Exchange Online Management

Microsoft Entra ID can be used to manage Exchange Online mailboxes, distribution lists, and mail-enabled security groups. The Microsoft Entra ID connector uses the Exchange Online PowerShell module through IQService to support this feature.

Exchange Online Management supports the following operations:

  • Aggregation of Exchange Online Mailbox attributes for users

  • Aggregation of Shared Mailbox as an entitlement for users

  • Modification of Exchange Online Mailbox attributes

  • Adding and Removing Shared Mailboxes from users

  • Aggregation of Exchange Online attributes for groups

  • Adding and Removing Exchange Distribution Lists and Mail-Enabled Security groups from users

Note
Delta Aggregation does not capture changes in Exchange Online Attributes and Shared Mailbox assignments.

Objects/Attributes                             Aggregation   Modification   Add/Remove User   Creation   Deletion
Exchange Online Mailbox attributes for users   Yes           Yes            N/A               N/A        N/A
Shared Mailbox as an entitlement for users     Yes           N/A            Yes               N/A        N/A
Exchange Online attributes for groups          Yes           Yes            N/A               N/A        N/A
Distribution List                              Yes           Yes            Yes               Yes        Yes
Mail-Enabled Security Group                    Yes           Yes            Yes               Yes        Yes

Prerequisites

IQService requires access to the following hosts to interact with the managed service; allow these URLs from the IQService machine:

  • https://graph.microsoft.com

  • https://login.microsoftonline.com

Basic Authentication

Important
  1. Configure IQService

  2. Install Exchange Online PowerShell Module: EXO V3 (version 3.0.0 or later) on the same IQService machine.

  3. Create a user in Microsoft Entra ID with the Exchange Administrator role.

  4. Select Manage Exchange Online on Application Configuration page.

  5. Provide the username and password of the user created in step 3.

Note
Due to a limitation on PowerShell sessions, SailPoint recommends using separate IQService instances and a separate Exchange admin user for each Microsoft Entra ID application that is configured to manage Exchange Online.

Note
The connector uses PowerShell sessions to manage Exchange Online Mailboxes. Due to restrictions on the number of concurrent PowerShell sessions allowed by Microsoft, there may be a delay or occasional failures when the connector processes Exchange Online requests.

Certificate Based Authentication

  • The following additional API permission needs to be added to the already registered Microsoft Entra ID Enterprise Application. Refer to the Prerequisites section regarding application registration and API permissions, if necessary.

  • Assign the following roles to the application:

  • To ensure modern authentication:

    • A certificate key pair needs to be generated for the IQService machine. It is used by the Exchange PowerShell module to connect to Exchange Online.

    • The certificate must be uploaded to the registered Microsoft Entra ID Enterprise Application under Certificates and Secrets.

  • The steps to generate a self-signed certificate and attach it to the Microsoft Entra ID application are listed here:

  • Use Exchange Online PowerShell Module: EXO V3 (version 3.0.0 or later).
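The following script is an added example, not SailPoint's or Microsoft's own code, covering both the Basic Authentication steps above and the certificate-based prerequisites: it checks that the EXO module on the IQService host is version 3.0.0 or later, can generate the self-signed key pair for the host (private key kept non-exportable in the machine store, only the public .cer exported for upload under Certificates and Secrets), and opens a session with either a prompted credential or the uploaded certificate's thumbprint. The application (client) id, tenant name and certificate subject are placeholders; the connection step for the certificate path assumes the .cer has already been uploaded to the registered application.

```powershell
# Added example (not SailPoint's or Microsoft's code). Placeholders: AppId, Organization, certificate subject.
param(
    [ValidateSet('Basic', 'Certificate')] [string]$AuthType = 'Certificate',
    [switch]$GenerateCertificate,
    [string]$AppId        = '<application-id-placeholder>',
    [string]$Organization = 'contoso.onmicrosoft.com',
    [string]$Thumbprint   = ''
)

$MinimumVersion = [version]'3.0.0'   # requirement stated on the page: EXO V3, 3.0.0 or later

function Test-ExoModuleVersion {
    # Picks the newest installed ExchangeOnlineManagement module and enforces the minimum version.
    $mod = Get-Module -ListAvailable -Name ExchangeOnlineManagement |
           Sort-Object Version -Descending | Select-Object -First 1
    if (-not $mod) { throw 'ExchangeOnlineManagement is not installed on this IQService host.' }
    if ($mod.Version -lt $MinimumVersion) {
        throw "ExchangeOnlineManagement $($mod.Version) found; $MinimumVersion or later is required."
    }
    return $mod.Version
}

function New-IQServiceExoCertificate {
    # Self-signed signing certificate in the machine store; the private key is non-exportable so it
    # never leaves the IQService host. Only the exported public .cer is uploaded to the application.
    param([string]$Subject = 'CN=IQService-EXO', [int]$ValidYears = 1,
          [string]$ExportPath = (Join-Path $env:TEMP 'IQService-EXO.cer'))
    $cert = New-SelfSignedCertificate -Subject $Subject -CertStoreLocation 'Cert:\LocalMachine\My' `
        -KeyExportPolicy NonExportable -KeySpec Signature -KeyAlgorithm RSA -KeyLength 2048 `
        -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears($ValidYears)
    Export-Certificate -Cert $cert -FilePath $ExportPath | Out-Null
    Write-Host "Public certificate exported to $ExportPath (thumbprint $($cert.Thumbprint))."
    return $cert
}

function Connect-IQServiceExo {
    param([string]$AuthType, [string]$AppId, [string]$Organization, [string]$Thumbprint)
    switch ($AuthType) {
        'Basic' {
            # Page step 5: username and password of the Exchange Administrator user, prompted rather than stored.
            $cred = Get-Credential -Message 'Exchange Administrator user for this IQService instance'
            Connect-ExchangeOnline -Credential $cred -ShowBanner:$false
        }
        'Certificate' {
            if (-not $Thumbprint) { throw 'Certificate authentication needs the thumbprint of the uploaded certificate.' }
            Connect-ExchangeOnline -AppId $AppId -Organization $Organization `
                -CertificateThumbprint $Thumbprint -ShowBanner:$false
        }
    }
}

$version = Test-ExoModuleVersion
Write-Host "ExchangeOnlineManagement $version is installed."

if ($GenerateCertificate) {
    # Generate the key pair and stop: the .cer must be uploaded before a certificate connection can work.
    New-IQServiceExoCertificate | Out-Null
    return
}

Connect-IQServiceExo -AuthType $AuthType -AppId $AppId -Organization $Organization -Thumbprint $Thumbprint
Get-ConnectionInformation          # shows which identity/app the session runs as
Disconnect-ExchangeOnline -Confirm:$false
```

Run it once with `-GenerateCertificate` on the IQService host, upload the exported .cer to the application, then run it again with `-AuthType Certificate -Thumbprint <thumbprint>` to confirm the module can connect before enabling Manage Exchange Online in the application configuration.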

Schema Configurations

You must add the Exchange attributes that you want to aggregate to the account or group schema with the prefix EXO_.

For example, to aggregate EmailAddresses attribute, add it to the schema as follows:

  • Name: EXO_EmailAddresses

  • Type: String

  • Property: Multivalued

To aggregate shared mailbox attributes as an Entitlement, add sharedMailbox as an account attribute, for example:

  • Name: sharedMailbox

  • Type: String

  • Property: Multivalued, Entitlement, Managed

Aggregate Exchange Online Groups

By default, the Microsoft Entra ID connector aggregates Mail-Enabled Security groups. To aggregate Distribution List groups, enable the Aggregate All Groups configuration parameter.

Note
Aggregating Distribution List groups with basic group details does not require the Exchange Online IQService configuration.

Add/Remove Exchange Distribution Groups from Users

When adding a user to, or removing a user from, a Mail-Enabled Security group, the user configured in the Manage Exchange Online configuration must be the owner of the group. Distribution Lists do not have the same restriction, but SailPoint recommends that the user in the Manage Exchange Online configuration also be the owner of the group.

Note
When the Exchange Online Authentication Type is set to certificate-based authentication, the BypassSecurityGroupManagerCheck entry is added by default. If you do not want to use BypassSecurityGroupManagerCheck, add the enableByPassSecurityManagerCheck entry to the application XML with its value set to false.
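The following is an added example (not SailPoint's code) of the ownership check a practitioner would want around the behaviour described above: before adding or removing a Distribution List or Mail-Enabled Security group member it resolves the group's owners, confirms the configured service account is among them, and uses the BypassSecurityGroupManagerCheck switch only when the caller has explicitly allowed it (the equivalent of leaving enableByPassSecurityManagerCheck enabled), logging a warning whenever the bypass is used. It assumes an open Connect-ExchangeOnline session; the group, member and service account names are placeholders.

```powershell
# Added example (not SailPoint's code); assumes an open Exchange Online session. Names are placeholders.
function Test-GroupOwnership {
    param([Parameter(Mandatory)][string]$GroupIdentity,
          [Parameter(Mandatory)][string]$ServiceAccountUpn)
    $group = Get-DistributionGroup -Identity $GroupIdentity -ErrorAction Stop
    # ManagedBy lists the owners; resolve each to its primary SMTP address so the comparison is exact.
    $ownerAddresses = foreach ($owner in $group.ManagedBy) {
        (Get-Recipient -Identity $owner -ErrorAction SilentlyContinue).PrimarySmtpAddress
    }
    [pscustomobject]@{
        Group         = $group.Identity
        RecipientType = $group.RecipientTypeDetails   # MailUniversalSecurityGroup vs MailUniversalDistributionGroup
        IsOwner       = (@($ownerAddresses) -contains $ServiceAccountUpn)
        Owners        = @($ownerAddresses)
    }
}

function Set-GroupMembership {
    param([Parameter(Mandatory)][string]$GroupIdentity,
          [Parameter(Mandatory)][string]$MemberUpn,
          [Parameter(Mandatory)][ValidateSet('Add', 'Remove')][string]$Action,
          [Parameter(Mandatory)][string]$ServiceAccountUpn,
          [bool]$AllowBypassManagerCheck = $false)   # models enableByPassSecurityManagerCheck

    $check  = Test-GroupOwnership -GroupIdentity $GroupIdentity -ServiceAccountUpn $ServiceAccountUpn
    $params = @{ Identity = $GroupIdentity; Member = $MemberUpn; Confirm = $false; ErrorAction = 'Stop' }

    if (-not $check.IsOwner) {
        if (-not $AllowBypassManagerCheck) {
            throw "$ServiceAccountUpn is not an owner of $($check.Group) (owners: $($check.Owners -join ', ')); refusing to $Action without ownership."
        }
        # Make every use of the bypass visible in the IQService transcript/log.
        Write-Warning "$ServiceAccountUpn is not an owner of $($check.Group); using BypassSecurityGroupManagerCheck for $Action."
        $params['BypassSecurityGroupManagerCheck'] = $true
    }

    switch ($Action) {
        'Add'    { Add-DistributionGroupMember @params }
        'Remove' { Remove-DistributionGroupMember @params }
    }
    return $check
}

# Usage with placeholder names:
# Set-GroupMembership -GroupIdentity 'dl-support' -MemberUpn 'mark.taylor@contoso.onmicrosoft.com' `
#     -Action Add -ServiceAccountUpn 'svc-iqservice-exo@contoso.onmicrosoft.com' -AllowBypassManagerCheck $false
```

Keeping the bypass off by default and warning when it is used makes a membership change that succeeded only because of BypassSecurityGroupManagerCheck easy to spot in logs, which is the signal you want when reviewing who can modify a Mail-Enabled Security group.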

Provisioning Policy Changes

To update an Exchange Mailbox attribute value, the attribute must be added to the provisioning policy with the prefix EXO_.

For example, to update the Alias attribute, it must be added to the provisioning policy as follows:

  • Name: EXO_EmailAddresses

  • Type: String

  • Type Setting: Multivalued: true, Review Required: true

Note

  • Add the attribute with the type and property that match the Exchange attribute definition; otherwise the update operation fails.

  • Attributes added to the provisioning policy must also be present in the account schema.

Shared Mailbox As Entitlement

An Exchange user can be a member of a Shared Mailbox. Along with membership, the user obtains permission on the mailbox. This permission has to be selected while adding the user to the shared mailbox. The following permissions are categorized as Recipient and Mailbox:

  • Recipient: SendAs

  • Mailbox: ChangeOwner, ChangePermission, DeleteItem, ExternalAccount, FullAccess, ReadPermission

To allow the permission to be assigned to be selected, mailbox entitlements are created one per permission per mailbox, as shown in the following example:

User Mark Taylor has SendAs, FullAccess and ReadPermission permissions on a shared mailbox called O365Support. After account aggregation, the following entitlements would be created:

O365Support: SendAs

O365Support: FullAccess

O365Support: ReadPermission
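The following is an added example (not SailPoint's code) of how the permission-to-entitlement mapping above can be reproduced and checked outside the connector: the Recipient permission (SendAs) is read with Get-EXORecipientPermission, the Mailbox permissions with Get-EXOMailboxPermission, and each right becomes one "<mailbox>: <permission>" entitlement. The conversion is a pure function so it can be exercised offline with the constructed records that mirror the page's Mark Taylor / O365Support example; the live collection assumes an open Exchange Online session and the user principal name is a placeholder.

```powershell
# Added example (not SailPoint's code). Sample records below are constructed; the UPN is a placeholder.
$RecipientPermissions = @('SendAs')
$MailboxPermissions   = @('ChangeOwner', 'ChangePermission', 'DeleteItem', 'ExternalAccount', 'FullAccess', 'ReadPermission')

function ConvertTo-SharedMailboxEntitlement {
    # Pure function: records carry Mailbox, Category ('Recipient' or 'Mailbox') and AccessRights;
    # returns de-duplicated entitlement names, one per permission per mailbox. Unknown rights are
    # reported rather than silently turned into entitlements.
    param([Parameter(Mandatory)][object[]]$Records)
    $names = foreach ($r in $Records) {
        $known = if ($r.Category -eq 'Recipient') { $RecipientPermissions } else { $MailboxPermissions }
        foreach ($right in $r.AccessRights) {
            if ($known -contains $right) { "$($r.Mailbox): $right" }
            else { Write-Warning "Ignoring unmapped $($r.Category) right '$right' on $($r.Mailbox)" }
        }
    }
    return @($names | Sort-Object -Unique)
}

function Get-UserSharedMailboxRecords {
    # Live collection: every shared mailbox, filtered to the explicit, non-deny grants held by one user.
    param([Parameter(Mandatory)][string]$UserUpn)
    $shared = Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited
    foreach ($mbx in $shared) {
        Get-EXOMailboxPermission -Identity $mbx.Identity |
            Where-Object { $_.User -eq $UserUpn -and -not $_.Deny } |
            ForEach-Object {
                [pscustomobject]@{ Mailbox = $mbx.Alias; Category = 'Mailbox'; AccessRights = @($_.AccessRights) }
            }
        Get-EXORecipientPermission -Identity $mbx.Identity |
            Where-Object { $_.Trustee -eq $UserUpn -and $_.AccessControlType -eq 'Allow' } |
            ForEach-Object {
                [pscustomobject]@{ Mailbox = $mbx.Alias; Category = 'Recipient'; AccessRights = @($_.AccessRights) }
            }
    }
}

# Constructed records mirroring the page's example (Mark Taylor on O365Support).
$sample = @(
    [pscustomobject]@{ Mailbox = 'O365Support'; Category = 'Recipient'; AccessRights = @('SendAs') }
    [pscustomobject]@{ Mailbox = 'O365Support'; Category = 'Mailbox';   AccessRights = @('FullAccess', 'ReadPermission') }
)
ConvertTo-SharedMailboxEntitlement -Records $sample

# Live run against a tenant (placeholder UPN):
# ConvertTo-SharedMailboxEntitlement -Records (Get-UserSharedMailboxRecords -UserUpn 'mark.taylor@contoso.onmicrosoft.com')
```

Comparing the live output for a user with the sharedMailbox entitlements the connector aggregated for that account is a quick way to confirm the schema entry is picking up every permission category, and to notice a grant that exists in Exchange but never reached the identity system.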