Salesforce

[en] Configuring Microsoft Exchange Email Accounts

Printable View
« Go Back
Information
[en] Configuring Microsoft Exchange Email Accounts
UUID-e7279c14-3e05-eec5-7c50-bc74e765be98
Article Content

[en] Modern authentication is a method of identity management that offers more secure user authentication and authorization between a client and a server. Within a single OneTrust account, Microsoft can support either basic authentication or modern authentication, but not both simultaneously. OneTrust therefore recommends configuring Microsoft Exchange email accounts for modern authentication. If using modern authentication, the following procedures must be completed to successfully set up configuration between your Microsoft Exchange email account and the OneTrust application.

Nota

[en] This article offers general guidance for setting up Microsoft Exchange Online. Links to Microsoft’s documentation are referenced throughout this article for additional information. Questions specific to your Microsoft account should be directed to Microsoft.

[en] In order to configure Microsoft Exchange Email Accounts using modern authentication, each of the following steps must be completed.

[en] Prerequisites

[en] The following steps must be completed before beginning configuration in Azure Active Directory (Azure AD) and the OneTrust application.

[en] Enable modern authentication in Exchange Online

[en] To begin setting up configuration between your Microsoft Exchange email account and the OneTrust application, you will need to ensure that modern authentication is enabled in Exchange Online. Complete the Enable or disable modern authentication in Exchange Online for client connections in Outlook 2013 or later procedure in this Microsoft article and run the command to enable modern authentication connections.

[en] Disable basic authentication in Exchange Online

[en] Within a single OneTrust account, Microsoft can support either basic authentication or modern authentication, but not both simultaneously. Since OneTrust recommends configuring Microsoft Exchange email accounts for modern authentication, it is also recommended to disable basic authentication. For more information on this process, see this Microsoft article.

[en] Step 1: Register an Application in Azure AD

[en] Once the prerequisites above are complete, you can begin setting up the configuration in Azure AD. You will need register an application using the following steps.

Nota

[en] For more information on this process, see Microsoft's Quickstart: Register an application with the Microsoft identity platform article.

  1. [en] Log in to your Azure AD account and navigate to the Azure AD Portal by clicking Portal on the main navigation menu.

    Azure_AD_-_Portal.png

  2. [en] Click the View button under the Manage Azure Active Directory tile.

    Manage_Azure_Active_Directory.png

    [en] The Overview screen for your account appears.

    Azure_Home_screen.png

  3. [en] On the main navigation menu, click App Registrations. The App registrations screen appears.

    Azure_AD_-_App_Registrations.png

  4. [en] Click the New registration button. The Register an application screen appears. Complete the fields, as necessary. For more information, you can find a detailed description of the entries required for each field in the following table.

    Azure_AD_-_Register_an_application.png

    [en] Field

    [en] Description

    [en] Name

    [en] Enter a name for the application you are registering.

    [en] Supported account types

    [en] Select the Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) option.

  5. [en] Click the Register button. Once complete, the screen will refresh titled with the name you defined in the step above. On this screen, you'll find the application details within the Essentials section. The Application (client) ID field and the Directory (tenant) ID field will be used in the Configure the Microsoft Exchange Account in the OneTrust Application step below.

    Azure_AD_-_Registration_Details.png

[en] Step 2: Define API Permissions in Azure AD

[en] Next you'll define the API permissions for the application you registered.

Nota

[en] For more information on this process, see Microsoft's Microsoft Graph permissions reference article.

  1. [en] On the main navigation menu, click API Permissions. The API Permissions screen appears.

    Azure_AD_-_API_Permissions.png

  2. [en] In the Configured permissions section, click the Add a permission button. The Request API permissions pane appears.

    Azure_AD_-_Microsoft_Graph.png

  3. [en] Select Microsoft Graph. The What type of permissions does your application require field appears.

    Azure_AD_-_Request_API_permissions.png

  4. [en] Select Delegated permissions. Then search for and add the User.Read permission.

    Azure_AD_-_Select_permissions.png

  5. [en] Select Application permissions. Then search for and add the Mail.Send permission.

    Nota

    [en] For more information on this permission, see Microsoft's Send mail article.

    Azure_AD_-_Application_permissions.png

  6. [en] Click the Add permissions button. The permissions are visible in the Configured permissions section.

    Azure_AD_-_Configured_permissions.png

  7. [en] Click the Grant admin consent button. A confirmation modal appears.

    Azure_AD_-_Grant_consent_confirmation.png

  8. [en] Click the Yes button. A confirmation notification will appear when complete.

[en] Step 3: Create a Client Secret in Azure AD

[en] Now you'll create a Client Secret Key that you'll use when setting up the Microsoft Exchange email account in the OneTrust application.

  1. [en] On the main navigation menu, select Certificates & secrets. The Certificates & secrets screen appears.

    Azure_AD_-_Certificates___secrets.png

  2. [en] Click the New client secret button. The Add a client secret pane appears, where you'll enter a description for the client secret and an expiration.

    Azure_AD_-_Add_a_client_secret.png

  3. [en] Click the Add button. The client secret you created will appear in the Client secrets section with the Client Secret in the Value column.

    Aviso

    [en] The Client Secret details should be saved to a secure location. The Client Secret will be used to set up configuration in the OneTrust application. The Client Secret will not be able to be retrieved once lost and a new secret key will need to be generated.

    Azure_AD_-_Client_secret.png

[en] Step 4: Create a Service Account and Mail-Enabled Security Group in Azure AD

[en] Once you've registered the application in the Azure AD Portal, you'll then need to create a service account and a mail-enabled security group in Azure AD.

Nota

[en] The service account will require a mailbox license.

[en] To create a service account

  1. [en] Navigate back to the Overview screen for your Azure AD account.

    Azure_Home_screen.png

  2. [en] On the main navigation menu, select Users. The All users (Preview) screen appears.

    Azure_AD_-_All_users_preview.png

  3. [en] Click the New user button and complete the fields on the New user screen, as necessary.

  4. [en] Click the Create button to finish creating the service account.

[en] To create a Mail-Enabled Security Group

  1. [en] On the main navigation menu, select Groups. The All groups screen appears.

    Azure_AD_-_All_groups.png

  2. [en] Click the New group button. The New Group screen appears.

    Azure_AD_-_New_Group_screen.png

    [en] Field

    [en] Description

    [en] Group type

    [en] Select Mail-enabled securityy.

    [en] Group name

    [en] Enter a name for the security group.

    [en] Group description

    [en] Enter a description for the security group, if needed.

    [en] Membership type

    [en]Assigned is selected by default, but can be changed based on the needs of your organization.

    [en] Members

    [en] Click the link in the Members field. On the Add members pane, search for and select the service account that you created in the procedure above. Then click the Select button. The selected service account appears in the Members field.

  3. [en] Click the Create button to finish creating the mail-enabled security group.

[en] Step 5: Create an Authentication Policy and Assign it to the Service Account

[en] Next you'll create an authentication policy via PowerShell and then assign the policy to the service account you created above.

Nota

[en] For more information on this process, see Microsoft's Disable Basic authentication in Exchange Online article.

[en] To create an authentication policy

  1. [en] Connect to Exchange Online PowerShell.

    Nota

    [en] For more information, see Microsoft's Connect to Exchange Online PowerShell article.

  2. [en] Run the following command in PowerShell, replacing <PolicyName> with the name for your authentication policy.

    New-AuthenticationPolicy -Name "<PolicyName>"

    [en] The following is an example command to create an authentication policy named Block Basic Auth.

    New-AuthenticationPolicy -Name "Block Basic Auth"

[en] To assign the authentication policy to the service account

  • [en] Run the following command in PowerShell, replacing <User Identity> with the service account you created in Step 4 and <PolicyName> with the name you defined for your authentication policy.

    Set-User -Identity <UserIdentity> -AuthenticationPolicy "<PolicyName>"

    [en] The following is an example command to assign the authentication policy Block Basic Auth to the user account rwest@gilberthughes.com.

    Set-User -Identity rwest@gilberthughes.com -AuthenticationPolicy "Block Basic Auth"

    Nota

    [en] Assigning the authentication policy to the service account may take up to 24 hours to take effect.

[en] Step 6: Configure an Application Access Policy

[en] Now you'll configure an application access policy and limit the scope of application permissions. To do this, you will need the Application (client) ID and the mail-enabled security group that you created. Then complete the Configure Application Access Policy procedure in Microsoft's Scoping application permissions to specific Exchange Online mailboxes article.

[en] Step 7: Configure the Microsoft Exchange Account in the OneTrust Application

[en] After you've finished configuring the necessary settings in Azure AD and PowerShell, you can complete the Microsoft Exchange email account setup in the OneTrust application.

  1. [en] Click the gear icongear-icon_global-settings.png in the upper right-hand corner to access Global Settings.

  2. [en] On the Global Settings menu, select Email and Branding > Email Settings. The Email Settings screen appears.

  3. [en] On the Accounts tab, click the Add button. The New Email Account screen appears.

    New_Email_Account_-_MS_Exchange.png

  4. [en] Select Microsoft Exchange. Then click the Next button.

  5. [en] Configure the fields, as needed. For more information, you can find a detailed description of the entries required for each field in the following table.

    Account_Details_-_MS_Exchange.png

    [en] Field

    [en] Description

    [en] Account Name

    [en] Enter a name to identify the Microsoft Exchange email account configuration.

    [en] Client ID

    [en] Enter the application ID that was assigned to your application in the Azure AD Portal. In Azure AD, copy the value for the Application (client) ID field in the Essentials section of your registered application.

    [en] Client Secret

    [en] Enter the Client Secret that you created in Step 3: Create a Client Secret in Azure AD above.

    [en] Tenant ID

    [en] Enter the Azure AD tenant GUID identifier that was assigned to your application in the Azure AD Portal. In Azure AD, copy the value for the Directory (tenant) ID field in the Essentials section of your registered application.

    [en] Email Identifier

    [en] Enter the email address that will be used to send OneTrust notification emails.

  6. [en] Click the Test button to test the configuration.

  7. [en] Click the Create button.
 
Article Visibility
8,726
Translation
Spanish
Not Checked
Powered by