Using Modern Authentication (oAuth) with Archive Shuttle 
Archive Shuttle can be configured to use oAuth to authenticate with Microsoft Office 365, using a Certificate and/or Secret. Below is a video on how to set it up, please see underneath the video for a text step-by-step guide.
Note: oAuth is currently supported over both Exchange and PowerShell endpoints in AS 10 or above.
Note: Be aware that the video contains configuring oAuth with only a secret. Please read the step-by-step guide below on how to configure oAuth using a certificate.

Note: If you would like to use oAuth, please install Azure Active Directory Powershell Module V2, as oAuth only supports Azure AD PowerShell. For more on this, click here.

Be aware you must select ONE method of authentication with your Archive Shuttle project; either basic authentication or oAuth authentication. Mixed authentication is not available. However, you still require an account with Global Administration rights with Archive Shuttle 10.0.

Configuring Modern Authentication (oAuth) with a Secret 
Step 1: Create a new Registered Application in Azure 
To get an application ID: 

  1. Go to https://portal.azure.com and log in to your Office 365 tenant with an administrator account. 
  2. From the left menu, select Azure Active Directory > App registrations. 
  3. Click New registration. 
  4. Enter a name. 
  5. From the Supported account types, select Supported Account Type – Single tenant.
  6. Select Web for the application type under the Redirect URI section. 
  7. Enter the URL value: http://localhost 
  8. Click Register. 
  9. Copy the Application (client) ID and save it somewhere you will remember and securely. You will need it later. 

Step 2: Configure Permissions and Secret 
Configure Application Permissions: Return to the Azure portal and access Azure Active Directory > App registrations > owned applications. Then find the application you created in Step 1 above. 

  1. Select your application, and then select API Permissions. 
  2. Click Add a Permission. 
  3. In the Add API access section > Select an API, choose Microsoft Graph. 
  4. Click Application Permissions
  5. In the Permissions list section, select the Permissions listed in this article to select the required API Permissions.  
  6. Click the Application Permissions 
  7. In the Permissions list section, select the Permissions listed in this article to select the required API Permissions.  
  8. Click Add permissions.
  9. Click Grant Admin consent. 

Configure Application Secret: 

  1. Go to Certificates & Secrets and click the New Client Secret button.
  2. Enter a descriptive name. 
  3. Choose an Expiry duration for the Secret. (It is recommended to set the secret not to expire) 
  4. Click Add.
  5. Copy the Secret created and save it somewhere. You will need it later. 

Step 3: Add your Application ID and Secret on the server running the Archive Shuttle O365 Import module. 
To do this: 

  1. In Archive Shuttle, open the Credential Editor while logged in as the account the module is running under. 
  2. Select the Office 365 oAuth tab and click Add. 
  3. Enter the Name (free format text), Application ID, Tenant (eg. tenant.onmicrosoft.com) and Secret. 
  4. Save and close the Credential Editor. 
  5. Open the Archive Shuttle Administrator Console. 
  6. Click Configuration > System Configuration. 
  7. Go to the O365 module settings and enable the option to Use modern authentication (oAuth). 
  8. Restart the O365 module to force settings to take immediate effect. 

Configuring oAuth with a certificate 
Step 1: Create a new Registered Application in Azure 
To get an application ID: 

  1. Go to https://portal.azure.com and log in to your Office 365 tenant with an administrator account. 
  2. From the left menu, select Azure Active Directory > App registrations. 
  3. Click New registration. 
  4. Enter a name. 
  5. From the Supported account types, select Supported Account Type – Single tenant.
  6. Select Web for the application type under the Redirect URI section. 
  7. Enter the URL value: http://localhost 
  8. Click Register. 
  9. Copy the Application (client) ID and save it somewhere you will remember and securely. You will need it later. 

Step 2: Add a certificate to the server running the O365 module. 
For this step you will need a SHA-1 certificate that will be used to establish a secure connection from this workstation to O365. This can be done with a certificate from a trusted certificate authority or a self-signed certificate. Below we assume you do not have a trusted certificate to use and need to create a certificate to use. There are many ways to create a certificate on a Windows server and below we are using PowerShell modules.
To create a self-signed certificate in Windows Server 2016: 

  1. Access the server where the O365 module is installed. 
  2. Launch PowerShell and type the following commands: 

 # Create certificate 

$cert=New-SelfSignedCertificate -Subject “CN=ArchiveShuttleoAuth” –CertStoreLocation “cert:\CurrentUser\My”-KeyExportPolicy Exportable -Provider ‘Microsoft RSA SChannel Cryptographic Provider’-NotAfter (Get-Date).AddYears(5) 

$password=ConvertTo-SecureString -String “UseSecurePasswordHere”-Force –AsPlainText 

$localPath=’D:/Temp’ 

# Used for authentication -> load it from disk 

Export-PfxCertificate -Cert $cert –FilePath ($localPath.Path+”\ArchiveShuttleSelf.pfx”) -Password $password 

# Export certificate to a .cer file: 

Export-Certificate -Type CERT -Cert $cert –FilePath ($localPath.Path+”\ArchiveShuttleServer.cer”) 

* Where “UseSecurePasswordHere” is the desired password of the certificate. 
To add an untrusted certificate to your bridgehead server’s local certificate store: 

  1. Access the server where the O365 module is installed.
  2. Open the certificates manager by start/run certlm.msc 
  3. Expand Trusted Root Certificate Authorities > Certificates. 
  4. Right-click Certificates and select All Tasks > Import… to launch the Certificate Import Wizard. 
  5. Locate the (.cer) certificate file and follow the wizard prompts. 
  6. Supply password, if required. 
  7. Right-click Certificates and select All Tasks > Import… to launch the Certificate Import Wizard. 
  8. Locate the (.pfx) certificate file and follow the wizard prompts. 
  9. Supply the password, if required. 

Step 3: Get a Thumbprint. 
To get a thumbprint: 

  1. Return to the Azure portal and access Azure Active Directory > App registrations > owned applications, and find the application you created in Step 1 above. 
  2. Select your application, and then select API Permissions. 
  3. Click Add a Permission. 
  4. In the Add API access section > Select an API, choose Exchange. 
  5. In the Select permissions > Enable Access section, select the option to Use Exchange Web Services with full access to all mailboxes(full_access_as_app) 
  6. Click Add permissions. 
  7. Click Grant Admin consent. 
  8. Go to Certificates & Secrets and click the Upload Certificate button. 
  9. Upload your certificate file from Step 2. 
  10. Copy the certificate Thumbprint and save it somewhere. You will need it later. 

Step 4: Add your Application ID and Thumbprint on the server running the Archive Shuttle module. 
To do this: 

  1. In Archive Shuttle, open the Credential Editor while logged in as the account the module is running under. 
  2. Select the Office 365 oAuth tab and click Add. 
  3. Enter the Name (free format text), Application ID, Thumbprint, and Tenant (eg. tenant.onmicrosoft.com) 
  4. Save and close the Credential Editor. 
  5. Open the Archive Shuttle Administrator Console. 
  6. Click Configuration > System Configuration. 
  7. Go to the O365 module settings and enable the option to Use modern authentication (oAuth). 
  8. Restart the O365 module to force settings to take immediate effect. 
Print Friendly, PDF & Email

2 Replies to “Using Modern Authentication (oAuth) with Archive Shuttle”

  1. Can this please be updated to use “modern authentication” more predominately displayed? I think it means the same as oAuth and reads more friendly IMHO. THanks for the consideration.