Exchange Permissions

Client Sense requires exchange permissions to read message logs, retrieve employee information and to pull contact info from emails.


Message logs and employee information are retrieved through PowerShell, and contact info is retrieved using EWS (Exchange Web Services).

Office 365 / Exchange Online

Account


If the serviceaccountname account hasn't synced through to Office 365, you can create the account manually:
  1. Log in to your Office 365 Administrator portal
  2. Navigate to Admin centres - Exchange
  3. Select Users > Active Users on the left
  4. Add a user
  5. Set the name and display name as appropriate
  6. Set the username to serviceaccountname@yourdomain.com
  7. Set the password to the domain account password
  8. Set the password to not expire
  9. Set the user to unlicensed
  10. Create

Multi Factor Authentication (MFA/2FA)

Client Sense doesn't support MFA prompts on the service account. The account can have MFA enabled but it needs to be configured and whitelisted for the IP address of Client Sense itself so that it isn't prompted when accessing Office 365.
  1. Enable MFA on the service account
  2. Whitelist the IP address for your organisation, assuming the Client Sense server is hosted internally
  3. Log into the service account from your organisation
  4. Configure mfa for the account using an email or mobile number
  5. Log out and back in to ensure account isn't prompted for MFA

Assigning a Role Group

We recommend creating a new role group to assign only the specific permissions that Client Sense requires to function:
  1. Log in to Exchange admin centre https://admin.exchange.microsoft.com/
  2. Select Roles on the left > Admin roles
  3. Click Add a role group
    1. Name: Client Sense Management
    2. Click Next
    3. Roles:
      1. View-Only Recipients
      2. Message Tracking
      3. ApplicationImpersonation
    4. Members: serviceaccountname
  4. Save the role group
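The same role group can be created and then audited from PowerShell. The script below is an added example, not Client Sense's own tooling or the documentation's steps: it creates the role group with exactly the three roles listed above (or adds the service account to it if it already exists), then checks that nothing beyond those roles has been assigned and lists every assignee that holds ApplicationImpersonation, since that role lets its holder act as any mailbox in scope. It assumes the ExchangeOnlineManagement module is installed and that whoever runs it holds an Exchange admin role; the group and account names are the page's placeholders.

```powershell
# Added example (not from the Client Sense documentation): create the documented
# role group from PowerShell and audit what was actually assigned.
# Assumes: ExchangeOnlineManagement module installed; run by an Exchange admin.
param(
    [string] $RoleGroupName  = 'Client Sense Management',            # page's placeholder
    [string] $ServiceAccount = 'serviceaccountname@yourdomain.com'   # page's placeholder
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false      # interactive admin sign-in

# The three roles the documentation says Client Sense needs, and nothing more.
$requiredRoles = @('View-Only Recipients', 'Message Tracking', 'ApplicationImpersonation')

$group = Get-RoleGroup -Identity $RoleGroupName -ErrorAction SilentlyContinue
if (-not $group) {
    New-RoleGroup -Name $RoleGroupName -Roles $requiredRoles -Members $ServiceAccount `
        -Description 'Roles required by the Client Sense service account' | Out-Null
    Write-Host "Created role group '$RoleGroupName'"
} else {
    # Group already exists: only ensure the service account is a member.
    # Add-RoleGroupMember errors if the member is already present, so suppress that.
    Add-RoleGroupMember -Identity $RoleGroupName -Member $ServiceAccount -ErrorAction SilentlyContinue
}

# Audit: which roles are really assigned to the group? (Role is stringified so the
# comparison works whether the cmdlet returns strings or ADObjectId objects.)
$assigned = Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName |
    ForEach-Object { "$($_.Role)" } | Sort-Object -Unique

$missing = $requiredRoles | Where-Object { $_ -notin $assigned }
$extra   = $assigned      | Where-Object { $_ -notin $requiredRoles }
if ($missing) { Write-Warning "Missing roles: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Roles beyond what Client Sense needs: $($extra -join ', ')" }
if (-not $missing -and -not $extra) { Write-Host 'Role group matches the documented set of roles' }

# ApplicationImpersonation is the sensitive one: list every assignee that holds it
# and the write scope each assignment carries, so nothing unexpected has it.
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Select-Object RoleAssignee, RoleAssigneeType, RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once after creating the group and again after any change to role assignments; a non-empty "Roles beyond what Client Sense needs" warning means the service account has picked up more than the documented set.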


Testing Roles

Ensure you have the Exchange Online PowerShell V2 Module (EXO v2 Module) available on your machine before following these steps: https://docs.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps

Open PowerShell.
Run the command to import the EXO module:
  1. Import-Module ExchangeOnlineManagement
Run the following command to connect using the service account email:
  1. Connect-ExchangeOnline -UserPrincipalName serviceaccountname@domain.com
Enter the service account password when prompted.
Run command:
  1. Get-Recipient
If no errors are returned and you see a list of all mailboxes in your organisation, this permission has been assigned correctly.
Run command:
  1. Get-MessageTrace
If no errors are returned and you see a list of dated records, this permission has been assigned correctly.

Testing Application Impersonation

Please wait at least 15 minutes between assigning this role and testing it. This permission will be tested during the installation and configuration of Client Sense.

Use this Microsoft tool to test impersonation access
  1. Navigate to https://testconnectivity.microsoft.com/
  2. Microsoft Exchange Web Services Connectivity Tests
  3. Service Account Access (Developers)
  4. Next
  5. Target mailbox - the email of someone in your organisation to test against
  6. Service account username - serviceaccountname@domain.com
  7. Enter password
  8. Check Use Exchange Impersonation
  9. Enter the email used in Target mailbox
  10. Agree to the terms and verify the captcha
  11. Perform Test


Exchange

Assigning a Role Group

We recommend creating a new role group to assign only the specific permissions that Client Sense requires to function:
  1. Log in to your Exchange Control Panel (ECP), usually http://mail.yourdomain.com/ecp
  2. Select Roles & Auditing on the left
  3. Create a new role group
    1. Name: Client Sense Management
    2. Roles:
      1. View-Only Recipients
      2. Message Tracking
      3. Application Impersonation 
    3. Members: serviceaccountname
  4. Save the role group

Enable Authentication on the PowerShell Application

Basic authentication needs to be enabled on the PowerShell virtual directory in IIS so that Client Sense can connect to the Exchange server using PowerShell. When using Office 365 / Exchange Online this authentication method is already enabled.
  1. Log in to your Exchange Server
  2. Open Internet Information Services (IIS)
  3. Expand Servername > Sites > Default Web Site
  4. Select PowerShell
  5. Under the IIS heading double click Authentication
  6. Select Basic Authentication
  7. Select Enable on the right under Actions

Testing Roles

Open PowerShell.

Run command (the first line opens the credential dialog that the session uses):
  1. $Cred = Get-Credential
  2. $SessionOptions = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
  3. $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://mail.yourdomain.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection -SessionOption $SessionOptions
Enter the serviceaccountname credentials into the dialog that appears; if the account UPN has been configured correctly you should be able to use serviceaccountname@yourdomain.com.


If you receive an error with an empty error message, such as the one below, when trying to authenticate using the commands above, confirm that the account UPN in Active Directory has been set to the FQDN rather than the local domain.
"Connecting to remote server mail.domain.com failed with the following error message : "

Run command:
  1. Import-PSSession $Session
Run command:
  1. Get-Recipient
If no errors are returned and you see a list of all mailboxes in your organisation, this permission has been assigned correctly.
Run command:
  1. Get-MessageTrackingLog
If no errors are returned and you see a list of dated records, this permission has been assigned correctly.
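The two Testing Roles procedures on this page (Exchange Online above, and the on-premises one just described) can be run as a single script that reports PASS, WARN or FAIL per permission instead of relying on eyeballing the output. The script below is an added example, not Client Sense's own code: with -Online it connects through the EXO v2 module, otherwise it opens the same remote session as the commands above. The host and account names are the page's placeholders; -SkipCertificateChecks is an assumption introduced here so that the certificate-validation bypass in the page's session options is opt-in rather than the default, because Basic authentication sends the credential with every request and TLS is what protects it.

```powershell
# Added example (not part of the Client Sense documentation): run the page's
# permission checks as the service account against Exchange Online (-Online) or
# an on-premises Exchange server, and report the outcome of each check.
param(
    [switch] $Online,
    [string] $ServiceAccount = 'serviceaccountname@yourdomain.com',   # page's placeholder
    [string] $ExchangeHost   = 'mail.yourdomain.com',                 # page's placeholder
    [switch] $SkipCertificateChecks   # assumption: lab servers with self-signed certs only
)

# Prompts for the password; with the MFA whitelist configured as described above,
# no second factor prompt should appear.
$cred = Get-Credential -UserName $ServiceAccount -Message 'Client Sense service account password'

if ($Online) {
    Import-Module ExchangeOnlineManagement
    Connect-ExchangeOnline -Credential $cred -ShowBanner:$false
} else {
    # Basic authentication sends the credential with every request, so only bypass
    # certificate validation when the server really uses a self-signed certificate.
    $opts = if ($SkipCertificateChecks) {
        New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
    } else {
        New-PSSessionOption
    }
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "https://$ExchangeHost/powershell/" -Credential $cred `
        -Authentication Basic -AllowRedirection -SessionOption $opts
    Import-PSSession $session -DisableNameChecking | Out-Null
}

# Runs one check: PASS when records come back, WARN when the cmdlet succeeds but
# returns nothing, FAIL when the cmdlet is unavailable or errors (role not assigned).
function Test-Permission {
    param([string] $Name, [scriptblock] $Check)
    try {
        $count = @(& $Check).Count
        if ($count -gt 0) { Write-Host "[PASS] $Name - $count record(s) returned" }
        else              { Write-Warning "$Name - cmdlet ran but returned no records" }
    } catch {
        Write-Host "[FAIL] $Name - $($_.Exception.Message)"
    }
}

# View-Only Recipients: a small page of recipients is enough to prove the role.
Test-Permission 'View-Only Recipients' { Get-Recipient -ResultSize 5 }

# Message Tracking: Exchange Online and on-premises expose different cmdlets.
if ($Online) {
    Test-Permission 'Message Tracking' {
        Get-MessageTrace -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) -PageSize 5
    }
} else {
    Test-Permission 'Message Tracking' {
        Get-MessageTrackingLog -Start (Get-Date).AddDays(-2) -End (Get-Date) -ResultSize 5
    }
}

# ApplicationImpersonation is exercised over EWS rather than PowerShell, so it is
# left to the Microsoft connectivity test described in the next section.

# Always tear the session down so the service account's credential is not left
# cached in an open remoting session.
if ($Online) { Disconnect-ExchangeOnline -Confirm:$false } else { Remove-PSSession $session }
```

A WARN on Message Tracking usually means the role is fine but no mail flowed in the last two days; widen the window before treating it as a permissions problem. A FAIL whose message says the cmdlet is not recognised means the role has not reached the session yet, which matches the 15-minute propagation wait the page mentions for new role assignments.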

Testing Application Impersonation

Please wait at least 15 minutes between assigning this role and testing it

Use this Microsoft tool to test impersonation access
  1. Navigate to https://testconnectivity.microsoft.com/
  2. Microsoft Exchange Web Services Connectivity Tests
  3. Service Account Access (Developers)
  4. Next
  5. Target mailbox - the email of someone in your organisation to test against
  6. Service account username - serviceaccountname@yourdomain.com
  7. Enter password
  8. Check Use Exchange Impersonation
  9. Enter the email used in Target mailbox
  10. Agree to the terms and verify the captcha
  11. Perform Test