Permissions

To use the synchronize, collect, or view fetch actions, you must grant the following permissions.

Access to LDAP

To retrieve a list of mailboxes through LDAP, the user that accesses LDAP (specified by the Username or LDAPUsername parameter in the Exchange Web Service Connector configuration file) must have read access to the directory. Read access is all the connector needs for this step: the account requires no write or administrative rights in Active Directory, so use a dedicated, least-privilege account rather than an administrator.

Access to Mailboxes

The user that connects to the Exchange Web Service (specified by the Username or WSUsername parameter in the Exchange Web Service Connector configuration file) requires the following permissions:

  • The user must have their own mailbox.
  • The user must have permission to read messages from the mailboxes that you want to retrieve. To grant this permission, use one of the following methods (listed from broadest to narrowest in terms of what the account can do):

    • In Exchange, grant the user permission to impersonate other users (the ApplicationImpersonation management role). Then, in the connector’s configuration file, set ImpersonateMailboxOwner=true (true is the default value). An unscoped impersonation role lets the account act as any mailbox in the organization, so restrict the role assignment with a management scope that covers only the mailboxes you intend to index.
    • In Exchange, grant the user "Full Access Permissions" on each mailbox that you want to retrieve. Then, in the connector’s configuration file, set ImpersonateMailboxOwner=false. Full Access gives the account the same rights as the mailbox owner, including the ability to modify and delete items, which is more than indexing requires.
    • In Exchange, grant the user "Reviewer" access to each folder in each mailbox that you want to index. Reviewer is read-only, which makes it the most restrictive option, but it must be granted folder by folder. The user must have "Reviewer" access on all folders below the root of the mailbox (or the folder specified by the connector’s BaseMailboxFolder configuration parameter). If the user does not have access to a mailbox folder, that folder and its contents cannot be indexed. In the connector’s configuration file, set ImpersonateMailboxOwner=false.
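The three methods above, as an added example in Exchange Management Shell (this is not the connector documentation's own script; the service account svc-idol-ews@contoso.com, the CustomAttribute1 value "IDOL" used to mark mailboxes for indexing, and the scope and assignment names are assumptions). Pick one method; the impersonation variant is scoped so the account cannot reach mailboxes outside the indexing set.

```powershell
# Added example, not from the connector documentation. Run in the Exchange
# Management Shell (on-premises) or a remote Exchange PowerShell session.
# Assumed: service account name, and that indexed mailboxes are tagged by
# setting CustomAttribute1 to "IDOL" (Set-Mailbox -CustomAttribute1 IDOL).

$ServiceAccount = "svc-idol-ews@contoso.com"
$Mailboxes      = Get-Mailbox -Filter { CustomAttribute1 -eq "IDOL" }

# --- Method 1: impersonation (ImpersonateMailboxOwner=true) -----------------
# Without -CustomRecipientWriteScope the role covers every mailbox in the org.
New-ManagementScope -Name "IDOL Indexed Mailboxes" `
    -RecipientRestrictionFilter { CustomAttribute1 -eq "IDOL" }

New-ManagementRoleAssignment -Name "IDOL EWS Impersonation" `
    -Role ApplicationImpersonation -User $ServiceAccount `
    -CustomRecipientWriteScope "IDOL Indexed Mailboxes"

# Verify: only the scoped assignment should be listed for the account.
Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount -Role ApplicationImpersonation |
    Format-Table Name, CustomRecipientWriteScope

# --- Method 2: Full Access per mailbox (ImpersonateMailboxOwner=false) ------
# -AutoMapping $false stops Outlook on the service account from attaching
# every indexed mailbox as an additional store.
foreach ($mbx in $Mailboxes) {
    Add-MailboxPermission -Identity $mbx.Identity -User $ServiceAccount `
        -AccessRights FullAccess -InheritanceType All -AutoMapping $false | Out-Null
}

# --- Method 3: Reviewer on every folder (ImpersonateMailboxOwner=false) -----
# Walk each mailbox's folder tree; Get-MailboxFolderStatistics reports paths
# like "/Inbox/Projects", which Add-MailboxFolderPermission expects as
# "user@domain:\Inbox\Projects". Recoverable Items folders are skipped because
# the connector does not index them and they reject folder permissions.
foreach ($mbx in $Mailboxes) {
    Get-MailboxFolderStatistics -Identity $mbx.Identity |
        Where-Object { $_.FolderPath -notlike "/Recoverable Items*" } |
        ForEach-Object {
            $folderId = "$($mbx.PrimarySmtpAddress):$($_.FolderPath -replace '/', '\')"
            try {
                Add-MailboxFolderPermission -Identity $folderId -User $ServiceAccount `
                    -AccessRights Reviewer -ErrorAction Stop | Out-Null
            } catch {
                # System folders that refuse folder-level permissions end up here;
                # anything listed is a folder the connector will not be able to index.
                Write-Warning "Could not grant Reviewer on $folderId : $($_.Exception.Message)"
            }
        }
}

# Spot-check one mailbox: the Inbox entry for the service account should show
# AccessRights = Reviewer.
Get-MailboxFolderPermission -Identity "$($Mailboxes[0].PrimarySmtpAddress):\Inbox" -User $ServiceAccount
```

Because folder permissions are granted per folder, rerun the Method 3 loop after new top-level folders appear in an indexed mailbox; the Method 1 scope and Method 2 mailbox-level permission do not have this maintenance cost.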

Access to Mailboxes (using OAuth)

The connector can authenticate with the Exchange Web Service using Basic Authentication or using OAuth. Microsoft has disabled Basic Authentication for Exchange Online, so for Exchange Online use OAuth; Basic Authentication remains relevant only for on-premises Exchange. To use OAuth, you must register an application in Azure Active Directory. The connector uses the OAuth client credentials grant (app-only access, with no signed-in user), so the application must be granted the following Application permissions (not Delegated permissions) on the Office 365 Exchange Online API, and an administrator must grant admin consent for them:

  • Exchange - full_access_as_app
  • Exchange - Calendars.Read
  • Exchange - Mail.Read
  • Exchange - User.Read.All

Using the values from the application registration, set the configuration parameters WSTenantID (the Directory (tenant) ID), WSClientID (the Application (client) ID), and WSClientSecret (a client secret created under Certificates & secrets; its value is shown only once, at creation time, so record it then and protect the configuration file that holds it). Note that full_access_as_app grants the application access to every mailbox in the tenant; in Exchange Online you can restrict it to the mailboxes the connector indexes with an application access policy. There is no need to run the OAuth configuration tool for configuring authentication with the Exchange Web Service. For more information about setting up a task to retrieve data from Exchange Online, see Retrieve Data from Exchange Online.
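An added example (not part of the connector documentation) of the two checks a practitioner would want before putting the WSTenantID, WSClientID and WSClientSecret values into the configuration file: limiting the application to the indexed mailboxes with an Exchange Online application access policy, and confirming that a client-credentials token obtained with those values can actually read a target mailbox through EWS. The tenant ID, client ID, the group IDOL-Indexed-Mailboxes@contoso.com and the mailbox addresses are placeholders.

```powershell
# Added example, not from the connector documentation. Requires the
# ExchangeOnlineManagement module for the policy part; the token and EWS
# checks need only PowerShell. All IDs and addresses below are placeholders.

$TenantId     = "00000000-0000-0000-0000-000000000000"   # Directory (tenant) ID -> WSTenantID
$ClientId     = "11111111-1111-1111-1111-111111111111"   # Application (client) ID -> WSClientID
$ClientSecret = Read-Host -AsSecureString "Client secret"  # value for WSClientSecret; never hard-code it

# --- 1. Restrict full_access_as_app to the mailboxes the connector indexes ---
# Exchange Online enforces application access policies for EWS as well as
# Microsoft Graph. Members of the scope group are reachable; everyone else is not.
Connect-ExchangeOnline
New-ApplicationAccessPolicy -AppId $ClientId `
    -PolicyScopeGroupId "IDOL-Indexed-Mailboxes@contoso.com" `
    -AccessRight RestrictAccess `
    -Description "Limit the IDOL Exchange Web Service Connector to indexed mailboxes"

# Expected AccessCheckResult: Granted for a group member, Denied for a non-member.
Test-ApplicationAccessPolicy -Identity "alice@contoso.com" -AppId $ClientId
Test-ApplicationAccessPolicy -Identity "ceo@contoso.com"   -AppId $ClientId

# --- 2. Acquire an app-only token (client credentials grant) ----------------
$plainSecret = [System.Net.NetworkCredential]::new("", $ClientSecret).Password
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = "client_credentials"
        client_id     = $ClientId
        client_secret = $plainSecret
        scope         = "https://outlook.office365.com/.default"   # EWS resource
    }

# --- 3. Read the Inbox of an indexed mailbox through EWS ---------------------
# The connector impersonates each mailbox owner, so the check does the same
# via the ExchangeImpersonation SOAP header; X-AnchorMailbox routes the
# request to the right backend for that mailbox.
$Mailbox = "alice@contoso.com"
$soap = @"
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
               xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">
  <soap:Header>
    <t:RequestServerVersion Version="Exchange2013" />
    <t:ExchangeImpersonation>
      <t:ConnectingSID><t:PrimarySmtpAddress>$Mailbox</t:PrimarySmtpAddress></t:ConnectingSID>
    </t:ExchangeImpersonation>
  </soap:Header>
  <soap:Body>
    <m:GetFolder>
      <m:FolderShape><t:BaseShape>Default</t:BaseShape></m:FolderShape>
      <m:FolderIds><t:DistinguishedFolderId Id="inbox" /></m:FolderIds>
    </m:GetFolder>
  </soap:Body>
</soap:Envelope>
"@

$response = Invoke-RestMethod -Method Post `
    -Uri "https://outlook.office365.com/EWS/Exchange.asmx" `
    -ContentType "text/xml; charset=utf-8" -Body $soap `
    -Headers @{
        Authorization     = "Bearer $($token.access_token)"
        "X-AnchorMailbox" = $Mailbox
    }

# "Success" means the registration and permissions are usable by the connector.
# An ErrorAccessDenied or ErrorNonExistentMailbox response class points at a
# missing permission, missing admin consent, or a mailbox outside the policy.
$response.Envelope.Body.GetFolderResponse.ResponseMessages.GetFolderResponseMessage.ResponseClass
```

Run the EWS check once against a mailbox inside the policy scope and once against one outside it: the second request should fail, which confirms that the policy, not only the API permission grant, is in force before the connector starts indexing.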