Configuring Azure AD for Exchange

To use the Exchange Collector, you must first authenticate it through an application registered in Azure AD. This article details how to set up an application in Azure AD to support this authentication method.

Required Permissions for Exchange

Retrieving information via the Graph API requires authentication, which is achieved through an Azure registered application. Because the Collector uses the Client Credentials flow to communicate with the Graph API, it is seen as an application rather than a user. Currently, the Collector supports only Client Secrets; Certificates are not supported.

NOTE: All the M365 Collectors use the same API and authentication mechanism; therefore, a single registered application can be configured for all the specific Collectors (Exchange, SharePoint, Teams, and OneDrive) for that M365 subscription.

The Azure registered application's access to the target repository is controlled via the API permissions assigned to the application in the Azure portal.

The following permissions are required:

  • User.Read.All
  • Mail.Read

IMPORTANT: These permissions must be added as Microsoft Graph -> Application permissions, NOT Delegated permissions (some legacy systems use the same naming convention).

Registering an Azure Application for an Exchange Tenant

1. Log in to Azure AD as a user with permission to add and update App Registrations, then navigate to App Registrations (searching for "App Registration" also works).

2. Choose + Add.

3. Enter the name of the app. 

4. Choose Accounts in this organizational directory only as the Supported account types and leave the Redirect URL blank.

5. Click Register.

6. Select API permissions.

7. Select +Add a permission.

8. Under Microsoft APIs, select Microsoft Graph and select Application Permissions.

9. Next, search for the User.Read.All permission and select it.

10. Search for the Mail.Read permission and select it.

11. Click Add Permissions.

12. Select Grant admin consent for the domain for the chosen permissions.

13. Select Certificates & secrets.

14. Select Client Secrets.

15. Click New Client Secret, give a brief description, and select an expiration period for the Client Secret.

16. Click Add.

IMPORTANT: Client secret values can only be viewed immediately after creation! Be sure to save the Value before leaving the page.
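
As an added check that is not part of the original article or the Collector's own code: the Python sketch below builds the client credentials token request for the registered application and inspects the returned token's roles claim to confirm that User.Read.All and Mail.Read were granted as application permissions. The tenant ID, client ID and secret are values you supply, the function names are hypothetical, and the sample tokens are constructed, unsigned values so the check runs offline.

```python
import base64
import json
import urllib.parse

REQUIRED_ROLES = {"User.Read.All", "Mail.Read"}  # permissions listed in this article


def token_request(tenant_id, client_id, client_secret):
    """Build (url, form body) for the client credentials token request."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body


def decode_claims(access_token):
    """Decode the JWT payload for inspection only (signature is not verified)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_roles(claims):
    """Compare the app-only 'roles' claim with the required permissions.

    Delegated permissions never appear in 'roles', so a permission added as
    delegated, or one without admin consent, shows up here as missing.
    """
    roles = set(claims.get("roles", []))
    return {"missing": sorted(REQUIRED_ROLES - roles),
            "extra": sorted(roles - REQUIRED_ROLES)}


def make_sample_token(claims):
    """Constructed, unsigned sample token so the check runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "constructed"])


GOOD = make_sample_token({"roles": ["Mail.Read", "User.Read.All"]})
PARTIAL = make_sample_token({"roles": ["User.Read.All", "Mail.ReadWrite"]})

if __name__ == "__main__":
    for name, tok in (("GOOD", GOOD), ("PARTIAL", PARTIAL)):
        print(name, check_roles(decode_claims(tok)))
```

An entry under "extra" means the application holds more Graph access than the two permissions this article lists, which is worth removing before the client secret is handed to the Collector.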