
Prerequisites

Make sure your system fits the descriptions below before starting the installation.

Software Requirements

Data Access Security requires the latest ASP.NET Core 6.0.x Hosting Bundle. This bundle consists of the .NET Runtime and the ASP.NET Core Runtime. You can download the latest 6.0.x Hosting Bundle version from here.

Exchange Online PowerShell Module Installation

For servers that host Permission Collection and Activity Monitoring, the Exchange Online (EXO) PowerShell module needs to be installed.

Run the following command from an elevated (Administrator) PowerShell prompt:

Install-Module -Name ExchangeOnlineManagement -RequiredVersion 3.1.0 -Scope AllUsers -Force -AllowClobber

If this is done before applying the upgrade, no further action is required. If the module is installed after the upgrade has been applied, the Permission Collection and Activity Monitor services will need to be restarted.

Creating an Azure Application for SharePoint Online

A new Azure Active Directory application must be created and configured to support the File Access Manager SharePoint Online functionality.

This configuration can be performed either by running the automated PowerShell script supplied with the SailPoint distribution pack, or by creating and configuring the application through the Azure portal.

Creating and Configuring the Application Automatically

There is a PowerShell script named CreateSharePointOnlineAndSharePoint OnlineApp.ps1 provided in the Collectors.zip under the extracted scripts sub-folder. This script will perform all the Azure application creation and configuration steps required for SharePoint Online.

To run this script, the Azure AD PowerShell module must be installed.

Install-Module -Name AzureAD

Before running the script, open the file in a text editor to review the default parameters. The parameters can be edited in the file or passed as parameters when running the script.

To run the script with the default parameters:

.\CreateExchangeOnlineApp.ps1

To run the script while overriding some of the default parameters:

.\CreateExchangeOnlineApp.ps1 -AppName "Exchange Online FAM App" -DirectoryRole "Exchange Administrator" -CertDnsName "contoso.com" -CertYearsValid 15

When prompted, log in with administrator credentials to create and configure Azure applications. The last step of the script will launch a URL to grant admin consent for the application. After granting consent, the page will redirect to a localhost URL that cannot be reached; this is expected. The operation is successful if the URL of that page contains admin_consent=True.

Note

If you experience an access denied error or other error in the web browser when granting admin consent, this might be a timing issue. This can be resolved either by manually granting admin consent through the Azure portal (see section Grant admin consent manually), or by copying and pasting the consent URL (the line in the script output that starts with "Consent URL: ") into your browser.

The following output should be gathered or noted when running the script. This information will be used to configure the SharePoint Online application in File Access Manager:

  1. The App ID value in the console output.
  2. The created certificate file .pfx located in your working directory.
  3. The certificate password that was entered when prompted.
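Before entering the three values above in File Access Manager, it is worth confirming that they actually authenticate. The following script is an added example, not part of the SailPoint distribution or of the CreateExchangeOnlineApp.ps1 script; the parameter names, the script file name Test-ExoAppConnection.ps1 and the tenant domain are assumptions. It uses the same ExchangeOnlineManagement module installed in the prerequisites and connects with certificate (app-only) authentication, so a successful read-only call proves that admin consent, the uploaded certificate and the directory role assignment all took effect.

```powershell
# Added example (not SailPoint's code): verify the App ID, .pfx file and certificate
# password gathered from the script by opening an app-only Exchange Online session.
param(
    [Parameter(Mandatory)][string]$AppId,            # "App ID" value from the console output
    [Parameter(Mandatory)][string]$Organization,     # tenant domain, e.g. contoso.onmicrosoft.com (placeholder)
    [string]$CertificateFilePath = ".\mycert.pfx"    # .pfx written to the working directory
)

# Same module version the Permission Collection / Activity Monitoring servers require
Import-Module ExchangeOnlineManagement -MinimumVersion 3.1.0 -ErrorAction Stop

if (-not (Test-Path $CertificateFilePath)) {
    throw "Certificate file not found: $CertificateFilePath"
}

# Prompt for the .pfx password rather than storing it in the script
$certPassword = Read-Host -Prompt "Certificate password" -AsSecureString

try {
    # Certificate-based application authentication: no user credentials are involved
    Connect-ExchangeOnline -AppId $AppId `
                           -CertificateFilePath $CertificateFilePath `
                           -CertificatePassword $certPassword `
                           -Organization $Organization `
                           -ShowBanner:$false

    # A read-only cmdlet succeeding shows the Exchange.ManageAsApp permission and the
    # directory role assignment are both in place
    $org = Get-OrganizationConfig
    Write-Host "OK: application $AppId is connected to $($org.Name)"

    # Session summary (ExchangeOnlineManagement 3.x cmdlet)
    Get-ConnectionInformation | Select-Object State, AppId, Organization, TokenExpiryTimeUTC
}
catch {
    # Typical causes: admin consent not granted, certificate not uploaded to the app,
    # no directory role assigned, or a wrong .pfx password
    Write-Error "Connection failed: $($_.Exception.Message)"
    exit 1
}
finally {
    if (Get-ConnectionInformation) { Disconnect-ExchangeOnline -Confirm:$false }
}
```

Run it as `.\Test-ExoAppConnection.ps1 -AppId "<app-id>" -Organization "contoso.onmicrosoft.com"` from the directory that holds the .pfx file. If it fails with an access denied error right after the script ran, wait a few minutes and retry before assuming a configuration problem, since consent and role assignments can take time to propagate.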

Creating and Configuring the Application Manually

The following steps create and configure an Azure application for SharePoint Online authentication through the Azure portal.

These steps are adapted from the online Microsoft documentation.

Registering an Azure Active Directory Application

Follow these steps to register an application in Azure Active Directory (Azure AD):

  1. Open the Azure AD portal at https://portal.azure.com.

  2. Under Manage Azure Active Directory, select View.

  3. On the Overview page, under Manage, select App registrations.

  4. On the App registrations, select New registration.

  5. On the Register an application page, configure the following settings:

    • Name: Enter something descriptive. For example, Exchange Online FAM App.

    • Supported account types: Verify that Accounts in this organizational directory only (<your organization> only - Single tenant) is selected.

    • Redirect URI (optional): Leave this field empty.

  6. When you're finished, select Register.

Note

Leave the app page open. You'll use it in the next step.

Assign API Permissions to the Application

  1. On the app page under Manage, select Manifest. Locate the requiredResourceAccess entry.
  2. Replace the entire requiredResourceAccess entry with the following:

     "requiredResourceAccess": [
        {
           "resourceAppId": "c5393580-f805-4401-95e8-94b7a6ef2fc2",
           "resourceAccess": [
                 {
                    "id": "594c1fb6-4f81-4475-ae41-0c394909246c",
                    "type": "Role"
                 }
           ]
        },
        {
           "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
           "resourceAccess": [
                 {
                    "id": "678536fe-1083-478a-9c59-b99265e6b0d3",
                    "type": "Role"
                 }
           ]
        }
     ],
    
  3. Select Save.

  4. On the Manifest page, under Manage, select API permissions.
  5. Select Grant admin consent for <your organization> and complete the following:
  6. Verify the value Exchange.ManageAsApp is shown in the API / Permissions name column.
  7. For Status, select Grant admin consent for <your organization> and read the confirmation dialog that displays.
  8. Select Yes. The Status value should now be Granted for <your organization> on both entries.
  9. Close the current API permissions page (not the browser tab) to return to the App registrations page. You will use it in an upcoming step.
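Because the manifest is edited by hand, a quick read-back catches both a mistyped entry and any extra permission the application does not need. The following script is an added example, not part of the SailPoint distribution; it uses the same AzureAD module the automated script requires, and the only values it carries are the resource and permission IDs copied from the manifest snippet above.

```powershell
# Added example (not SailPoint's code): compare the registered application's
# requiredResourceAccess with the two entries from the manifest snippet above.
param([Parameter(Mandatory)][string]$AppId)   # App ID of the registration

Import-Module AzureAD -ErrorAction Stop
Connect-AzureAD | Out-Null                     # interactive admin sign-in

# resourceAppId -> permission id, taken from the manifest snippet in this section
$expected = @{
    "c5393580-f805-4401-95e8-94b7a6ef2fc2" = "594c1fb6-4f81-4475-ae41-0c394909246c"   # Exchange.ManageAsApp
    "00000003-0000-0ff1-ce00-000000000000" = "678536fe-1083-478a-9c59-b99265e6b0d3"   # second manifest entry
}

$app = Get-AzureADApplication -Filter "AppId eq '$AppId'"
if (-not $app) { throw "No application registration with AppId $AppId" }

$problems = @()

# Every permission the app requests must be one of the expected application roles;
# anything else is privilege the connector does not need
foreach ($rra in $app.RequiredResourceAccess) {
    foreach ($access in $rra.ResourceAccess) {
        $ok = $expected.ContainsKey($rra.ResourceAppId) -and
              $expected[$rra.ResourceAppId] -eq $access.Id -and
              $access.Type -eq "Role"
        if ($ok) {
            Write-Host ("OK         {0} / {1} ({2})" -f $rra.ResourceAppId, $access.Id, $access.Type)
        } else {
            $problems += ("UNEXPECTED {0} / {1} ({2})" -f $rra.ResourceAppId, $access.Id, $access.Type)
        }
    }
}

# Every expected permission must be present, otherwise consent will not cover it
foreach ($resourceId in $expected.Keys) {
    $present = $app.RequiredResourceAccess |
        Where-Object { $_.ResourceAppId -eq $resourceId } |
        ForEach-Object { $_.ResourceAccess } |
        Where-Object { $_.Id -eq $expected[$resourceId] -and $_.Type -eq "Role" }
    if (-not $present) {
        $problems += ("MISSING    {0} / {1} (Role)" -f $resourceId, $expected[$resourceId])
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "Manifest matches the expected entries for $($app.DisplayName)"
```

The script only reads the requested permissions from the manifest; whether admin consent has been granted for them is still confirmed on the API permissions page, as in steps 5 to 8.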

Generate a Self-Signed Certificate

Create a self-signed x.509 certificate using the following PowerShell commands.

Edit parameters such as DnsName, Certificate expiration, and password as appropriate:

# Create certificate
$mycert = New-SelfSignedCertificate -DnsName "contoso.org" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(15) -KeySpec KeyExchange

# Export certificate to .pfx file (the private key; keep this file and its password protected)
$mycert | Export-PfxCertificate -FilePath mycert.pfx -Password $(ConvertTo-SecureString -String "P@ssw0Rd1234" -AsPlainText -Force)

# Export certificate to .cer file (the public certificate, uploaded to the Azure application)
$mycert | Export-Certificate -FilePath mycert.cer

Assign the Certificate to the Azure Active Directory Application

After you register the certificate with your application, you can use the private key (.pfx file) for authentication.

  1. If you need to get back to the App registrations page:

    1. Open the Azure AD portal at https://portal.azure.com/
    2. Under Manage Azure Active Directory, select View.
    3. On the Overview page that opens, under Manage, select App registrations.
  2. On the App registrations page from the end of Step 2, select your application.

  3. On the application page that opens, under Manage, select Certificates & secrets.
  4. Select Upload Certificate.
  5. Browse to the self-signed certificate (.cer file) that you created in Step 3.
  6. Click Add. The certificate is now shown in the Certificates section.
  7. Close the current Certificates & secrets page, and then the App registrations page to return to the main https://portal.azure.com page. You'll use it in the next step.

Assign Azure Active Directory Role to the Application

  1. Open the Azure AD portal at https://portal.azure.com/
  2. Under Manage Azure Active Directory, select View.
  3. On the Overview page that opens, under Manage, select Roles and administrators.

  4. Find and select one of the supported roles by clicking on the name of the role (not the check box) in the results.

  5. On the Assignments page that opens, click Add assignments.
  6. In the Add assignments flyout that opens, find and select the app that you created in Step 1.
  7. Select Add.
  8. Back on the Assignments page, verify that the app has been assigned to the role.

Permissions

The Office 365 Exchange Online service uses a permission model similar to that of the equivalent Exchange On-Premises deployment.

Audit Bypass

The File Access Manager Connector for Exchange Online sets the mailbox audit for the selected mailboxes according to the configuration in the application. However, there are application service accounts (for example, BlackBerry or IXOS) that create many mailbox audit log entries, which can overload Exchange and generate a lot of noise in File Access Manager.

You can configure a user or computer account to bypass mailbox audit logging, so that actions taken by that user or account for any mailbox are not logged.

By bypassing trusted user or computer accounts that require frequent access to mailboxes, you can reduce the noise in mailbox audit logs.

For more information, see Technet: Bypass Mailbox Audit Logging

Note

It is recommended to set an alert on bypass commands to verify that users are not bypassed unexpectedly.
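The following script is an added example, not part of the File Access Manager product or its documentation. It shows the bypass being set for one noisy service account and then performs the review the note above recommends: every account that currently bypasses mailbox auditing is compared with an approved list, and anything else is flagged. The account names are placeholders, and matching on the Name value returned by Get-MailboxAuditBypassAssociation is an assumption about how your approved list is kept.

```powershell
# Added example (not SailPoint's code): set an audit bypass for a service account,
# then review all bypassed accounts against an approved list.
Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-ExchangeOnline -ShowBanner:$false      # assumes an interactive admin session

# 1. Exclude a noisy application service account from mailbox audit logging
$serviceAccount = "svc-blackberry@contoso.com"  # placeholder
Set-MailboxAuditBypassAssociation -Identity $serviceAccount -AuditBypassEnabled $true

# 2. Review: which accounts bypass auditing right now, and are all of them expected?
$approved = @("svc-blackberry", "svc-ixos")     # placeholder Name values of approved accounts
$bypassed = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled -eq $true }

$unexpected = @()
foreach ($entry in $bypassed) {
    if ($approved -contains $entry.Name) {
        Write-Host ("approved   {0}" -f $entry.Identity)
    } else {
        $unexpected += $entry
        Write-Warning ("UNEXPECTED {0}" -f $entry.Identity)
    }
}

# 3. An unapproved bypass is a gap in audit coverage: every action that account takes in
# any mailbox is invisible to Exchange auditing and therefore to File Access Manager.
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) account(s) bypass mailbox auditing without approval"
    # After confirming with the account owner, restore auditing for them:
    # $unexpected | ForEach-Object { Set-MailboxAuditBypassAssociation -Identity $_.Identity -AuditBypassEnabled $false }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Running the review part on a schedule, and alerting when the unexpected list is non-empty, is one way to implement the recommendation in the note; the Set-MailboxAuditBypassAssociation cmdlet itself is also a good candidate for an alert in your admin audit log.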

Audit Age Log Limit

By default, audit logging is configured to store audit log entries for 90 days.

After 90 days, the audit log entry is cycled. You can change the audit log age limit using the Set-Mailbox cmdlet with the AuditLogAgeLimit parameter.

You can specify the number of days, hours, minutes, and seconds to retain audit log entries.

Logs need not be retained for a long time (more than a few days), since File Access Manager offloads the data from Exchange.

Important

It is not recommended to retain an audit for a long time, as doing so expands the Exchange DB.

For more information, see Technet: Audit Log Age Limit
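The following script is an added example, not part of the product documentation. It applies the shorter retention discussed above to every mailbox that has auditing enabled, using the Set-Mailbox cmdlet and AuditLogAgeLimit parameter named in the text. The 7-day value and the script name are assumptions; the value format is days.hours:minutes:seconds.

```powershell
# Added example (not SailPoint's code): lower AuditLogAgeLimit on all audited mailboxes.
# Supports -WhatIf so the change can be previewed before any mailbox is touched.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$AgeLimit = "7.00:00:00"   # days.hours:minutes:seconds; 7 days is an assumed value
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-ExchangeOnline -ShowBanner:$false   # assumes an interactive admin session

# Only mailboxes that actually produce audit entries matter here
$audited = Get-Mailbox -ResultSize Unlimited | Where-Object { $_.AuditEnabled }

$changed = 0
foreach ($mbx in $audited) {
    $current = [string]$mbx.AuditLogAgeLimit   # "90.00:00:00" is the default
    if ($current -eq $AgeLimit) { continue }
    if ($PSCmdlet.ShouldProcess($mbx.PrimarySmtpAddress, "Set AuditLogAgeLimit $current -> $AgeLimit")) {
        Set-Mailbox -Identity $mbx.Identity -AuditLogAgeLimit $AgeLimit
        $changed++
    }
}
Write-Host "$changed of $($audited.Count) audited mailbox(es) updated to $AgeLimit"

# Verify: every audited mailbox should now report the new limit
Get-Mailbox -ResultSize Unlimited | Where-Object { $_.AuditEnabled } |
    Select-Object PrimarySmtpAddress, AuditEnabled, AuditLogAgeLimit |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run it first as `.\Set-AuditAgeLimit.ps1 -WhatIf` to see which mailboxes would change. Keep the limit comfortably longer than the longest expected gap between Activity Monitor collections, so that entries are offloaded before Exchange cycles them.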

Communication Requirements

Requirement                          Source                                              Destination                  Port
File Access Manager Message Broker   Permissions Collector Server                        RabbitMQ                     5671
File Access Manager Access           Activity Monitor and Permissions Collector servers  File Access Manager Servers  8000-8008
Remote PowerShell                    Activity Monitor/Permissions Collector server       Office 365 Cloud             80 or 443