Exchange Online Management
Microsoft Entra can be used to manage Exchange Online mailboxes, distribution lists, and mail-enabled security groups. The Microsoft Entra SaaS connector uses the Exchange Online PowerShell module to support this feature.
Exchange Online Management supports the following operations:
- Aggregation of Exchange Online Mailbox attributes for users
- Aggregation of Shared Mailbox as an entitlement for users
- Aggregation of Exchange Online attributes for groups
- Modification of Exchange Online Mailbox attributes
- Adding and removing Shared Mailboxes from users
- Adding and removing Exchange Distribution Lists and Mail-Enabled Security groups from users
Note: The Exchange Online attributes and Shared Mailbox can be aggregated only during a full aggregation. If you want to aggregate both of them during an update operation and delta aggregation as well, add the entry performGetObjectForEXOAttributes in the source XML.
Objects/Attributes | Aggregation | Modification | Add/Remove User
Exchange Online Mailbox attributes for users | Yes | Yes | N/A
Shared Mailbox as an entitlement for users | Yes | N/A | Yes
Exchange Online attributes for groups | Yes | N/A | N/A
Distribution List | Yes | N/A | Yes
Mail-Enabled Security Group | Yes | N/A | Yes
Basic Authentication
1. Basic authentication in Exchange Online is deprecated by Microsoft. For more information, refer to the deprecation of basic authentication in Exchange Online in the Microsoft documentation.
2. It is recommended to use Certificate Based Authentication for Exchange Online management.
3. Create a user in Microsoft Entra with the Exchange Administrator role.
4. Select Manage Exchange Online on the Application Configuration page.
5. Provide the username and password of the user created in step 3.
Note: The connector uses PowerShell sessions to manage Exchange Online mailboxes. Due to restrictions on the number of concurrent PowerShell sessions allowed by Microsoft, there may be a delay or occasional failures when the connector processes Exchange Online requests.
Certificate Based Authentication
- The following additional API permission needs to be added to the already registered Microsoft Entra Enterprise Application. Refer to the Prerequisites section regarding application registration and API permissions, if necessary.
  - Permission: Exchange.ManageAsApp, for Office 365 Exchange Online
  - The steps to assign API permissions to an application are listed here: Assign API permissions to the application.
- Assign the following roles to the application:
  - Exchange Administrator
  - The steps to assign roles to an application are listed here: Assign Microsoft Entra roles to the application.
- To ensure modern authentication:
  - A certificate key pair needs to be generated on any host machine. It is used by the Exchange Online PowerShell module to connect to Exchange Online.
  - The certificate must be uploaded to the registered Microsoft Entra Enterprise Application under Certificates and Secrets.
- The steps to generate a self-signed certificate are listed here:
  Step 1: Generate the .cer and .pfx files using either of the processes mentioned below.
  Note: Save the password used for generating the .pfx file; it is required later, at Step 3.
    - Generate a self-signed certificate using OpenSSL.
      Note: Use the latest OpenSSL version on the system. The recommended version is OpenSSL 3.1.2.x onwards.
      - Using OpenSSL with a password-protected private key, enter the following command from the PowerShell admin console:
        openssl req -newkey rsa:2048 -x509 -keyout privateKey.key -out public-certificate.pem -days 3650
      - Convert the above key pair to the .pfx file using the following command:
        openssl pkcs12 -export -out certificateEntra.pfx -inkey privateKey.key -in public-certificate.pem
  Step 2: Convert the .pfx file to a base64-encoded string.
    - Get the .pfx file content by using the following command:
      $pfx_cert = Get-Content '<path of the .pfx file>' -Encoding Byte
      For example:
      $pfx_cert = get-content "C:\Harshal-WorkSpace\mycert.pfx" -Encoding byte
    - Convert the .pfx file content to base64 by using the following command:
      $base64 = [System.Convert]::ToBase64String($pfx_cert)
    - Export the base64 content to a text file by using the following command:
      Add-Content "<path to the txt file to store the content>" $base64
      For example:
      Add-Content "C:\Harshal-WorkSpace\outputFileBytesBase64.txt" $base64
  Step 3: Upload the credentials.
    - Upload the .cer certificate created at Step 1 on the Microsoft Entra ID portal.
    - Enter the base64 certificate content from the text file generated in Step 2 in the Exchange Certificate field of the SailPoint Microsoft Entra source UI.
    - Enter the private key password (provided while generating the self-signed certificate) in the Exchange Private Key Password field of the Microsoft Entra source UI.
- The steps to attach the self-signed certificate to the Microsoft Entra application are listed here:
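The following script is an added example and is not part of the SailPoint documentation or the connector itself. It performs Step 2 above, but first checks that the .pfx opens with the saved password and still contains a private key, then proves the app-only connection works with the same ExchangeOnlineManagement module the connector relies on. All paths, the password, the app (client) ID and the tenant name are placeholders.

```powershell
# Added example, not from the SailPoint documentation: performs Step 2 with a
# sanity check of the .pfx and password before anything is pasted into the
# source UI, then proves the app-only connection works. All paths, the password
# and the tenant values are placeholders (assumptions) to be replaced.
param(
    [string]$PfxPath      = 'C:\path\to\certificateEntra.pfx',          # from Step 1
    [string]$PfxPassword  = 'PLACEHOLDER-PFX-PASSWORD',                  # saved at Step 1
    [string]$OutFile      = 'C:\path\to\outputFileBytesBase64.txt',
    [string]$AppId        = '00000000-0000-0000-0000-000000000000',      # placeholder app (client) ID
    [string]$Organization = 'contoso.onmicrosoft.com'                    # placeholder tenant
)

# Read the raw bytes in a way that works in both Windows PowerShell 5.1 and
# PowerShell 7: Get-Content -Encoding Byte exists only in 5.1 (7 uses -AsByteStream).
$pfxBytes = [System.IO.File]::ReadAllBytes($PfxPath)

# Opening the bundle with the password here surfaces a wrong password or a
# truncated file now, instead of as an opaque connector error later.
try {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxBytes, $PfxPassword)
} catch {
    throw "The .pfx could not be opened with the supplied password: $($_.Exception.Message)"
}
if (-not $cert.HasPrivateKey) { throw 'The .pfx contains no private key; re-run the pkcs12 export.' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); rotate it before then."
}

# Single-line base64 of the whole .pfx, the value for the Exchange Certificate field.
# Set-Content replaces the file; Add-Content would append a second copy on a re-run.
$base64 = [System.Convert]::ToBase64String($pfxBytes)
Set-Content -Path $OutFile -Value $base64 -NoNewline
Write-Host "Thumbprint to compare with the Entra portal upload: $($cert.Thumbprint)"

# Prove the app registration, Exchange.ManageAsApp permission, Exchange Administrator
# role and certificate work end to end, using the same module the connector uses.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -AppId $AppId -Organization $Organization `
    -CertificateFilePath $PfxPath `
    -CertificatePassword (ConvertTo-SecureString $PfxPassword -AsPlainText -Force) `
    -ShowBanner:$false
try {
    # Any successful read confirms the app-only session is authorized.
    Get-EXOMailbox -ResultSize 1 | Select-Object DisplayName, PrimarySmtpAddress
} finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

If the connection fails after the local checks pass, the problem is on the Entra side (permission consent, role assignment, or the uploaded .cer not matching the printed thumbprint) rather than in the certificate file.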
Schema Configurations
You must add the Exchange attributes that you want to aggregate to the account or group schema with the prefix EXO_.
For example, to aggregate the EmailAddresses attribute, add it to the schema as follows:
- Name: EXO_EmailAddresses
- Type: String
- Property: Multivalued
To aggregate shared mailbox attributes as an Entitlement, add sharedMailbox as an account attribute. For example:
- Name: sharedMailbox
- Type: String
- Property: Multivalued, Entitlement, Managed
Aggregate Exchange Online Groups
By default, the Microsoft Entra SaaS connector aggregates Mail-Enabled Security groups. To aggregate Distribution List groups, enable the Aggregate All Groups configuration parameter on the Aggregation Settings page.
Note: Aggregating Distribution List groups with only basic group details does not require the Exchange Online configuration.
Add/Remove Exchange Distribution Groups from Users
When adding a user to, or removing a user from, a Mail-Enabled Security group, the user configured in the Manage Exchange Online configuration must be the owner of the group. Distribution Lists do not have the same restriction, but SailPoint recommends that the user in the Manage Exchange Online configuration is the owner of the group.
Provisioning Policy Changes
To update an Exchange Mailbox attribute value, the attribute must be added to the provisioning policy with the prefix EXO_.
For example, to update the Alias attribute, it must be added to the provisioning policy as follows:
- Name: EXO_EmailAddresses
- Type: String
- Type Setting: Multivalued: true, Review Required: true
Note:
- Add the attribute with the type and properties that match the Exchange attribute definition; otherwise the update operation fails.
- Attributes added to the provisioning policy must be present in the account schema.
Shared Mailbox As Entitlement
An Exchange user can be a member of a Shared Mailbox. Along with membership, the user obtains a permission on the mailbox. This permission has to be selected while adding the user to the shared mailbox. The available permissions are categorized as Recipient and Mailbox:
- Recipient: SendAs
- Mailbox: ChangeOwner, ChangePermission, DeleteItem, ExternalAccount, FullAccess, ReadPermission
To provide flexibility in selecting the permission to be assigned, mailbox entitlements are created one per permission per mailbox, as shown in the following example:
User Mark Taylor has the SendAs, FullAccess and ReadPermission permissions on a shared mailbox called O365Support. After account aggregation, the following entitlements are created:
- O365Support: SendAs
- O365Support: FullAccess
- O365Support: ReadPermission