Using Modern Authentication (oAuth) with Archive Shuttle
Archive Shuttle can be configured to use oAuth to authenticate with Microsoft Office 365, using a Certificate and/or Secret. Please read the step-by-step guide below on how to configure oAuth using Secret and a certificate.
Note: oAuth is currently supported over both Exchange and PowerShell endpoints in AS 10 or above.
Note: If you would like to use oAuth, please install Azure Active Directory PowerShell Module V2, as oAuth only supports Azure AD PowerShell. For more on this, click here.
Be aware that you must select ONE method of authentication for your Archive Shuttle project: either basic authentication or oAuth authentication. Mixed authentication is not available. However, with Archive Shuttle 10.1 you still require an account with Global Administration rights in the Credential Editor. The minimum permissions required for the account are listed here.
Configuring Modern Authentication (oAuth) with a Secret
Step 1: Create a new Registered Application in Azure
To get an application ID:
- Go to https://portal.azure.com and log in to your Office 365 tenant with an administrator account.
- From the left menu, select Azure Active Directory > App registrations.
- Click New registration.
- Enter a name.
- From the Supported account types, select Supported Account Type – Single tenant.
- Don’t enter anything for Redirect URI (optional). Leave it as it is.
- Click Register.
- Copy the Application (client) ID and save it somewhere secure that you will remember. You will need it later.

Step 2: Configure Permissions, Roles and Secret
Configure Application Permissions: Return to the Azure portal and access Azure Active Directory > App registrations > owned applications. Then find the application you created in Step 1 above.
- Select your application, and then select API Permissions.
- Click Add a Permission.
- In the Request API permissions section > Select APIs my organization uses, search for Office 365 Exchange Online and select this API.
- Click Application Permissions.
- In the Permissions list section, select the full_access_as_app permission listed in this article.
- Click Add permissions.
- Click Grant Admin consent.
Assign User Administrator role to the registered Application:
- From the left menu, select Azure Active Directory > Groups and create New group.
- For Group type choose Security and enter a descriptive name.
- Go to Members > Add members and search for the application created in Step 1 above.
- Click Select and then Create the group.
- Go back to the created group, select Azure Active Directory > Groups.
- Search for the group you have created and open it.
- Select Assigned roles (Preview) > Add assignments and search for role User administrator.
- Click Add.
Configure Application Secret:
- Go to Certificates & Secrets and click the New Client Secret button.
- Enter a descriptive name.
- Choose an Expiry duration for the Secret. (It is recommended to set the secret to not expire.)
- Click Add.
- Copy the Secret created and save it somewhere. You will need it later.
Step 3: Add your Application ID and Secret on the server running the Archive Shuttle O365 Import module.
To do this:
- In Archive Shuttle, open the Credential Editor while logged in as the account the module is running under.
- Select the Office 365 oAuth tab and click Add.
- Enter the Name (free format text), Application ID, Tenant (e.g. tenant.onmicrosoft.com) and Secret.
- Save and close the Credential Editor.
- Open the Archive Shuttle Administrator Console.
- Click Configuration > System Configuration.
- Go to the O365 module settings and enable the option to Use modern authentication (oAuth).
- Restart the O365 module to force settings to take immediate effect.
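The registration from Steps 1 and 2 can be checked independently of Archive Shuttle by requesting an app-only token with the Application ID and Secret and confirming that it carries the full_access_as_app role. The following is an added example, not Archive Shuttle's own code; the function names and the placeholder application ID are assumptions, and the offline run uses a constructed, unsigned token.

```powershell
# Added example (not Archive Shuttle code): check that the app registration
# issues an app-only token with the full_access_as_app role. Function names
# are hypothetical; claims are read here, not signature-verified.
function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtClaims([string]$Token) {
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected three dot-separated parts.' }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Test-AppOnlyToken([string]$Token, [string]$AppId) {
    $c = Get-JwtClaims $Token
    # Assumption: the client ID is in 'appid' (v1 tokens) or 'azp' (v2 tokens)
    $tokenApp = if ($c.appid) { $c.appid } else { $c.azp }
    [pscustomobject]@{
        AppIdMatches  = ($tokenApp -eq $AppId)
        HasFullAccess = (@($c.roles) -contains 'full_access_as_app')
        Roles         = @($c.roles) -join ','
        ExpiresUtc    = [DateTimeOffset]::FromUnixTimeSeconds([long]$c.exp).UtcDateTime
    }
}

function Get-AppOnlyToken([string]$Tenant, [string]$AppId, [securestring]$Secret) {
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $AppId
        client_secret = [Net.NetworkCredential]::new('', $Secret).Password
        scope         = 'https://outlook.office365.com/.default'
    }
    $uri = "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/token"
    (Invoke-RestMethod -Method Post -Uri $uri -Body $body).access_token
}

# Offline run on a constructed, unsigned token (placeholder application ID)
$appId   = '00000000-0000-0000-0000-000000000000'
$payload = @{ appid = $appId; roles = @('full_access_as_app'); exp = 1893456000 } |
    ConvertTo-Json -Compress
$b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($payload))
$b64 = $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
Test-AppOnlyToken "e30.$b64.constructed" $appId

# Live check against the tenant:
# $secret = Read-Host 'Client secret' -AsSecureString
# Test-AppOnlyToken (Get-AppOnlyToken 'tenant.onmicrosoft.com' $appId $secret) $appId
```

If HasFullAccess is False on a live token, the permission was not added as an Application permission or admin consent was not granted.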
Configuring oAuth with a certificate
Step 1: Create a new Registered Application in Azure
To get an application ID:
- Go to https://portal.azure.com and log in to your Office 365 tenant with an administrator account.
- From the left menu, select Azure Active Directory > App registrations.
- Click New registration.
- Enter a name.
- From the Supported account types, select Supported Account Type – Single tenant.
- Don’t enter anything for Redirect URI (optional). Leave it as it is.
- Click Register.
- Copy the Application (client) ID and save it somewhere secure that you will remember. You will need it later.

Step 2: Add a certificate to the server running the O365 module.
For this step you will need a SHA-1 certificate that will be used to establish a secure connection from this workstation to O365. This can be a certificate from a trusted certificate authority or a self-signed certificate. The steps below assume you do not have a trusted certificate and need to create one. There are many ways to create a certificate on a Windows server; the steps below use PowerShell.
To create a self-signed certificate in Windows Server 2016:
- Access the server where the O365 module is installed.
- Launch PowerShell and type the following commands:
# Create certificate
$cert = New-SelfSignedCertificate -Subject "CN=ArchiveShuttleoAuth" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider 'Microsoft RSA SChannel Cryptographic Provider' -NotAfter (Get-Date).AddYears(5)
# Password that protects the private key in the exported .pfx file
$password = ConvertTo-SecureString -String "UseSecurePasswordHere" -Force -AsPlainText
# Folder the certificate files are written to (must already exist)
$localPath = 'D:\Temp'
# Used for authentication -> load it from disk
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $localPath 'ArchiveShuttleSelf.pfx') -Password $password
# Export certificate to a .cer file:
Export-Certificate -Type CERT -Cert $cert -FilePath (Join-Path $localPath 'ArchiveShuttleServer.cer')
* Where "UseSecurePasswordHere" is the desired password of the certificate.
To add an untrusted certificate to your bridgehead server’s local certificate store:
- Access the server where the O365 module is installed.
- Open the certificate manager: click Start > Run and enter certlm.msc.
- Expand Trusted Root Certification Authorities > Certificates.
- Right-click Certificates and select All Tasks > Import… to launch the Certificate Import Wizard.
- Locate the (.cer) certificate file and follow the wizard prompts.
- Supply password, if required.
- Right-click Certificates and select All Tasks > Import… to launch the Certificate Import Wizard.
- Locate the (.pfx) certificate file and follow the wizard prompts.
- Supply the password, if required.
Step 3: Get a Thumbprint.
To get a thumbprint:
- Return to the Azure portal and access Azure Active Directory > App registrations > owned applications, and find the application you created in Step 1 above.
- Select your application, and then select API Permissions.
- Click Add a Permission.
- In the Add API access section > Select an API, choose Exchange.
- In the Select permissions > Enable Access section, select the option to Use Exchange Web Services with full access to all mailboxes. (full_access_as_app)
- Click Add permissions.
- Click Grant Admin consent.
- Go to Certificates & Secrets and click the Upload Certificate button.
- Upload your certificate file from Step 2.
- Copy the certificate Thumbprint and save it somewhere. You will need it later.
Step 4: Add your Application ID and Thumbprint on the server running the Archive Shuttle module.
To do this:
- In Archive Shuttle, open the Credential Editor while logged in as the account the module is running under.
- Select the Office 365 oAuth tab and click Add.
- Enter the Name (free format text), Application ID, Thumbprint, and Tenant (e.g. tenant.onmicrosoft.com).
- Save and close the Credential Editor.
- Open the Archive Shuttle Administrator Console.
- Click Configuration > System Configuration.
- Go to the O365 module settings and enable the option to Use modern authentication (oAuth).
- Restart the O365 module to force settings to take immediate effect.
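The thumbprint entered in Step 4 must identify a certificate that is present on this server with its private key. The check below is an added example, not Archive Shuttle's own code; the function names are assumptions, and the .cer path follows the export commands in Step 2. Run it as the account the module runs under, because the CurrentUser store is per account.

```powershell
# Added example (not Archive Shuttle code): confirm that the certificate
# identified by a thumbprint exists on this server and has a private key.
# Function names are hypothetical.
function ConvertTo-CleanThumbprint([string]$Thumbprint) {
    # Values pasted from a certificate dialog or web page can carry spaces
    # or invisible characters; keep hex digits only.
    ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Find-OAuthCertificate([string]$Thumbprint,
        [string[]]$Stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My',
                              'Cert:\LocalMachine\Root')) {
    $clean = ConvertTo-CleanThumbprint $Thumbprint
    # A SHA-1 thumbprint is 20 bytes, i.e. 40 hex characters
    if ($clean.Length -ne 40) { throw "Expected 40 hex characters, got $($clean.Length)." }
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $clean } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    HasPrivateKey = $_.HasPrivateKey
                    NotAfter      = $_.NotAfter
                    DaysLeft      = [int]($_.NotAfter - (Get-Date)).TotalDays
                }
            }
    }
}

# Read the thumbprint from the exported public certificate and look it up
$cerPath = 'D:\Temp\ArchiveShuttleServer.cer'
if (Test-Path $cerPath) {
    $cer   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
    $found = @(Find-OAuthCertificate $cer.Thumbprint)
    if (-not $found) { Write-Warning "No store on this server holds $($cer.Thumbprint)." }
    elseif (-not ($found | Where-Object HasPrivateKey)) {
        Write-Warning 'Certificate found, but no copy has a private key.'
    }
    $found | Format-Table -AutoSize
}
```

The thumbprint printed here should equal the one shown in the Azure portal after the upload in Step 3; DaysLeft shows how long the certificate remains valid.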