Enterprise Vault.cloud™ Archive Administration Help
Setting up modern authentication in Azure AD for Exchange Online sync
If you want to use modern authentication for Office 365 (O365) sync, you must register an application in Azure AD. When this setup is complete you have the Application (Client) ID, the certificate and the primary domain of the tenant. These details are required to configure and manage Exchange Online synchronization.
To set up modern authentication in Azure AD for Exchange Online sync
- Create a new Azure AD app.
In the Azure Active Directory portal, select App registrations in the left navigation pane. Click New registration, enter the user-facing display name of the application, and click Register.
Copy and note the Application (Client) ID.
- In the Azure AD portal, select Certificates & secrets and upload the public certificate (.CER) of a self-signed certificate that you created for the Azure AD app.
You can use any secure method to create the self-signed certificate. In this sample scenario the Create-SelfSignedCertificate.ps1 script is run. This script is available with the Exchange Online V2 module; save or install the module from https://www.powershellgallery.com/packages/ExchangeOnlineManagement/2.0.3
Example to create a self-signed certificate using Create-SelfSignedCertificate.ps1:
<Location where ExchangeOnlineManagement is installed or saved>\ExchangeOnlineManagement\2.0.3\Create-SelfSignedCertificate.ps1 -CommonName AnimDemoCert -StartDate (Get-Date).Date -EndDate (Get-Date).Date.AddYears(1)
After the script runs successfully, two files are created in the current working directory: a .CER file that contains only the public certificate, and a password-protected .PFX file that contains the certificate together with its private key. Upload the .CER file to Azure Active Directory and use the .PFX file in Enterprise Vault.cloud. Treat the .PFX file and its password as secrets: anyone who holds them can authenticate as the app with every permission you grant it in the following steps.
Note the password used to protect the .PFX file. You need this password later when you configure the Exchange Online sync in Archive Administration.
In the example above, the self-signed certificate is valid for one year. You can choose the certificate expiry as required. The sync can no longer authenticate once the certificate expires, so plan to renew it in both Azure AD and Enterprise Vault.cloud before that date.
- Upload the certificate (.CER file) that you created in the previous step.
Select Certificates & secrets in the left navigation pane and upload the .CER file. Do not upload the .PFX file, because it contains the private key.
Certificates are the recommended way to connect to a registered Azure AD app, and the Exchange Online V2 module only supports certificate-based authentication when connecting to Exchange Online through a registered Azure AD app; a client secret cannot be used for this purpose.
- Grant the required API permissions to the app.
The following Azure AD app permissions are required for modern authentication for Exchange Online sync:
Exchange Web Services (EWS API / proxy)
API permission use: Web folder deployment.
API permission path: Exchange Online > Application permissions > Other permissions > full_access_as_app
Note that full_access_as_app lets the app use EWS against every mailbox in the tenant, which is one more reason to protect the certificate and its password.
Exchange Online V2 (PowerShell)
API permission use: To get Exchange-related information such as delegated permissions, distribution lists (DL), dynamic distribution lists (DDL), and so on.
API permission path: Exchange Online > Application permissions > Exchange > Exchange.ManageAsApp
Permissions to be assigned: For the application object to access Exchange Online resources it needs the application permission Exchange.ManageAsApp, and it must also be assigned an Azure AD RBAC role. Assign one of the following roles:
Exchange Administrator, if the journal address is to be added to the provisioning configuration in Exchange automatically.
Global Reader, which is sufficient for the syncs if you add the journal address manually.
Microsoft Graph
API permission use: To get user license and other information from Azure AD.
API permission path:
MS Graph > Application permissions > User > User.Read.All
MS Graph > Application permissions > Directory > Directory.Read.All
Permissions to be assigned: You must assign at least the User.Read.All permission to the application.
Application permissions do not take effect until an administrator grants admin consent for the tenant, so grant consent after adding them and confirm that the Status column shows the consent as granted.
- To add the journal address to Exchange automatically, assign the app the Exchange Administrator role.
Alternatively, if you want to add the journal address manually, the Global Reader role is enough and gives the app considerably less privilege.
- In the Azure AD portal, select Overview to view the Tenant information section.
Copy and note the primary domain. You enter it as the Tenant name when configuring the Exchange Online sync in Enterprise Vault.cloud.
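The certificate part of the procedure above and a check of the finished registration, as an added example that is not part of the Enterprise Vault.cloud documentation or of the Exchange Online V2 module. The script creates the self-signed certificate with the built-in New-SelfSignedCertificate cmdlet instead of Create-SelfSignedCertificate.ps1, exports the .CER file for Azure AD and the password-protected .PFX file for Enterprise Vault.cloud, prints the thumbprint to compare with the one Azure AD shows after the upload, and then tests an app-only connection with Connect-ExchangeOnline. The certificate name, output folder, Application (Client) ID and tenant domain are placeholder assumptions; it assumes Windows PowerShell with the PKI module and the ExchangeOnlineManagement module installed, and the connection test only succeeds after the .CER is uploaded, Exchange.ManageAsApp is consented and a role (Exchange Administrator or Global Reader) is assigned.

```powershell
# Added example, not the product's or module's own code. Replace the placeholders
# (certificate name, app ID, tenant domain, output folder) with your own values.

$CommonName = 'AnimDemoCert'                         # assumed certificate name
$OutDir     = Join-Path $PWD 'evcloud-cert'          # assumed output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Create a self-signed certificate valid for one year in the CurrentUser store.
#    Exportable key policy is required so the private key can go into the PFX.
$cert = New-SelfSignedCertificate `
    -Subject "CN=$CommonName" `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy Exportable `
    -KeySpec Signature `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -NotBefore (Get-Date).Date `
    -NotAfter  (Get-Date).Date.AddYears(1)

# 2. Export the public certificate (.CER) for Azure AD. This file holds no private key.
$cerPath = Join-Path $OutDir "$CommonName.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# 3. Export the certificate with its private key (.PFX) for Enterprise Vault.cloud.
#    Prompting for the password keeps it out of the shell history; store it in a
#    password manager because Archive Administration asks for it during sync setup.
$pfxPath     = Join-Path $OutDir "$CommonName.pfx"
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PFX file'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 4. Show what to upload where, and the thumbprint to compare with the value Azure AD
#    displays under Certificates & secrets after the .CER upload.
"Upload to Azure AD (Certificates & secrets): $cerPath"
"Use in Enterprise Vault.cloud (keep secret):  $pfxPath"
"Thumbprint to verify in Azure AD:             $($cert.Thumbprint)"

# 5. Check the registration end to end (run after the .CER is uploaded, admin consent
#    is granted and the RBAC role is assigned). A successful Get-OrganizationConfig
#    proves that app ID, certificate and role line up; an access-denied or
#    unauthorized error usually means the role or Exchange.ManageAsApp is missing.
$AppId  = '00000000-0000-0000-0000-000000000000'     # Application (Client) ID, assumed
$Tenant = 'contoso.onmicrosoft.com'                  # primary domain from Overview, assumed

Connect-ExchangeOnline -AppId $AppId -Organization $Tenant `
    -CertificateThumbprint $cert.Thumbprint -ShowBanner:$false
Get-OrganizationConfig | Select-Object Name, DisplayName
Disconnect-ExchangeOnline -Confirm:$false
```

The connection test uses the certificate from the local store by thumbprint; on a machine without the store entry, Connect-ExchangeOnline also accepts -CertificateFilePath with the .PFX and -CertificatePassword, which is the same pair of values Enterprise Vault.cloud is given. If the test succeeds with Global Reader but the journal address does not get created during provisioning, that is the expected difference between the two roles described above, not a certificate problem.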