Setting up Azure AD registered app for O365 Sync

Article: 100050356
Last Published: 2023-04-17
Product(s): Veritas Alta Archiving

Description

This article was created to provide in-depth steps for the configuration of the Azure Active Directory (AD) registered app for the Exchange Online sync in Veritas Alta Archiving, in addition to the already provided documentation at the link below:

Setting up modern authentication in Azure AD for Exchange Online sync
 

1.  Register New Application

    - Log in to the Azure AD portal: https://aad.portal.azure.com/
    - Go to Azure Active Directory -> App Registrations -> New Registration

    - Type a name for the app to use for O365 Sync, such as EVC_Sync. Do not select any other options on this screen, then select Register.
 


 

2.  Create Self-Signed Certificate

    - Create a self-signed certificate with the Exchange Online V3 (EXO V3) module. 
        ○ Go to a server that has the EXO V3 module available in PowerShell (PS).  If it is not installed, run the following command to make the module available (https://www.powershellgallery.com/packages/ExchangeOnlineManagement/3.1.0):

            Install-Module -Name ExchangeOnlineManagement -RequiredVersion 3.1.0

        ○ Open PS and browse to the local file path (i.e., C:\Program Files\WindowsPowerShell\Modules\ExchangeOnlineManagement\3.1.0\netFramework) where the Create-SelfSignedCertificate.ps1 is located. 
        ○ Run the following command.  Set the certificate expiry as required:

            .\Create-SelfSignedCertificate.ps1 EVCSyncCert -StartDate (Get-Date).Date -EndDate (Get-Date).Date.AddYears(1)

            
        
        ○ After successful execution of this script, a self-signed certificate (.CER) and public key (.PFX) will be created in the current working directory.  The .CER file will be used in Azure AD and the corresponding .PFX file in Veritas Alta View Compliance & Governance console.

        NOTE: Record the password used for the certificate. This will be required later while configuring the Exchange Online sync in Archive Collectors in Veritas Alta Archiving.

        
            
        
    - Select Certificates & secrets in the left navigation pane and then upload the certificate (.CER file) that was created in the previous step.

   
    
    - It will now show up under Certificates with the associated details.
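
A local check of the two files, added here as an example (it is not part of the Veritas article or of Microsoft's script): it confirms that the .CER and .PFX are a matching pair, that the .PFX carries the private key and therefore is the file to protect, and prints the thumbprint and expiry to compare with what Azure AD lists under Certificates. The file names EVCSyncCert.cer and EVCSyncCert.pfx are assumed from the argument passed to the script above.

```powershell
# Added example. Assumption: Create-SelfSignedCertificate.ps1 wrote
# EVCSyncCert.cer and EVCSyncCert.pfx to the current directory.
# Full paths are built because .NET does not follow PowerShell's current location.
$cerPath = Join-Path $PWD 'EVCSyncCert.cer'
$pfxPath = Join-Path $PWD 'EVCSyncCert.pfx'

# Prompt for the certificate password recorded earlier; it is not echoed.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

$cer = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
$pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $pfxPassword)

$now      = Get-Date
$findings = @()
if (-not $pfx.HasPrivateKey) {
    $findings += 'PFX has no private key; certificate authentication cannot work.'
}
if ($cer.Thumbprint -ne $pfx.Thumbprint) {
    $findings += 'CER and PFX thumbprints differ; the files are not a pair.'
}
if ($now -lt $pfx.NotBefore) {
    $findings += "Certificate is not valid until $($pfx.NotBefore)."
}
if ($now -gt $pfx.NotAfter) {
    $findings += "Certificate expired on $($pfx.NotAfter)."
}

$report = [pscustomobject]@{
    Subject    = $pfx.Subject
    Thumbprint = $pfx.Thumbprint   # compare with the thumbprint shown in Azure AD
    NotAfter   = $pfx.NotAfter     # the sync stops authenticating after this date
    DaysLeft   = [math]::Floor(($pfx.NotAfter - $now).TotalDays)
    Findings   = $findings
}

# Release the key material loaded from the PFX.
$cer.Reset()
$pfx.Reset()

$report | Format-List
```

An empty Findings list means the pair is consistent; the NotAfter date is the point by which a replacement certificate has to be uploaded to Azure AD and to Veritas Alta Archiving.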

   
  

3.  Apply Permissions

    - Browse to API Permissions -> Add Permissions -> Microsoft Graph.
 

    - Select Application Permissions.
    - Type User.Read.All in the search bar.
    - Expand User and select User.Read.All (Read all users' full profiles).

     
    
    - Select the last Graph permission by typing Directory.Read.All in the search bar.
    - Expand Directory and select Directory.Read.All (Read directory data).
    - Select Add Permissions so both User.Read.All and Directory.Read.All permissions get applied.   
 



    - Go back to Add A Permission and select APIs My Organization Uses.
    - Type Office in the search bar.
    - Select Office 365 Exchange Online.

   
 

    - Select Application Permissions.
    - Expand Other Permissions and select full_access_as_app (Use Exchange Web Services with full access to all mailboxes).
    - Expand Exchange and select Exchange.ManageAsApp (Manage Exchange As Application).
    - Select Add Permissions.




    - Once those permissions are applied, the admin has to grant consent.  The following will be seen if not granted:



    - After granting permissions it will show green check marks stating it has been granted:


  

4.  Assign Roles

    - Now the app needs to be assigned the Exchange Administrators role.

(NOTE: The Exchange Administrators role and the Global Reader role serve the same purpose in terms of performing a sync in the Veritas Alta Archiving O365 Sync.  The only difference is that the Exchange Administrators role is needed to add a journal address automatically in Exchange Online, so if that is not needed the permissions can be minimized by using the Global Reader role instead.) 

    - Go back to Azure Active Directory and select Roles and Administrators.
    - Type Exchange in the search bar and select Exchange Administrator.
    - Select the 3 dots at the right to show the Description.



    - Select Assignments from the left-hand side and select Add Assignments.
    - Type EVC to show the app created earlier.  In this example it's EVC_Sync.
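
An audit of what steps 3 and 4 actually granted, added here as an example (not from the Veritas article): it lists the application permissions and directory roles held by the EVC_Sync service principal and compares them with the four permissions named above, so missing admin consent or extra grants stand out. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed and that the signed-in admin can consent to the two read-only scopes shown; neither is mentioned in the article.

```powershell
# Added example. Assumptions: Microsoft.Graph module installed; app named EVC_Sync.
$appName  = 'EVC_Sync'
$expected = 'User.Read.All', 'Directory.Read.All',
            'full_access_as_app', 'Exchange.ManageAsApp'

Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.Read.Directory'

$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$appName'")
if ($sp.Count -ne 1) { throw "Expected exactly one service principal named $appName." }
$sp = $sp[0]

# Application permissions show up as app role assignments once admin consent is granted.
$apis    = @{}   # cache of resource service principals (Microsoft Graph, Exchange Online)
$granted = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    if (-not $apis.ContainsKey($a.ResourceId)) {
        $apis[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    }
    $role = $apis[$a.ResourceId].AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    [pscustomobject]@{ Api = $a.ResourceDisplayName; Permission = $role.Value }
}

# Directory roles assigned to the app (Exchange Administrator or Global Reader per the note above).
$roles = foreach ($ra in Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'" -All) {
    (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $ra.RoleDefinitionId).DisplayName
}

[pscustomobject]@{
    App            = $sp.DisplayName
    AppId          = $sp.AppId
    Granted        = @($granted | ForEach-Object { "$($_.Api): $($_.Permission)" })
    Missing        = @($expected | Where-Object { $_ -notin $granted.Permission })
    Unexpected     = @($granted | Where-Object { $_.Permission -notin $expected } |
                       ForEach-Object { "$($_.Api): $($_.Permission)" })
    DirectoryRoles = @($roles)
} | Format-List

Disconnect-MgGraph | Out-Null
```

Entries under Missing usually mean admin consent has not been granted yet; entries under Unexpected, or directory roles beyond the one chosen in step 4, are grants to review and remove, given that full_access_as_app already reaches every mailbox.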
 

 

5.  Updating O365 Sync in Veritas Alta Archiving 

    - The following two things are needed from the Azure AD Admin Center in order to configure the O365 Sync configuration page in Veritas Alta Archiving:
        1. The Application (client) ID of the application just created (Azure Active Directory -> App Registrations -> EVC_Sync -> Overview)
 

        2. The Tenant Name which is the Available Domain (NOT the Primary Domain) for the Azure AD Tenant (Azure Active Directory -> Custom domain names -> Status=Available).

***The default onmicrosoft.com domain MUST be used or the O365 Sync won't fully work***

Lastly, follow the instructions below to complete O365 synchronizations with Azure AD registered app:
 
Configuring Exchange Online Sync
