From e65daeb19a99d0f886bd61d66c1e24ea6d75b44a Mon Sep 17 00:00:00 2001 From: bglay Date: Wed, 18 Mar 2026 17:43:36 +0000 Subject: [PATCH 1/3] Removed excessive permissions and settings --- .../exchangeonline/modernauth/manualconfig.md | 91 +------------------ .../exchangeonline/modernauth/modernauth.md | 2 +- .../exchangeonline/permissions.md | 69 +------------- 3 files changed, 3 insertions(+), 159 deletions(-) diff --git a/docs/auditor/10.8/configuration/microsoft365/exchangeonline/modernauth/manualconfig.md b/docs/auditor/10.8/configuration/microsoft365/exchangeonline/modernauth/manualconfig.md index f9e62d7933..78c17390e1 100644 --- a/docs/auditor/10.8/configuration/microsoft365/exchangeonline/modernauth/manualconfig.md +++ b/docs/auditor/10.8/configuration/microsoft365/exchangeonline/modernauth/manualconfig.md 
@@ -14,41 +14,22 @@ Review the following: - Requirements for Exchange Online Modern Authentication - Install the ExchangeOnlineManagement PowerShell Module -- Configure Exchange Online Modern Authentication Manually ## Requirements for Exchange Online Modern Authentication -General Requirements +**General Requirements** - Windows Management Framework for your OS: [Windows Management Framework 5.1](https://www.microsoft.com/en-us/download/details.aspx?id=54616) - .NET Framework 4.7.1 and above: [Download .NET Framework 4.7.1](https://dotnet.microsoft.com/download/dotnet-framework/net471) -**NOTE:** If you have the FIPS option enabled you should proceed to Manual Exchange Online -pre-configuration. See the Configure Exchange Online Modern Authentication Manually section for -additional information. - -Follow the steps to enable Exchange Online Auto Audit for mailboxes with Modern Authentication -(automatic mode). - -**Step 1 –** Install the ExchangeOnlineManagement Powershell module and dependencies (Nget package -provider). Refer to the following Microsoft article for more information: -[About the Exchange Online PowerShell V2 module](https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps). - -**Step 2 –** Generate the self-signed certificate. - -**Step 3 –** Install the certificate to the _CurrentUser/My certificate_ folder for the Local System -account. - -**Step 4 –** Install the certificate to the Microsoft Entra ID cloud application ## Install the ExchangeOnlineManagement PowerShell Module This section will be helpful for any case below: - You encountered errors related to the ExchangeOnlineManagement PowerShell module -- You have the FIPS policy enabled - You want to install the module manually Follow the steps to install the module. 
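Review bot: deleting the FIPS note together with the "Configure Exchange Online Modern Authentication Manually" entry leaves this page with no guidance for hosts that have the FIPS policy enabled, which the deleted note said cannot use the automatic path. If 10.8 handles FIPS hosts in automatic mode, the remaining text should say so; otherwise keep a pointer to wherever the manual procedure now lives. Please also grep docs/auditor/10.8 for links to the removed `Configure Exchange Online Modern Authentication Manually` anchor, since this hunk removes it from the "Review the following" list as well. The change from `General Requirements` to `**General Requirements**` is fine; the other bullet lists on the page use the same bold pseudo-heading style.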
@@ -73,7 +54,6 @@ Install-Module ExchangeOnlineManagement Review the following Microsoft technical article for more information: [About the Exchange Online PowerShell V2 module](https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps) -See next: Configure Exchange Online Modern Authentication Manually **NOTE:** If you encountered errors executing the `Install-PackageProvider` cmdlet try to force PowerShell into TLS 1.2 mode and try again: 
@@ -89,72 +69,3 @@ PowerShell into TLS 1.2 mode and try again: Register-PSRepository -Default ``` -## Configure Exchange Online Modern Authentication Manually - -If you encountered errors from Netwrix Auditor during the automatic configuration of the -certificate, complete the following steps. - -**Step 1 –** In Netwrix Auditor, find your Exchange Online monitoring plan. - -**Step 2 –** Click Update to force data collection. - -If the error still persists, or you want to pre-configure the work with certificate, follow the -instructions below: - -Follow the steps to install a certificate. - -**Step 1 –** Get your certificate or generate a self-signed certificate. The name must be -_`Netwrix_Auditor_MFA_`* - -**Step 2 –** Save the certificate to the _CurrentUser/My certificate_ folder for the Local System -account. - -**Step 3 –** Upload the certificate to the application selected in your monitoring plan or configure -it automatically with Netwrix Auditor. - -Follow the steps to generate a self-signed certificate. - -**Step 1 –** Open Windows PowerShell as an Administrator and run the following commands: - -``` -# Create certificate -$mycert = New-SelfSignedCertificate -DnsName "example.com" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange -# Export certificate to .pfx file -$mycert | Export-PfxCertificate -FilePath mycert.pfx -Password $(ConvertTo-SecureString -String "your_password" -Force -AsPlainText) -# Export certificate to .cer file -$mycert | Export-Certificate -FilePath mycert.cer -``` - -**Step 2 –** Replace the `DnsName `parameter value with your certificate name -(`Netwrix_Auditor_MFA_`). - -Follow the steps to install the certificate to the CurrentUser/My certificate folder. 
- -**Step 1 –** Download [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) to -run Windows PowerShell session under the LocalSystem account; - -**Step 2 –** Run Windows PowerShell as an Administrator, navigate to PsExec.exe installation -directory (use the 'CD' command), if necessary, and run the following command: - -``` -.\PsExec.exe -i -s powershell.exe -``` - -**Step 3 –** Verify that you are logged in as a Local System account. Run the following command: - -``` -whoami -``` - -**Step 4 –** Import the certificate. Run the following command: - -``` -Import-PfxCertificate -FilePath -CertStoreLocation  -'Cert:\CurrentUser\My' -Password (ConvertTo-SecureString -String "your_password" -AsPlainText -Force) -``` - -Where `path_to_certificate` is the full path to the certificate file. - -You can also install the certificate with the '.cer' extension to the Microsoft Entra ID Portal or -Netwrix Auditor will set it automatically during establishing a PowerShell connection with Exchange -Online. diff --git a/docs/auditor/10.8/configuration/microsoft365/exchangeonline/modernauth/modernauth.md b/docs/auditor/10.8/configuration/microsoft365/exchangeonline/modernauth/modernauth.md index acb667896f..770a9e9eea 100644 --- a/docs/auditor/10.8/configuration/microsoft365/exchangeonline/modernauth/modernauth.md +++ b/docs/auditor/10.8/configuration/microsoft365/exchangeonline/modernauth/modernauth.md 
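Review bot: this hunk removes the only documented fallback for when Netwrix Auditor fails to create the certificate automatically (the "If you encountered errors from Netwrix Auditor during the automatic configuration" text, the `Netwrix_Auditor_MFA_` naming requirement, and the CurrentUser/My store location for the Local System account). If that fallback is intentionally unsupported in 10.8, a sentence in the remaining text should say what the user should do instead when automatic configuration fails. If any of it is restored later, the PsExec and plaintext-password snippets should not come back as written: the `Import-PfxCertificate` line was missing its `-FilePath` value, and the password should be taken from `Read-Host -AsSecureString` rather than embedded in the command line.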
@@ -80,7 +80,7 @@ Permission assignment will depend on the data you plan to collect: | To... | Requirement | Comment | | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | -| Collect audit data | Microsoft Entra ID app requires the following **Application** permissions: 1. **Microsoft Graph** - Directory.Read.All - Application.ReadWrite.All - **Mail.ReadBasic.All** - **MailboxSettings.Read** 2. **Office 365 Management APIs** - **ActivityFeed.Read** 3. **Office 365 Exchange Online** - **Exchange.ManageAsApp** | To learn how to assign required permissions, see the Access Exchange Online Using Modern Authentication section for additional information. | +| Collect audit data | Microsoft Entra ID app requires the following **Application** permissions:
1. **Microsoft Graph**
- Directory.Read.All
- **Mail.ReadBasic.All**
- **MailboxSettings.Read**
2. **Office 365 Management APIs**
- **ActivityFeed.Read**
3. **Office 365 Exchange Online**
- **Exchange.ManageAsApp** | To learn how to assign required permissions, see the Access Exchange Online Using Modern Authentication section for additional information. | | Roles | _Exchange Administrator_ (_Exchange Service Administrator_) assigned to application service principal OR _Global Administrator_ assigned to application service principal | | **NOTE:** You can also assign application permissions by editing Microsoft Entra app manifest. See diff --git a/docs/auditor/10.8/configuration/microsoft365/exchangeonline/permissions.md b/docs/auditor/10.8/configuration/microsoft365/exchangeonline/permissions.md index 75c064b49f..825734094f 100644 --- a/docs/auditor/10.8/configuration/microsoft365/exchangeonline/permissions.md +++ b/docs/auditor/10.8/configuration/microsoft365/exchangeonline/permissions.md 
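Review bot: the rewritten `Collect audit data` row now contains literal line breaks inside the Requirement cell, and a GFM table row cannot span physical lines, so everything from `1. **Microsoft Graph**` onward will render as plain text outside the table. Keep the cell on one line, using `<br>` where visual breaks are wanted. Dropping `Application.ReadWrite.All` is the right least-privilege change, since nothing in the listed collection needs to modify app registrations, but `Directory.Read.All` is now the only entry left unbolded, and permissions.md should be checked so its step-by-step instructions no longer tell the reader to add the removed permission.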
@@ -75,79 +75,12 @@ and then select **Exchange.ManageAsApp**. **Step 6 –** Grant admin consent to the tenant (that is, for the Office 365 organization whose audit data will be collected by the newly registered app). Go to the **new app settings > API -permissions** and click **Grant admin consent for\_**``\_. When prompted to confirm +permissions** and click **Grant admin consent for** *``*. When prompted to confirm granting, click **Yes**. **Step 7 –** Go to **Azure Active Directory** — **Roles and administrators** and assign **Exchange Administrator** role. -**Step 8 –** Download the PowerShell script for certificate creation, as provided in the -[Generate a self-signed certificate ](https://docs.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#generate-a-self-signed-certificate)Microsoft -article. - -**Step 9 –** To create a self-signed certificate to be used by the app, run the following command: - -``` -.\Create-SelfSignedCertificate.ps1 -CommonName "MyCompanyName" -StartDate 2020-04-01 -EndDate 2022-04-01 -``` - -where: - -`CommonName` — specify _"Netwrix Auditor"_ - -`StartDate` — set to current date - -`EndDate` — set to 2 years from now - -**Step 10 –** When prompted to specify a password, click **Enter**. - -**Step 11 –** Go to **Manage > Certificates & secrets**, click **Upload certificate** and upload -the*.crt* file you have just created. - -![certificates_secrets_thumb_0_0](/images/auditor/10.7/configuration/microsoft365/exchangeonline/certificates_secrets_thumb_0_0.webp) - -**Step 12 –** To create Exchange Online connection session, you can provide certificate file path or -thumbprint. If you want to use a file path, run the following command: - -``` -Connect-ExchangeOnline -CertificateFilePath "full_path_to_certificate" --AppID "yourAppId" -Organization "Office365_tenant_name" -``` - -Application (client ID) can be found in the **Overview** page. 
- -![tenant_id_thumb_0_0](/images/auditor/10.7/configuration/microsoft365/exchangeonline/tenant_id_thumb_0_0.webp) - -For example: - -``` -Connect-ExchangeOnline -CertificateFilePath "C:\Path\MyCompanyName1.pfx" --AppId "402b12a2-fb2b-4222-8f54-5596def1" -Organization "myorganization123.onmicrosoft.com" -``` - -You can use certificate thumbprint instead of file path. For that, import the certificate to the -local certificate store, using the following command: - -``` -Import-PfxCertificate -FilePath "path_to_pfx_certificate" -CertStoreLocation Cert:\CurrentUser\My -``` - -Then run the command like following: - -``` -Connect-ExchangeOnline -CertificateThumbprint 6AEА5A82911ААА3F76FEE149B7B52А70DDFD88 -AppId a14a 822d-f228-412b-9222-281de23 --Organization myorganization123.onmicrosoft.com -``` - -Finally, run the following command to end the session: - -``` -Disconnect-ExchangeOnline -Confirm:$false -``` - -To automate the process described above, you can create a script comprising the corresponding -commands and schedule its launch. - ## Non-owner Mailbox Access Audit: Manual Configuration If you plan to manually apply the audit settings required to audit non-owner mailbox access in From 8d77346780056d3d0a572a834ec43a7a1082b15b Mon Sep 17 00:00:00 2001 From: bglay Date: Wed, 18 Mar 2026 17:50:17 +0000 Subject: [PATCH 2/3] Bold Directory.ReadAll --- .../microsoft365/exchangeonline/modernauth/modernauth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/auditor/10.8/configuration/microsoft365/exchangeonline/modernauth/modernauth.md b/docs/auditor/10.8/configuration/microsoft365/exchangeonline/modernauth/modernauth.md index 770a9e9eea..5bd833fa39 100644 --- a/docs/auditor/10.8/configuration/microsoft365/exchangeonline/modernauth/modernauth.md +++ b/docs/auditor/10.8/configuration/microsoft365/exchangeonline/modernauth/modernauth.md 
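Review bot: with Steps 8 to 12 removed, Step 7 becomes the last step, yet the registered app still has no credential; app-only authentication via `Connect-ExchangeOnline` requires a certificate uploaded under Certificates & secrets. Either state that Netwrix Auditor creates and uploads the certificate itself, or keep a one-line pointer to where that is now described. Separately, the Step 6 fix from `**Grant admin consent for\_**``\_` to `**Grant admin consent for** *``*` still leaves an empty inline code span where the tenant-name placeholder belongs; since this hunk touches that line anyway, restore the placeholder text in the same change. Removing the sample `-AppId`/`-CertificateThumbprint` values is fine; the thumbprint in the deleted example contained non-ASCII characters and would never have pasted correctly.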
@@ -80,7 +80,7 @@ Permission assignment will depend on the data you plan to collect: | To... | Requirement | Comment | | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | -| Collect audit data | Microsoft Entra ID app requires the following **Application** permissions:
1. **Microsoft Graph**
- Directory.Read.All
- **Mail.ReadBasic.All**
- **MailboxSettings.Read**
2. **Office 365 Management APIs**
- **ActivityFeed.Read**
3. **Office 365 Exchange Online**
- **Exchange.ManageAsApp** | To learn how to assign required permissions, see the Access Exchange Online Using Modern Authentication section for additional information. | +| Collect audit data | Microsoft Entra ID app requires the following **Application** permissions:
1. **Microsoft Graph**
- **Directory.Read.All**
- **Mail.ReadBasic.All**
- **MailboxSettings.Read**
2. **Office 365 Management APIs**
- **ActivityFeed.Read**
3. **Office 365 Exchange Online**
- **Exchange.ManageAsApp** | To learn how to assign required permissions, see the Access Exchange Online Using Modern Authentication section for additional information. | | Roles | _Exchange Administrator_ (_Exchange Service Administrator_) assigned to application service principal OR _Global Administrator_ assigned to application service principal | | **NOTE:** You can also assign application permissions by editing Microsoft Entra app manifest. See From 6f78108156eb98e4f0545e16e5c2d99602de7765 Mon Sep 17 00:00:00 2001 From: bglay Date: Wed, 18 Mar 2026 17:52:38 +0000 Subject: [PATCH 3/3] Intent --- .../microsoft365/exchangeonline/modernauth/modernauth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/auditor/10.8/configuration/microsoft365/exchangeonline/modernauth/modernauth.md b/docs/auditor/10.8/configuration/microsoft365/exchangeonline/modernauth/modernauth.md index 5bd833fa39..58d0f616f9 100644 --- a/docs/auditor/10.8/configuration/microsoft365/exchangeonline/modernauth/modernauth.md +++ b/docs/auditor/10.8/configuration/microsoft365/exchangeonline/modernauth/modernauth.md @@ -80,7 +80,7 @@ Permission assignment will depend on the data you plan to collect: | To... | Requirement | Comment | | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | -| Collect audit data | Microsoft Entra ID app requires the following **Application** permissions:
1. **Microsoft Graph**
- **Directory.Read.All**
- **Mail.ReadBasic.All**
- **MailboxSettings.Read**
2. **Office 365 Management APIs**
- **ActivityFeed.Read**
3. **Office 365 Exchange Online**
- **Exchange.ManageAsApp** | To learn how to assign required permissions, see the Access Exchange Online Using Modern Authentication section for additional information. | +| Collect audit data | Microsoft Entra ID app requires the following **Application** permissions:
1. **Microsoft Graph**
  - **Directory.Read.All**
  - **Mail.ReadBasic.All**
  - **MailboxSettings.Read**
2. **Office 365 Management APIs**
  - **ActivityFeed.Read**
3. **Office 365 Exchange Online**
  - **Exchange.ManageAsApp** | To learn how to assign required permissions, see the Access Exchange Online Using Modern Authentication section for additional information. | | Roles | _Exchange Administrator_ (_Exchange Service Administrator_) assigned to application service principal OR _Global Administrator_ assigned to application service principal | | **NOTE:** You can also assign application permissions by editing Microsoft Entra app manifest. See
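Review bot: indenting the sub-bullets does not address the underlying problem from PATCH 1/3: the Requirement cell still spans several physical lines, and GFM terminates a table row at the first newline, so the indentation only changes how the stray text renders outside the table. Collapse the cell back onto one line with `<br>` separators between the list items (the same applies to the PATCH 2/3 hunk, which bolds `Directory.Read.All` but keeps the split row). The commit subject "Intent" also reads as a typo for "Indent".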