Enterprise Vault.cloud™ Archive Administration Help
- Getting started with Archive Administration
- Archive Overview
- Customer Dashboard
- My Config
- About Provisioning
- About Managed Tags
- About Account Management
- Archive Collectors
- About Exchange Online Archiving
- About Bloomberg Archiving
- About Microsoft Teams Archiving
- About OneDrive for Business Archiving
- Role Management
- Policy Management
- Import Data
- Authentication Management
- AD FS Configuration Guide
- Retention Management
- Continuity Management
- Reports Management
- Notification Management
- Personal.cloud Deployment for IBM Notes
- Archive Administration Updates in Previous Releases
- Archive Administration Known Issues
Setting up modern authentication in Azure AD for Exchange Online sync
If you want to use modern authentication for O365 sync, you need to configure an app in Azure AD. After you complete this setup, you get the Application (Client) ID and the primary domain details. These details are required to manage Exchange Online synchronization.
To set up modern authentication in Azure AD for Exchange Online sync
- Create a new Azure AD app.
To create app on the Azure Active Directory, you need to select App Registrations in the left navigation pane. Click New Registration, and provide the user-facing display name of the application. Click Register.
Copy and note the Application (Client) ID.
- On the Azure AD portal, select Certificates & secrets, and upload the public key for a self-signed certificate created by you for the Azure AD app.
You can use any secured method to create a self-signed certificate and a public key. However, in this sample scenario, to create a self-signed certificate and a public key, the Create-SelfSignedCertificate.ps1 script is executed. This script is available with the Exchange Online V2 module. Save or install the module from https://www.powershellgallery.com/packages/ExchangeOnlineManagement/2.0.3
Example to create a self signed certificate using Create-SelfSignedCertificate.ps1
< Location where ExchangeOnlineManagement is installed or saved >\ExchangeOnlineManagement\2.0.3\Create-SelfSignedCertificate.ps1
-CommonName AnimDemoCert -StartDate (Get-Date).Date -EndDate (Get-Date).Date.AddYears(1)
After successful execution of this script, a self-signed certificate (.CER) and the public key (.PFX) will be created in the current working directory. You can use the .PFX certificate file in Enterprise Vault.cloud, and corresponding .CER certificate file in Azure Active Directory.
Note the password used for the certificate. You need this password later while configuring the Exchange Online sync in Archive Administrator.
In the above example, the self-signed certificate is valid for a year. You can choose the certificate expiry as required.
- Upload the certificate (.CER file) that you have created in the previous step.
Select Certificates & secrets in the left navigation pane. Upload the certificate (.CER file) that you have created in the previous step.
Certificates are the recommended way to connect to a registered Azure AD app and also Exchange Online V2 module only supports using certificates to connect to Exchange Online using a registered Azure AD app.
- Provide the required API permissions to the app.
The following Azure AD app permissions are required for configuring Exchange Online sync with Modern Authentication:
The following permissions are required to support for full functionality of this feature. Items noted below as optional can be omitted if the API permission use and the associated functionality is not required for your environment.
Exchange web service (EWS API\Proxy)
API permission use: Web folder deployment
This permission is required for the initial configuration, but is optional for ongoing use if this functionality is not required. You can remove it after initial configuration.
How to configure: Exchange Online Exchange Online > Application permissions > Other permissions > full_access_as_app
Exchange Online V2 (PowerShell)
API permission use: To get exchange related information like delegated permissions, DL membership, and DDL membership.
API permission path: Exchange Online Exchange Online > Application permissions > Exchange > Exchange.ManageAsApp
Exchange.ManageAsApp permission is required. For reference, see Set up app-only authentication
Role: One of the following roles is required.
Need to assign RBAC roles to the app. You can assign any of the following roles:
Exchange Administrator: Use this role if you want the Exchange Online Sync connector create and manage journal address and journal rules in Exchange automatically for you.
How to configure: AAD->Roles and Administrators->Exchange Administrator->Add Assignments->Search for the app-> Select app-> Add Exchange Administrator
Global Reader: Use this role if you prefer to create and manage journal address and journal rules in Exchange manually.
How to configure: AAD->Roles and Administrators->Global Reader->Add Assignments->Search for the app-> Select app-> Add Global Reader.
You cannot see the App immediately after creating it. This could take 12-24 or more hours for the app to show up in the list to be selected.
Need to assign the Exchange Administrator role to add journal address in provisioning configuration automatically in exchange.
Else, the Global Reader role serves the same purpose for syncs.
API permission use: To get user license and other information from Azure AD.
How to configure:
MS Graph > Application permissions > User > User.Read.All
MS Graph > Application permissions > Directory > Directory.Read.All
Permissions to be assigned: You need to at least assign the User.Read.All permission to the application.
Reference: See Permissions
- To add the journal address automatically to Exchange, add app as an Exchange Administrator.
Alternatively, if you want to add the journal address manually, assigning the Global Reader role is enough.
- From the Azure AD portal, select Overview to view Tenant information section.
Copy and note the primary domain details that you need as the Tenant name while configuring the Exchange Online sync in Enterprise Vault.cloud.