App registration
To allow ELOxc to connect to Microsoft 365 with Modern Authentication (OAuth 2.0), an app registration in the tenant (TNNT) is required. Administratively, this app registration acts as the service principal of ELOxc and is assigned the Exchange administrator role. The application ID of the registration identifies ELOxc when it authenticates against Microsoft 365. Its credential is a locally generated certificate whose public key (CER file) must be added to the app registration. The API permissions of the app registration determine which Microsoft 365 functions are available to ELOxc.
Create app registration
1. Sign in to the Microsoft Azure Portal:
2. Select Manage Azure Active Directory > View.
3. Select App registrations on the ribbon and click the New registration tab.
The Register an application dialog box opens.
4. Enter ELO XC as the display name for the application.
5. Under Supported account types, select Accounts in this organizational directory only ....
ELOxc is now registered as an application and listed in the Microsoft Azure overview. Save the application ID (XCAPP).
Upload certificate
App registration in Microsoft Azure requires a certificate file. Refer to the Self-signed certificates section of the PowerShell documentation to learn how to create them in PowerShell.
1. Select the Certificates & secrets tab on the ribbon.
2. Click Upload certificate.
3. Select a locally stored certificate and click Add.
Please note: App registrations only accept the public key of a certificate, which is what a CER file contains. PFX files contain both the public and the private key and therefore cannot be used.
The uploaded certificates are listed under Certificates & secrets in the Microsoft Azure overview of ELOxc. At this point, you can also check the fingerprint (thumbprint) again; it must match Z4.
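The following PowerShell is an added example, not part of the ELOxc documentation. It creates the self-signed certificate in the machine store with a non-exportable private key, exports only the public key to a CER file for the upload, and then checks that the exported file carries no private key and that its thumbprint matches the certificate in the store (the value you later compare with Z4). The subject name, file path and validity period are assumptions.

```powershell
# Added example: create the ELOxc certificate and export the public key only.
# Subject, path and validity period are assumptions; adjust them to your environment.
$subject = "CN=ELOxc"                   # assumed subject name
$cerPath = "C:\ELOxc\eloxc.cer"         # assumed export path
$store   = "Cert:\LocalMachine\My"      # store the ELOxc service reads the certificate from

# The private key is generated in the machine store and marked non-exportable,
# so it never leaves this host; only the public part is uploaded to Azure.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -CertStoreLocation $store `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec Signature `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(2)

# Export-Certificate with -Type CERT writes a DER-encoded certificate without the private key.
New-Item -ItemType Directory -Path (Split-Path $cerPath) -Force | Out-Null
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Verify the file before uploading it: it must not contain a private key, and its
# thumbprint must match the certificate in the store.
$exported = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
if ($exported.HasPrivateKey) {
    throw "Exported file contains a private key; do not upload it."
}
if ($exported.Thumbprint -ne $cert.Thumbprint) {
    throw "Thumbprint mismatch between exported file and certificate store."
}

"Thumbprint to compare with the Azure portal (Z4): $($cert.Thumbprint)"
"Certificate expires: $($cert.NotAfter)"
```

Record the expiry date alongside the thumbprint: when the certificate expires, ELOxc can no longer authenticate until a new CER file has been uploaded to the app registration.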
API permissions
In this section, you will learn which API permissions are required and how to grant them.
1. Select the API permissions tab on the ribbon.
2. Click Add a permission and select Microsoft Graph on the Microsoft APIs tab.
3. Select Application permissions in Microsoft Graph.
4. Add the following permissions: Directory.Read.All, User.Read, User.Read.All.
5. Click Add a permission again.
6. In the APIs my organization uses tab, select the Office 365 Exchange Online application.
7. Click Application permissions and select the following application permissions: full_access_as_app, Exchange.ManageAsApp.
8. Click Grant admin consent for <name of tenant> and click Yes to confirm.
Once admin consent is granted, the status in the API permissions overview changes to Granted for <name of tenant>.
The full_access_as_app permission grants full access to all mailboxes in the tenant.
To limit access to specific Exchange Online mailboxes, you need to create application access policies.
The process is described here:
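As an added example that is not taken from the ELOxc documentation, the following Exchange Online PowerShell restricts the full_access_as_app permission of the ELOxc app registration to the members of one mail-enabled security group and then tests the resulting policy for one mailbox inside and one outside that group. The application ID, group address, mailbox addresses and administrator account are assumptions; the ExchangeOnlineManagement module is assumed to be installed.

```powershell
# Added example: scope full_access_as_app to one group of mailboxes.
# All identifiers below are assumptions for illustration.
$appId      = "00000000-0000-0000-0000-000000000000"   # XCAPP, the application ID from the portal
$scopeGroup = "eloxc-mailboxes@contoso.com"            # mail-enabled security group of allowed mailboxes
$inScope    = "shared.mailbox@contoso.com"             # mailbox that is a member of the group
$outOfScope = "ceo@contoso.com"                        # mailbox that is not a member

# The policy is created by an Exchange administrator, not by the application itself.
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.com" -ShowBanner:$false

# RestrictAccess makes the policy deny-by-default for this app: every mailbox outside
# the group is blocked. Create it only if no policy exists for the app yet.
$policy = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $appId }
if (-not $policy) {
    New-ApplicationAccessPolicy -AppId $appId -PolicyScopeGroupId $scopeGroup `
        -AccessRight RestrictAccess `
        -Description "ELOxc: restrict full_access_as_app to archived mailboxes" | Out-Null
}

# Test-ApplicationAccessPolicy reports Granted or Denied per mailbox. A newly created
# policy can take a while to propagate, so repeat the test if the result looks stale.
foreach ($mailbox in @($inScope, $outOfScope)) {
    $result = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $appId
    "{0,-35} {1}" -f $mailbox, $result.AccessCheckResult
}
# Expected: the in-scope mailbox reports Granted, the out-of-scope mailbox Denied.

Disconnect-ExchangeOnline -Confirm:$false
```

Keep the group membership under change control: adding a mailbox to the scope group silently extends what ELOxc can read, so the group is the place to audit when reviewing the connector's reach.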
If you are using an Azure catalog, the API permissions for Microsoft Graph must be configured as follows:
API / Permission name | Type        | Description                        | Administrator consent | Status
User.Read             | Delegated   | Authenticate and read user profile | No                    | Granted for <name of tenant>
User.Read.All         | Application | Read all users' full profiles      | Yes                   | Granted for <name of tenant>
'Exchange Administrator' role
A service principal is created automatically during app registration. With the API permissions, ELOxc is authorized to obtain proxy access to mailboxes and to read their permission settings in order to find delegates in shared mailboxes. To establish a connection with the Connect-ExchangeOnline cmdlet, the service principal additionally needs the Exchange administrator role.
1. In the Microsoft Azure Active Directory ribbon, select the Roles and administrators tab.
2. Select the Exchange administrator role.
3. Add the ELOxc app registration you created as an assignment to this role.
ELOxc has now been assigned the role of Exchange administrator.
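As an added example that is not part of the ELOxc documentation, the following PowerShell verifies the outcome of this section: it looks up the ELOxc service principal in Microsoft Graph, checks that it is a member of the Exchange Administrator role (and lists everyone else who holds it), and then confirms that an app-only connection with Connect-ExchangeOnline using the uploaded certificate succeeds. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed; the application ID, thumbprint and tenant domain are placeholders.

```powershell
# Added example: confirm the Exchange administrator assignment and the app-only connection.
$appId      = "00000000-0000-0000-0000-000000000000"     # XCAPP, application ID (placeholder)
$thumbprint = "0000000000000000000000000000000000000000"  # Z4, certificate thumbprint (placeholder)
$tenant     = "contoso.onmicrosoft.com"                   # tenant domain (placeholder)

# 1. Read-only Graph check of who holds the Exchange Administrator role.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Application.Read.All" -NoWelcome
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "No service principal found for application ID $appId" }

# Get-MgDirectoryRole only lists roles that have been activated in the tenant.
$role    = Get-MgDirectoryRole -Filter "displayName eq 'Exchange Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

# Review the full membership: every entry here can administer Exchange Online.
$members | ForEach-Object {
    "{0,-40} {1}" -f $_.AdditionalProperties['displayName'], $_.AdditionalProperties['@odata.type']
}
if ($members.Id -notcontains $sp.Id) {
    throw "Service principal '$($sp.DisplayName)' is not a member of the Exchange Administrator role"
}
Disconnect-MgGraph | Out-Null

# 2. App-only connection, the way ELOxc authenticates: certificate from the local store,
#    identified by thumbprint, no user credentials involved.
Connect-ExchangeOnline -AppId $appId -CertificateThumbprint $thumbprint `
    -Organization $tenant -ShowBanner:$false
$conn = Get-ConnectionInformation
"Connection state: {0}, organization: {1}, app: {2}" -f $conn.State, $conn.Organization, $conn.AppId
Disconnect-ExchangeOnline -Confirm:$false
```

Because the Exchange administrator role gives the service principal tenant-wide mail administration, the membership listing in step 1 is worth repeating periodically; any principal that appears there unexpectedly deserves the same scrutiny as an unexpected human administrator.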