The Exchange Online inventory requires an Azure App. This App is the interface between Docusnap and Exchange Online. The required Azure App is created within Docusnap - in the Exchange Online Scan Wizard. Alternatively, apps can be created and edited in Docusnap Management.
Information and requirements for creating the app
The user used to start Docusnap must be a local administrator, as PowerShell modules are imported to create the app: ExchangeOnlineManagement
|
Docusnap must be running on a system with a 64-bit operating system with .NET Framework 4.8 or higher and PowerShell 5.0 or higher to create the app and inventory Exchange Online. |
The Azure Administrator used must have the Azure role Global Administrator. This user is required to create the app. The app that is created does not have the permissions of the administrator, only the Exchange.ManageAsApp, full_Access_as_app and Global Reader permissions.
The app is referred to in Azure as Docusnap_EXO_Inventory_App_ and a One-time App ID. The label cannot be customized. If the label is changed in Azure, the inventory can no longer be performed.
In the wizard, a company and a domain must be selected for which the inventoried data should be displayed. The app can only be used for one domain in one database. To inventory the same Exchange Online environment for additional Docusnap instances, a new app must be created.
A self-signed certificate is created in connection with the app. The certificate is valid two years after creation. The certificate is stored in the Docusnap database (tAzureOAuthApps)
Active Scripting must be enabled in the Internet Security Settings. Security Settings - Internet Zone - Scripting - Active Scripting. This setting is only required for registering the app. After the app has been successfully registered, Active Scripting can be disabled again. The security settings for the Internet zone should be set to medium to high at most. The browser cache should be cleared.
Inventory
To start the wizard for inventorying the Exchange Online Information, click the Exchange Online button. The Exchange Online step will be displayed after you have selected a company and a domain (see: Basic Steps).
The Exchange Online Inventory gives an overview of the following information:
- Mailboxes including permissions and size
- Public folders including permissions and size
- Distribution groups and e-mail contacts
Clicking the Register App button opens the dialog for creating the app. By clicking the Create New App button, the Azure Tenant and Azure Administrator can be entered. For the inventory, the Azure Administrator with the Azure role Global Administrator must be used.
After entering the credentials, clicking the Register App button establishes the Azure connection and starts the creation of the previously described app. An already existing app will be re-registered by clicking on this button. If jobs have already been scheduled for a domain with the specified Exchange environment, Docusnap will re-register the app in the background and the jobs can continue to run.
In the window that appears, the password of the previously entered Azure administrator must be entered. If multi-factor authentication has been set up, it must also be performed, as it is required for registering the app. Subsequently, the inventory of Exchange Online can be performed automatically with the Docusnap Server or Discovery Service, even with multi-factor authentication.
The requested permissions must be checked and confirmed. For this purpose, it could be necessary to authenticate again with the Azure Administrator entered previously.
Now the required app for the Exchange Online inventory has been created and you can execute or schedule the inventory. Since the certificate expires after two years, the app must be re-registered then. Clicking the OK button closes the dialog.
By clicking the New button, one of the created apps can be selected to be used for the inventory. If no app has been created for the selected domain yet, the dialog for creating and registering the apps can be opened. This is the same dialog that is opened via the Register App button.
If an Optional Display Name is defined, it will be listed in the tree when displayed. You can choose whether the Exchange permissions are to be captured during the inventory.
