Enterprise Vault™ Setting up Exchange Server and Office 365 for SMTP Archiving

Product(s): Enterprise Vault (14.5)

Configure decryption of MPIP-protected emails in Enterprise Vault

Perform the following steps to configure decryption of Microsoft Purview Information Protection (MPIP) protected emails in Enterprise Vault:

  1. On the left navigation pane of the Administration Console, expand the hierarchy until the name of the site is visible.

  2. Right-click on the name of the site, and click Properties.

    The site properties are displayed.

  3. Click on the MPIP tab.

  4. Click on Start decryption of MPIP-protected emails.

  5. Enter the Application ID and Tenant ID on the UI.

    The Application ID and Tenant ID details were retrieved during Register an application with the Azure Active Directory.

  6. Choose an appropriate authentication method in Authenticate with Azure AD using.

    Common certificate installed on all the Enterprise Vault storage servers

    Choose this option if you have to use a single certificate for authentication. Install that certificate in Trusted Root Certification Authorities in Local Computer on all the Enterprise Vault storage servers.

    Common PFX certificate file for all the Enterprise Vault storage servers

    Choose this option if you have to upload a PFX file to Enterprise Vault and use those details for authentication. Enterprise Vault stores the PFX file contents in the database, and the password to open the PFX file is stored in an encrypted format.

    Specific certificate installed on each Enterprise Vault storage server

    Choose this option if you have to use a separate certificate for authentication on each Enterprise Vault storage server. Each storage server should have that certificate installed in Trusted Root Certification Authorities in Local Computer.

    Note:

    For any of the above options, the public key of the X509 certificate must be uploaded to Azure AD as mentioned in Upload certificates.

    Authentication with Azure AD using Common certificate installed on all Enterprise Vault storage servers.

    • Upload the public key of the X509 certificate to Azure AD as mentioned in Upload certificates.

    • Obtain the thumbprint of the X509 certificate as mentioned in step 3 in Upload certificates.

    • Enter that thumbprint in the Certificate Thumbprint field in the above UI.

    • You must install that certificate in Trusted Root Certification Authorities in Local Computer on all Enterprise Vault storage servers.

    Authentication with Azure AD using Common PFX certificate file for all Enterprise Vault storage servers.

    • Upload the public key of the X509 certificate to Azure AD as mentioned in Upload certificates.

    • Upload the PFX file (X509 certificate having both public and private keys) in the Certificate field in the above UI.

    • Enter the password to open the certificate PFX file in the Certificate Password field in the above UI.

    Authentication with Azure AD using a Specific certificate installed on each Enterprise Vault storage server.

    • Upload the public key of the X509 certificate of each Enterprise Vault storage server to Azure AD as mentioned in Upload certificates.

    • Obtain the thumbprint of each storage server's specific X509 certificate as mentioned in step 3 in Upload certificates.

    • Enter the thumbprint of the certificate corresponding to that Enterprise Vault storage server in the Certificate Thumbprint field in the above UI.

    • You must have a certificate installed in Trusted Root Certification Authorities in Local Computer on that Enterprise Vault storage server.

  7. Once you enter all the required details, click Test to validate configuration details. This ensures that all Enterprise Vault storage servers can authenticate with Azure AD and will be able to decrypt MPIP-protected emails during archiving.

  8. If there are any errors, check the event logs of the affected storage server and resolve those errors.

  9. On validation, the UI notifies you whether the MPIP configuration test has been successful or not.

  10. Click OK.

  11. Click OK to close the site properties and save the details in Enterprise Vault.

  12. On the left pane of the Administration Console, expand the hierarchy until Policies is visible. Expand Policies and click SMTP.

    On the right-hand pane, double-click the name of the policy that is used for SMTP archiving. The policy's properties are displayed.

  13. Click the Advanced tab.

  14. Set ClearText copies of MPIP-protected items to Treat as Secondary.

  15. Set Decrypt MPIP-protected items to Decrypt for journal archives only.

  16. Restart the SMTP archiving task and the associated Storage service to apply the changes. If you do not know which task and service are affected, restart all SMTP archiving tasks and the Storage service on all Enterprise Vault storage servers in the site.
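
A pre-check for the installed-certificate options in step 6, which can be run before clicking Test in step 7. This is an added example, not part of the Enterprise Vault documentation or tooling. It assumes PowerShell remoting is enabled on the storage servers, takes the server names and thumbprint as parameters, and its private-key check assumes the installed certificate is the one Enterprise Vault uses to sign its authentication request to Azure AD.

```powershell
param(
    [Parameter(Mandatory)] [string[]] $StorageServers,  # Enterprise Vault storage server names
    [Parameter(Mandatory)] [string]   $RawThumbprint    # thumbprint from Upload certificates, step 3
)

# Thumbprints copied from the certificate dialog often carry spaces or an
# invisible leading character; keep hexadecimal digits only.
$Thumbprint = ($RawThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($Thumbprint.Length -ne 40) {
    throw "Expected a 40-character SHA-1 thumbprint, got $($Thumbprint.Length) characters."
}

$results = foreach ($server in $StorageServers) {
    try {
        Invoke-Command -ComputerName $server -ErrorAction Stop -ArgumentList $Thumbprint -ScriptBlock {
            param($tp)
            # Store named in step 6: Trusted Root Certification Authorities, Local Computer
            $cert = Get-ChildItem -Path Cert:\LocalMachine\Root |
                    Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
            $now = Get-Date
            [pscustomobject]@{
                Server        = $env:COMPUTERNAME
                Found         = [bool]$cert
                # Assumption: signing the Azure AD request needs the private key on this server
                HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
                ValidNow      = [bool]($cert -and $cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
                NotAfter      = if ($cert) { $cert.NotAfter } else { $null }
                Error         = $null
            }
        }
    } catch {
        # Server unreachable or remoting refused: report it instead of aborting the whole run
        [pscustomobject]@{
            Server = $server; Found = $false; HasPrivateKey = $false
            ValidNow = $false; NotAfter = $null; Error = $_.Exception.Message
        }
    }
}

$results | Select-Object Server, Found, HasPrivateKey, ValidNow, NotAfter, Error | Format-Table -AutoSize

# Non-zero exit code if any server would fail, so the check can gate a change window
if ($results | Where-Object { -not ($_.Found -and $_.HasPrivateKey -and $_.ValidNow) }) { exit 1 }
```

For the Specific certificate installed on each Enterprise Vault storage server option, run the script once per server with that server's own thumbprint.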