Prerequisites

In order to connect an IAM.cloud instance to an on-prem Active Directory, the IAM.cloud on-prem Gateway has to be deployed in the customer's on-prem network.

Detailed information about the installation of the IAM.cloud on-prem Gateway can be found here:

Installation of the IAM.cloud on-prem gateway

Users and permissions for connecting to on-prem Microsoft Exchange

To connect to an on-prem Microsoft Exchange, a user must be provided with the following authorizations:

  • Member of the role group “View-Only Organization Management”

  • Member of the role group “Public Folder Management”

  • Member of the role group “Recipient Management”

  • Member of a new role group that has to be created in Microsoft Exchange and that contains the Microsoft Exchange management role “Security Group Creation and Membership”

If the target system connector will be used to provision distribution lists as well as user mailboxes, the user also has to be assigned to the role group “Organization Management”. This is due to the fact that while creating distribution lists, the user has to set the parameter “Bypass Security Group Manager check”, which is only allowed for members of the role group “Organization Management”. More information on this topic can be found here:

https://docs.microsoft.com/en-us/powershell/module/exchange/users-and-groups/set-distributiongroup?view=exchange-ps

Server configuration

Configuration on the Microsoft Exchange Server

The server that will be leveraged as the connection endpoint for the target system connector needs to be configured for remote access using Windows PowerShell. This requires the following steps in an administrative PowerShell:

  • Prepare the server for remote access usage

    winrm quickconfig

  • Allow the execution of scripts / cmdlets of trusted publishers

    Set-ExecutionPolicy RemoteSigned

  • Customize the list of trusted hosts to activate authentication coming from trusted hosts

    Set-Item wsman:\localhost\client\trustedhosts * -Force

The list can be restricted to the IAM.cloud on-prem Gateway instead of the wildcard “*”.

Configuration on the IAM.cloud on-prem Gateway

The IAM.cloud on-prem Gateway needs to be configured for remote access using Windows PowerShell. This requires the following steps in an administrative PowerShell:

  • Prepare the server for remote access usage

    winrm quickconfig

  • Allow the execution of scripts / cmdlets of trusted publishers

    Set-ExecutionPolicy RemoteSigned

  • Customize the list of trusted hosts to activate authentication coming from trusted hosts

    Set-Item wsman:\localhost\client\trustedhosts * -Force
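The three preparation steps are the same on the Exchange server and on the IAM.cloud on-prem Gateway. The following script is an added example, not part of the IAM.cloud documentation: it applies the three steps in one administrative PowerShell run, but sets TrustedHosts to an explicit list of host names instead of “*” and then verifies the listener, the execution policy and the effective TrustedHosts value. The host names in $TrustedHostList are assumed placeholder values. TrustedHosts is a client-side setting that WinRM consults only for non-Kerberos authentication (NTLM or Basic); with -Authentication Kerberos against a domain-joined Exchange server it is not consulted at all, so the wildcard grants more than the connector needs.

```powershell
#Requires -RunAsAdministrator
# Added example: WinRM preparation with an explicit TrustedHosts list
# (host names below are assumed placeholders, not values from the documentation).
param(
    # Hosts this machine may authenticate to with non-Kerberos WinRM auth.
    [string[]] $TrustedHostList = @('iamcloud-gateway.corp.example', 'exchange01.corp.example')
)

# Step 1: create the WinRM listener and firewall exception (-q suppresses the prompts).
winrm quickconfig -q

# Step 2: locally written scripts run; scripts downloaded from the internet must be signed.
Set-ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

# Step 3: restrict TrustedHosts to named hosts instead of "*". The value is a
# comma-separated list; -Force overwrites an existing value without prompting.
$trusted = $TrustedHostList -join ','
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $trusted -Force

# Verification: listeners created by quickconfig, the policy, and the TrustedHosts value.
Get-ChildItem -Path WSMan:\localhost\Listener | Format-Table Name, Keys -AutoSize
Get-ExecutionPolicy -Scope LocalMachine

$effective = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
if ($effective -eq '*') {
    Write-Warning 'TrustedHosts is "*": any host is accepted for NTLM/Basic WinRM authentication from this machine.'
} else {
    Write-Output "TrustedHosts = $effective"
}

# Confirm that the local WinRM service answers requests.
Test-WSMan -ComputerName localhost
```

Run the script once on the Exchange server and once on the Gateway, passing the respective peer in -TrustedHostList; if the verification prints the wildcard warning, the Set-Item step did not take effect.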

Test the remote PowerShell connectivity

To test the remote PowerShell connectivity, the following script can be run in Windows PowerShell on the IAM.cloud on-prem Gateway:

    $credentials = New-Object System.Management.Automation.PSCredential ("<domain>\<user>", (ConvertTo-SecureString "<password>" -AsPlainText -Force))
    $ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<Exchange Server FQDN>/powershell -Credential $credentials -Authentication Kerberos
    Import-PSSession $ExchangeSession

    Get-Mailbox

If the Get-Mailbox cmdlet returns with valid data, the connectivity works as expected.
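As an added example (not part of the IAM.cloud documentation), the check below wraps the test script in a function that prompts for the sync account's password instead of embedding it in clear text, derives the connection URI from the UseSSL choice, runs Get-Mailbox with -ResultSize 1, and additionally verifies the role-group memberships listed under “Users and permissions”. The function name, its parameters, the placeholder custom role group name and the sample host and account names are assumptions; the membership check matches role group members on their Name or Alias, which may need adjusting to the naming used in your organization.

```powershell
# Added example: connectivity and permission check for the Exchange sync account.
# Names, parameters and sample values are assumptions, not taken from the documentation.
function Test-ExchangeConnectorPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $ExchangeServerFqdn,
        [Parameter(Mandatory)] [string] $SyncUserName,   # <domain>\<user> or <user>@<domain>
        [switch] $UseSSL,
        [string] $CustomRoleGroup = 'IAMcloud Security Group Creation'  # placeholder name
    )

    # Prompt for the password rather than storing it in the script.
    $credential = Get-Credential -UserName $SyncUserName -Message 'Password of the Exchange sync account'

    # Mirror the UseSSL connector attribute: https when set, http otherwise.
    $scheme = if ($UseSSL) { 'https' } else { 'http' }
    $uri = '{0}://{1}/powershell' -f $scheme, $ExchangeServerFqdn

    # Account part of the user name, for matching role group members.
    $accountName = if ($SyncUserName -match '\\') { ($SyncUserName -split '\\')[-1] } else { ($SyncUserName -split '@')[0] }

    $session = $null
    try {
        # Kerberos requires the FQDN in the URI (no IP address).
        $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $uri `
                                 -Credential $credential -Authentication Kerberos -ErrorAction Stop

        # Import only the cmdlets this check needs.
        Import-PSSession $session -CommandName Get-Mailbox, Get-RoleGroupMember `
                                  -AllowClobber -DisableNameChecking | Out-Null

        # Connectivity: a single mailbox proves that the session and RBAC access work.
        $mailbox = Get-Mailbox -ResultSize 1 -ErrorAction Stop
        $connected = $null -ne $mailbox

        # Permissions: the role groups required by the connector.
        $required = @('View-Only Organization Management', 'Public Folder Management',
                      'Recipient Management', $CustomRoleGroup)
        $missing = @(foreach ($group in $required) {
            $members = Get-RoleGroupMember -Identity $group -ErrorAction SilentlyContinue
            # Matching on Name or Alias is an assumption; adjust to your naming scheme.
            $isMember = $members | Where-Object { $_.Name -eq $accountName -or $_.Alias -eq $accountName }
            if (-not $isMember) { $group }
        })

        [pscustomobject]@{
            ConnectionUri     = $uri
            Connected         = $connected
            MissingRoleGroups = $missing
            Ready             = $connected -and ($missing.Count -eq 0)
        }
    }
    finally {
        # Always release the remote runspace, even when a step fails.
        if ($session) { Remove-PSSession $session }
    }
}

# Usage with assumed sample values:
Test-ExchangeConnectorPrerequisites -ExchangeServerFqdn 'exchange01.corp.example' -SyncUserName 'CORP\svc-iamcloud' -UseSSL
```

Ready is true only when Get-Mailbox returned data and the account is a member of every listed role group; MissingRoleGroups names the groups still to be assigned before the connector is rolled out. If distribution lists will be provisioned as well, add 'Organization Management' to $required.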

Setting up the target system connector

To connect an on-prem Microsoft Exchange, log in to IAM.cloud with a user that has the IAM.cloud application role “Global Target system configurator”. Click “Responsibilities” and then “Target systems”.

In the list of available target system connectors, select the connector “on-prem Exchange” and click the button “Setup” to create a new target system instance.

Name the target system instance, put in a description and select the IAM.cloud on-prem Gateway as the execution server.

Attribute / Description

Target system instance
    The name of the target system instance. This is a free-text value with no technical relevance; it is used only as the display name of the target system instance.

Description
    The description of the target system instance. This is a free-text value with no technical relevance; it is used for documentation purposes only.

Execution server
    The server that executes the target system connectivity tasks. This has to be an IAM.cloud on-prem Gateway so that the on-prem Microsoft Exchange can be reached from within the on-prem network.


After entering the target system instance attributes, click “Save” to enable the technical configuration of the target system connector.

Fill in the technical attributes for the target system connector and click “Save”.

Attribute / Description

ShellDisplay
    The value of the attribute ShellDisplay is used as the name of the technical connectivity setup.

ShellDescription
    The value of the attribute ShellDescription is used for documentation purposes of the technical connectivity setup.

EX0ServerFqdn
    Fully qualified domain name (FQDN) of the Exchange server that the target system connector connects to.

EX0SyncUserName
    The EX0SyncUserName is the technical user account used to connect to the on-prem Microsoft Exchange. The user name can be given in one of the following notations:

      • <domain>\<username>

      • <username>@<domain>

EX0SyncUserPassword
    The EX0SyncUserPassword is the password of the technical user account used to connect to the on-prem Microsoft Exchange.

SynchronizeEntireOrganization
    Indicates whether the entire Exchange organization will be synchronized with IAM.cloud.

UseSSL
    Indicates whether the connection from the IAM.cloud on-prem Gateway to the Exchange server will be secured using SSL.


If all mandatory attribute values are filled in and the configuration is saved, the button “Rollout” will be enabled. Click “Rollout” to connect the on-prem Microsoft Exchange to IAM.cloud.