1. Home
  2. Archive Shuttle
  3. Archive Shuttle KB
  4. Using OAuth with Archive Shuttle

Using OAuth with Archive Shuttle

Using OAuth with Archive Shuttle 

Archive Shuttle can be configured to use OAuth to authenticate with Microsoft Office 365, using a Certificate and/or Secret. Below is a video on how to set it up, please see underneath the video for a text step-by-step guide.

Note: OAuth is currently supported over the EWS endpoints. Support for PowerShell is anticipated in the future.

Note: Be aware that the video contains configuring OAuth with only a secret. Please read the step-by-step guide below on how to configure OAuth using a certificate.

 

 

Configuring OAuth with a Secret 

Step 1: Get an Application ID. 

To get an application ID: 

  1. Go to https://portal.azure.com and log in to your O365 tenant with an administrator account. 
  2. From the left menu, select Azure Active Directory > App registrations. 
  3. Click New application registration. 
  4. Enter a descriptive name. 
  5. Select the Accounts in any organizational directory option. 
  6. Select Web for the application type under the Redirect URI section. 
  7. Enter the URL value: http://localhost 
  8. Click Register. 
  9. Copy the Application (client) ID and save it somewhere you will remember and securely. You will need it later. 

 

Step 2: Configure Permissions and Secret 

Configure Application Permissions: 

  1. Return to the Azure portal and access Azure Active Directory > App registrations > owned applications. Then find the application you created in Step 1 above. 
  2. Select your application, and then select API Permissions. 
  3. Click Add a Permission. 
  4. In the Add API access section > Select an API, choose Exchange. 
  5. Click Application Permissions 
  6. In the Permissions list section, select the option ( full_access_as_app ) to Use Exchange Web Services with full access to all mailboxes 
  7. Click Add permissions. 
  8. Click Grant Admin consent. 

 

Configure Application Secret: 

  1. Go to Certificates & Secrets and click the New Client Secret button.
  2. Enter a descriptive name. 
  3. Choose an Expiry duration for the Secret. (It is recommended to set the secret not to expire) 
  4. Click Add.
  5. Copy the Secret created and save it somewhere. You will need it later. 

 

Step 3: Add your Application ID and Secret on the server running the Archive Shuttle O365 Import module. 

To do this: 

  1. In Archive Shuttle, open the Credential Editor while logged in as the account the module is running under. 
  2. Select the Office 365 OAuth tab and click Add. 
  3. Enter the Name (free format text), Application ID, Tenant (eg. tenant.onmicrosoft.com) and Secret. 
  4. Save and close the Credential Editor. 
  5. Open the Archive Shuttle Administrator Console. 
  6. Click Configuration > System Configuration. 
  7. Go to the O365 module settings and enable the option to Use modern authentication (OAuth). 
  8. Restart the O365 module to force settings to take immediate effect. 

 

Configuring OAuth with a certificate 

Step 1: Get an Application ID. 

To get an application ID: 

  1. Go to https://portal.azure.com and log in to your O365 tenant with an administrator account. 2.
  2. From the left menu, select Azure Active Directory > App registrations.
  3. Click New application registration.
  4. Enter a descriptive name.
  5. Select the Accounts in any organizational directory option.
  6. Select Web for the application type under the Redirect URI section.
  7. Enter the URL value: http://localhost
  8. Click Register.
  9. Copy the Application (client) ID and save it somewhere. You will need it later. 

 

Step 2: Add a certificate to the server running the O365 module. 

For this step you will need a SHA-1 certificate that will be used to establish a secure connection from this workstation to O365. This can be done with a certificate from a trusted certificate authority or a self-signed certificate. Below we assume you do not have a trusted certificate to use and need to create a certificate to use. There are many ways to create a certificate on a Windows server and below we are using PowerShell modules.
To create a self-signed certificate in Windows Server 2016: 

  1. Access the server where the O365 module is installed. 
  2. Launch PowerShell and type the following commands: 

 # Create certificate 

$cert=New-SelfSignedCertificate -Subject “CN=ArchiveShuttleOAuth” –CertStoreLocation “cert:\CurrentUser\My”-KeyExportPolicy Exportable -Provider ‘Microsoft RSA SChannel Cryptographic Provider’-NotAfter (Get-Date).AddYears(5) 

$password=ConvertTo-SecureString -String “UseSecurePasswordHere”-Force –AsPlainText 

$localPath=’D:/Temp’ 

# Used for authentication -> load it from disk 

Export-PfxCertificate -Cert $cert –FilePath ($localPath.Path+”\ArchiveShuttleSelf.pfx”) -Password $password 

# Export certificate to a .cer file: 

Export-Certificate -Type CERT -Cert $cert –FilePath ($localPath.Path+”\ArchiveShuttleServer.cer”) 

* Where “UseSecurePasswordHere” is the desired password of the certificate. 

To add an untrusted certificate to your bridgehead server’s local certificate store: 

  1. Access the server where the O365 module is installed.
  2. Open the certificates manager by start/run certlm.msc 
  3. Expand Trusted Root Certificate Authorities > Certificates. 
  4. Right-click Certificates and select All Tasks > Import… to launch the Certificate Import Wizard. 
  5. Locate the (.cer) certificate file and follow the wizard prompts. 
  6. Supply password, if required. 
  7. Right-click Certificates and select All Tasks > Import… to launch the Certificate Import Wizard. 
  8. Locate the (.pfx) certificate file and follow the wizard prompts. 
  9. Supply the password, if required. 

 

Step 3: Get a Thumbprint. 

To get a thumbprint: 

  1. Return to the Azure portal and access Azure Active Directory > App registrations > owned applications, and find the application you created in Step 1 above. 
  2. Select your application, and then select API Permissions. 
  3. Click Add a Permission. 
  4. In the Add API access section > Select an API, choose Exchange. 
  5. In the Select permissions > Enable Access section, select the option to Use Exchange Web Services with full access to all mailboxes(full_access_as_app) 
  6. Click Add permissions. 
  7. Click Grant Admin consent. 
  8. Go to Certificates & Secrets and click the Upload Certificate button. 
  9. Upload your certificate file from Step 2. 
  10. Copy the certificate Thumbprint and save it somewhere. You will need it later. 

 

Step 4: Add your Application ID and Thumbprint on the server running the Archive Shuttle module. 

To do this: 

  1. In Archive Shuttle, open the Credential Editor while logged in as the account the module is running under. 
  2. Select the Office 365 OAuth tab and click Add. 
  3. Enter the Name (free format text), Application ID, Thumbprint, and Tenant (eg. tenant.onmicrosoft.com) 
  4. Save and close the Credential Editor. 
  5. Open the Archive Shuttle Administrator Console. 
  6. Click Configuration > System Configuration. 
  7. Go to the O365 module settings and enable the option to Use modern authentication (OAuth). 
  8. Restart the O365 module to force settings to take immediate effect. 

 

Print Friendly, PDF & Email
Updated on May 15, 2020

Was this article helpful?

Related Articles

Leave a Comment