Creating and Configuring the Application Manually
The following steps will create and configure an Azure application for Exchange Online authentication through the Azure portal.
These steps are adapted from the following online Microsoft documentation:

- Open the Azure AD portal at https://portal.azure.com/
- Under Manage Azure Active Directory, click View.
- On the Overview page that opens, under Manage, select App registrations.
- On the App registrations page that opens, click New registration.
- On the Register an application page that opens, configure the following settings:
  - Name: Enter something descriptive. For example, Exchange Online FAM App
  - Supported account types: Verify that Accounts in this organizational directory only (<YourOrganizationName> only - Single tenant) is selected.
  - Redirect URI (optional): Leave empty.
- When you're finished, click Register.
  Leave the app page open. You'll use it in the next step.

- On the app page under Manage, select Manifest.
- On the Manifest page that opens, find the requiredResourceAccess entry (on or about line 44).
- Modify the resourceAppId, resourceAccess, id, and type values as shown below:

    "requiredResourceAccess": [
        {
            "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
            "resourceAccess": [
                {
                    "id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
                    "type": "Role"
                }
            ]
        }
    ],

- Click Save.
- On the Manifest page, under Manage, select API permissions.
- On the API permissions page that opens, do the following:
  - API / Permissions name: Verify the value Exchange.ManageAsApp is shown.
  - Status: The initial value is Not granted for <Organization>.
    Select Grant admin consent for <Organization>, read the confirmation dialog that opens, and then click Yes.
    The Status value should now be Granted for <Organization>.
- Close the current API permissions page (not the browser tab) to return to the App registrations page. You'll use it in an upcoming step.

Create a self-signed X.509 certificate using the following PowerShell commands.
Edit parameters such as DnsName, certificate expiration, and password as appropriate.
# Create certificate
$mycert = New-SelfSignedCertificate -DnsName "contoso.org" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(15) -KeySpec KeyExchange
# Export certificate to .pfx file
$mycert | Export-PfxCertificate -FilePath mycert.pfx -Password $(ConvertTo-SecureString -String "P@ssw0Rd1234" -AsPlainText -Force)
# Export certificate to .cer file
$mycert | Export-Certificate -FilePath mycert.cer

After you register the certificate with your application, you can use the private key (.pfx file) for authentication.
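
A variant of the certificate commands above, added here as an example and not taken from the original page or from Microsoft's documentation: it prompts for the .pfx password instead of embedding it in the command, then checks both exported files before the .cer is uploaded. The one-year validity, the file locations and the variable names are assumptions.

```powershell
# Added example. Assumed values: one-year validity, output in the current
# directory, variable names. Run from an elevated session (LocalMachine store).
$pfxPath = Join-Path $PWD 'mycert.pfx'
$cerPath = Join-Path $PWD 'mycert.cer'

# Prompt for the .pfx password so it is not stored in a script or shell history
$pfxPassword = Read-Host -Prompt 'Password for mycert.pfx' -AsSecureString

# Create the key pair and the self-signed certificate
$certParams = @{
    DnsName           = 'contoso.org'
    CertStoreLocation = 'cert:\LocalMachine\My'
    NotAfter          = (Get-Date).AddYears(1)   # assumption: rotate yearly
    KeySpec           = 'KeyExchange'
}
$cert = New-SelfSignedCertificate @certParams

# .pfx = certificate plus private key; it stays with the authenticating service
$cert | Export-PfxCertificate -FilePath $pfxPath -Password $pfxPassword | Out-Null
# .cer = public certificate only; this is the file uploaded to the app registration
$cert | Export-Certificate -FilePath $cerPath | Out-Null

# Check the .cer: it must match the generated certificate and hold no private key
$public = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
if ($public.HasPrivateKey) {
    throw "$cerPath contains a private key; do not upload it."
}
if ($public.Thumbprint -ne $cert.Thumbprint) {
    throw "$cerPath does not match the certificate that was just created."
}

# Check the .pfx: it must open with the password and carry the private key
$pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $pfxPassword)
if (-not $pfx.HasPrivateKey -or $pfx.Thumbprint -ne $cert.Thumbprint) {
    throw "$pfxPath is not usable for authentication with this certificate."
}
$pfx.Reset()   # release the key material loaded for the check

# Values to compare with what the portal lists after the upload
[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    PublicFile = $cerPath
}
```

The thumbprint printed at the end should equal the one shown for the certificate on the Certificates & secrets page once the .cer file has been uploaded.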
- On the Apps registration page from the end of Step 2, select your application.
  If you need to get back to the Apps registration page:
  - Open the Azure AD portal at https://portal.azure.com/
  - Under Manage Azure Active Directory, click View.
  - On the Overview page that opens, under Manage, select App registrations.
- On the application page that opens, under Manage, select Certificates & secrets.
- Click Upload Certificate.
- Browse to the self-signed certificate (.cer file) that you created in Step 3.
- Click Add.
  The certificate is now shown in the Certificates section.
- Close the current Certificates & secrets page, and then the App registrations page to return to the main https://portal.azure.com/ page. You'll use it in the next step.

The following admin roles are available. Each of these roles has the necessary permissions for File Access Manager functionality. Choose a role and assign the new Azure Application to it to complete the configuration.
- Global administrator
- Compliance administrator
- Exchange administrator

- Open the Azure AD portal at https://portal.azure.com/
- Under Manage Azure Active Directory, click View.
- On the Overview page that opens, under Manage, select Roles and administrators.
- Find and select one of the supported roles by clicking on the name of the role (not the check box) in the results.
- On the Assignments page that opens, click Add assignments.
- In the Add assignments flyout that opens, find and select the app that you created in Step 1.
- Click Add.
- Back on the Assignments page, verify that the app has been assigned to the role.