Include users from an Azure AD

Configuration in Azure AD to be able to access its users with the UMA

Last adaptation to the version: 3.3.4 (07.2023)

New:

Azure Cloud Update in the Setup Wizard and in the Email Accounts menu
User authentication using Microsoft Azure enables multi-factor authentication in the DMS
Client secret ID from Azure AD required (v3.2)

notempty

This article refers to a Beta version

3.3 3.2

Requirements

Users in Azure AD with mail addresses to be archived

Azure AD configuration

The following steps are necessary:

In Azure AD, the Securepoint UMA NG must be registered as a new app
The following permissions are required:
- MS-Graph / Delegated Permission:
  - User.Read (should already exist as default permission)
- MS-Graph / Application Permissions:
  - Group.Read.All
  - MailboxSettings.Read
  - User.Read.All
  - Application.Read.All
A Secret Client Key must be added to the app

In order to archive additional mail addresses besides the original Microsoft Azure email address, these must be stored in the user profile in the Azure Active Directory in the section Contact information as Alternative email address.

The login of the user in the Securepoint UMA NG is then done with the user principal name (user pricipal name) and the corresponding password from Azure AD.


1.	2.	3.


Abb.1	Abb.2	Abb.3


Abbildungen

Fig.1

Opening the Azure Dashboard or the Microsoft 365 Portal
Menu Azure Active Directory

Fig.2

Menu App registrations

Fig.3

Button + New registration

Fig.4

Assigning unique name

Option Only accounts in this organization directory (single client)

A redirection URI is not required

Button Register

Fig.5

The following values are required later in the Securepoint UMA:

Application ID (Client ID)
Directory ID (client)
Client Secret ID

Selection menu API permissions

Fig.6

Button + Add Permission

The permission User.Read of type Delegated permission should already be entered as default permission

Fig.7

Button Microsoft Graph

Fig.8

Application Permissions button

Fig.9

Mark API permission Group.Read.All

The search bar can be used to narrow down the display of permissions.
This lets you find the permission you need faster.

Fig.10

Mark API permission MailboxSettings.Read

The previously marked permission remains marked even if it is no longer displayed by another term in the search bar

Fig.11

Mark API permission User.Read.All
button Add permissions

Fig.12

Check API permission Application.Read.All New as of 3.1.3

Button Add permissions

Fig.13

If previously worked without Global Admin Authorization, now the approval of such is required

Fig.14

Grant administrator authorization

Fig.15

Configured API permissions

Fig.16

Back to the dashboard, menu Azure Active Directory

Menu Authentication

Entry Add a platform

Click on Single-page application in the Configure platform section.

Fig.17

Under Redirect URIs enter either the hostname or the IP address of the UMA.

Click the Configure button

Fig.18

Menu Certificates & Secrets

Fig.19

Button + New secret client key

Fig.20

Assigning unique name

Selecting desired validity period
The Secret client Key must be renewed in a timely manner. After the validity period expires, emails will no longer be delivered to the UMA and users of the UMA DMS will no longer be able to be authenticated by Azure AD.

Button Add

Fig.21

The Client Secret is displayed in the Value column

The Client ID is displayed in the column Secret ID

The Client Secret value will not be displayed again later and must therefore be saved elsewhere.
New as of 3.1.3 Both values are required for configuration in the Securepoint UMA.

Fig.22

In order to archive additional mail addresses besides the original Microsoft Azure email address, these must be stored in the user profile in the Azure Active Directory in the section Contact information as Alternative email address.

The login of the user in the Securepoint UMA NG is then done with the user principal name (user pricipal name) and the corresponding password from Azure AD.

For mailbox import and journal mailbox use from Azure, additionally configured apps in Azure are required.

Note

This article includes descriptions of third-party software and is based on the status at the time this page was created.
Changes to the user interface on the part of the manufacturer are possible at any time and must be taken into account accordingly in the implementation.
All information without warranty.

To use the UMA with Microsoft 365's OAuth service, the following information is required:

Tenant ID
Client ID
Client secret

This guide shows an example of the preparations and setting required in Microsoft Azure

Launch Azure Active Directory admin center
Note down/Copy Tenant ID from the Azure Active Directory menu
Register new app under theApp registration menu under the New registration button
Assign a unique name and click the register button
In the API permissions menu, click the Add a permission button.
Select permission for Office 365 Exchange Online in the APIs my organization uses tab
Add IMAP.AccessAsApp permission for Office 365 Exchange Online
In the menu API permissions activate the entry Grant admin consent for [...].
Create a Client secret in the Certificates & secrets menu
Note down Value, is entered as Client secret for Remote e-mail accounts and Import single mailboxes
Open menu Enterprise Applications and select app
Note down from the app properties Application ID and Object ID.
Open Powershell on Windows Client Administrator, import ExchangeOnlineManagement and connect to tenant
Select the recipient mailbox in the Exchange admin center and choose Read and manage (Full Access) as delegation.
Add member for Mailbox Delegation

This completes the configuration in Microsoft Azure.
Further configuration is done in the UMA in the
System settings Tab Email accounts section Azure AD menu, in the setup wizard or when importing mailboxes.
The Microsoft servers may take up to 30 minutes before access works


1.	2.	3.


Abb.1	Abb.2	Abb.3


Abbildungen

Fig.1

Select Azure Active Directory menu
Note down or copy Tenant ID, is entered for remote e-mail accounts and for importing single mailboxes

Fig.2

Register new app:

Menu App registration

Button New registration

Fig.3

Assign a unique name

Click Register button

Fig.4

A summary of the newly registered app is displayed

The Object ID displayed here does not belong to the app and is not needed!

Select API permissions menu

Fig.5

Click Add a permission button

Fig.6

Select the tab APIs my organization uses

Select permission for Office 365 Exchange Online

Fig.7

Click Application permissions button

Search for imap

Checkmark IMAP.AccessAsApp

Click the Add permissions button

Fig.8

Select menu API permissions again.

Select entry Grant admin consent for [...]

Click the Yes button

Fig.9

Grant admin consent for... successfully granted

Fig.10

Menu Certificates & secrets

Tab Client secrets

Entry New Client secret

Enter unique description

Select desired duration (max. 24 months)

Click Add button

Fig.11

Note down Value, is entered as Client secret for Remote e-mail accounts and Import single mailboxes

Fig.12

Back to the dashboard, menu Azure Active Directory

Menu Enterprise applications

Fig.13

All applications menu

Select Securepoint app

Fig.14

Note down from the app properties:

Application ID, is entered as Application (Client) ID for Remote E-mail Accounts and Import Individual Mailboxes

Object ID, is required for the granting of the authorisation via Powershell

Fig.15

Open Powershell on a Windows client administrator

Install ExchangeOnlineManagement module

If there are problems installing the module or connecting, you may need to configure Powershell to TLS 1.2:
>[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

> Install-Module -Name ExchangeOnlineManagement -allowprerelease

Import ExchangeOnlineManagement and connect to Tenant:

> Import-module ExchangeOnlineManagement
> Connect-ExchangeOnline -Organization Tenant ID (See Fig.1)

Create a new service principal and assign a unique name:

> New-ServicePrincipal -DisplayName SecurepointServicePrincipal -AppId Enterprise-oApp-ooID-oooo-oooooooo -ServiceId Enterprise-oObj-ooID-oooo-oooooooo
For Enterprise-oApp-ooID-oooo-oooooooo enter the Application ID and for Enterprise-oObj-ooID-oooo-oooooooo enter the Object ID (see Fig. 14)

Then assign mailbox permissions:

> Add-MailboxPermission -Identity alice@anyideas.onmicrosoft.com -User SecurepointServicePrincipal -AccessRights FullAccess

The Microsoft servers may take up to 30 minutes before access works

The preparatory configuration of the Azure AD is now complete

Configuration in the UMA

In the setup wizard

Caption	Value	Description
Repository Type	Azure AD	Selecting Azure Active Directory as authentication source
Directory (tenant) ID:	•••••••	Directory ID (client) from the app registration in Azure AD
Application (client) ID:	•••••••	Application ID (Client ID) from the app registration in Azure AD
Secret Value:	•••••	Value of the client secret key from the Certificates & Secrets section of Azure AD
Secret ID:	•••••	New as of 3.1.3 Secret ID of the client secret key from the Certificates & Secrets section of Azure AD
Azure Cloud:	Azure Cloud Global Azure Cloud USA Azure Cloud Deutschlandnotempty Is no longer available as of UMA version 3.3.4. Microsoft has closed Azure Cloud Germany. Azure Cloud China	Selection of the Azure Cloud that hosts the AD
User authentication method	Username and Password	Logging in to the DMS is done exclusively with the data from the user accounts configured above.
	Single Sign-on	Authentication in the DMS via Microsoft Azure. The login dialog offers a button that leads to the Microsoft login. This enables e.g. two-factor authentication (2FA)
	Single Sign-on or username and Password	Authentication in the DMS using the data from the user accounts configured above or via Microsoft Azure. The login dialog offers the possibility to log in with username and password and alternatively an additional button that leads to the Microsoft Azure login.

Next		Verify the credentials and go to the next step

In the menu email accounts

Menu System Settings / Email Accounts

Caption	Value	Description	Configuration in the Admin Interface
User repository	Azure AD	Selecting Azure Active Directory as authentication source
Directory (tenant) ID:	•••••••	Directory ID (client) from the app registration in Azure AD
Application (client) ID:	•••••••	Application ID (Client ID) from the app registration in Azure AD
Secret Value:	•••••	Value of the client secret key from the Certificates & Secrets section of Azure AD
Secret ID:	•••••	New as of 3.1.3 Secret ID of the client secret key from the Certificates & Secrets section of Azure AD
Azure Cloud:	Azure Cloud Global Azure Cloud USA Azure Cloud Deutschlandnotempty Is no longer available as of UMA version 3.3.4. Microsoft has closed Azure Cloud Germany. Azure Cloud China	Selection of the Azure Cloud that hosts the AD
User authentication method	Username and Password	Logging in to the DMS is done exclusively with the data from the user accounts configured above.
	Single Sign-on	Authentication in the DMS via Microsoft Azure. The login dialog offers a button that leads to the Microsoft login. This enables e.g. two-factor authentication (2FA)
	Single Sign-on or username and Password	Authentication in the DMS using the data from the user accounts configured above or via Microsoft Azure. The login dialog offers the possibility to log in with username and password and alternatively an additional button that leads to the Microsoft Azure login.

Azure AD Settings Testing		Verifies the credentials and opens a window showing all available user accounts on the server. The lists (Public and Private) can be searched.	User accounts on the server
			User accounts on the server

Selection of individual accounts (archive only individual accounts) Selection of individual accounts (archive only individual accounts)
Activate manual selection		Selecting this option allows a limit to archiving of individual accounts When removing mail accounts from the archive, it is important to consider whether legal retention requirements are affected !

Archived user accounts Archived user accounts
Manage subscriptions		Enables read permission on public folders

Show advanced settings Other functions after activation: Edit user
Action: Move	In case of a move, the archive mailbox will be renamed and/or the type will be changed. The purpose of this is, for example, to allow access to archive folders whose owners have been made inactive or deleted in AD: A private archive is changed to public. Afterwards the archive can be made accessible to an active user under Manage subscriptions.		Dialog Edit user
	New name:	New archive name. If the username is not changed in the Azure AD, direct access to the archive is no longer possible
	New type:	User mailbox type: private or public
	Reason:	The reasoning is recorded in the log and remains visible for an unlimited period of time

Action: Merge	Transfers the archived mails of one archive account to another archive account If the user account still exists unchanged in the Azure AD, new incoming mails are received in the original archive again		Merging of user accounts
	Data transferred to:	type/target account User account to which the mails are to be transferred
	Reason:	The reasoning is recorded in the log and remains visible for an unlimited period of time

Delete		When deleting mail accounts from the archive, it must be noted whether legal regulations for retention are affected! In order to prevent unintentional or incorrect deletions, the administrator password must also be entered.	Dialog Delete user Check admin password

LDAP search settings LDAP search settings
Referrals		LDAP-Referrals provides a reference to an alternate location where an LDAP request can be processed. Enabling this is only useful in extremely rare cases and should usually be avoided.	LDAP search settings

Troubleshooting

Error messages when testing Azure AD settings:

Error message	Description
Insufficient privileges to complete the operation.	In this case, make sure that all Permissions have been set correctly
The requested user is invalid.	Self-explanatory. User names must exist and be permissible. Not allowed is for example: '@ttt-point.onmicrosoft.com
To many requests were made. Please try again later.	Throttling. Happens rarely to never. The Microsoft Graph API can handle a lot of requests in a short time. If not, it helps to wait a bit.
Unlicensed user. Mails will not get delivered until there has been a valid license assigned.	Occurs when the queried account does not have a valid license. This results in the mailboxSettings attribute not being able to be queried. This is necessary to check whether the account is a shared mailbox. If the attribute cannot be queried, it is uncertain whether the account must be archived as public or private.
An unknown error occurred.	This is the fallback if the error could not be identified. This happens rarely. The Microsoft Graph API does not send a valid json in incredibly rare situations. Please try again.

Requirements

Azure AD configuration

Configuration in the UMA

In the setup wizard

In the menu email accounts

Selection of individual accounts (archive only individual accounts)

Archived user accounts

LDAP search settings

Troubleshooting