
Creating an Azure Application for Exchange Online

A new Azure application must be created and configured to support the Data Access Security Exchange Online functionality.

This configuration can be performed either by running the automated PowerShell script supplied with the SailPoint distribution pack, or by creating and configuring the application manually through the Azure portal.

Creating and Configuring the Application Automatically

The PowerShell script below performs all of the Azure application creation and configuration steps required for Exchange Online.

To run this script, the Azure AD PowerShell module must be installed.

  1. Open PowerShell as an Administrator.
  2. Install the Azure AD PowerShell module: Install-Module -Name AzureAD
  3. Open the CreateExchangeOnlineApp.ps1 file in a text editor to review the default parameters. The parameters can be edited in the file or passed as parameters when running the script.

    CreateExchangeOnlineApp.ps1
    # Configures Azure Application for use as DAS Exchange Online Application:
    #   Creates Exchange Online App with 'Exchange.ManageAsApp' API permission.
    #   Creates and uploads certificate as app client credential.
    #   Assigns application to directory role.
    #   Prompts for application admin consent.
    #
    # NOTE: Must install Azure AD PowerShell before running this script:
    #   Install-Module -Name AzureAD
    param(
       [string]$AppName = 'DAS Exchange Cloud Dev App',
       # Available directory roles: Exchange Administrator, Global Administrator, Compliance Administrator
       [string]$DirectoryRole = 'Exchange Administrator',
       # DnsName will be included in Cert subject name
       [string]$CertDnsName = 'organization.com',
       [int]$CertYearsValid = 10,
       [int]$SleepBeforeConsentSeconds = 30,
       [Parameter(Mandatory=$True)]
       [Security.SecureString]$CertPassword
    )
    
    # Stop the script on error
    $ErrorActionPreference = "Stop"
    
    ''
    'Connecting to Azure AD...'
    
    Connect-AzureAD
    
    ''
    'Getting required API details...'
    ## Get the Office 365 Exchange Online API details (well-known AppId of the Exchange Online resource).
    $api = (Get-AzureADServicePrincipal -Filter "AppID eq '00000002-0000-0ff1-ce00-000000000000'")
    
    ## Get the API permission ID
    $permission = $api.AppRoles | Where-Object { $_.Value -eq 'Exchange.ManageAsApp' }
    
    ''
    'Building API permissions...'
    ## Build the API permission object (TYPE: Role = Application, Scope = User)
    $apiPermission = [Microsoft.Open.AzureAD.Model.RequiredResourceAccess]@{
       ResourceAppId  = $api.AppId ;
       ResourceAccess = [Microsoft.Open.AzureAD.Model.ResourceAccess]@{
          Id   = $permission.Id ;
          Type = "Role"
       }
    }
    
    ''
    'Registering Azure App...'
    ## Register the new Azure AD App with API Permissions
    $myApp = New-AzureADApplication -DisplayName $AppName -ReplyUrls 'http://localhost' -RequiredResourceAccess $apiPermission
    
    ## Enable the Service Principal
    $mySP = New-AzureADServicePrincipal -AppID $myApp.AppID
    
    # Display the new App properties
    ''
    "App Display Name: $($myApp.DisplayName)"
    "App ID: $($myApp.AppID)"
    
    ''
    "Assigning directory role '$DirectoryRole'..."
    
    ## Find the ObjectID of the role. Get-AzureADDirectoryRole only returns roles that
    ## have been activated in the tenant, so fail early if the role is not found.
    $RoleId = (Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $DirectoryRole }).ObjectID
    if (-not $RoleId) {
       throw "Directory role '$DirectoryRole' was not found. Activate it first (Enable-AzureADDirectoryRole) or choose another role."
    }
    
    ## Add the service principal to the directory role
    Add-AzureADDirectoryRoleMember -ObjectId $RoleId -RefObjectId $mySP.ObjectID -Verbose
    
    ''
    'Creating certificate...'
    
    # Create a self-signed certificate in the machine store; the private key stays in the store and the .pfx
    $myCert = New-SelfSignedCertificate -DnsName $CertDnsName -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears($CertYearsValid) -KeySpec KeyExchange
    
    ''
    'Exporting certificate files to disk...'
    
    # Export certificate and private key to a password-protected .pfx file
    $pfxFilePath = ".\$($AppName).pfx"
    $output = $myCert | Export-PfxCertificate -FilePath $pfxFilePath -Password $CertPassword
    
    # Display certificate pfx file path
    ''
    "Certificate pfx file path: $($output.FullName)"
    
    # Export the public certificate to a .cer file
    $certFilePath = ".\$($AppName).cer"
    $output = $myCert | Export-Certificate -FilePath $certFilePath
    
    # Display certificate cer file path
    ''
    "Certificate cer file path: $($output.FullName)"
    
    # Base64-encode the public certificate (the credential value) and its SHA-1 hash (the key identifier)
    $bin = $myCert.GetRawCertData()
    $base64Value = [System.Convert]::ToBase64String($bin)
    
    $bin = $myCert.GetCertHash()
    $base64Thumbprint = [System.Convert]::ToBase64String($bin)
    
    ''
    'Uploading certificate to Azure App...'
    ## Upload and assign the certificate to application in AzureAD
    $null = New-AzureADApplicationKeyCredential -ObjectId $myApp.ObjectID `
       -CustomKeyIdentifier $base64Thumbprint `
       -Type AsymmetricX509Cert -Usage Verify `
       -Value $base64Value `
       -StartDate ($myCert.NotBefore) `
       -EndDate ($myCert.NotAfter)
    
    ''
    "Waiting $SleepBeforeConsentSeconds seconds to allow the Azure App to be fully created before consent..."
    
    Start-Sleep -Seconds $SleepBeforeConsentSeconds
    
    ''
    'Getting tenant details for consent...'
    ## Get the TenantID
    $tenantID = (Get-AzureADTenantDetail).ObjectID
    
    ## Admin consent URL for this tenant and application
    $consentURL = "https://login.microsoftonline.com/$tenantID/adminconsent?client_id=$($myApp.AppId)"
    
    # Display the consent URL
    ''
    "Consent URL: $consentURL"
    
    ''
    'Launching browser for consent...'
    # Browse to the consent URL using the default browser
    Start-Process $consentURL
    
    ''
    'Done.'
    
    
  4. Run the script:

    • To run the script while overriding some of the default parameters, run .\CreateExchangeOnlineApp.ps1 -AppName "Exchange Online DAS App" -DirectoryRole "Exchange Administrator" -CertDnsName "contoso.com" -CertYearsValid 1
  5. When prompted, log in with administrator credentials to create and configure Azure applications.

The last step of the script launches a URL to grant admin consent for the application. After consent is granted, the page redirects to a localhost URL that does not resolve to anything. This can be ignored.

Note

If you see an access denied error or another error in the web browser when granting admin consent, this may be a timing issue. It can be resolved either by granting admin consent manually through the Azure portal, or by copying the consent URL into your browser and retrying. The consent URL is the last line of the script output that contains the text adminconsent.

Gather or note the following output when running the script. This information is used to configure the Exchange Online application in Data Access Security.

  1. The App ID value in the console output.
  2. The created certificate file .pfx located in your working directory.
  3. The certificate password that was entered when prompted.
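Before entering these values into Data Access Security, the following verification script confirms that the registration produced what DAS needs. It is added here and is not part of the SailPoint distribution pack; it assumes Connect-AzureAD has already been run in the session and that its parameters ($AppName, $DirectoryRole, $PfxPath, $PfxPassword) match the values CreateExchangeOnlineApp.ps1 was run with.

```powershell
# Added verification script; it is not part of the SailPoint distribution pack.
# Assumes Connect-AzureAD has already been run in this session and that the
# parameters match the values CreateExchangeOnlineApp.ps1 was run with.
param(
   [string]$AppName = 'DAS Exchange Cloud Dev App',
   [string]$DirectoryRole = 'Exchange Administrator',
   [string]$PfxPath,
   [Parameter(Mandatory=$True)]
   [Security.SecureString]$PfxPassword
)
$ErrorActionPreference = 'Stop'
if (-not $PfxPath) { $PfxPath = ".\$AppName.pfx" }   # same naming the creation script uses

# 1. Exactly one application with this name exists and it requests Exchange.ManageAsApp.
$app = Get-AzureADApplication -Filter "DisplayName eq '$AppName'"
if (@($app).Count -ne 1) { throw "Expected one application named '$AppName'; found $(@($app).Count)." }
$exoApi = Get-AzureADServicePrincipal -Filter "AppId eq '00000002-0000-0ff1-ce00-000000000000'"
$manageAsAppId = ($exoApi.AppRoles | Where-Object { $_.Value -eq 'Exchange.ManageAsApp' }).Id
$exoAccess = $app.RequiredResourceAccess | Where-Object { $_.ResourceAppId -eq $exoApi.AppId }
$requestedIds = @($exoAccess.ResourceAccess | ForEach-Object { $_.Id })
if ($requestedIds -notcontains $manageAsAppId) { throw 'Exchange.ManageAsApp is not requested by the app.' }
if ($requestedIds.Count -gt 1) { Write-Warning 'App requests more Exchange permissions than DAS needs.' }

# 2. A key credential on the app matches the local .pfx (compare SHA-1 certificate hashes).
$local = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
$localId = [Convert]::ToBase64String($local.GetCertHash())
$keyCreds = Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId
# CustomKeyIdentifier is returned as bytes; accept either the raw hash or the text of the base64 thumbprint (assumption).
$matched = $keyCreds | Where-Object {
   $_.CustomKeyIdentifier -and (
      [Convert]::ToBase64String($_.CustomKeyIdentifier) -eq $localId -or
      [Text.Encoding]::UTF8.GetString($_.CustomKeyIdentifier) -eq $localId)
}
if (-not $matched) { throw 'No key credential on the app matches the local .pfx.' }
if ($local.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($local.NotAfter)." }

# 3. The service principal is a member of the expected (activated) directory role.
$sp = Get-AzureADServicePrincipal -Filter "AppId eq '$($app.AppId)'"
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $DirectoryRole }
if (-not $role) { throw "Directory role '$DirectoryRole' is not activated in this tenant." }
$isMember = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
   Where-Object { $_.ObjectId -eq $sp.ObjectId }
if (-not $isMember) { throw "Service principal is not a member of '$DirectoryRole'." }

# The values DAS needs, returned as one object
[pscustomobject]@{
   AppId         = $app.AppId
   PfxPath       = (Resolve-Path $PfxPath).Path
   CertExpires   = $local.NotAfter
   DirectoryRole = $role.DisplayName
}
```

Run it from the working directory that holds the exported .pfx; any failed check throws with the reason, so a clean run means the three values listed above are ready to enter.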

Creating and Configuring the Application Manually

The following steps will create and configure an Azure application for Exchange Online authentication through the Azure portal.

These steps are adapted from the following online Microsoft documentation:

https://docs.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#set-up-app-only-authentication

Specify the Exchange Administrator when assigning the Azure Active Directory role.
