Certificate-based authentication (CBA) provides a secure method for mobile devices to
access Office 365 Exchange ActiveSync (EAS) without using traditional usernames and passwords. This
authentication mechanism is commonly implemented in enterprise environments to support iOS, Android,
and Windows devices that connect to Exchange Online in Microsoft 365.
About this task
For example, the organization integrates the EAS module with Office 365 by using the
ExchangeOnlineManagement PowerShell module. Customers provide service account credentials through
the CE configuration tool to allow the system to retrieve Exchange mailbox, device, and policy
information, perform device management actions (approve, block, quarantine), and synchronize policy
updates from the MaaS360 portal back to Exchange. This approach requires customers to disable MFA
and security defaults on the service accounts, which contradicts Microsoft’s best practices.
With certificate-based authentication, you can use application-level credentials in the
ExchangeOnlineManagement PowerShell module.
Configure settings for the Exchange module for certificate-based authentication.
Procedure
- Open the Cloud Extender® Configuration Tool and select Exchange.
- Select Office 365, and click Next.
- Enter Email Server Configuration, and click Next.
- Select Certificate from the type of credentials.
- On the Certificate Configuration page, you must provide the Organization ID and the Client ID created in the Microsoft Entra ID Portal. Also, update the Certificate path and password.
  To use the certificate type of credentials, you must register the application in Microsoft Entra ID, assign API permissions to the application, and generate a self-signed certificate.
  Follow the steps to create IDs in the Microsoft Entra ID portal.
  - Log in to the Microsoft Entra ID portal and select App registrations in the Service section.
  - On the App registrations page, select New registration.
  - Register your application.
    Important: Copy the Organization ID and the Client ID from the Microsoft Entra ID portal. Also, the application must be a member of Global administrator.
    For more information about creating and registering an application, see Microsoft documentation.
  - Select the registered application on the Microsoft Entra ID portal and grant API permissions. Follow these steps to grant API permissions to the application.
    - On the app Overview page, select .
    - Click +Add a Permission. The Request API permissions window is displayed.
    - Go to the and select .
    - Click Grant admin consent for <your application> to grant the permission.
    For more information about API permissions, see Microsoft Documentation.
  - Generate a self-signed certificate and upload the public key certificate in the Certificates section. For more information about generating a self-signed certificate, see Microsoft Documentation.
- Enter the certificate path that you generated in the Microsoft Entra ID portal and add the authentication certificate password.
  Note: Only .p12 certificate files are supported.
- Click Validate Certificate to run the validation checks against Office 365.
  The Cloud Extender checks for connectivity, validity of credentials, and permissions for each configured service account, including any accounts with issues. Make sure that all service accounts are functional.
  If validation fails, you can review the appropriate error messages.
- Click Save to complete the setup and return to the Cloud Extender Summary page.
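The certificate step above can be done from Windows PowerShell as shown in this added example, which is not taken from the product documentation. It creates the self-signed certificate, writes the password-protected .p12 file for the Certificate path field and the public .cer file for upload to the app registration, and checks the .p12 before it is used. The subject name, output folder, file names, and one-year lifetime are assumptions; that the tool accepts a PKCS#12 file exported this way is also an assumption.

```powershell
# Added example. Subject, folder, file names, and lifetime are assumptions.
$subject  = 'CN=CloudExtender-EXO-CBA'      # hypothetical certificate subject
$outDir   = 'C:\CloudExtender\certs'        # hypothetical output folder
$password = Read-Host -AsSecureString -Prompt 'Password for the .p12 file'

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Create the key pair in the current user's store. -KeySpec KeyExchange follows
# Microsoft's app-only authentication guidance for Exchange Online PowerShell.
$cert = New-SelfSignedCertificate -Subject $subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy Exportable -KeySpec KeyExchange `
    -NotAfter (Get-Date).AddYears(1)

$pfx = Join-Path $outDir 'cloudextender-exo.pfx'
$p12 = Join-Path $outDir 'cloudextender-exo.p12'
$cer = Join-Path $outDir 'cloudextender-exo.cer'

# Private key + certificate, password protected. .pfx and .p12 are both PKCS#12,
# so the export is renamed to the extension the configuration tool expects.
Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $password | Out-Null
Move-Item -Path $pfx -Destination $p12 -Force

# Public certificate only. This is the file uploaded to the app registration.
Export-Certificate -Cert $cert -FilePath $cer | Out-Null

# Re-open the .p12 with the password to confirm it is usable before configuring it.
$check = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($p12, $password)
try {
    if (-not $check.HasPrivateKey) { throw 'The .p12 file does not contain a private key.' }
    if ($check.Thumbprint -ne $cert.Thumbprint) { throw 'The .p12 thumbprint does not match the generated certificate.' }
    if ($check.NotAfter -le (Get-Date)) { throw 'The certificate has already expired.' }
}
finally {
    $check.Dispose()
}

# Remove the working copy (and its key) from the user store so the private key
# exists only in the password-protected .p12 file.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey

[pscustomobject]@{
    Thumbprint = $cert.Thumbprint   # compare with the value shown after upload
    Expires    = $cert.NotAfter     # plan renewal before this date
    P12Path    = $p12
    PublicCer  = $cer
}
```

Compare the printed thumbprint with the one the Microsoft Entra ID portal shows for the uploaded certificate, and limit file permissions on the .p12 to the account that runs the Cloud Extender.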