Security Requirements

Overview

The exchange connector uses a mixture of the Microsoft Exchange Web Service and Exchange Online PowerShell management to crawl and secure content.

Access Requirements

The Upland BA Insight Exchange Online connector uses OAuth. The O365 account used in the OAuth process must have the permissions below configured in the Exchange Admin Center. Permissions for the crawling account can be granted through Role Management or assigned directly to the crawl account through PowerShell.

Using Role Management

  1. Log in to the Exchange Admin Center: admin.exchange.microsoft.com.

  2. Select Roles > Admin Roles.

  3. Create a new Admin Role Group. Enter a Name and Description for your role group then click Next.

    From the Permissions list, select the following permissions:

    1. Application Impersonation

    2. Mailbox Search

    3. View-Only Audit Logs

    4. View-Only Recipients

    When you are finished, click Next.

  4. In the Members field, assign the crawling account to the admin role.

  5. Review and Finish the role setup.

Using Direct Assignment through PowerShell

  1. Open Windows PowerShell or Windows PowerShell ISE.

  2. If the Exchange Online Management PowerShell module has not been previously loaded, execute the following command:

    Get-InstalledModule -Name ExchangeOnlineManagement

  3. Enter the following command to connect to Exchange Online with an Admin account:

    Connect-ExchangeOnline -UserPrincipalName exchangeadmin@contoso.com

  4. Run the following 4 commands:

    New-ManagementRoleAssignment -Role "View-Only Audit Logs" -User exchange_crawler@contoso.com

    New-ManagementRoleAssignment -Role "View-Only Recipients" -User exchange_crawler@contoso.com

    New-ManagementRoleAssignment -Role "Mailbox Search" -User exchange_crawler@contoso.com

    New-ManagementRoleAssignment -Role "Application Impersonation" -User exchange_crawler@contoso.com
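The following script is an added example and is not part of the BA Insight documentation or product. It performs the "Using Role Management" steps (a role group holding exactly the four roles, with the crawl account as its member) from PowerShell instead of the Admin Center, and then runs the check that is also worth doing after the four direct assignments above: it lists the roles that reach the crawl account and flags any that are missing or that go beyond the required set. The admin UPN, crawl account UPN and role group name are placeholders you must replace; the cmdlets used (New-RoleGroup, Add-RoleGroupMember, Get-ManagementRoleAssignment and friends) are the standard Exchange Online Management cmdlets.

```powershell
# Added example: role-group based grant of the connector's roles plus a least-privilege check.
# Placeholder values, replace before running:
$AdminUpn      = 'exchangeadmin@contoso.com'       # admin account used for Connect-ExchangeOnline
$CrawlerUpn    = 'exchange_crawler@contoso.com'    # the account the connector crawls with
$RoleGroupName = 'BA Insight Exchange Crawler'     # hypothetical role group name

# The four roles listed in the documentation above; nothing more.
$RequiredRoles = @(
    'View-Only Audit Logs',
    'View-Only Recipients',
    'Mailbox Search',
    'Application Impersonation'
)

# Install the module if it is absent, otherwise Connect-ExchangeOnline is unavailable.
if (-not (Get-InstalledModule -Name ExchangeOnlineManagement -ErrorAction SilentlyContinue)) {
    Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -Force
}
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Role Management step 3: create the role group with exactly the required roles (only once).
$group = Get-RoleGroup -Identity $RoleGroupName -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-RoleGroup -Name $RoleGroupName -Roles $RequiredRoles `
        -Description 'Least-privilege roles for the BA Insight Exchange connector crawl account'
    Write-Host "Created role group '$RoleGroupName'"
}

# Role Management step 4: add the crawl account as a member, only when it is not one already.
$memberAddresses = Get-RoleGroupMember -Identity $RoleGroupName |
    ForEach-Object { "$($_.PrimarySmtpAddress)" }
if ($CrawlerUpn -notin $memberAddresses) {
    Add-RoleGroupMember -Identity $RoleGroupName -Member $CrawlerUpn
    Write-Host "Added $CrawlerUpn to '$RoleGroupName'"
}

# Verification (also applies after direct assignment): roles that reach the crawl account,
# whether assigned directly or inherited through role-group membership.
$effectiveRoles = Get-ManagementRoleAssignment -RoleAssignee $CrawlerUpn |
    ForEach-Object { "$($_.Role)" } | Sort-Object -Unique

$missing = $RequiredRoles  | Where-Object { $_ -notin $effectiveRoles }
$extra   = $effectiveRoles | Where-Object { $_ -notin $RequiredRoles }

if ($missing) { Write-Warning "Crawl account is missing: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Crawl account holds roles the connector does not need: $($extra -join ', ')" }
if (-not $missing -and -not $extra) { Write-Host "Crawl account holds exactly the required roles." }

Disconnect-ExchangeOnline -Confirm:$false
```

The "extra roles" warning is the part that matters over time: a crawl account that later picks up membership in a broader role group (for example one that includes mailbox import/export or recipient write rights) still satisfies the connector, so nothing breaks, but the blast radius of a leaked OAuth token grows. Running this check on a schedule keeps the account at the four roles the connector actually needs.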

Exchange Connector PowerShell Commands

The Exchange connector uses the following PowerShell commands; the second column lists the role (or roles) that grant access to each command:

    Command                         Access through role
    1. Get-DistributionGroup        View-Only Recipients
    2. Get-Group                    View-Only Recipients
    3. Get-Mailbox                  Mailbox Search, View-Only Recipients, View-Only Audit Logs
    4. Get-MailboxPermission        View-Only Recipients
    5. Get-MailboxFolderPermission  Mailbox Search
    6. Get-User                     View-Only Recipients
    7. Search-MailboxAuditLog       View-Only Audit Logs
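The table above states which role covers which cmdlet. The script below is an added example (not from the BA Insight documentation) that verifies those statements against your own tenant's RBAC data rather than trusting the table: for each connector cmdlet it asks Exchange Online which management roles contain that cmdlet (Get-ManagementRole -Cmdlet) and intersects that with the roles the crawl account actually holds. The crawl account UPN is a placeholder; the cmdlet list is taken verbatim from the table.

```powershell
# Added example: confirm every connector cmdlet is reachable through a role the crawl account holds.
$CrawlerUpn = 'exchange_crawler@contoso.com'   # placeholder, replace

# Cmdlets the connector issues, as listed in the table above.
$ConnectorCmdlets = @(
    'Get-DistributionGroup',
    'Get-Group',
    'Get-Mailbox',
    'Get-MailboxPermission',
    'Get-MailboxFolderPermission',
    'Get-User',
    'Search-MailboxAuditLog'
)

Connect-ExchangeOnline -ShowBanner:$false   # prompts for an admin account

# Roles assigned to the crawl account (directly or through role groups).
$heldRoles = Get-ManagementRoleAssignment -RoleAssignee $CrawlerUpn |
    ForEach-Object { "$($_.Role)" } | Sort-Object -Unique

$report = foreach ($cmdlet in $ConnectorCmdlets) {
    # All roles in the tenant whose role entries include this cmdlet.
    $grantingRoles = Get-ManagementRole -Cmdlet $cmdlet | ForEach-Object { "$($_.Name)" }
    # The subset of those roles the crawl account actually has.
    $viaHeld = @($grantingRoles | Where-Object { $_ -in $heldRoles })
    [pscustomobject]@{
        Cmdlet    = $cmdlet
        Covered   = ($viaHeld.Count -gt 0)
        GrantedBy = ($viaHeld -join ', ')
    }
}

$report | Format-Table -AutoSize

$uncovered = @($report | Where-Object { -not $_.Covered })
if ($uncovered.Count -gt 0) {
    Write-Warning "Not reachable with the crawl account's roles: $($uncovered.Cmdlet -join ', ')"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Reading the GrantedBy column next to the table also tells you which of the four roles does real work for a given cmdlet; if a cmdlet shows up as covered only by a role you did not expect, the role definitions in your tenant differ from the ones the table assumes and the connector's behaviour should be rechecked after any RBAC change.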

Registering Azure Active Directory Application

Use the following steps to register your Azure AD application:

  1. Using an Azure Administrator account which can create applications, go to Azure Active Directory > App Registrations > New App Registration.

  2. Select Public client / native (mobile & desktop) in the platform drop-down.

  3. Use “http://localhost:2571/oAuthresult.aspx” (or another address pointing to your Exchange Connector IIS Site) as the redirect URI.

    • Example: http(s)://<yourExchangeConnectorSite>:<PORT>/OAuthResult.aspx
  4. Click Register.

  5. On the Overview page, note the Application ID and Tenant ID to use them later in the deployment process.

  6. Click API permissions in the left pane, click Add a permission, and add the following Delegated Permissions and Application Permissions:

    • Microsoft Graph:
      • Calendars.Read
      • Contacts.Read
      • Mail.Read
      • Tasks.Read.All
      • User.Read.All
    • Office 365 Exchange Online
      • EWS.AccessAsUser.All
      • Exchange.Manage
    • Tip: The permission Exchange.Manage enables PowerShell to run using OAuth tokens.
  7. Click Certificates & Secrets from the left pane, click New client secret, and add your client secret string. Copy the Client Secret when you are finished.
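Once the registration exists, it is worth reading it back and comparing it with what the steps above call for, because a permission added by mistake during step 6 (or later, by someone else) silently widens what a stolen token can do. The script below is an added example, not from the BA Insight documentation, and it uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgApplication, Get-MgServicePrincipal from the Microsoft.Graph.Applications module), which the page itself does not use. The Application ID and redirect URI values are placeholders; the permission names and the two resource application IDs (Microsoft Graph 00000003-0000-0000-c000-000000000000, Office 365 Exchange Online 00000002-0000-0ff1-ce00-000000000000) are well-known Microsoft values.

```powershell
# Added example: audit the app registration against the documented redirect URI and permissions.
$AppId               = '00000000-0000-0000-0000-000000000000'     # placeholder: Application ID from step 5
$ExpectedRedirectUri = 'http://localhost:2571/OAuthResult.aspx'   # placeholder: the URI you entered in step 3

# Expected permissions per resource API, exactly as listed in step 6.
$Expected = @{
    '00000003-0000-0000-c000-000000000000' = @('Calendars.Read', 'Contacts.Read', 'Mail.Read',
                                                'Tasks.Read.All', 'User.Read.All')          # Microsoft Graph
    '00000002-0000-0ff1-ce00-000000000000' = @('EWS.AccessAsUser.All', 'Exchange.Manage')   # Office 365 Exchange Online
}

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$app = Get-MgApplication -Filter "appId eq '$AppId'"
if (-not $app) { throw "No application registration found with appId $AppId" }

# Redirect URI check: step 2 registers the URI on the public client (mobile & desktop) platform,
# but the web platform is included too so a URI moved there is not missed.
$redirects = @($app.PublicClient.RedirectUris) + @($app.Web.RedirectUris)
if ($redirects -contains $ExpectedRedirectUri) {
    "Redirect URI OK: $ExpectedRedirectUri"
} else {
    Write-Warning "Expected redirect URI not registered: $ExpectedRedirectUri (registered: $($redirects -join ', '))"
}

# Permission check: requested permission IDs are GUIDs, so resolve them to names through the
# resource API's service principal (Oauth2PermissionScopes = delegated, AppRoles = application).
foreach ($resourceAppId in $Expected.Keys) {
    $sp = Get-MgServicePrincipal -Filter "appId eq '$resourceAppId'"
    $nameById = @{}
    foreach ($scope in $sp.Oauth2PermissionScopes) { $nameById[$scope.Id] = $scope.Value }
    foreach ($role  in $sp.AppRoles)               { $nameById[$role.Id]  = $role.Value  }

    $requested = @(
        $app.RequiredResourceAccess |
            Where-Object { $_.ResourceAppId -eq $resourceAppId } |
            ForEach-Object { $_.ResourceAccess } |
            ForEach-Object { $nameById[$_.Id] }
    ) | Sort-Object -Unique

    $missing = $Expected[$resourceAppId] | Where-Object { $_ -notin $requested }
    $extra   = $requested | Where-Object { $_ -notin $Expected[$resourceAppId] }

    "$($sp.DisplayName): requested = $($requested -join ', ')"
    if ($missing) { Write-Warning "  missing (connector will fail): $($missing -join ', ')" }
    if ($extra)   { Write-Warning "  not listed in the documentation (widens token scope): $($extra -join ', ')" }
}

# Client secrets (step 7): surface expiry dates so a lapsed secret does not silently stop crawling.
foreach ($cred in $app.PasswordCredentials) {
    "Client secret '$($cred.DisplayName)' expires $($cred.EndDateTime)"
}

Disconnect-MgGraph | Out-Null
```

Application.Read.All is sufficient for this read-only audit; do not run it with a broader scope. The "extra" warning is the one to act on: the delegated permissions listed in step 6 are all read scopes, so anything else appearing there (a write scope, or an application-type permission granted tenant-wide) means the registration no longer matches the connector's least-privilege footprint.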

Authorize Access to Exchange Online

For each connection to a specific Exchange Online instance (if you plan to index multiple instances), you must register and authorize a separate Azure App with your BA Insight Exchange Online connector.

Use the steps below to register and authorize each of your Azure app(s) with your BA Insight Exchange Online connector.

  1. Navigate to the OAuth.aspx page of your connector.

    1. For example, http://localhost:2571/OAuth.aspx.
  2. Provide the necessary information:

    1. Client Id:

      1. This is the application ID for the Azure App you created previously.

      2. For example, 86a9e7f9-9337-454b-8159-c28785729425
    2. Tenant Id:

      1. This is your Azure Tenant ID

      2. For example, 658ca3f0-2a13-4b4c-966e-62f8ea2b0902
    3. OAuth Login Base URL:

      1. This is the default login base URL for your Azure Tenant

        1. If you are using the default value, do not change the predefined value:

          • https://login.microsoftonline.com

        2. If you are using a different one, update this field accordingly

    4. OAuth Authorization Scope:

      1. The EWS.AccessAsUser.All scope URL and offline_access scope separated by a single space. If you are using a default value, do not change the predefined value: https://outlook.office365.com/EWS.AccessAsUser.All offline_access

      2. If you are using a different scope URL, update this field accordingly.

  3. Click the Authorize button.

  4. A login pop-up window appears. Specify the credentials for the Azure account that you granted Application Impersonation and Mailbox Search permissions to (the account is used to retrieve Exchange content).

  5. Click on Accept.

  6. On success, a "Connector is successfully authorized" message displays.