Microsoft 365 Exchange Admin Center plugin provides the ability to manage mail flow rules (transport rules) shown within the MS365 Exchange Admin Center and manage a mailbox’s inbox rules.
This plugin supports operations to:
- Retrieve a mail flow rule.
- Enable a mail flow rule.
- Disable a mail flow rule.
- Update the configuration of a mail flow rule.
- Retrieve all inbox rules for a mailbox.
- Retrieve an inbox rule for a mailbox.
- Enable an inbox rule for a mailbox.
- Disable an inbox rule for a mailbox.
- Create a new inbox rule for a mailbox.
- Modify an inbox rule for a mailbox.
- Delete an inbox rule from a mailbox.
- Retrieve all permissions for a mailbox.
- Retrieve a user’s or security group’s permissions for a mailbox.
- Add permissions for a user or security group to a mailbox.
- Remove permissions for a user or security group from a mailbox.
- Reset permissions for a mailbox.
Instance Configuration Parameters
- Service Starts
- PowerShell Started
If PowerShell fails to start, the plugin remains active; a PowerShell connection is attempted again on any subsequent use of the Microsoft 365 Exchange nodes.
Microsoft 365 Exchange Node Behavior
The node uses a remote PowerShell connection to the Exchange Admin Center to perform its operations. The following steps describe the behavior of the plugin instance when a message is received at a node.
- Node receives a message
- If PowerShell is not running:
- Start PowerShell
- Wait for PowerShell to start
- On failure, log failure and break out
The failure will be logged to the Incident Timeline.
- Perform the requested operation
- Return results of operation
Certificate Based Authentication (CBA) Permissions
The application associated with the Certificate Based Authentication must have the ability to manage mail flow rules in the Exchange Admin Center. Read through the following section for details on configuring an application with Azure AD to grant it access to manage mail flow rules. The same permissions give the application the ability to manage a mailbox’s inbox rules.
Azure AD Application Configuration for Certificate Based Authentication
The following steps can be used to configure an application within Azure AD with the appropriate permissions and role to manage the Exchange Admin Center.
- Navigate to the Azure Active Directory admin center and log in using your existing admin account.
- Select Azure Active Directory in the left-hand navigation, then select App registrations under Manage.
- Select New registration. On the Register an application page, set the values as follows.
- Set Name to something meaningful, such as Nevelex Labs Security Flow EAC.
- By default, Supported account types is set to Accounts in this organizational directory only. Set Supported account types to Accounts in any organizational directory, if multi-tenant support is desired.
- Redirect URI (optional) may be left blank.
- Click the Register button.
- Select API permissions. Follow this sequence of steps to assign the Exchange.ManageAsApp permission to the newly registered application.
- Click the Add a permission button.
- In the newly opened Request API permissions pane, select the APIs my organization uses tab.
- Search for Office 365 Exchange Online and click it when found.
- Click the Application permissions button.
- Search for Exchange.ManageAsApp and select the associated checkbox when found.
- Click the Add permissions button. This will close the Request API permissions pane and add the permission to the application.
- Click the Grant admin consent for <tenant> button to enable the Exchange.ManageAsApp permission. Click the Yes button to confirm granting admin consent for the permission.
Create a self-signed certificate, or obtain a certificate through your organization's standard IT procedures, to associate a public certificate with the application. PowerShell or OpenSSL may be used to create a self-signed X.509 certificate in PFX format. The following example illustrates creating a self-signed certificate on Windows using PowerShell.
```powershell
# Create a certificate which is valid for one year.
$SelfSignedCert = New-SelfSignedCertificate -DnsName "yourdomain.com" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange

# Export the certificate (with private key) to the MS365_SelfSigned.pfx file, protected by a password.
$SelfSignedCert | Export-PfxCertificate -FilePath MS365_SelfSigned.pfx -Password $(ConvertTo-SecureString -String "the password" -Force -AsPlainText)

# Export the public certificate to the MS365_SelfSigned.cer file for importing into the application in Azure AD.
$SelfSignedCert | Export-Certificate -FilePath MS365_SelfSigned.cer
```
Import the public certificate file (MS365_SelfSigned.cer in the example above) by performing the following steps.
- Click the Certificates & Secrets button within the application’s Azure AD page.
- Click the Upload certificate button and Add the
Assign the application to a security group with a role, such as Exchange administrator to allow access to the Exchange Admin Center. The following steps describe creating a new security group and assigning the application to it.
- From the main Azure Active Directory blade, select Groups.
- Click the New Group button.
- Select a Group type of
- Enter a meaningful name, such as Security Flow Exchange Admin, for the Group name.
- Ensure the Azure AD roles can be assigned to the group (Preview) is set to
- Click the No members selected link and add the application. It may be found by name or application ID. Once selected, click the Select button.
- Click the No roles selected link and add, for example, the Exchange administrator role. Assign a role which meets the lowest necessary level of access. Once selected, click the Select button.
- Click the Create button to create the new security group. Click the Yes button to confirm creating a group to which Azure AD roles can be assigned.
For additional information, read through the Microsoft App-only authentication for unattended scripts in the EXO V2 module page.
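The following is an added example, not the plugin's own code, showing what the app-only connection configured above lets an operator do: it connects with the PFX certificate and the Exchange.ManageAsApp permission, retrieves a mailbox's inbox rules, and disables any that forward or redirect mail, which is the inbox-rule abuse this kind of review is meant to catch. It assumes the ExchangeOnlineManagement module is installed; $AppId, $TenantDomain and $Mailbox are placeholders you must supply.

```powershell
# Added example (not the plugin's code). Placeholders below must be replaced.
Import-Module ExchangeOnlineManagement

$AppId        = "00000000-0000-0000-0000-000000000000"  # placeholder: Application (client) ID
$TenantDomain = "yourdomain.onmicrosoft.com"             # placeholder: tenant's initial domain
$Mailbox      = "user@yourdomain.com"                    # placeholder: mailbox to review
$PfxPassword  = Read-Host -Prompt "PFX password" -AsSecureString

# Same certificate-based authentication the plugin uses (Exchange.ManageAsApp).
Connect-ExchangeOnline -AppId $AppId `
    -CertificateFilePath ".\MS365_SelfSigned.pfx" `
    -CertificatePassword $PfxPassword `
    -Organization $TenantDomain `
    -ShowBanner:$false

try {
    # Retrieve all inbox rules for the mailbox (the plugin's "Retrieve all inbox rules" operation).
    $Rules = Get-InboxRule -Mailbox $Mailbox

    # Rules that forward, forward as attachment, or redirect mail are the classic
    # persistence mechanism left behind after a mailbox compromise.
    $Forwarding = $Rules | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo
    }

    foreach ($Rule in $Forwarding) {
        $Targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo) |
            Where-Object { $_ }
        Write-Output ("Forwarding rule '{0}' (Enabled={1}) -> {2}" -f `
            $Rule.Name, $Rule.Enabled, ($Targets -join ", "))

        # Disable rather than delete, so the rule is preserved as evidence for the investigation.
        if ($Rule.Enabled) {
            Disable-InboxRule -Mailbox $Mailbox -Identity $Rule.Identity -Confirm:$false
        }
    }
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Run it under the same security group and role configured above; a role with less access than Exchange administrator will fail at Connect-ExchangeOnline or Get-InboxRule rather than silently returning nothing.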
Basic Authentication Permissions
The user must have the ability to manage mail flow rules in the Exchange Admin Center. There are a number of existing roles which support this, but Exchange administrator is a reasonable choice. Assign a role which meets the lowest necessary level of access.