
Configuration in Azure AD to be able to access its users with the UMA

New

  • Client secret ID from Azure AD required



Last adaptation to the version: 3.2 (11.2021)




Requirements

  • Users in Azure AD with mail addresses to be archived

Azure AD configuration

The following steps are necessary:

  • In Azure AD, the Securepoint UMA NG must be registered as a new app
  • The following permissions are required:

    • MS-Graph / Delegated Permission:
      • User.Read (should already exist as default permission)
    • MS-Graph / Application Permissions:
      • Group.Read.All
      • MailboxSettings.Read
      • User.Read.All
      • Application.Read.All
  • A client secret must be added to the app
  • In order to archive additional mail addresses besides the original Microsoft Azure email address, these must be stored in the user profile in Azure Active Directory under Contact information as Alternative email address.

    Users then log in to the Securepoint UMA NG with their user principal name (UPN) and the corresponding password from Azure AD.
UMA v3.1 Azure Dashboard.png
UMA v3.1 Azure AD App-Registrierungen.png
  • Menu App registrations
UMA v3.1 Azure AD Neue Registrierung.png
  • Button + New registration
UMA v3.1 Azure AD Anwendung registrieren.png
  • Assign a unique name
  • Option Accounts in this organizational directory only (single tenant)
  • A redirect URI is not required
  • Button Register
UMA v3.1 Azure AD API Berechtigungen.png
  • The following values are required later in the Securepoint UMA:
    • Application ID (Client ID)
    • Directory ID (client)
    • Client Secret ID
  • Selection menu API permissions
UMA v3.1 Azure AD API Berechtigungen hinzufügen.png
  • Button + Add permission
  • The permission User.Read of type Delegated permission should already be entered as default permission.
UMA v3.1 Azure AD API Berechtigungen MS Graph.png
  • Button Microsoft Graph
UMA v3.1 Azure AD API Anwendungsberechtigungen.png
  • Button Application permissions
UMA v3.1 Azure AD API Anwendungsberechtigung GroupReadAll.png
  • Mark API permission Group.Read.All
  • The search bar can be used to narrow down the list of permissions, which makes the required permission faster to find.
UMA v3.1 Azure AD API Anwendungsberechtigung MailboxSettingsRead.png
  • Mark API permission MailboxSettings.Read
  • A previously marked permission stays marked even if it is no longer displayed because a different term has been entered in the search bar.
UMA v3.1 Azure AD API Anwendungsberechtigung UserReadAll.png
  • Mark API permission User.Read.All
  • Button Add permissions
UMA v3.1.3 Azure AD Anwendungsberechtigung Application.read.all.png
  • Mark API permission Application.Read.All (new as of 3.1.3)
  • Button Add permissions
UMA v3.1 Azure AD API Anwendungsberechtigung Administratorzustimmung.png
  • Even if the previous steps could be carried out without Global Administrator rights, granting admin consent for the application permissions now requires them.
UMA v3.1 Azure AD API Anwendungsberechtigung Administratorzustimmung Ja.png
  • Grant admin consent
UMA v3.1.3 Azure AD API Anwendungsberechtigungen konfiguriert.png
  • Configured API permissions
UMA v3.1 Azure AD Zertifikate.png
  • Menu Certificates & secrets
UMA v3.1 Azure AD Neuer Geheimer Clientschlüssel.png
  • Button + New client secret
UMA v3.1 Azure AD Geheimen Clientschlüssel hinzufügen.png
  • Assign a unique name
  • Select the desired validity period
    The client secret must be renewed before it expires. Once the validity period has ended, emails are no longer delivered to the UMA and users of the UMA DMS can no longer be authenticated by Azure AD.
  • Button Add
UMA v3.1.3 Azure AD Geheimer Clientschlüssel.png
  • The Client Secret is displayed in the Value column
  • The Client Secret ID is displayed in the Secret ID column
  • The Client Secret value is not displayed again later and must therefore be saved elsewhere.
    New as of 3.1.3: both values are required for the configuration in the Securepoint UMA.
UMA v3.1 Azure Benutzer Prinzipal AltMail.png
  • In order to archive additional mail addresses besides the original Microsoft Azure email address, these must be stored in the user profile in Azure Active Directory under Contact information as Alternative email address.

    Users then log in to the Securepoint UMA NG with their user principal name (UPN) and the corresponding password from Azure AD.




The preparatory configuration of the Azure AD is now complete.



Configuration in the UMA

In the setup wizard

UMA v3.1.3 Einrichtungsassistent Schritt 3.png
Azure AD credentials in step 3 of the setup wizard

  • Repository Type: Azure AD
    Selecting Azure Active Directory as authentication source
  • Mandant: •••••••
    Directory ID (client) from the app registration in Azure AD
    UMA v3.1 Azure AD App-IDs.png
  • Client-ID: •••••••
    Application ID (Client ID) from the app registration in Azure AD
  • Client-Secret: •••••
    Value of the client secret from the Certificates & secrets section of Azure AD
  • Client-Secret-ID: •••••
    New as of 3.1.3: Secret ID of the client secret from the Certificates & secrets section of Azure AD
  • Azure Cloud: Azure Cloud Global / Azure Cloud USA / Azure Cloud Deutschland / Azure Cloud China
    Selection of the Azure Cloud that hosts the AD
  • Next: verify the credentials and go to the next step


In the menu email accounts

Menu System Settings / Email Accounts

UMA v3.1.3 System-Einstellungen E-Mail Konten AzureAD.png
Configuration in the Admin Interface

  • User repository: Azure AD
    Selecting Azure Active Directory as authentication source
  • Mandant: •••••••
    Directory ID (client) from the app registration in Azure AD
    UMA v3.1 Azure AD App-IDs.png
  • Client-ID: •••••••
    Application ID (Client ID) from the app registration in Azure AD
  • Client-Secret: •••••
    Value of the client secret from the Certificates & secrets section of Azure AD
  • Client-Secret-ID: •••••
    New as of 3.1.3: Secret ID of the client secret from the Certificates & secrets section of Azure AD
  • Azure Cloud: Azure Cloud Global / Azure Cloud USA / Azure Cloud Deutschland / Azure Cloud China
    Selection of the Azure Cloud that hosts the AD
  • Azure AD Settings: Testing
    Verifies the credentials and opens a window showing all available user accounts on the server. The lists (Public and Private) can be searched.
    UMA v3.1 System-Einstellungen E-Mail Konten AzureAD Testen.png
    User accounts on the server

Selection of individual accounts (archive only individual accounts)
  • Activate manual selection: selecting this option limits archiving to individually chosen accounts
  • When removing mail accounts from the archive, it is important to consider whether legal retention requirements are affected!
UMA 3.2 Konten AD Auswahl einzelner Konten-en.png

Archived user accounts
  • Manage subscriptions: enables read permission on public folders
    UMA 3.2 Konten AD Abonnements verwalten-en.png
UMA 3.2 Konten AD Archivierte Benutzerkonten-en.png
  • Show advanced settings: other functions available after activation:
    • Edit user
      Action: Move
      In case of a move, the archive mailbox is renamed and/or its type is changed. The purpose of this is, for example, to allow access to archive folders whose owners have been deactivated or deleted in AD: a private archive is changed to public. Afterwards the archive can be made accessible to an active user under Manage subscriptions.
      UMA 3.2 Konten AD Benutzer bearbeiten-en.png
      Dialog Edit user
      • New name: new archive name. If the user name is not also changed in Azure AD, direct access to the archive is no longer possible
      • New type: user mailbox type, private or public
      • Reason: the reason is recorded in the log and remains visible for an unlimited period of time
      Action: Merge
      Transfers the archived mails of one archive account to another archive account
      • If the user account still exists unchanged in Azure AD, new incoming mails are again received in the original archive
      UMA v3.2 Benutzer Zusammenführen-en.png
      Merging of user accounts
      • Data transferred to: type/target account. User account to which the mails are to be transferred
      • Reason: the reason is recorded in the log and remains visible for an unlimited period of time
    • Delete
      When deleting mail accounts from the archive, it must be checked whether legal retention regulations are affected!
      To prevent unintentional or incorrect deletions, the administrator password must also be entered.
      UMA 3.2 Konten AD Benutzer löschen-en.png
      Dialog Delete user
      UMA 3.2 Konten AD Admin-Passwort-en.png
      Check admin password

LDAP search settings
  • Referrals: LDAP referrals provide a reference to an alternate location where an LDAP request can be processed.
    Enabling this is only useful in extremely rare cases and should usually be avoided.
UMA v3.2 Konten LDAP Sucheinstellungen-en.png
LDAP search settings

Troubleshooting

Error messages when testing the Azure AD settings:

  • Insufficient privileges to complete the operation.
    Make sure that all permissions have been set correctly.
  • The requested user is invalid.
    Self-explanatory: user names must exist and be permissible. Not allowed is, for example: '@ttt-point.onmicrosoft.com
  • To many requests were made. Please try again later.
    Throttling. Happens rarely to never: the Microsoft Graph API can handle a lot of requests in a short time. If it does occur, waiting a bit helps.
  • Unlicensed user. Mails will not get delivered until there has been a valid license assigned.
    Occurs when the queried account does not have a valid license. As a result the mailboxSettings attribute cannot be queried, which is necessary to check whether the account is a shared mailbox. If the attribute cannot be queried, it is uncertain whether the account must be archived as public or private.
  • An unknown error occured.
    This is the fallback when the error could not be identified. It happens rarely: in very rare situations the Microsoft Graph API does not return valid JSON. Please try again.
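As an added example (not part of the Securepoint documentation or the UMA), the following Python script checks the two configuration problems behind the "Insufficient privileges" message above and the client-secret expiry described in the Azure AD section: it decodes a Graph access token obtained with the app registration's client credentials and lists which of the four required application permissions are missing from its roles claim, and it classifies how much validity the client secret has left. The sample token is constructed inline; the token endpoint and form fields are the standard Azure AD v2.0 client-credentials ones, and the function names are this example's own.

```python
import base64
import json
from datetime import date

# Application permissions the page requires for the UMA app registration
REQUIRED_APP_ROLES = {"Group.Read.All", "MailboxSettings.Read",
                      "User.Read.All", "Application.Read.All"}
GRAPH_SCOPE = "https://graph.microsoft.com/.default"

def token_request(tenant_id, client_id, client_secret):
    """Endpoint and form body of the standard Azure AD v2.0 client-credentials
    request; tenant_id is the Directory ID and client_id the Application ID."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": GRAPH_SCOPE}
    return url, body

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def missing_app_roles(access_token):
    """Required Graph application permissions absent from the token's 'roles'
    claim. Only the payload is decoded; the signature is not verified here,
    since this is a configuration check, not an authentication step."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return REQUIRED_APP_ROLES - set(payload.get("roles", []))

def secret_expiry_state(end_date_iso, today_iso, warn_days=30):
    """Classify the client secret's validity (ISO dates). After expiry, mail is
    no longer delivered to the UMA and Azure AD logins fail, so renew early."""
    remaining = (date.fromisoformat(end_date_iso) - date.fromisoformat(today_iso)).days
    if remaining < 0:
        return "expired"
    return "renew-soon" if remaining <= warn_days else "ok"

def make_unsigned_token(payload):
    """Constructed sample token (alg=none, empty signature) for offline use only."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(payload)}."

if __name__ == "__main__":
    # Constructed token: admin consent was granted for only two of the four roles
    sample = make_unsigned_token({"aud": "https://graph.microsoft.com",
                                  "roles": ["User.Read.All", "Group.Read.All"]})
    print("missing roles:", sorted(missing_app_roles(sample)))
    print("secret state:", secret_expiry_state("2022-05-01", "2022-04-15"))
```

With a real token, pass the access_token string returned by the endpoint from token_request() to missing_app_roles(); an empty result means admin consent covers all four permissions.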