Office 365: Exchange Online
Prerequisites
| Component | Description |
|---|---|
| Proxy Agent | Proxy Agent host with direct internet access. Recommended Proxy Agents: Windows Agent, Linux Agent |
| TCP Allowed Connections | Port 443 |
Configure Microsoft 365 account
This topic describes how to generate the client ID, tenant ID, and client secret key. These are required to register DDC with a Microsoft 365 account. The topic also describes how to grant DDC the API permissions it needs to access specific resource APIs.
Generate client ID and tenant ID
To generate the client ID and tenant ID:
- Log on to the Azure app registration portal as an administrator account. After you log on successfully, you are redirected to the home page. 
- In the left pane, select the Microsoft Entra ID service. Alternatively, you can search for Microsoft Entra ID in the search bar. 
- Under Manage, click App registrations. The App registrations page is displayed. 
- Click + New registration. The Register an application page is displayed. 
- Specify the following:
  - Name: Display name for your application.
  - Supported account types: Select Accounts in this organizational directory only.
 
- Click Register. The Overview page of the newly registered application is displayed. 
- Note down the values of Application (client) ID and Directory (tenant) ID. These values will be required when configuring a connection for the data store. 
Generate client secret key
- Under Manage, click Certificates & secrets. 
- On the Client secrets tab, click + New client secret. The Add a client secret dialog box is displayed. 
- Specify the following:
  - Description: Description for the client secret key.
  - Expires: Validity for the client secret key. The recommended validity is 180 days (6 months).
 
- Click Add. The client secret key is added. The Value column displays the client secret key. 
- Copy the client secret key and save it to a secure location. This secret key will be required when configuring a connection for the data store. 
Warning
Save the client secret key in a secure location. You cannot access this client secret key after you navigate away from the page.
Grant API access
To scan Exchange Online targets, you need to grant permissions to DDC to access specific resource APIs.
- Under Manage, click API permissions. 
- In the Configured permissions section, click + Add a permission. The Request API permissions dialog box is displayed. 
- On the Microsoft APIs tab, click Microsoft Graph > Application permissions. 
- Select the following API permissions for your app. The second set is needed only if you use DDC to remediate Exchange Online targets; scanning alone needs only the read permissions.

| Permissions | Description |
|---|---|
| Group.Read.All, User.Read.All, Directory.Read.All, Mail.Read, Contacts.Read, Calendars.Read | Permissions required for scanning Exchange Online targets. |
| Group.ReadWrite.All, User.ReadWrite.All, Directory.ReadWrite.All, Mail.ReadWrite, Contacts.ReadWrite, Calendars.ReadWrite | Permissions required for remediating Exchange Online targets. |

  Tip: To add permissions:
  - In the search box, type the permission you want to add.
  - Select the check box to the left of the permission. Similarly, select all the required permissions.
  - Click Add permissions.
 
- In the Configured permissions section, click Grant admin consent for <organization name>. The Grant admin consent confirmation dialog box is displayed. 
- Click Yes. 
The Status column for all the newly added API permissions is updated to Granted for <organization name>.
Add Exchange Online data store
To add the Exchange Online data store:
- Log on to the CipherTrust Manager GUI. 
- Open the Data Discovery & Classification application. 
- Click Data Stores > Data Stores > Add Data Store. The Add Data Store screen is displayed. 
- Complete the following steps: 
Select Type & Category
- Under Select Data Store Category, select Cloud. 
- From Select Cloud Type, select Office 365: Exchange Online. 
- Click Next. 
General Info
- Specify the following details:
  - Data Store Name: Name for the data store.
  - Description (Optional): Description for the data store.
  - Location Name: Location of the data store.
  - Add Location: Click Add Location to add new locations to the Location Name drop-down. Refer to Adding Locations for detailed steps.
  - Sensitivity Level (Optional): Sensitivity level for the data store. Refer to Sensitivity Levels for details.
  - Enable Data Store: Whether to enable the newly added data store. Select the check box to enable the data store.
 
- Click Next. 
Configure Connection
- Specify the credentials of the Exchange Online domain:
  - Exchange Online Domain: Microsoft 365 domain to scan (for example, example.onmicrosoft.com). Only accounts where the user principal name (UPN) shares the same domain as specified in the Exchange Online Domain field will be scanned. For example, if Exchange Online Domain is set to example.onmicrosoft.com, user1@example2.onmicrosoft.com will not be scanned even if the user belongs to a group in the example.onmicrosoft.com domain. To scan multiple domains within your organization's Microsoft 365 environment, add these domains as separate Exchange Online targets.
  - Client ID: Client ID (application ID) of Exchange Online. For example, clientid-1234-5678-abcd-6d05bf28c2bf. Refer to Generate client ID and tenant ID for the client ID.
  - Client Secret Key: Exchange Online client secret key. For example, client~secret.key-CHvV1B5YQfr~6zDjEyv. Refer to Generate client secret key for the client secret key.
  - Tenant ID: Tenant ID of Exchange Online. Your Microsoft 365 tenant ID is a globally unique identifier (GUID) that is different from your organization name or domain. For example, tenantid-1234-abcd-5678-02011df316f4. Refer to Generate client ID and tenant ID for the tenant ID.
- In the Select Number of Agents field, set the minimum and maximum number of agents for the data store. Refer to Agents for more information.

  Warning
  - There is no limit on the minimum and maximum number of agents that you can set, so exercise caution: using too many resources for a single scan can impact system performance.
  - You will not be able to add a data store if the minimum number of agents cannot be assigned.
  - A scan will fail if the assigned agent is unavailable after the data store is added.
  - The minimum number of agents must be less than or equal to the maximum number of agents.
 
- (Optional) In the Add Label field, enter a label. You can also remove an existing label. 
- Click Next. 
Add Access Control & Tags
- (Optional) Grant All groups (default) access for reports. Alternatively, select a group.
- Click Save. 
The data store is added to the Data Stores page. If the Ready to Scan column shows Ready, the data store is properly configured.
For more information on Access control and Tags, expand the section below.
Access Control & Tags
The Access Control & Tags tab on the Add Data Store screen allows you to grant access rights to your data store and add tags. More details below:
- ACCESS CONTROL: Select the user groups that can access the data store. Access to a data store provides the ability to see reports that include scans of that data store. The available options are:
  - All groups: All groups of users can access the data store through reports. This is the default setting.
  - Selected group/s: Specified user-defined groups can access the data store through reports. When this option is selected, select a group from the drop-down list. This list shows existing user-defined groups; they must already exist on CipherTrust Manager. If no user-defined groups exist, ask the administrator to create one. If needed, you can select multiple groups. Start typing the name of the desired group and select from the suggested groups.
 
- TAGS: Select a tag from the Add Tag drop-down. See the list of prebuilt tags in the Predefined tags section.
  - Tip: New tags can also be added. Start typing a new tag, and click the New: <new_tag> link that appears below the drop-down.
  - Add as many tags as needed.
  - To remove a tag, click the close icon in the tag name.
 
Note
- Only accounts where the user principal name (UPN) shares the same domain as specified in the Exchange Online Domain field will be scanned. 
- To scan multiple domains, you need to add the domains in a new data store and add this data store in the scan setting. 
- A group can have an email associated with it. If the group's email domain matches the configured Exchange Online Domain, then only the group will be scanned.
- A group may not have an email configured. Such a group will be scanned if the users in the group have the same domain as configured in Exchange Online Domain; users with a different domain won't be scanned. For example, security groups don't need an email and will still be scanned, but the users that belong to this group must have the same domain as the group domain to be scanned. Users that belong to this group but have a different domain will not be scanned.
- A group whose email domain matches the group domain may contain users with different domains. In this case, only the users that share the same domain as the group domain will be scanned.
Add Exchange Online scan
To add a scan for Exchange Online:
- Open the Data Discovery & Classification application. 
- Click Scans > Add Scan. The Add Scan screen is displayed. 
- Complete the following steps. Refer to Scans for a description of the sections of the Add Scan screen.
General Info
- Specify a Name for the scan. 
- (optional) Add a Description for the scan. 
- Expand Advanced Configuration and specify advanced configurations such as Scan Priority, Memory Usage Limit, and Amount of Data Object Volume. Refer to Advanced Configuration for details.
- Click Next. 
Select Data Stores
- Under Data Store Name, select the desired data store that is Ready for scanning. You can select multiple data stores, if required. 
- Click Next. 
Add Targets
- To add a scan target, do one of the following:
  - Under the Add Target field, specify the correct target path and click Apply. If no specific target is added, the entire data store will be scanned. The following table lists target paths and the syntax to specify them, with examples.

| Target Path to Scan | Syntax | Example |
|---|---|---|
| Complete data store | <Empty_Path> | |
| All user accounts in a specific group | <Group Display Name> | TEST_GROUP |
| Specific user account in group | <Group Display Name>/<User Principal Name> | TEST_GROUP/user1@example.onmicrosoft.com |
| Specific folder for user account in group (e.g. Calendar, Contacts, Notes etc.) | <Group Display Name>/<User Principal Name>/<Mailbox Folder> | TEST_GROUP/user1@example.onmicrosoft.com/Inbox |
| All user accounts | All Users | All Users |
| Specific user account (Recommended for user accounts that do not belong to any group.) | All Users/<User Principal Name> | All Users/user1@example.onmicrosoft.com |
| Specific folder for user account (e.g. Calendar, Contacts, Notes etc.) (Recommended for user accounts that do not belong to any group.) | All Users/<User Principal Name>/<Mailbox Folder> | All Users/user1@example.onmicrosoft.com/Inbox |

    Note
    - Target paths are case-sensitive. Target paths can be groups, user principal names, and specific folders and files.
    - If multiple Microsoft 365 groups with the same display name exist in your domain, only the first instance of the group will be retrieved. For example, if three groups have the display name "TESTGROUP", only the first "TESTGROUP" group for the Exchange Online target will be scanned.
 
  - Navigate and add target paths:
    - Click Browse to navigate target paths from the root level. Alternatively, provide an initial path in the Add Target Path field and click Browse to navigate targets from that point onward.
    - In the left pane, navigate and select the desired target path.
    - Click Add Path to add the target path to the right pane. Similarly, add other target paths.
    - Click Add.

    Tip: Either navigate the target paths from the root level (without specifying any path in the Add Target Path field) or make sure you provide the correct path to navigate further locations within it.
 
- Click Next. 
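The target-path syntax above and the domain-scoping rules in the Note under Access Control & Tags, as an added Python model that is not part of the DDC documentation or product: it resolves a target path against a constructed sample tenant and returns the (UPN, folder) pairs that would be in scope. The users, groups and the fixed mailbox folder list are constructed assumptions for the example.

```python
# Constructed sample tenant for the example; not real accounts or groups.
DOMAIN = "example.onmicrosoft.com"
SAMPLE_USERS = [
    "user1@example.onmicrosoft.com",
    "user2@example2.onmicrosoft.com",   # different UPN domain: never scanned
    "user3@example.onmicrosoft.com",
]
# Two groups share a display name; the documentation says only the first
# instance is retrieved. Each entry is (display name, member UPNs).
SAMPLE_GROUPS = [
    ("TEST_GROUP", ["user1@example.onmicrosoft.com", "user2@example2.onmicrosoft.com"]),
    ("TEST_GROUP", ["user3@example.onmicrosoft.com"]),
]
# Assumption: every mailbox exposes the same folders, to keep the model short.
MAILBOX_FOLDERS = ["Inbox", "Calendar", "Contacts", "Notes"]


def upn_domain(upn):
    return upn.rsplit("@", 1)[-1]


def resolve_target(path, groups=SAMPLE_GROUPS, users=SAMPLE_USERS, domain=DOMAIN):
    """Return the set of (UPN, folder) pairs a DDC target path selects.

    Rules modelled from the page: target paths are case-sensitive; an empty
    path means the whole data store; 'All Users' addresses every account; any
    other first segment is a group display name, of which only the first
    matching group is used; and only accounts whose UPN domain equals the
    configured Exchange Online Domain are scanned.
    """
    parts = [p for p in path.split("/") if p]
    if not parts or parts[0] == "All Users":
        candidates, rest = list(users), parts[1:]
    else:
        members = next((m for name, m in groups if name == parts[0]), None)
        if members is None:              # unknown (or differently cased) group
            return set()
        candidates, rest = list(members), parts[1:]
    if rest:                             # a specific user principal name
        candidates = [u for u in candidates if u == rest[0]]
    folders = [rest[1]] if len(rest) > 1 else MAILBOX_FOLDERS
    return {(u, f) for u in candidates if upn_domain(u) == domain for f in folders}


if __name__ == "__main__":
    for target in ["", "TEST_GROUP", "TEST_GROUP/user1@example.onmicrosoft.com/Inbox",
                   "All Users/user2@example2.onmicrosoft.com", "test_group"]:
        print(f"{target or '<Empty_Path>'!r}: {sorted(resolve_target(target))}")
```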
Select Profiles
- Under Classification Profile Name, select the desired classification profiles to search for in the data store. You can select multiple profiles, if required. Refer to Classification Profiles for details on classification profiles.
- Click Next. 
Add Filters
This step is optional.
Note
Filters only apply to the scan entities found up to the specified folder name in the target path. They don't include anything inside that folder or beyond it.
- Select the desired filter from the Select Filter drop-down list. To filter the locations to scan in an Exchange Online data store, use the following syntax.

  Note: The Exclude Path/DO by prefix, suffix, and expression filters support wildcard characters. See Using Wildcard Characters to learn how wildcards work.

  - Exclude Path/DO by prefix: Excludes paths or data objects that begin with a given string. It can be used to exclude entire directory trees. Specify <string>.
    - Group: `All Users`
    - User/Account: `All Users/sample@sjcpl.onmicrosoft.com`. Wildcard usage: `*sample@sjcpl.onmicrosoft.com` applies to all paths ending with 'sample@sjcpl.onmicrosoft.com' as prefix.
    - Folder: `All Users/sample@sjcpl.onmicrosoft.com/inbox`. Wildcard usage: `*inbox` applies to all paths ending with 'inbox' as prefix. Note: Folder name is not case-sensitive.
    - Attachment: `All Users/sample@sjcpl.onmicrosoft.com/Inbox/Mail a/2021-02-22T06:40:18Z/maildir-a.zip`. `All Users/sample@sjcpl.onmicrosoft.com/folder_name/subject` filters out a specific mail and all its content with the corresponding subject name. `All Users/sample@sjcpl.onmicrosoft.com/Inbox/Mail a/2021-02-22T06:40:18Z`. Wildcard usage:
      - `All Users/sample@sjcpl.onmicrosoft.com/Inbox/Mail a/*/maildir-a.zip` applies to all paths starting with 'All Users/sample@sjcpl.onmicrosoft.com/Inbox/Mail a/' and ending with '/maildir-a.zip' as prefix. This form is recommended so that you do not have to look up the email's date and time manually and convert it to the required format.
      - `*maildir-a.zip` applies to all paths ending with 'maildir-a.zip' as prefix. This filters out all data objects with the attachment maildir-a.zip.
      - `*subject` applies to all paths ending with 'subject' as prefix.
  - Exclude Path/DO by suffix: Excludes paths or data objects that end with a given string. Specify <string>.
    - Group: `All Users*` applies to all paths starting with 'All Users' as suffix.
    - User/Account: `sample@sjcpl.onmicrosoft.com*` applies to all paths starting with 'sample@sjcpl.onmicrosoft.com' as suffix. `*sample@sjcpl.onmicrosoft.com*` applies to all paths containing 'sample@sjcpl.onmicrosoft.com' as suffix.
    - Folder: `inbox*` applies to all paths starting with 'inbox' as suffix.
    - Attachment: `maildir-a.zip`. Wildcard usage: `All Users/sample@sjcpl.onmicrosoft.com/Inbox/Mail a/*/maildir-a.zip*` applies to all paths starting with 'All Users/sample@sjcpl.onmicrosoft.com/Inbox/Mail a/' and containing '/maildir-a.zip' anywhere in the remaining path as suffix. `*maildir-a.zip*` applies to all paths containing 'maildir-a.zip' as suffix.
  - Exclude Path/DO by expression: Excludes paths or data objects that match the given expression. This filter is mostly used with wildcard characters. Specify <string>. For example, to exclude locations that contain 'blob' in their path, use the expression `*blob*`.
    - Group: `All Users*` (use a trailing `*` to exclude a given location).
    - User/Account: `All Users/sample@sjcpl.onmicrosoft.com*` or `*sample@sjcpl.onmicrosoft.com*`
    - Folder: `All Users/sample@sjcpl.onmicrosoft.com/inbox*` or `*inbox*`
    - Attachment: `All Users/sample@sjcpl.onmicrosoft.com/Inbox/Mail a/2021-02-22T06:40:18Z/maildir-a.zip`, `All Users/sample@sjcpl.onmicrosoft.com/Inbox/Mail a/*/maildir-a.zip*`, or `*maildir-a.zip*`
  - Include DO modified recently: Includes data objects modified within N days of the current date, where N ranges from 1 to 99. After selecting this filter, specify Days from current date.
  - Exclude DO greater than size: Excludes data objects that are larger than a given file size (in MB). After selecting this filter, specify the file size in MB.
  - Include DO's within modification date: Includes data objects modified within a given range of dates. After selecting this filter, specify Start and End dates.
 
- Click Apply. 
- Repeat the above steps to apply multiple filters. Click Remove to remove any applied filter. 
- Click Next. 
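The three Exclude Path/DO filter kinds above, as an added Python model that is not code from the documentation or from DDC: it applies prefix, suffix and expression patterns with glob wildcards to constructed sample paths so you can check what a filter would drop before using it in a scan. The matching rules (prefix matches any leading run of path components, suffix any trailing run, expression the whole path, all case-insensitively) are this example's assumptions drawn from the descriptions above.

```python
from fnmatch import fnmatchcase

# Constructed sample scan paths in DDC's target-path form; not real data.
SAMPLE_PATHS = [
    "All Users/sample@sjcpl.onmicrosoft.com/Inbox/Mail a/2021-02-22T06:40:18Z/maildir-a.zip",
    "All Users/sample@sjcpl.onmicrosoft.com/Inbox/Mail b/2021-03-01T10:00:00Z/notes.txt",
    "All Users/sample@sjcpl.onmicrosoft.com/Contacts/John Doe",
    "All Users/other@sjcpl.onmicrosoft.com/Inbox/Mail c/2021-04-05T12:00:00Z/maildir-a.zip",
    "TEST_GROUP/sample@sjcpl.onmicrosoft.com/Inbox/Mail a/2021-02-22T06:40:18Z/maildir-a.zip",
]


def _matches(candidate, pattern):
    # Assumption: filter matching ignores case (the page notes that folder
    # names are not case-sensitive); '*' and '?' are the glob wildcards.
    return fnmatchcase(candidate.lower(), pattern.lower())


def excluded(path, kind, pattern):
    """Return True if an Exclude Path/DO filter of `kind` drops `path`.

    Assumed model of the documented behaviour:
      prefix     - some leading run of path components matches the pattern
                   (so a matching folder excludes its whole subtree)
      suffix     - some trailing run of path components matches the pattern
      expression - the whole path matches the pattern
    """
    parts = path.split("/")
    if kind == "prefix":
        candidates = ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    elif kind == "suffix":
        candidates = ["/".join(parts[i:]) for i in range(len(parts))]
    elif kind == "expression":
        candidates = [path]
    else:
        raise ValueError(f"unknown filter kind: {kind}")
    return any(_matches(c, pattern) for c in candidates)


def apply_filters(paths, filters):
    """Keep only the paths that no (kind, pattern) exclusion filter drops."""
    return [p for p in paths if not any(excluded(p, k, pat) for k, pat in filters)]


if __name__ == "__main__":
    for kind, pattern in [("prefix", "*inbox"),
                          ("suffix", "maildir-a.zip"),
                          ("expression", "*blob*")]:
        kept = apply_filters(SAMPLE_PATHS, [(kind, pattern)])
        print(f"{kind:10} {pattern!r:22} keeps {len(kept)} of {len(SAMPLE_PATHS)} paths")
```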
Schedule Run
- Specify the scan run frequency. The two options are:
  - Manual: This is the default option. Select this option to run the scan manually. Select the Run Now check box to start the scan run after you save the changes.
  - Scheduled: Select this option to configure the scan to run automatically at the specified time. Refer to Schedule Scan for more details on scheduling scan runs.
- Click Save. 
Note
The default API request quota for Exchange Online is 800 requests per minute. If this limit is exceeded, API requests will fail and the scan run may encounter various issues.
Unsupported mailboxes and folders
Currently, DDC doesn't support the following mailbox types and folders for the Exchange Online target:
- Inactive mailboxes 
- Disabled mailboxes 
- Unlicensed mailboxes