Configuring Exchange module for certificate-based authentication

Certificate-based authentication (CBA) provides a secure method for mobile devices to access Office 365 Exchange ActiveSync (EAS) without using traditional usernames and passwords. This authentication mechanism is commonly implemented in enterprise environments to support iOS, Android, and Windows devices that connect to Exchange Online in Microsoft 365.

About this task

For example, the organization integrates the EAS module with Office 365 by using the ExchangeOnlineManagement PowerShell module. Customers provide service account credentials through the Cloud Extender Configuration Tool so that the system can retrieve Exchange mailbox, device, and policy information, perform device management actions (approve, block, quarantine), and synchronize policy updates from the MaaS360 portal back to Exchange. This approach requires customers to disable MFA and security defaults on the service accounts, which contradicts Microsoft’s best practices.

With certificate-based authentication, you can use application-level credentials in the ExchangeOnlineManagement PowerShell module.

Configure settings for the Exchange module for certificate-based authentication.

Procedure

  1. Open the Cloud Extender® Configuration Tool and select Exchange.
  2. Select Office 365, and click Next.
  3. Enter Email Server Configuration, and click Next.
  4. Select Certificate from the type of credentials.
  5. On the Certificate Configuration page, you must provide the Organization ID and the Client ID created in the Microsoft Entra ID Portal. Also, update the Certificate path and password.
    To use certificate credentials, you must register the application in Microsoft Entra ID, assign API permissions to the application, and generate a self-signed certificate.
    Follow these steps to create the IDs in the Microsoft Entra ID portal.
    1. Log in to the Microsoft Entra ID portal and select App registrations in the Service section.
    2. On the App registrations page, select New registration.
    3. Register your application.
      Important:

      Copy the Organization ID and the Client ID from the Microsoft Entra ID portal. Also, the application must be a member of the Global Administrator role.

      For more information about creating and registering an application, see Microsoft documentation.

    4. Select the registered application on the Microsoft Entra ID portal and grant API permissions. Follow these steps to grant API permissions to the application.
      1. On the app Overview page, select Manage > API permissions.
      2. Click + Add a permission. The Request API permissions window is displayed.
      3. Go to the APIs my organization uses > Office 365 Exchange Online > Application permissions and select Exchange.ManageAsApp > Add permissions.
      4. Click Grant admin consent for <your application> to grant the permission.

      For more information about API permissions, see Microsoft documentation.

    5. Generate a self-signed certificate and upload the public key certificate in the Certificates section. For more information about generating a self-signed certificate, see Microsoft documentation.
  6. Enter the certificate path that you generated in the Microsoft Entra ID portal and add the authentication certificate password.
    Note: Only .p12 certificate files are supported.
  7. Click Validate Certificate to run the validation checks against Office 365.

    The Cloud Extender checks for connectivity, validity of credentials, and permissions for each configured service account, including any accounts with issues. Make sure that all service accounts are functional.

    If validation fails, you can review the appropriate error messages.

  8. Click Save to complete the setup and return to the Cloud Extender Summary page.
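
One way to carry out the certificate sub-step of step 5 and produce the .p12 file that step 6 asks for, using the PKI cmdlets built into Windows PowerShell. This is an added example, not part of the original procedure or the product's own tooling; the subject name, output folder, file names, and one-year lifetime are assumptions.

```powershell
# Added example. The subject, folder, file names and lifetime are assumptions.
$subject = 'CN=CloudExtender-EXO-CBA'       # hypothetical certificate subject
$outDir  = 'C:\CloudExtenderCerts'          # hypothetical output folder
$cerPath = Join-Path $outDir 'cloudextender-exo.cer'
$p12Path = Join-Path $outDir 'cloudextender-exo.p12'

# Prompt for the password so that it never appears in the script or in history.
$password = Read-Host -AsSecureString -Prompt 'Password for the .p12 file'

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Create an exportable RSA key pair and a self-signed certificate
# in the current user's certificate store.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy Exportable `
    -KeySpec Signature `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

# Public certificate only (no private key): this is the file to upload
# in the Certificates section of the app registration.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# Certificate plus private key, password protected. Export-PfxCertificate
# writes PKCS #12, which is the same format whether the file is named
# .pfx or .p12; the .p12 extension is used because step 6 requires it.
Export-PfxCertificate -Cert $cert -FilePath $p12Path -Password $password | Out-Null

# Remove the certificate and its private key from the user store so that
# the only copy of the private key is the password-protected .p12 file.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey

# Re-open the .p12 with the same password to confirm that it is readable,
# and show the thumbprint and expiry date for comparison with the values
# displayed for the uploaded certificate in the Microsoft Entra ID portal.
(Get-PfxData -FilePath $p12Path -Password $password).EndEntityCertificates |
    Select-Object Subject, Thumbprint, NotAfter
```

The .p12 file and its password together act as the application's credential, so store them where only the account that runs the Cloud Extender can read them, and replace the certificate before the `NotAfter` date.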