: Create a new Registered Application in Azure

To get an application ID:

1. Go to https://portal.azure.com and log in to your Office 365 tenant with an administrator account.

2. From the left menu, select Azure Active Directory > App registrations.

3. Click New registration.

4. Enter a name.

5. Under Supported account types, select Single tenant.

6. Don't enter anything for Redirect URI (optional). Leave it as it is.

7. Click Register.

8. Copy the Application (client) ID and save it somewhere secure that you will remember. You will need it later.

 


 

Step 2: Configure Permissions, Roles and Secret

Configure Application Permissions: Return to the Azure portal and access Azure Active Directory > App registrations > Owned applications. Then find the application you created in Step 1 above.

1. Select your application, and then select API Permissions.

2. Click Add a permission.

3. In the Request API permissions pane, select APIs my organization uses, search for Office 365 Exchange Online and select this API.

4. Click Application permissions.

5. In the Permissions list, select full_access_as_app.

6. Click Add permissions.

7. Click Grant admin consent.

 

Assign the User Administrator role to the registered application:

1. Navigate to Azure Active Directory > Roles and administrators.

2. Find and open the User Administrator role.

3. Click Add assignments.

4. Search for the registered application (by display name).

5. Select the application and click Add.

 

The application is now recognized as a service principal holding the User Administrator role.

 

NOTES:

·An Azure Active Directory Premium license is required for these steps.

·This role is mandatory for collecting mailboxes.

Configure Application Secret:

1. Go to Certificates & secrets and click the New client secret button.

2. Enter a descriptive name.

3. Choose an expiry duration for the secret. (It is recommended to set the secret to not expire.)

4. Click Add.

5. Copy the secret value that was created and save it somewhere secure. You will need it later.

 

Step 3: Add your Application ID and Secret on the server running the Archive Shuttle O365 Import module.

To do this:

1. In Archive Shuttle, open the Credential Editor while logged in as the account the module is running under.

2. Select the Office 365 OAuth tab and click Add.

3. Enter the Name (free-format text), Application ID, Tenant (e.g. tenant.onmicrosoft.com) and Secret.

4. Save and close the Credential Editor.

5. Open the Archive Shuttle Administrator Console.

6. Click Configuration > System Configuration.

7. Go to the O365 module settings and enable the option Use modern authentication (OAuth).

8. Restart the O365 module to force the settings to take immediate effect.
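The following PowerShell script is an added example and is not part of the Quest documentation or the Archive Shuttle product. It requests an app-only token with the Application ID and secret from Steps 1 and 2 and checks that the token actually carries the full_access_as_app role before the values are entered in the Credential Editor; the tenant name, Application ID and folder values are placeholders to replace with your own.

```powershell
# Added example, not part of the Quest documentation: obtain an app-only token
# with the client secret from Step 2 and confirm it carries full_access_as_app
# before the values go into the Credential Editor. Placeholders below.
$Tenant = 'tenant.onmicrosoft.com'                  # placeholder: your tenant
$AppId  = '00000000-0000-0000-0000-000000000000'    # placeholder: Application (client) ID

# Prompt for the secret instead of hard-coding it in the script.
$cred   = Get-Credential -UserName $AppId -Message 'Paste the client secret as the password'
$secret = $cred.GetNetworkCredential().Password

# Client-credentials grant against the v2.0 token endpoint, scoped to Exchange
# Online so the token lists the application roles consented to in Step 2.
$body = @{
    client_id     = $AppId
    client_secret = $secret
    scope         = 'https://outlook.office365.com/.default'
    grant_type    = 'client_credentials'
}
try {
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/token"
} catch {
    throw "Token request failed (check tenant, Application ID and secret): $($_.Exception.Message)"
}

# Decode the JWT payload (base64url). No signature check is needed here: the
# token was just received over TLS from the issuer and is only being inspected.
$payload = $resp.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
$claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) |
    ConvertFrom-Json

$expires = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).LocalDateTime
"Token audience: $($claims.aud); valid until $expires"
if ($claims.roles -contains 'full_access_as_app') {
    'OK: full_access_as_app is present, so the admin consent from Step 2 took effect.'
} else {
    "full_access_as_app is missing. Roles present: $($claims.roles -join ', ')"
    'Re-check Step 2: API permissions > Office 365 Exchange Online > Application permissions > Grant admin consent.'
}
```

A missing role means the permission was added but admin consent was not granted, which is the most common reason the O365 module later fails to open mailboxes.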

 

Configuring OAuth with a certificate

Step 1: Create a new Registered Application in Azure

To get an application ID:

1. Go to https://portal.azure.com and log in to your Office 365 tenant with an administrator account.

2. From the left menu, select Azure Active Directory > App registrations.

3. Click New registration.

4. Enter a name.

5. Under Supported account types, select Single tenant.

6. Don't enter anything for Redirect URI (optional). Leave it as it is.

7. Click Register.

8. Copy the Application (client) ID and save it somewhere secure that you will remember. You will need it later.

 


 

Step 2: Add a certificate to the server running the O365 module.

To add an untrusted (self-signed) certificate to your bridgehead server's local certificate store:

1. Access the server where the O365 module is installed.

2. Open the certificates manager for the local machine by running certlm.msc (Start > Run).

3. Expand Trusted Root Certification Authorities > Certificates.

4. Right-click Certificates and select All Tasks > Import… to launch the Certificate Import Wizard.

5. Locate the (.cer) certificate file and follow the wizard prompts.

6. Supply the password, if required.

7. Right-click Certificates again and select All Tasks > Import… to launch the Certificate Import Wizard a second time.

8. Locate the (.pfx) certificate file and follow the wizard prompts.

9. Supply the password, if required.

 

Step 3: Get a Thumbprint

To get a thumbprint:

1. Return to the Azure portal and access Azure Active Directory > App registrations > Owned applications, and find the application you created in Step 1 above.

2. Select your application, and then select API Permissions.

3. Click Add a permission.

4. In the Add API access section > Select an API, choose Exchange.

5. In the Select permissions > Enable Access section, select the option Use Exchange Web Services with full access to all mailboxes (full_access_as_app).

6. Click Add permissions.

7. Click Grant admin consent.

8. Go to Certificates & secrets and click the Upload certificate button.

9. Upload your certificate file from Step 2.

10. Copy the certificate Thumbprint and save it somewhere secure. You will need it later.

 

NOTE: OAuth supports the Exchange Online PowerShell Module V2. This can be used to authenticate with a certificate and thumbprint when no Global Administrator account is available to connect to Office 365. An application secret is NOT supported via this method. When OAuth is deactivated in the Office 365 module settings, basic authentication is used.

 

Step 4: Add your Application ID and Thumbprint on the server running the Archive Shuttle module.

To do this:

1. In Archive Shuttle, open the Credential Editor while logged in as the account the module is running under.

2. Select the Office 365 OAuth tab and click Add.

3. Enter the Name (free-format text), Application ID, Thumbprint, and Tenant (e.g. tenant.onmicrosoft.com).

4. Save and close the Credential Editor.

5. Open the Archive Shuttle Administrator Console.

6. Click Configuration > System Configuration.

7. Go to the O365 module settings and enable the option Use modern authentication (OAuth).

8. Restart the O365 module to force the settings to take immediate effect.
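The following PowerShell script is an added example and is not part of the Quest documentation or the Archive Shuttle product. It produces the certificate used in the certificate-based procedure above: it creates a self-signed signing certificate in the bridgehead server's machine store, exports the .cer that is uploaded in Step 3 and the password-protected .pfx that Step 2 imports on any other module server, prints the thumbprint for Step 4, and then test-connects with the Exchange Online PowerShell V2 module as described in the note above; the Application ID, tenant name and output folder are placeholders.

```powershell
# Added example, not part of the Quest documentation. Run in an elevated
# PowerShell on the bridgehead server. Placeholders to replace:
$AppId  = '00000000-0000-0000-0000-000000000000'   # Application (client) ID from Step 1
$Tenant = 'tenant.onmicrosoft.com'                 # your tenant
$OutDir = 'C:\ArchiveShuttle\OAuthCert'            # assumed output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Self-signed RSA-2048 / SHA-256 certificate in the machine Personal store, marked
# for signature use, which is what the certificate client-assertion flow needs.
# A two-year lifetime keeps the rotation date predictable.
$cert = New-SelfSignedCertificate -Subject 'CN=ArchiveShuttle-OAuth' `
    -CertStoreLocation 'Cert:\LocalMachine\My' -KeyAlgorithm RSA -KeyLength 2048 `
    -HashAlgorithm SHA256 -KeySpec Signature -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2)

# Public part (.cer): this is the file uploaded in Step 3 (Upload certificate).
Export-Certificate -Cert $cert -FilePath "$OutDir\ArchiveShuttle-OAuth.cer" | Out-Null

# Private part (.pfx), password protected: this is the file imported in Step 2 on
# any module server that does not already hold the key. Keep it off shared storage.
$pfxPassword = Read-Host -Prompt 'PFX export password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath "$OutDir\ArchiveShuttle-OAuth.pfx" `
    -Password $pfxPassword | Out-Null

"Thumbprint to enter in the Credential Editor (Step 4): $($cert.Thumbprint)"
"Certificate expires $($cert.NotAfter); schedule a rotation before that date."

# Check, after the .cer is uploaded and admin consent is granted: connect with the
# Exchange Online PowerShell V2 module using exactly the inputs the O365 module
# will use (Application ID, thumbprint, tenant), then disconnect.
Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $cert.Thumbprint `
    -Organization $Tenant -ShowBanner:$false
"Connected as application; organization: $((Get-OrganizationConfig).Name)"
Disconnect-ExchangeOnline -Confirm:$false
```

The account the O365 module runs under must be able to read the certificate's private key; for a machine-store certificate grant that in certlm.msc (right-click the certificate > All Tasks > Manage Private Keys).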

Required API permissions to use modern authentication (OAuth)

The API permissions required for Archive Shuttle are listed below.

As Global Administrator

API                             Permission            Type         Description
Office 365 Exchange Online (1)  full_access_as_app    Application  Use Exchange Web Services with full access to all mailboxes

For Exchange Online

API                             Permission            Type         Description
Microsoft Graph (1)             User.Read             Delegated    Sign in and read user profile
Office 365 Exchange Online (2)  Exchange.ManageAsApp  Application  Manage Exchange as Application
                                full_access_as_app    Application  Use Exchange Web Services with full access to all mailboxes

Planning for Migrations to Exchange

As with ingestion into Office 365, ingestion into Exchange may be subject to throttling limits within Microsoft Exchange. A knowledge base article has been created which can help raise these limits.

By default, the Exchange Import Module will attempt to ingest items into the chosen target mailbox or personal archive three times using AIP and will then fall back to Exchange Web Services (EWS). If all attempts fail, the ItemRoutingErrorCount is incremented and the item is counted as failed (it will be visible on the Failed Items screen and retried from time to time).

Planning for Migrations to Enterprise Vault

When migrating data to an Enterprise Vault environment, it is essential that the option in the provisioning group to “Automatically enable mailboxes” is turned off. If it is not turned off, there is the possibility that duplicate archives may be created in the target.
