Setting up Azure AD registered app for O365 Sync with least required permissions for Graph

Article: 100060721
Last Published: 2025-09-18
Product(s): Veritas Alta Archiving, Veritas Alta eDiscovery

Description

This article provides in-depth steps for configuring the Azure Active Directory (AAD) registered app used by the Azure AD sync in Veritas Alta Archiving, supplementing the documentation linked below:

Setting up modern authentication in Azure AD for Exchange Online sync

1.  Register New Application
    - Log in to the Azure AD portal - https://aad.portal.azure.com/
    - Go to Azure Active Directory -> App Registrations -> New Registration
    - Type a name for the app to use for O365 Sync, such as EVC_Sync. Do not select any other options on this screen and select Register.

2.  Create Self-Signed Certificate

    - Create a self-signed certificate with the Exchange Online V2 (EXO V2) module.
        ○ Go to a server that has the EXO V2 module available in PowerShell (PS). If it is not installed, run the following command to make the module available (https://www.powershellgallery.com/packages/ExchangeOnlineManagement/2.0.3):

            Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.3

        ○ Open PS and browse to the local file path where Create-SelfSignedCertificate.ps1 is located (e.g., C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\2.0.3).

NOTE: If another version of the ExchangeOnlineManagement module is installed, such as v2.0.5, the Create-SelfSignedCertificate.ps1 script can be in a different location (e.g., C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\2.0.5\netFramework\).

        ○ Run the following command. Set the certificate expiry as required:

            .\Create-SelfSignedCertificate.ps1 EVCSyncCert -StartDate (Get-Date).Date -EndDate (Get-Date).Date.AddYears(1)

        ○ After successful execution of this script, two files are created in the current working directory: the self-signed public certificate (.CER) and the .PFX file containing the certificate with its private key. The .CER file is uploaded to Azure AD and the corresponding .PFX file is used in Veritas Alta Archiving.

NOTE: Record the password used for the certificate. It will be required later while configuring the Exchange Online sync in Archive Collectors in Veritas Alta Archiving. The .PFX file contains the private key, so store it and its password as securely as any other credential.



    - Upload the certificate (.CER file) created in the previous step: select Certificates & secrets in the left navigation pane of the app registration, then upload the .CER file.
    - It will now show up under Certificates with the associated details (including its thumbprint and expiry date).
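Before uploading, it is worth confirming that the .CER and .PFX files produced by the script belong to the same key pair and that the validity window is what was requested; the thumbprint printed here is also the value to compare against what the portal shows under Certificates & secrets after the upload. The following PowerShell is an added example and not part of the original article or the EXO V2 module; it assumes the files EVCSyncCert.cer and EVCSyncCert.pfx (the article's example name) are in the current directory.

```powershell
# Added example (not from the original article): sanity-check the certificate pair
# created by Create-SelfSignedCertificate.ps1 before uploading the .CER to Azure AD.
# Assumes EVCSyncCert.cer and EVCSyncCert.pfx are in the current directory (hypothetical names
# following the article's example; adjust if you used a different certificate name).
$cerPath = Join-Path (Get-Location) 'EVCSyncCert.cer'
$pfxPath = Join-Path (Get-Location) 'EVCSyncCert.pfx'

# The .CER holds only the public certificate, so it loads without a password.
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)

# The .PFX holds the private key; Get-PfxCertificate prompts interactively for the
# password that was set when the script ran (the one the article says to record).
$pfx = Get-PfxCertificate -FilePath $pfxPath

[pscustomobject]@{
    Subject          = $cer.Subject
    Thumbprint       = $cer.Thumbprint      # compare with the thumbprint shown in Certificates & secrets
    NotBefore        = $cer.NotBefore
    NotAfter         = $cer.NotAfter
    DaysRemaining    = [int]($cer.NotAfter - (Get-Date)).TotalDays
    PfxHasPrivateKey = $pfx.HasPrivateKey   # must be True, or the sync cannot authenticate
    SameKeyPair      = ($cer.Thumbprint -eq $pfx.Thumbprint)
}

if ($cer.Thumbprint -ne $pfx.Thumbprint) {
    Write-Warning 'The .CER and .PFX do not match; re-run the script and upload the matching .CER.'
}
if (-not $pfx.HasPrivateKey) {
    Write-Warning 'The .PFX carries no private key; the export did not complete correctly.'
}
if ($cer.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning 'Certificate expires within 30 days; plan the rotation in Azure AD and Archive Collectors.'
}
```

Run it from the directory where the script wrote the two files. A mismatch between the two thumbprints is the usual cause of an app registration that shows a valid certificate yet still fails to authenticate, so this check is cheaper than debugging the sync later.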



3.  Apply Permissions

    - Browse to API Permissions -> Add Permissions -> Microsoft Graph.
    - Select Application Permissions.
    - Type User.Read.All in the search bar.
    - Expand User and select User.Read.All (Read all users' full profiles).
    - Select the next Graph permission by typing MailboxSettings.Read in the search bar.
    - Expand MailboxSettings and select MailboxSettings.Read (Read mailbox type).
    - Select the last Graph permission by typing Directory.Read.All in the search bar.
    - Expand Directory and select Directory.Read.All (Read directory data).
    - Select Add Permissions so that all three permissions (User.Read.All, MailboxSettings.Read and Directory.Read.All) are applied.
    - Once those permissions are applied, an administrator has to grant admin consent. Until consent is granted, the Status column shows that it has not been granted:
    - After consent is granted, the Status column shows green check marks stating that each permission has been granted:
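Because the whole point of this configuration is least privilege, it is useful to verify from the tenant side that exactly these three application permissions were consented and nothing more (permissions added by a later administrator, or Exchange application roles left over from an older setup, would widen what the sync identity can do). The following PowerShell is an added example, not part of the original article or of Veritas Alta Archiving; it assumes the Microsoft.Graph PowerShell module is installed, that the caller can read applications and service principals, and uses the article's example app name EVC_Sync.

```powershell
# Added example (not from the original article): audit the Microsoft Graph application
# permissions actually consented for the registered app and flag anything outside the
# least-privilege set the article requires.
# Assumes the Microsoft.Graph module is installed; 'EVC_Sync' is the article's example app name.
Connect-MgGraph -Scopes 'Application.Read.All'

$expected = @('User.Read.All', 'MailboxSettings.Read', 'Directory.Read.All')

# The app registration and the service principal that admin consent created for it.
$app = Get-MgApplication -Filter "displayName eq 'EVC_Sync'"
if (-not $app) { throw "App registration 'EVC_Sync' not found." }
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
if (-not $sp) { throw 'No service principal yet: admin consent has not been granted.' }

# Microsoft Graph's own service principal (well-known appId) maps app-role ids to names.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[$role.Id] = $role.Value }

# App role assignments on the service principal are the application permissions an admin consented to.
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id
$granted = $assignments |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $roleNames[$_.AppRoleId] }

# Consented permissions on resources other than Graph (for example Exchange Online) are outside
# the article's configuration and are reported so they can be reviewed.
$otherResources = $assignments | Where-Object { $_.ResourceId -ne $graphSp.Id }

"Application (client) ID : $($app.AppId)"   # one of the two values needed in step 4
"Granted Graph application permissions:"
$granted | ForEach-Object { "  $_" }

$missing = $expected | Where-Object { $_ -notin $granted }
$extra   = $granted  | Where-Object { $_ -notin $expected }

if ($missing)        { Write-Warning "Not consented yet: $($missing -join ', ')" }
if ($extra)          { Write-Warning "Beyond least privilege: $($extra -join ', ')" }
if ($otherResources) { Write-Warning "$($otherResources.Count) permission(s) granted on non-Graph resources; review them." }
if (-not $missing -and -not $extra -and -not $otherResources) {
    'OK: exactly the expected least-privilege set is consented.'
}
```

The check reads assignments rather than the RequiredResourceAccess list on the app registration, because the latter only records what was requested in the portal; what the sync identity can actually do is determined by the roles an administrator consented to. Re-running this after any change to the app registration keeps the configuration honest about the "least required permissions" in the title.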



4.  Updating O365 Sync in Veritas Alta Archiving

    - The following two values are needed from the Azure AD admin center in order to fill in the O365 Sync configuration page in Veritas Alta Archiving:
        1. The Application (client) ID of the application just created (Azure Active Directory -> App Registrations -> EVC_Sync -> Overview).
        2. The Tenant Name, which is the Available domain (NOT the Primary domain) for the Azure AD tenant (Azure Active Directory -> Custom domain names -> Status=Available).

***The default onmicrosoft.com domain MUST be used or the O365 Sync won't fully work***

Lastly, follow the instructions below to complete O365 synchronization with an Azure AD registered app:

Configuring Exchange Online Sync

Note: When O365 Sync is set up with this least-privilege set of permissions, the following O365 Sync functionality will not work:

1. Mailbox Delegate Permissions
2. Provisioning using Distribution List or Dynamic Distribution List (only Sync All Users is supported)
3. Webfolder push
4. Domain Sync

Contact Arctera Technical Support once the above configuration is completed, as a configuration change needs to be made by Support on the Insight tenant to get this to work. 
