Enterprise Recon Cloud 2.12.0

How To Scan Exchange Online

The Exchange Online (EWS) (previously Office 365 Mail) Target uses the Basic Authentication method for Exchange Web Services (EWS), which is marked for retirement by Microsoft. Existing scans for Exchange Online (EWS) may start to fail once Basic Authentication access is disabled for Exchange Web Services (EWS).

You can use the Microsoft Graph implementation of Exchange Online by adding the Exchange Online (Graph) Target.

This section covers the following topics:

Overview

When Exchange Online is added as a scan Target, ER Cloud returns all Microsoft 365 groups and user accounts with active mailboxes in each group. You can select specific groups or individual users when setting up the scan schedule, and each group will be presented as a separate location for the Exchange Online Target.

Here are some scenarios which may benefit from scanning Exchange Online mailboxes by Microsoft 365 groups:

  • Users in the organization are typically managed as groups, and assigned group memberships in your Microsoft 365 environment.
  • Compliance procedures requires the capability to segregate and report scan results by business unit, division or group.
  • Head of Departments are only authorized to review and remediate non-compliant mailboxes in certain groups. This can be easily managed by delegating specific resource permissions to the user. For more information, refer to Assign Resource Permissions of the Grant User Permissions section.

You can also scan all users with mailboxes in your organization's domain by adding the "All Users" group as a scan location.

Example of Exchange Online structure: Exchange Online [domain: example.onmicrosoft.com] +- Exchange Online on target EXCHANGEONLINE:EXAMPLE.ONMICROSOFT.COM +- Group All Users +- Group Engineering +- Group Design

Licensing

For Sitewide Licenses, all scanned Exchange Online Targets consume data from the Sitewide License data allowance limit.

For Non-Sitewide Licenses, Exchange Online Targets require Client Licenses, and consume data from the Client License data allowance limit.

See Target Licenses for more information.

Requirements

Requirements Description
Proxy Agent
  • Proxy Agent host with direct Internet access.
  • ER 2.1 Agent and newer.
TCP Allowed Connections Port 443

Configure Microsoft 365 Account

Generate Client ID and Tenant ID Key

  1. With your administrator account, log in to the Azure app registration portal.
  2. In the App registrations page, click + New registration.
  3. In the Register an application page, fill in the following fields:

    Field Description
    Name Enter a descriptive display name for ER Cloud. For example, Enterprise Recon.
    Supported account types Select Accounts in this organizational directory only.
  4. Click Register. You will be redirected to the Overview page for the newly registered app, Enterprise Recon.
  5. Take down the Application (client) ID and Directory (tenant) ID. This is required when you want to set up and scan an Exchange Online Target. Refer to Set Up and Scan an Exchange Online Target.

    Enterprise Recon app Overview in the Microsoft Azure app registration portal.

Generate Client Secret Key

  1. With your administrator account, log in to the Azure app registration portal.
  2. In the App registrations page, go to the Owned applications tab. Click on the app that you registered (e.g. Enterprise Recon) when generating the Client ID and Tenant ID key.
  3. In the Manage panel, click Certificates & secrets.
  4. In the Client secrets section, click + New client secret.
  5. In the Add a client secret page, fill in the following fields:

    Field Description
    Description Enter a descriptive label for the Client Secret key.
    Expires Select a validity period for the Client Secret key.
  6. Click Add. The Value column will contain the Client Secret key.

    Newly created Client Secret key for the Enterprise Recon app.

  7. Copy and save the Client Secret key to a secure location. This is required when you want to set up and scan an Exchange Online Target. Refer to Set Up and Scan an Exchange Online Target.

Grant API Access

To scan Exchange Online Targets, you will need to grant ER Cloud permissions to access specific resource APIs.

  1. With your administrator account, log in to the Azure app registration portal.
  2. In the App registrations page, go to the Owned applications tab. Click on the app that you registered (e.g. Enterprise Recon) when generating the Client ID and Tenant ID key.
  3. In the Manage panel, click API permissions.
  4. In the Configured permissions section, click + Add a permission.
  5. In the Request API permissions page, select Microsoft Graph > Application permissions.
  6. Select the following permissions for the Enterprise Recon app:

    API Permissions Description
    • Group.Read.All
    • User.Read.All
    • Directory.Read.All
    • Mail.Read
    • Contacts.Read
    • Calendars.Read
    Required for probing and scanning Exchange Online Targets.
    • Group.ReadWrite.All
    • User.ReadWrite.All
    • Directory.ReadWrite.All
    • Mail.ReadWrite
    • Contacts.ReadWrite
    • Calendars.ReadWrite
    Required for remediating Exchange Online Targets.
  7. Click Add permissions.
  8. In the Configured permissions page, click on Grant admin consent for <organization name>.
  9. In the Grant admin consent confirmation dialog, click Yes. The Status column for all the newly added API permissions will be updated to "Granted for <organization name>".

Set Up and Scan an Exchange Online Target

  1. Configure Microsoft 365 Account.
  2. From the New Scan page, add Targets. Refer to the Add Targets section.
  3. In the Select Target Type dialog box, select Microsoft 365 > Exchange Online.
  4. Fill in the following details:

    Dialog box to configure the path, credentials and proxy agent for an Exchange Online Targets.

    Field Description
    Exchange Online Domain

    Enter the Microsoft 365 domain to scan.

    Example: example.onmicrosoft.com

    Only accounts where the user principal name (UPN) shares the same domain as specified in the Exchange Online Domain field will be scanned and/or listed when probing the Target.

    For example, if Exchange Online Domain is set to example.onmicrosoft.com, user1@example2.onmicrosoft.com will not be scanned and/or listed when probing the Target even if the user belongs to a group in the example.onmicrosoft.com domain.

    To scan multiple domains within your organization's Microsoft 365 environment, add these domains as separate Exchange Online Targets.

    New Credential Label

    Enter a descriptive label for the Exchange Online credential set.

    Example: m365-exchangeonline-exampledomain

    Client ID

    Enter the Client ID.

    Example: clientid-1234-5678-abcd-6d05bf28c2bf

    For more information, refer to Generate Client ID and Tenant ID Key.

    Client Secret Key

    Enter the Client Secret key.

    Example: client~secret.key-CHvV1B5YQfr~6zDjEyv

    For more information, refer to Generate Client Secret Key.

    Tenant ID

    Enter the Tenant ID.

    Example: tenantid-1234-abcd-5678-02011df316f4

    For more information, refer to Generate Client ID and Tenant ID Key.

    Agent to act as proxy host

    Select a Windows, Linux or macOS Proxy Agent host with direct Internet access.

  5. Click Test. If ER Cloud can connect to the Target, the button changes to a Commit button.
  6. Click Commit to add the Target.
  7. Back in the New Scan page, locate the newly added Exchange Online Target and click on the arrow next to it to display a list of available Microsoft 365 groups for the domain.
  8. Select the Target location(s) to scan:
    1. If "All Users" is selected, ER Cloud scans all user accounts in the Microsoft 365 domain.

    2. If only specific groups are selected, ER Cloud only scans user accounts in the selected groups.

  9. Click Next.
  10. On the Select Data Types page, select the data type profiles to be included in your scan (refer to the Use Data Type Profile section) and click Next.
  11. On the Set Schedule page, configure the parameters for your scan. For more information, refer to Set Schedule in the Start a Scan section.

  12. Click Next.
  13. On the Confirm Details page, review the details of the scan schedule, and click Start Scan to start the scan. Otherwise, click Back to modify the scan schedule settings.

Edit Exchange Online Target Path

  1. Set Up and Scan an Exchange Online Target.
  2. In the Select Locations section, select your Exchange Online Target location and click Edit.

  3. In the Edit Exchange Online dialog box, enter a (case sensitive) Path to scan. Use the following syntax:

    Mailbox / Folder to Scan Path
    All user accounts in a specific group

    Syntax: <Group Display Name>

    Example: Engineering (SG)

    Specific user account in group

    Syntax: <Group Display Name>/<User Principal Name>

    Example: Engineering (SG)/user1@example.onmicrosoft.com

    Specific folder for user account in group (e.g. Calendar, Contacts, Notes etc)

    Syntax: <Group Display Name>/<User Principal Name>/<Mailbox Folder>

    Example: Engineering (SG)/user1@example.onmicrosoft.com/ProjectA

    All user accounts

    Syntax: All Users

    Specific user account
    Recommended for scanning mailboxes of user accounts that do not belong to any Microsoft 365 group.

    Syntax: All Users/<User Principal Name>

    Example: All Users/user1@example.onmicrosoft.com

    Specific folder for user account (e.g. Calendar, Contacts, Notes etc)
    Recommended for scanning mailboxes of user accounts that do not belong to any Microsoft 365 group.

    Syntax: All Users/<User Principal Name>/<Mailbox Folder>

    Example: All Users/user1@example.onmicrosoft.com/ProjectA

  4. Click Test and then Commit to save the path to the Target location.

Unsupported Mailbox Types and Folders

ER Cloud currently does not support the following mailbox types and folders for the Exchange Online Target:

  • Archived mailboxes (In-Place Archives)
  • Deleted mailboxes
  • Unlicensed mailboxes
  • Microsoft 365 Group mailboxes and conversations

Remediate Matches in Exchange Online

If an Exchange Online email / message is removed using the "Deleted Permanently" remediation option, these emails / messages may still be discovered by ER Cloud in the Recoverable Items or Deleted Items folder upon rescans of the Exchange Online Target. Items in the Recoverable Items or Deleted Items folder cannot be further remediated and will be retained in Exchange Online until the retention period expires. For more information, refer to Exchange Online - Retention Limits.

To remediate matches, refer to the Perform Remedial Actions section.

For more information on the supported remedial actions, refer to the Remedial Actions in ER Cloud section.

Mailbox in Multiple Groups

This section describes the behavior of mailboxes that are members of multiple groups for the Exchange Online Target.

License Consumption

A mailbox for a user account that belongs to multiple groups

  • is scanned each time a group the user belongs to is scanned.
  • consumes only 1x data allowance usage regardless of how many times it is scanned as part of different groups.

Scan Results

Matches that are found in mailboxes that belong to multiple groups will be reported as a distinct match count for each group.

Take for example a simplified Exchange Online Target for the domain "example.onmicrosoft.com" below:

EXAMPLE.ONMICROSOFT.COM 55 matches +– Engineering 30 matches +– UserA 10 matches +– UserB 20 matches +– Design 25 matches +– UserA 10 matches +– UserC 15 matches

Matches found in the mailbox for UserA will be included in the match count for both Engineering and Design groups.