notempty
notempty
notempty Dieser Artikel bezieht sich auf eine nicht mehr aktuelle Version!
notempty
Der Artikel für die neueste Version steht hier
Zu diesem Artikel gibt es bereits eine neuere Version, die sich allerdings auf eine Reseller-Preview bezieht
Configuration in Azure AD to be able to access its users with the UMA
Last adaptation to the version: 3.2 (11.2021)
New:
- Client secret ID from Azure AD required
notempty
This article refers to a Resellerpreview
-
Requirements
- Users in Azure AD with mail addresses to be archived
Azure AD configuration
The following steps are necessary:
- In Azure AD, the Securepoint UMA NG must be registered as a new app
- The following permissions are required:
- MS-Graph / Delegated Permission:
- User.Read (should already exist as default permission)
- MS-Graph / Application Permissions:
- Group.Read.All
- MailboxSettings.Read
- User.Read.All
- Application.Read.All
- MS-Graph / Delegated Permission:
- A Secret Client Key must be added to the app
- In order to archive additional mail addresses besides the original Microsoft Azure email address, these must be stored in the user profile in the Azure Active Directory in the section Contact information as Alternative email address.
The login of the user in the Securepoint UMA NG is then done with the user principal name (user pricipal name) and the corresponding password from Azure AD.
- Calling the Azure Dashboard or the Microsoft 365 Portal
- Menu Azure Active Directory
Menu App registrations
Button + New registration
- Assigning unique name
- Option Only accounts in this organization directory (single client)
- A redirection URI is not required
- Button Register
- The following values are required later in the Securepoint UMA:
- Application ID (Client ID)
- Directory ID (client)
- Client Secret ID
- Selection menu API permissions
- Button + Add Permission
- The permission User.Read of type Delegated permission should already be entered as default permission
- Button Microsoft Graph
- Application Permissions button
- Mark API permission Group.Read.All
This lets you find the permission you need faster.
- Mark API permission MailboxSettings.Read
- Mark API permission User.Read.All
- button Add permissions
- Check API permission Application.Read.All New as of 3.1.3
- Button Add permissions
- Grant administrator authorization
- Configured API permissions
- Menu Certificates & Secrets
- Button + New secret client key
- Assigning unique name
- Selecting desired validity period
The Secret client Key must be renewed in a timely manner. After the validity period expires, emails will no longer be delivered to the UMA and users of the UMA DMS will no longer be able to be authenticated by Azure AD. - Button Add
- The Client Secret is displayed in the Value column
- The Client ID is displayed in the column Secret ID
New as of 3.1.3 Both values are required for configuration in the Securepoint UMA.
- In order to archive additional mail addresses besides the original Microsoft Azure email address, these must be stored in the user profile in the Azure Active Directory in the section Contact information as Alternative email address.
The login of the user in the Securepoint UMA NG is then done with the user principal name (user pricipal name) and the corresponding password from Azure AD.
The preparatory configuration of the Azure AD is now complete
Configuration in the UMA
In the setup wizard
| Caption | Value | Description |  |
|---|---|---|---|
| Repository Type | Azure AD | Selecting Azure Active Directory as authentication source | |
| Mandant: | ••••••• | Directory ID (client) from the app registration in Azure AD | |
| Client-ID: | ••••••• | Application ID (Client ID) from the app registration in Azure AD | |
| Client-Secret: | ••••• | Value of the client secret key from the Certificates & Secrets section of Azure AD | |
| Client-Secret-ID: | ••••• | New as of 3.1.3 Secret ID of the client secret key from the Certificates & Secrets section of Azure AD | |
| Azure Cloud: | Azure Cloud Global |
Selection of the Azure Cloud that hosts the AD | |
| Verify the credentials and go to the next step | |||
Menu System Settings / Email Accounts
| Caption | Value | Description |  |
|---|---|---|---|
| User repository | Azure AD | Selecting Azure Active Directory as authentication source | |
| Mandant: | ••••••• | Directory ID (client) from the app registration in Azure AD | |
| Client-ID: | ••••••• | Application ID (Client ID) from the app registration in Azure AD | |
| Client-Secret: | ••••• | Value of the client secret key from the Certificates & Secrets section of Azure AD | |
| Client-Secret-ID: | ••••• | New as of 3.1.3 Secret ID of the client secret key from the Certificates & Secrets section of Azure AD | |
| Azure Cloud: | Azure Cloud Global |
Selection of the Azure Cloud that hosts the AD | |
| Verifies the credentials and opens a window showing all available user accounts on the server. The lists (Public and Private) can be searched. |  | ||
Selection of individual accounts (archive only individual accounts) Selection of individual accounts (archive only individual accounts)
| |||
| Activate manual selection | Selecting this option allows a limit to archiving of individual accounts |
 | |
Archived user accounts Archived user accounts
| |||
Manage subscriptions
|
Enables read permission on public folders  |
 | |
| Show advanced settings Other functions after activation: Edit user
| |||
| Action: Move |
In case of a move, the archive mailbox will be renamed and/or the type will be changed. The purpose of this is, for example, to allow access to archive folders whose owners have been made inactive or deleted in AD: A private archive is changed to public. Afterwards the archive can be made accessible to an active user under Manage subscriptions. |  | |
| New name: | New archive name. If the username is not changed in the Azure AD, direct access to the archive is no longer possible | ||
| New type: | User mailbox type: private or public | ||
| Reason: | The reasoning is recorded in the log and remains visible for an unlimited period of time | ||
| Action: Merge |
Transfers the archived mails of one archive account to another archive account |
 | |
| Data transferred to: | User account to which the mails are to be transferred | ||
| Reason: | The reasoning is recorded in the log and remains visible for an unlimited period of time | ||
| Delete | When deleting mail accounts from the archive, it must be noted whether legal regulations for retention are affected! In order to prevent unintentional or incorrect deletions, the administrator password must also be entered. |
  | |
LDAP search settings LDAP search settings
| |||
| Referrals | LDAP-Referrals provides a reference to an alternate location where an LDAP request can be processed. Enabling this is only useful in extremely rare cases and should usually be avoided. |
 | |
|
| |||
Troubleshooting
Error messages when testing Azure AD settings:
| Error message | Description |
|---|---|
| Insufficient privileges to complete the operation. | In this case, make sure that all Permissions have been set correctly |
| The requested user is invalid. | Self-explanatory. User names must exist and be permissible. Not allowed is for example: '@ttt-point.onmicrosoft.com |
| To many requests were made. Please try again later. | Throttling. Happens rarely to never. The Microsoft Graph API can handle a lot of requests in a short time. If not, it helps to wait a bit. |
| Unlicensed user. Mails will not get delivered until there has been a valid license assigned. | Occurs when the queried account does not have a valid license. This results in the mailboxSettings attribute not being able to be queried. This is necessary to check whether the account is a shared mailbox. If the attribute cannot be queried, it is uncertain whether the account must be archived as public or private. |
| An unknown error occured. | This is the fallback if the error could not be identified. This happens rarely. The Microsoft Graph API does not send a valid json in incredibly rare situations. Please try again. |