Prerequisites

The Azure Active Directory must be connected before connecting Exchange Online.

Integrating IAM.cloud as enterprise application

Before connecting IAM.cloud to Exchange Online, IAM.cloud has to be configured as an enterprise application in Azure Active Directory. That for, log into the Microsoft Azure Admin Portal: Azure Admin Portal

Switch to the Azure Active Directory admin center.

In the Microsoft Azure Active Directory admin center, create a new enterprise application for your directory.

Click “Create your own application”

While naming the enterprise application, select the option “Register an application to integrate with Azure AD (App you’re developing)”. Then click “Create”.

IPG recommends to limit the access to the API to “Accounts in this organizational directory only” (Single tenant). Then click “Register”. Then switch to the Azure Active Directory dashboard and click “App registrations”.

Hint: While setting up the application, an application ID (client ID) is created and a tenant ID (tenant ID) is shown. This application ID and the tenant ID are required for setting up the target system connector.

Select the newly created application from the list of applications and click “API permissions”.

By clicking “Add a permission”, add the following permissions to the application by selecting “Microsoft Graph” as the API and “Delegated permissions” as the type of permissions:

API	Permission type	Permission
Microsoft Graph	Delegated	sign users in - openid sign in and read user profile - User.Read
Microsoft Graph	Application	Read and write all user mailbox settings - MailboxSettings.ReadWrite
Office 365 Exchange Online	Delegated	Manage Exchange configuration - Exchange.Manage Read and write all groups (preview) - Group.ReadWrite.All Read and write user mailbox settings - MailboxSettings.ReadWrite Read and write users' relevant people lists (preview) - People.ReadWrite Read and write user profiles - User.ReadWrite
Office 365 Exchange Online	Application	Manage Exchange As Application - Exchange.ManageAsApp Read and write all user mailbox settings - MailboxSettings.ReadWrite

Some of these permissions require administrative consent - this needs to be granted.

Configure the client secret using the option “Certificates & secrets” and clicking the button “upload certificate”.

Hint: The export of the certificate in format PKCS #12 with powershell with the following command (Password and Cert Path needs to be adopted) as password protected certificate archive.

C:\>Get-ChildItem -Path cert:\localMachine\my\5F98EBBFE735CDDAE00E33E0FD69050EF9220254 | Export-PfxCertificate -FilePath C:\mypfx.pfx -Password $mypwd

POWERSHELL

How to issue a self signed certificate for testing purpose is described in the following article. The relevant powershell examples are shown below.

App-only authentication | Microsoft Docs

# Create certificate $mycert = New-SelfSignedCertificate -DnsName "contoso.org" -CertStoreLocation "cert:\CurrentUser\My" -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange # Export certificate to .pfx file $mycert | Export-PfxCertificate -FilePath mycert.pfx -Password $(ConvertTo-SecureString -String "P@ssw0Rd1234" -AsPlainText -Force) # Export certificate to .cer file

$mycert | Export-Certificate -FilePath mycert.cer

POWERSHELL

After creating the Enterprise Application, the app needs to be assigned to the exchange adminstration role.

Setting up the target system connector

To connect to Microsoft 365 Exchange Online connect to the IAM.cloud portal with a user having the IAM.cloud application role “Global Target system configurator”. Click “Responsibilities” and “Target systems”.

In the list of available target system connectors select the connector “Microsoft Office 365 Exchange Online“ and click the button “Setup” to create a new target system instance.

Name the target system instance, put in a description. The IAM.cloud Gateway as the execution server is pre selected.

Attribute	Description
Target system instance	The name of the target system instance - this is a freetext value with no technical relevance and will be used as the display name for the target system instance only.
Description	The description to the target system instance - this is a freetext value with no technical relevance and will be used for documentation purposes only.
Execution server	The server that will be executing the target system connectivity tasks. This has to be a specific IAM.cloud cloud Gateway in order to connect to Exchange Online. The relevant one is pre selected.

After entering the target system instance attributes, click “Save” to enable the technical configuration of the target system connector.

Fill in the technical attributes for the target system connector and click “Save”.

Attribute	Description
ShellDisplay	The value in the attribute ShellDisplay will be used as the name of the technical connectivity setup.
ShellDescription	The value in the attribute ShellDescription will be used for documentation purposes for the technical connectivity setup.
ConnectAppID	Client-ID / Application ID of the created enterprise application
ConnectPFX	A PFX file of the Certificate assigned to Application, also known as PKCS #12. It is a single, password protected certificate archive that contains the entire certificate chain plus the matching private key. Essentially it is everything that any server will need to import a certificate and private key from a single file.
ConnectPFXPassword	Password for the single password protected certificate archive
TenantDisplay	Azure Active Directory org domain name
TenantID	The ID of the Azure tenant
OrganizationDisplayName	Azure Active Directory org domain name

If all mandatory attribute values are filled in and the configuration is saved, the button “Rollout” will be enabled. Click “Rollout” to connect Microsoft 365 Exchange Online to IAM.cloud.

Prerequisites

The Azure Active Directory must be connected before connecting Exchange Online.

Integrating IAM.cloud as enterprise application

Before connecting IAM.cloud to Exchange Online, IAM.cloud has to be configured as an enterprise application in Azure Active Directory. That for, log into the Microsoft Azure Admin Portal: Azure Admin Portal

Switch to the Azure Active Directory admin center.

In the Microsoft Azure Active Directory admin center, create a new enterprise application for your directory.

Click “Create your own application”

While naming the enterprise application, select the option “Register an application to integrate with Azure AD (App you’re developing)”. Then click “Create”.

IPG recommends to limit the access to the API to “Accounts in this organizational directory only” (Single tenant). Then click “Register”. Then switch to the Azure Active Directory dashboard and click “App registrations”.

Hint: While setting up the application, an application ID (client ID) is created and a tenant ID (tenant ID) is shown. This application ID and the tenant ID are required for setting up the target system connector.

Select the newly created application from the list of applications and click “API permissions”.

By clicking “Add a permission”, add the following permissions to the application by selecting “Microsoft Graph” as the API and “Delegated permissions” as the type of permissions:

API	Permission type	Permission
Microsoft Graph	Delegated	sign users in - openid sign in and read user profile - User.Read
Microsoft Graph	Application	Read and write all user mailbox settings - MailboxSettings.ReadWrite
Office 365 Exchange Online	Delegated	Manage Exchange configuration - Exchange.Manage Read and write all groups (preview) - Group.ReadWrite.All Read and write user mailbox settings - MailboxSettings.ReadWrite Read and write users' relevant people lists (preview) - People.ReadWrite Read and write user profiles - User.ReadWrite
Office 365 Exchange Online	Application	Manage Exchange As Application - Exchange.ManageAsApp Read and write all user mailbox settings - MailboxSettings.ReadWrite

Some of these permissions require administrative consent - this needs to be granted.

Configure the client secret using the option “Certificates & secrets” and clicking the button “upload certificate”.

Hint: The export of the certificate in format PKCS #12 with powershell with the following command (Password and Cert Path needs to be adopted) as password protected certificate archive.

C:\>Get-ChildItem -Path cert:\localMachine\my\5F98EBBFE735CDDAE00E33E0FD69050EF9220254 | Export-PfxCertificate -FilePath C:\mypfx.pfx -Password $mypwd

POWERSHELL

How to issue a self signed certificate for testing purpose is described in the following article. The relevant powershell examples are shown below.

App-only authentication | Microsoft Docs

# Create certificate $mycert = New-SelfSignedCertificate -DnsName "contoso.org" -CertStoreLocation "cert:\CurrentUser\My" -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange # Export certificate to .pfx file $mycert | Export-PfxCertificate -FilePath mycert.pfx -Password $(ConvertTo-SecureString -String "P@ssw0Rd1234" -AsPlainText -Force) # Export certificate to .cer file

$mycert | Export-Certificate -FilePath mycert.cer

POWERSHELL

After creating the Enterprise Application, the app needs to be assigned to the exchange adminstration role.

Setting up the target system connector

To connect to Microsoft 365 Exchange Online connect to the IAM.cloud portal with a user having the IAM.cloud application role “Global Target system configurator”. Click “Responsibilities” and “Target systems”.

In the list of available target system connectors select the connector “Microsoft Office 365 Exchange Online“ and click the button “Setup” to create a new target system instance.

Name the target system instance, put in a description. The IAM.cloud Gateway as the execution server is pre selected.

Attribute	Description
Target system instance	The name of the target system instance - this is a freetext value with no technical relevance and will be used as the display name for the target system instance only.
Description	The description to the target system instance - this is a freetext value with no technical relevance and will be used for documentation purposes only.
Execution server	The server that will be executing the target system connectivity tasks. This has to be a specific IAM.cloud cloud Gateway in order to connect to Exchange Online. The relevant one is pre selected.

After entering the target system instance attributes, click “Save” to enable the technical configuration of the target system connector.

Fill in the technical attributes for the target system connector and click “Save”.

Attribute	Description
ShellDisplay	The value in the attribute ShellDisplay will be used as the name of the technical connectivity setup.
ShellDescription	The value in the attribute ShellDescription will be used for documentation purposes for the technical connectivity setup.
ConnectAppID	Client-ID / Application ID of the created enterprise application
ConnectPFX	A PFX file of the Certificate assigned to Application, also known as PKCS #12. It is a single, password protected certificate archive that contains the entire certificate chain plus the matching private key. Essentially it is everything that any server will need to import a certificate and private key from a single file.
ConnectPFXPassword	Password for the single password protected certificate archive
TenantDisplay	Azure Active Directory org domain name
TenantID	The ID of the Azure tenant
OrganizationDisplayName	Azure Active Directory org domain name

If all mandatory attribute values are filled in and the configuration is saved, the button “Rollout” will be enabled. Click “Rollout” to connect Microsoft 365 Exchange Online to IAM.cloud.

Connect to Microsoft 365 Exchange Online

Prerequisites

Integrating IAM.cloud as enterprise application

Setting up the target system connector

Related articles

Prerequisites

Integrating IAM.cloud as enterprise application

Setting up the target system connector

Related articles