Registering IBM StoredIQ as a Microsoft service application for access to Exchange Online

For harvesting Exchange Online mailboxes, IBM StoredIQ must be registered as a service application with Microsoft.

Before you begin

This procedure requires administrator access to the Microsoft Azure portal.

About this task

Register IBM StoredIQ to integrate it with the Microsoft identity platform for secure login and authorization when accessing Microsoft Exchange Online volumes.

Procedure

To set up OAuth authentication and obtain the authentication information for use in IBM StoredIQ, complete these steps:

  1. Log in to https://portal.azure.com.
    Make note of the login ID. This user ID is set up as the mailbox impersonator. You'll need this information for the Exchange Online volume configuration in IBM StoredIQ.
  2. Select Azure Active Directory service.
  3. Select App registrations > New registration.
  4. On the Register an application page, enter IBM StoredIQ as the display name for the application.
  5. Under Supported account types, select Accounts in any organizational directory (Any Azure directory - Multitenant).
  6. Do not specify a redirect URI.
  7. Click Register.
    This generates a unique application (client) ID that you can see on the Overview page. Make a note of this ID, you'll need it for the volume configuration in IBM StoredIQ.
  8. Configure permissions for the application.
    1. On the Overview page, select API permissions from the menu on the left and then click Add a permission.
    2. On the Request API permissions page, select Microsoft APIs. In the Commonly used Microsoft APIs section, look for Microsoft Graph and select it.
    3. On the Request API permissions page for Microsoft Graph, select Delegated permissions.
    4. Look for EWS and expand that section.
    5. Select the EWS.AccessAsUser.All checkbox and click Add permissions.
      You return to the API permissions page, where you can now see the granted permissions listed.
    6. On the API permissions page, click Add a permission.
    7. On the Request API permissions page, select APIs my organization uses. Look for Office 365 Exchange Online and select it.
    8. On the Request API permissions page for Office 365 Exchange Online, select Application permissions.
    9. Look for Other permissions and expand that section.
    10. Select the full_access_as_app checkbox and click Add permissions.
      You return to the API permissions page, where you can now see the granted permissions listed.
    11. Click Grant admin consent for tenant_name, where tenant_name is your company’s tenant name.
  9. Add credentials to the application.
    1. On the Overview page, select Certificates & secrets from the menu on the left.
    2. Click New client secret.
    3. Optionally, add a description for your client secret.
    4. Set the client secret to never expire.
    5. Click Add.
    The table now shows the description, the expiration date, and the newly created client secret value.
    Important: Be sure to copy this value for use in IBM StoredIQ. As soon as you leave this page, the value is obscured and no longer accessible. You'll need the client secret value for configuring Exchange Online volumes in IBM StoredIQ.
  10. Save all changes.

Results

IBM StoredIQ is now properly registered with Microsoft.