Tools4everBV / HelloID-Conn-Prov-Target-ExchangeOnline

Exchange Online - Target - Permissions
:warning: Warning
This connector is written and tested for the EXO module v3.1. Please make sure you have at least this version installed.
:information_source: Information
This repository contains the connector and configuration code only. The implementer is responsible for acquiring the connection details such as username, password, certificate, etc. You might even need to sign a contract or agreement with the supplier before implementing this connector. Please contact the client's application manager to coordinate the connector requirements.

Versioning

| Version | Description | Date |
| --- | --- | --- |
| 2.0.0 | Use of Access Token to authenticate and no longer use additional PS sessions | 2023/06/09 |
| 1.0.0 | Initial release | 2022/03/30 |

Requirements

Introduction

For this connector we have the option to correlate to and/or update Exchange Online (Office 365) users and/or mailboxes and provision permission(s) to a group and/or shared mailbox.

Only Exchange and Cloud-only groups are supported

If you want to create Exchange Online (Office 365) users and/or mailboxes, please use the built-in Microsoft (Azure) Active Directory target system. Alternatively, set up Business Rules to provision an Office 365 license group; Microsoft will then automatically provision a mailbox for the user.

Installing the Microsoft Exchange Online PowerShell V3.1 module

Since we use the cmdlets from the Microsoft Exchange Online PowerShell module, this module must be installed and available for the service account. Please follow the Microsoft documentation on how to install the module.

Creating the Azure AD App Registration and certificate

The steps below are based on the Microsoft documentation as of the moment of release. The Microsoft documentation is always leading and is subject to change, so the steps below might not reflect later changes.

Please note that our steps differ from the current documentation, as we use Access Token Based Authentication instead of Certificate Based Authentication.

Application Registration

The first step is to register a new Azure Active Directory Application. The application is used to connect to Exchange and to manage permissions.

Some key items regarding the application are the Application ID (which is the Client ID), the Directory ID (which is the Tenant ID) and the Client Secret.

Configuring App Permissions

The Microsoft Graph documentation provides details on which permissions are required for each permission type.

Assign Azure AD roles to the application

Azure AD has more than 50 admin roles available. The Exchange Administrator role should provide the required permissions for any task in Exchange Online PowerShell. However, some actions may not be allowed, such as managing other admin accounts; for these, the Global Administrator role would be required. Please note that the required role may vary based on your configuration.

For more information about the permissions, please see the Microsoft docs:

Authentication and Authorization

There are multiple ways to authenticate to the Graph API, each with its own pros and cons. In this example we are using the Authorization Code grant type.

Connection settings

The following settings are required to connect.

| Setting | Description |
| --- | --- |
| Azure AD Organization | The name of the organization to connect to and where the Azure AD App Registration exists. Please note: This has to be the .onmicrosoft domain name |
| Azure AD Tenant ID | Id of the Azure tenant |
| Azure AD App Id | The Application (client) ID of the Azure AD App Registration with Exchange Permissions |
| Azure AD App Secret | Secret of the Azure AD App Registration with Exchange Permissions |
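
The sketch below shows how the four settings above can be used for access-token authentication with the EXO v3.1 module. It is an added example, not the connector's own code. It assumes the token is requested with the OAuth 2.0 client credentials grant from the Microsoft identity platform v2.0 token endpoint; the function name `Get-ExoAccessToken`, the environment variable `EXO_APP_SECRET` and all IDs are hypothetical placeholders.

```powershell
# Added example, not the connector's own code. All values are placeholders.
$Organization = 'contoso.onmicrosoft.com'               # Azure AD Organization
$TenantId     = '00000000-0000-0000-0000-000000000000'  # Azure AD Tenant ID
$AppId        = '11111111-1111-1111-1111-111111111111'  # Azure AD App Id
# Assumption: the secret is supplied through the environment, not hard-coded.
$AppSecret    = $env:EXO_APP_SECRET                     # Azure AD App Secret

function Get-ExoAccessToken {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$AppSecret
    )
    # Assumption: client credentials grant, scoped to Exchange Online.
    $request = @{
        Method      = 'Post'
        Uri         = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
        ContentType = 'application/x-www-form-urlencoded'
        Body        = @{
            grant_type    = 'client_credentials'
            client_id     = $AppId
            client_secret = $AppSecret
            scope         = 'https://outlook.office365.com/.default'
        }
    }
    $response = Invoke-RestMethod @request
    if ([string]::IsNullOrEmpty($response.access_token)) {
        throw 'Token endpoint returned no access_token.'
    }
    return $response.access_token
}

try {
    $token = Get-ExoAccessToken -TenantId $TenantId -AppId $AppId -AppSecret $AppSecret
    # -AccessToken requires EXO module v3.1 or later; no extra PS session is created.
    Connect-ExchangeOnline -AccessToken $token -Organization $Organization -ShowBanner:$false -ErrorAction Stop
    # Sanity check that the app's role assignment allows reading mailboxes.
    Get-EXOMailbox -ResultSize 1 | Select-Object DisplayName, RecipientTypeDetails
}
catch {
    # Report the error message only; never write the token or secret to logs.
    Write-Error "Exchange Online connection failed: $($_.Exception.Message)"
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
    Remove-Variable token, AppSecret -ErrorAction SilentlyContinue
}
```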

Getting help

For more information on how to configure a HelloID PowerShell connector, please refer to our documentation pages.

If you need help, feel free to ask questions on our forum.

HelloID Docs

The official HelloID documentation can be found at: https://docs.helloid.com/