Configuration in Azure AD to be able to access its users with the UMA
Last adaptation to the version: 3.2 (11.2021)
New: Client secret ID from Azure AD required
This article refers to a Resellerpreview
Requirements
Users in Azure AD with mail addresses to be archived
Azure AD configuration
The following steps are necessary:
In Azure AD, the Securepoint UMA NG must be registered as a new app
The following permissions are required:
MS-Graph / Delegated Permission:
User.Read (should already exist as default permission)
MS-Graph / Application Permissions:
Group.Read.All
MailboxSettings.Read
User.Read.All
Application.Read.All
A client secret must be added to the app
In order to archive additional mail addresses besides the original Microsoft Azure email address, these must be stored in the user profile in the Azure Active Directory in the section Contact information as Alternative email address.
The user then logs in to the Securepoint UMA NG with the user principal name (UPN) and the corresponding password from Azure AD.
Option: Only accounts in this organizational directory (single tenant)
A redirection URI is not required
Button Register
The following values are required later in the Securepoint UMA:
Application ID (Client ID)
Directory ID (tenant)
Client Secret ID
Selection menu API permissions
Button + Add Permission
The permission User.Read of type Delegated permission should already be entered as default permission
Button Microsoft Graph
Button Application permissions
Mark API permission Group.Read.All
The search bar can be used to narrow down the display of permissions. This lets you find the permission you need faster.
Mark API permission MailboxSettings.Read
The previously marked permission remains marked even if it is no longer displayed by another term in the search bar
Mark API permission User.Read.All
Button Add permissions
Mark API permission Application.Read.All (new as of 3.1.3)
Button Add permissions
If the app previously worked without Global Admin consent, that consent is now required
Grant admin consent
Configured API permissions
Menu Certificates & secrets
Button + New client secret
Assign a unique name
Select the desired validity period. The client secret must be renewed before it expires: after the validity period ends, emails are no longer delivered to the UMA and users of the UMA DMS can no longer be authenticated by Azure AD.
Button Add
The client secret is displayed in the Value column
The client secret ID is displayed in the Secret ID column
The client secret value is not displayed again later and must therefore be saved elsewhere. New as of 3.1.3: both values are required for the configuration in the Securepoint UMA.
The preparatory configuration of the Azure AD is now complete
Configuration in the UMA
In the setup wizard
Figure: Azure AD credentials in step 3 of the setup wizard
Caption | Value | Description
Repository Type | Azure AD | Selects Azure Active Directory as authentication source
Mandant: | ••••••• | Directory ID (tenant) from the app registration in Azure AD
Client-ID: | ••••••• | Application ID (Client ID) from the app registration in Azure AD
Client-Secret: | ••••• | Value of the client secret from the Certificates & secrets section of Azure AD
Client-Secret-ID: | ••••• | Secret ID of the client secret from the Certificates & secrets section of Azure AD (new as of 3.1.3)
Azure Cloud: | Azure Cloud Global / Azure Cloud USA / Azure Cloud Deutschland / Azure Cloud China | Selection of the Azure Cloud that hosts the AD
Next | | Verifies the credentials and goes to the next step
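As an added example (not code from Securepoint or the UMA), the following Python script shows what the credential check behind the dialog above has to obtain: it builds the OAuth 2.0 client-credentials token request for the selected Azure Cloud from the Mandant, Client-ID and Client-Secret values, and compares the roles claim of the returned access token with the four application permissions required above, which is the quickest way to explain the "Insufficient privileges to complete the operation." message from the troubleshooting section. The tenant, client and token values are constructed placeholders; the endpoints and the roles claim are standard Azure AD behaviour, while the exact request the UMA sends is an assumption.

```python
import base64
import json
from urllib.parse import urlencode

# Application permissions the article requires for the UMA app registration
REQUIRED_ROLES = {"Group.Read.All", "MailboxSettings.Read",
                  "User.Read.All", "Application.Read.All"}

# Authority and Graph host behind the four "Azure Cloud" choices of the UMA dialog
CLOUDS = {
    "Azure Cloud Global": ("https://login.microsoftonline.com", "https://graph.microsoft.com"),
    "Azure Cloud USA": ("https://login.microsoftonline.us", "https://graph.microsoft.us"),
    "Azure Cloud Deutschland": ("https://login.microsoftonline.de", "https://graph.microsoft.de"),
    "Azure Cloud China": ("https://login.chinacloudapi.cn", "https://microsoftgraph.chinacloudapi.cn"),
}


def token_request(cloud, tenant_id, client_id, client_secret):
    """Return (url, form body) of the client-credentials request built from the dialog values."""
    authority, graph = CLOUDS[cloud]
    url = f"{authority}/{tenant_id}/oauth2/v2.0/token"  # tenant_id = Mandant (Directory ID)
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,          # Application ID (Client ID)
        "client_secret": client_secret,  # Value of the client secret, not its Secret ID
        "scope": f"{graph}/.default",    # application permissions are requested via /.default
    })
    return url, body


def _jwt_payload(token):
    """Decode a JWT payload without verifying it; only for reading the granted roles locally."""
    part = token.split(".")[1]
    part += "=" * (-len(part) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(part))


def missing_roles(access_token):
    """Required application permissions absent from the token's 'roles' claim.
    Anything listed here is not granted (or lacks admin consent) and makes the
    Graph calls fail with 'Insufficient privileges to complete the operation.'"""
    granted = set(_jwt_payload(access_token).get("roles", []))
    return sorted(REQUIRED_ROLES - granted)


def constructed_token(roles):
    """Unsigned sample token for the offline demo; constructed, NOT issued by Azure AD."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "none"})
    payload = enc({"aud": "https://graph.microsoft.com", "roles": roles})
    return f"{header}.{payload}."
```

Call missing_roles() on the access token returned by the endpoint from token_request(); an empty list means all four application permissions are granted for this tenant.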
In the menu Email Accounts
Menu System Settings / Email Accounts
Figure: Configuration in the Admin Interface
Caption | Value | Description
User repository | Azure AD | Selects Azure Active Directory as authentication source
Mandant: | ••••••• | Directory ID (tenant) from the app registration in Azure AD
Client-ID: | ••••••• | Application ID (Client ID) from the app registration in Azure AD
Client-Secret: | ••••• | Value of the client secret from the Certificates & secrets section of Azure AD
Client-Secret-ID: | ••••• | Secret ID of the client secret from the Certificates & secrets section of Azure AD (new as of 3.1.3)
Azure Cloud: | Azure Cloud Global / Azure Cloud USA / Azure Cloud Deutschland / Azure Cloud China | Selection of the Azure Cloud that hosts the AD
Test Azure AD settings | | Verifies the credentials and opens a window showing all available user accounts on the server. The lists (Public and Private) can be searched.
Figure: User accounts on the server
Figure: Selection of individual accounts (archive only individual accounts)
Activate manual selection | | Selecting this option allows archiving to be limited to individual accounts. When removing mail accounts from the archive, it is important to consider whether legal retention requirements are affected!
Figure: Archived user accounts
Manage subscriptions | | Enables read permission on public folders
Show advanced settings | | Other functions after activation:
Edit user | Action: Move | In case of a move, the archive mailbox is renamed and/or its type is changed. The purpose is, for example, to allow access to archive folders whose owners have been made inactive or deleted in AD: a private archive is changed to public. Afterwards the archive can be made accessible to an active user under Manage subscriptions.
Figure: Dialog Edit user
New name: | | New archive name. If the username is not changed in the Azure AD, direct access to the archive is no longer possible
New type: | | User mailbox type: private or public
Reason: | | The reason is recorded in the log and remains visible for an unlimited period of time
Edit user | Action: Merge | Transfers the archived mails of one archive account to another archive account. If the user account still exists unchanged in the Azure AD, new incoming mails are received in the original archive again
Figure: Merging of user accounts
Data transferred to: | type/target account | User account to which the mails are to be transferred
Reason: | | The reason is recorded in the log and remains visible for an unlimited period of time
Delete | | When deleting mail accounts from the archive, it must be checked whether legal retention regulations are affected! To prevent unintentional or incorrect deletions, the administrator password must also be entered.
Figure: Dialog Delete user (check admin password)
LDAP search settings
Figure: LDAP search settings
Referrals | | LDAP referrals provide a reference to an alternate location where an LDAP request can be processed. Enabling this is only useful in extremely rare cases and should usually be avoided.
Troubleshooting
Error messages when testing Azure AD settings:
Error message | Description
Insufficient privileges to complete the operation. | Make sure that all permissions have been set correctly
The requested user is invalid. | Self-explanatory: user names must exist and be permissible. Not allowed is, for example: '@ttt-point.onmicrosoft.com
To many requests were made. Please try again later. | Throttling. Happens rarely to never. The Microsoft Graph API can handle a lot of requests in a short time; if not, it helps to wait a bit.
Unlicensed user. Mails will not get delivered until there has been a valid license assigned. | Occurs when the queried account does not have a valid license. The mailboxSettings attribute then cannot be queried, which is necessary to check whether the account is a shared mailbox. If the attribute cannot be queried, it is uncertain whether the account must be archived as public or private.
An unknown error occured. | Fallback if the error could not be identified. This happens rarely: in extremely rare situations the Microsoft Graph API does not return valid JSON. Please try again.