Configure OAuth Authentication (Graph API)

The connector retrieves messages through the Exchange Web Service. The connector can also use the Microsoft Graph API to enable some optional features.

The following features require the connector to make requests to the Microsoft Graph API:

  • Retrieving a list of mailboxes from Exchange Online (CrawlExchangeOnlineMailboxes=TRUE). If you are connecting to Exchange Online but do not want to use the Graph API, you must list the mailboxes to synchronize by setting the configuration parameter ExchangeOnlineMailbox.
  • Resolving Exchange Online e-mail addresses into domain user names before generating ACLs for Mapped Security (ExchangeOnlineAclUseOnPremiseSID=TRUE).

The Microsoft Graph API requires OAuth authentication. This topic describes how to configure OAuth authentication for the Graph API. For information about how to configure OAuth authentication for the Exchange Web Service, see Access to Mailboxes (using OAuth).

To use the Microsoft Graph API, you must go to the Azure portal and register an application to represent the connector. Full instructions about how to create an application are available in the Microsoft documentation.

The Exchange Web Service Connector has the following requirements:

  • Register an application > Redirect URI. Configure the redirect URI to match the value that you use with the OAuth configuration tool (by default, http://localhost:7878/oauth). The "type" of the redirect URI should be "Web".
  • Client ID and Secret. After you register the application, make a note of the Application (client) ID. Then, go to the Certificates & secrets page and generate a client secret. You will need these to configure OAuth authentication.
  • API Permissions. The connector requires the following delegated permissions for the Microsoft Graph API:

    • Directory.Read.All
    • Group.Read.All
    • User.Read.All

NOTE: The connector installation program can help you configure the connector. There is no need to complete this procedure if you ran the OAuth configuration tool when the connector was installed.

To configure OAuth authentication

  1. Open the folder where you installed the connector.
  2. Open the file oauth_tool.cfg in a text editor.
  3. In the [Default] section, specify any SSL or proxy settings required to access the Microsoft Graph API:

    SSLMethod. The version of SSL/TLS to use.
    ProxyHost. The host name or IP address of the proxy server that the connector must use.
    ProxyPort. The port of the proxy server that the connector must use.

    For example:

    SSLMethod=NEGOTIATE
    ProxyHost=10.0.0.1
    ProxyPort=8080
  4. In the [OAuthTool] section, set the following parameters:

    AppKey. The application key (Application (client) ID) you obtained when you created the application to represent the connector.
    AppSecret. The application secret (client secret) you obtained when you created the application to represent the connector.
  5. Save and close the file.
  6. Open a command-line window and run oauth_tool.exe.

    Your default web browser opens to the Microsoft web site.

  7. Authorize the application to access the API. You must use the username and password of an account that has permission to view everything that you want to ingest (such as an administrator account).

    Microsoft provides the OAuth tokens, and the OAuth configuration tool creates a file named oauth.cfg. This contains the parameters that the connector requires to authenticate. These parameters are automatically included in the connector configuration file, because the connector configuration file includes the following line to import the parameters into the task configuration section:

    [MyTask1] < "oauth.cfg" [OAUTH]

    For more information about including parameters from another file, see Include an External Configuration File. The OAuth tool also prints the parameters it has set to the command-line window so that you can set these directly in the connector's configuration file if you prefer.
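The following is an added pre-flight check, not part of the connector or its OAuth tool: it parses an oauth_tool.cfg laid out as in the steps above, verifies that the values the tool needs are present and consistent, and assembles the authorization request that the browser step performs. It assumes (the page does not say) that the tool uses the Microsoft identity platform v2.0 authorization-code flow, that the tenant is supplied separately (here the placeholder TENANT), and that the delegated permissions are requested as Graph scope names prefixed with https://graph.microsoft.com/.

```python
import configparser
from urllib.parse import urlencode

# Constructed sample mirroring the documented oauth_tool.cfg layout.
SAMPLE_CFG = """
[Default]
SSLMethod=NEGOTIATE
ProxyHost=10.0.0.1
ProxyPort=8080

[OAuthTool]
AppKey=00000000-0000-0000-0000-000000000000
AppSecret=placeholder-client-secret
"""

REDIRECT_URI = "http://localhost:7878/oauth"   # default given on the page
DELEGATED_SCOPES = ("Directory.Read.All", "Group.Read.All", "User.Read.All")
# Assumed endpoint (v2.0 authorization-code flow); TENANT is a placeholder.
AUTHORIZE_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def parse_cfg(text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser()
    cfg.optionxform = str          # keep the documented key names' case
    cfg.read_string(text)
    return cfg


def check_cfg(cfg: configparser.ConfigParser) -> list:
    """Return the problems found; an empty list means the file is ready."""
    if not cfg.has_section("OAuthTool"):
        return ["missing [OAuthTool] section"]
    problems = [f"[OAuthTool] {key} is not set" for key in ("AppKey", "AppSecret")
                if not cfg.get("OAuthTool", key, fallback="").strip()]
    # Proxy settings are optional, but host and port only make sense together.
    has_host = bool(cfg.get("Default", "ProxyHost", fallback="").strip())
    has_port = bool(cfg.get("Default", "ProxyPort", fallback="").strip())
    if has_host != has_port:
        problems.append("[Default] ProxyHost and ProxyPort must both be set")
    return problems


def authorize_url(cfg, tenant="TENANT", redirect_uri=REDIRECT_URI) -> str:
    """Authorization request for the delegated Graph permissions. The
    redirect_uri must exactly match the one registered in the Azure portal,
    otherwise the identity platform rejects the request."""
    params = {
        "client_id": cfg.get("OAuthTool", "AppKey"),
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(f"https://graph.microsoft.com/{s}" for s in DELEGATED_SCOPES),
    }
    return AUTHORIZE_URL.format(tenant=tenant) + "?" + urlencode(params)
```

The AppSecret is only needed later, when the tool exchanges the returned code for tokens, so it never appears in the browser URL.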