
Configuring app-based authentication in Entra ID (Azure AD) for Exchange Online

With release 4.19.0, Discovery Center Project Suite (DCPS) has added the option to use application-based authentication for the Exchange Connector when working with Exchange Online.

This will ensure that the operation of the Exchange Connector is maintained as Microsoft enacts changes to the permitted use of roles within Exchange Online.
https://techcommunity.microsoft.com/t5/exchange-team-blog/retirement-of-rbac-application-impersonation-in-exchange-online/ba-p/4062671

Existing users of the Exchange Connector for on-premises Exchange content are unaffected by this change and need not make immediate changes, but they should be aware of forthcoming changes within Exchange Online that may require them to use this new approach in the future. We recommend that new users of the Exchange Connector adopt this new approach.

Note: This approach uses a different range of API permissions than those provided in the multi-tenant Azure application registration for ROPC-based authentication that is documented in the DCPS Installation guide. To use this approach you must create a unique application registration in Entra ID using the steps below.

Registering an Azure Application for the Exchange Online Connector

When using application authentication within Azure, Discovery Center makes use of a Certificate credential type for authentication with the registered Azure App. As a prerequisite to this, the public key (.cer) element of a certificate must be uploaded to the Azure app, with the private key (.pfx) element being uploaded to the Discovery Center application.

The steps below assume a certificate has already been created for this purpose. If you do not have an established process for preparing certificates, you can find guidance on creating certificates using PowerShell here: https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-self-signed-certificate

1. Log in to Azure AD as a user with permissions to add and update App Registrations and navigate to App Registrations.

2. Choose New Registration.


3. Enter the name of the app, choose Accounts in this organizational directory only as the Supported account types, leave the Redirect URL blank and select Register.

4. Select API permissions and choose Add a permission, under Microsoft APIs select Microsoft Graph. Select Application permissions and enter User.ReadBasic.All into the search box as shown to locate that permission. Select the User.ReadBasic.All checkbox and then click the Add Permissions button.

5. Select Add a Permission again, followed by APIs my organization uses, then enter Office 365 Exchange Online into the search box to locate the Exchange API category, as shown below.

Select the category, choose Application Permission, and then select the full_access_as_app API.

6. Remove the default delegated User.Read permission.

7. Select Grant admin consent for the domain for the chosen permissions.

8. Select Certificates & secrets and then Upload certificate before browsing to select the public key portion of the certificate to use for authentication with the app (.cer, .pem or .crt file types are accepted).

The steps above include screenshots that were correct at the time of writing but which may be outdated following any changes to the Azure AD cloud interface.

For the latest instructions on how to register applications in Azure AD see https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app.

Discovery Center Configuration

Once the above steps have been completed, credential records can be created in the Discovery Center application to use for authentication to Exchange Online using this registered app. These credential records should make use of the private key portion of the certificate that has been uploaded to the app. You will also need the Tenant ID and the Application / Client ID displayed in the Overview page for the Azure application that has been created.

  1. Navigate to System Settings > Credential Management.
  2. Create a new credential using the Azure App Certificate type.
  3. Fill in the relevant information using the Application and Tenant information from the app created above.
  4. The password will be the password of the certificate file.

Note: The permissions required for the Azure AD registered app as detailed above are explicit requirements of the APIs used by the DCPS Exchange Connector to interact with Exchange Online. If these permissions are not granted to the app then the DCPS Exchange Connector will not be able to function as required when attempting any connection with Exchange Online.
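A way to confirm that the registration and admin consent above actually took effect before creating the DCPS credential: acquire an app-only token with the certificate and check that its roles claim carries the permissions granted in the steps above. This is an added example, not DCPS or Microsoft code; the function names, the MSAL usage and the PEM-exported private key are assumptions.

```python
"""Post-configuration check for the app registration above: acquire an app-only
token with the certificate credential and confirm the 'roles' claim carries the
permissions this guide grants. Added example, not DCPS code; names are assumptions."""
import base64
import json

# /.default scopes for the two resources the guide grants permissions on.
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
EXO_SCOPE = "https://outlook.office365.com/.default"
EXPECTED_ROLES = {GRAPH_SCOPE: {"User.ReadBasic.All"}, EXO_SCOPE: {"full_access_as_app"}}

def decode_claims(jwt: str) -> dict:
    """Payload claims of a JWT, read WITHOUT signature verification. Acceptable only
    for inspecting a token we just received from the token endpoint ourselves."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_roles(jwt: str, scope: str) -> set:
    """Required roles the token lacks; an empty set means admin consent took effect."""
    claims = decode_claims(jwt)
    if "scp" in claims:  # delegated (ROPC-style) tokens carry 'scp', app-only ones 'roles'
        raise ValueError("token is delegated, not app-only; wrong credential type in use")
    return EXPECTED_ROLES[scope] - set(claims.get("roles", []))

def acquire_token(tenant_id: str, client_id: str, private_key_pem: str,
                  thumbprint: str, scope: str) -> str:
    """Client-credentials flow with the certificate, via MSAL (pip install msal).
    tenant_id / client_id come from the app's Overview page; private_key_pem is the
    .pfx private key exported to PEM, thumbprint is the certificate's SHA-1 hex."""
    import msal  # imported lazily so the offline checks above work without it
    app = msal.ConfidentialClientApplication(
        client_id,
        authority=f"https://login.microsoftonline.com/{tenant_id}",
        client_credential={"private_key": private_key_pem, "thumbprint": thumbprint},
    )
    result = app.acquire_token_for_client(scopes=[scope])
    if "access_token" not in result:
        raise RuntimeError(result.get("error_description", result))
    return result["access_token"]

def constructed_token(claims: dict) -> str:
    """Unsigned JWT-shaped string from constructed claims, for offline testing only."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return "eyJhbGciOiJub25lIn0." + body + "."
```

Run `missing_roles(acquire_token(...), scope)` once for GRAPH_SCOPE and once for EXO_SCOPE; any name returned is a permission that was not added or not consented in the steps above.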