Permissions

To use the synchronize, collect, or view fetch actions, you must grant the following permissions.
Access to LDAP

To retrieve a list of mailboxes through LDAP, the user that accesses LDAP (specified by the Username or LDAPUsername parameter in the Exchange Web Service Connector configuration file) must have read access to the directory.
Access to Mailboxes

The user that connects to the Exchange Web Service (specified by the Username or WSUsername parameter in the Exchange Web Service Connector configuration file) requires the following permissions:

- The user must have their own mailbox.
- The user must have permission to read messages from the mailboxes that you want to retrieve. To grant this permission, use one of the following methods:
  - In Exchange, grant the user permission to impersonate other users. Then, in the connector’s configuration file, set ImpersonateMailboxOwner=true (true is the default value).
  - In Exchange, grant the user "Full Access Permissions" on each mailbox that you want to retrieve. Then, in the connector’s configuration file, set ImpersonateMailboxOwner=false.
  - In Exchange, grant the user "Reviewer" access to each folder in each mailbox that you want to index. The user must have "Reviewer" access on all folders below the root of the mailbox (or the folder specified by the connector’s BaseMailboxFolder configuration parameter). If the user does not have access to a mailbox folder, that folder and its contents cannot be indexed. In the connector’s configuration file, set ImpersonateMailboxOwner=false.
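The following script is an added example and is not part of the connector documentation or the connector's own tooling. It shows the three ways of granting the connector account mailbox read access that are listed above, run from the Exchange Management Shell on an on-premises Exchange server, together with a check that the grant took effect. It goes slightly beyond the text by restricting the impersonation role assignment to a management scope (so the account cannot impersonate every mailbox in the organization) and by walking every folder for the "Reviewer" method. The account name, mailbox addresses, scope name and custom attribute value are placeholders. Note that Microsoft has retired the ApplicationImpersonation RBAC role in Exchange Online, so method 1 applies to on-premises Exchange; for Exchange Online use the OAuth application registration described in the next section.

```powershell
# Added example (not from the connector documentation). Run in the Exchange Management Shell
# on an on-premises Exchange server. All names below are placeholders.
$ConnectorUser = 'CONTOSO\svc-ews-connector'                      # the account set as Username / WSUsername
$Mailboxes     = @('alice@contoso.example', 'bob@contoso.example') # mailboxes the connector should retrieve

# --- Method 1: impersonation (pairs with ImpersonateMailboxOwner=true, the default) ---
# Least privilege: tag the mailboxes to be indexed and scope the role assignment to that tag,
# instead of granting organization-wide impersonation.
foreach ($mbx in $Mailboxes) {
    Set-Mailbox -Identity $mbx -CustomAttribute1 'EWSIndex'
}
New-ManagementScope -Name 'EWS Connector Mailboxes' `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'EWSIndex'"
New-ManagementRoleAssignment -Name 'EWS Connector Impersonation' `
    -Role 'ApplicationImpersonation' -User $ConnectorUser `
    -CustomRecipientWriteScope 'EWS Connector Mailboxes'

# --- Method 2: Full Access on each mailbox (pairs with ImpersonateMailboxOwner=false) ---
# -AutoMapping $false stops Outlook on the service account from auto-opening every mailbox.
# Full Access also grants write access, so prefer method 1 or 3 when only reading is required.
foreach ($mbx in $Mailboxes) {
    Add-MailboxPermission -Identity $mbx -User $ConnectorUser `
        -AccessRights FullAccess -AutoMapping $false
}

# --- Method 3: Reviewer on every folder (pairs with ImpersonateMailboxOwner=false) ---
# Reviewer is read-only. The grant must cover every folder below the root (or below
# BaseMailboxFolder); folders the account cannot open are not indexed by the connector.
foreach ($mbx in $Mailboxes) {
    Get-MailboxFolderStatistics -Identity $mbx | ForEach-Object {
        # FolderPath is '/Inbox/Projects'; the folder identity form is 'mailbox:\Inbox\Projects'
        $folderId = "${mbx}:" + ($_.FolderPath -replace '/', '\')
        # Some system folders reject folder permissions; skip them rather than abort.
        Add-MailboxFolderPermission -Identity $folderId -User $ConnectorUser `
            -AccessRights Reviewer -ErrorAction SilentlyContinue
    }
}

# --- Verification: confirm what the connector account actually holds ---
Get-ManagementRoleAssignment -RoleAssignee $ConnectorUser -Role 'ApplicationImpersonation' |
    Format-Table Name, CustomRecipientWriteScope
foreach ($mbx in $Mailboxes) {
    Get-MailboxPermission -Identity $mbx -User $ConnectorUser | Format-Table Identity, AccessRights
    Get-MailboxFolderPermission -Identity "${mbx}:\Inbox" -User $ConnectorUser |
        Format-Table FolderName, AccessRights
}
```

Use only one of the three methods for a given connector account; mixing Full Access and impersonation grants more than the connector needs. The verification block is also a useful periodic audit: a service account with organization-wide impersonation or Full Access on mailboxes outside the indexed set is a sign the grant has drifted.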
Access to Mailboxes (using OAuth)

The connector can authenticate with the Exchange Web Service using Basic Authentication or using OAuth. To use OAuth, you must register an application in Azure Active Directory. The application must be granted the following Application API permissions by an administrator:

- Exchange - full_access_as_app
- Exchange - Calendars.Read
- Exchange - Mail.Read
- Exchange - User.Read.All

Using the tokens that are generated when the application is created, set the configuration parameters WSTenantID, WSClientID, and WSClientSecret. There is no need to run the OAuth configuration tool for configuring authentication with the Exchange Web Service. For more information about setting up a task to retrieve data from Exchange Online, see Retrieve Data from Exchange Online.