netwrix · bglay · Mar 18, 2026 · Mar 18, 2026 · Mar 18, 2026 · Mar 18, 2026
@@ -14,41 +14,22 @@ Review the following:
 
 - Requirements for Exchange Online Modern Authentication
 - Install the ExchangeOnlineManagement PowerShell Module
-- Configure Exchange Online Modern Authentication Manually
 
 ## Requirements for Exchange Online Modern Authentication
 
-General Requirements
+**General Requirements**
 
 - Windows Management Framework for your OS:
   [Windows Management Framework 5.1](https://www.microsoft.com/en-us/download/details.aspx?id=54616)
 - .NET Framework 4.7.1 and above:
   [Download .NET Framework 4.7.1](https://dotnet.microsoft.com/download/dotnet-framework/net471)
 
-**NOTE:** If you have the FIPS option enabled you should proceed to Manual Exchange Online
-pre-configuration. See the Configure Exchange Online Modern Authentication Manually section for
-additional information.
-
-Follow the steps to enable Exchange Online Auto Audit for mailboxes with Modern Authentication
-(automatic mode).
-
-**Step 1 –** Install the ExchangeOnlineManagement Powershell module and dependencies (Nget package
-provider). Refer to the following Microsoft article for more information:
-[About the Exchange Online PowerShell V2 module](https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps).
-
-**Step 2 –** Generate the self-signed certificate.
-
-**Step 3 –** Install the certificate to the _CurrentUser/My certificate_ folder for the Local System
-account.
-
-**Step 4 –** Install the certificate to the Microsoft Entra ID cloud application
 
 ## Install the ExchangeOnlineManagement PowerShell Module
 
 This section will be helpful for any case below:
 
 - You encountered errors related to the ExchangeOnlineManagement PowerShell module
-- You have the FIPS policy enabled
 - You want to install the module manually
 
 Follow the steps to install the module.
@@ -73,7 +54,6 @@ Install-Module ExchangeOnlineManagement
 Review the following Microsoft technical article for more information:
 [About the Exchange Online PowerShell V2 module](https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps)
 
-See next: Configure Exchange Online Modern Authentication Manually
 
 **NOTE:** If you encountered errors executing the `Install-PackageProvider` cmdlet try to force
 PowerShell into TLS 1.2 mode and try again:
@@ -89,72 +69,3 @@ PowerShell into TLS 1.2 mode and try again:
 Register-PSRepository -Default
 ```
 
-## Configure Exchange Online Modern Authentication Manually
-
-If you encountered errors from Netwrix Auditor during the automatic configuration of the
-certificate, complete the following steps.
-
-**Step 1 –** In Netwrix Auditor, find your Exchange Online monitoring plan.
-
-**Step 2 –** Click Update to force data collection.
-
-If the error still persists, or you want to pre-configure the work with certificate, follow the
-instructions below:
-
-Follow the steps to install a certificate.
-
-**Step 1 –** Get your certificate or generate a self-signed certificate. The name must be
-_`Netwrix_Auditor_MFA_<your*tenant_name>`*
-
-**Step 2 –** Save the certificate to the _CurrentUser/My certificate_ folder for the Local System
-account.
-
-**Step 3 –** Upload the certificate to the application selected in your monitoring plan or configure
-it automatically with Netwrix Auditor.
-
-Follow the steps to generate a self-signed certificate.
-
-**Step 1 –** Open Windows PowerShell as an Administrator and run the following commands:
-
-```
-# Create certificate
-$mycert = New-SelfSignedCertificate -DnsName "example.com" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange
-# Export certificate to .pfx file
-$mycert | Export-PfxCertificate -FilePath mycert.pfx -Password $(ConvertTo-SecureString -String "your_password" -Force -AsPlainText)
-# Export certificate to .cer file
-$mycert | Export-Certificate -FilePath mycert.cer
-```
-
-**Step 2 –** Replace the `DnsName `parameter value with your certificate name
-(`Netwrix_Auditor_MFA_<your_tenant_name>`).
-
-Follow the steps to install the certificate to the CurrentUser/My certificate folder.
-
-**Step 1 –** Download [PsExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) to
-run Windows PowerShell session under the LocalSystem account;
-
-**Step 2 –** Run Windows PowerShell as an Administrator, navigate to PsExec.exe installation
-directory (use the 'CD' command), if necessary, and run the following command:
-
-```
-.\PsExec.exe -i -s powershell.exe
-```
-
-**Step 3 –** Verify that you are logged in as a Local System account. Run the following command:
-
-```
-whoami
-```
-
-**Step 4 –** Import the certificate. Run the following command:
-
-```
-Import-PfxCertificate -FilePath <path to your certificate> -CertStoreLocation 
-'Cert:\CurrentUser\My' -Password (ConvertTo-SecureString -String "your_password" -AsPlainText -Force)
-```
-
-Where `path_to_certificate` is the full path to the certificate file.
-
-You can also install the certificate with the '.cer' extension to the Microsoft Entra ID Portal or
-Netwrix Auditor will set it automatically during establishing a PowerShell connection with Exchange
-Online.
@@ -80,7 +80,7 @@ Permission assignment will depend on the data you plan to collect:
 
 | To...              | Requirement                                                                                                                                                                                                                                                                                                                   | Comment                                                                                                                                     |
 | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
-| Collect audit data | Microsoft Entra ID app requires the following **Application** permissions: 1. **Microsoft Graph** - Directory.Read.All - Application.ReadWrite.All - **Mail.ReadBasic.All** - **MailboxSettings.Read** 2. **Office 365 Management APIs** - **ActivityFeed.Read** 3. **Office 365 Exchange Online** - **Exchange.ManageAsApp** | To learn how to assign required permissions, see the Access Exchange Online Using Modern Authentication section for additional information. |
+| Collect audit data | Microsoft Entra ID app requires the following **Application** permissions:<br/>1. **Microsoft Graph**<br/>&nbsp;&nbsp;- **Directory.Read.All**<br/>&nbsp;&nbsp;- **Mail.ReadBasic.All**<br/>&nbsp;&nbsp;- **MailboxSettings.Read**<br/>2. **Office 365 Management APIs**<br/>&nbsp;&nbsp;- **ActivityFeed.Read**<br/>3. **Office 365 Exchange Online**<br/>&nbsp;&nbsp;- **Exchange.ManageAsApp** | To learn how to assign required permissions, see the Access Exchange Online Using Modern Authentication section for additional information. |
 | Roles              | _Exchange Administrator_ (_Exchange Service Administrator_) assigned to application service principal OR _Global Administrator_ assigned to application service principal                                                                                                                                                     |                                                                                                                                             |
 
 **NOTE:** You can also assign application permissions by editing Microsoft Entra app manifest. See

@@ -75,79 +75,12 @@ and then select **Exchange.ManageAsApp**.
 
 **Step 6 –** Grant admin consent to the tenant (that is, for the Office 365 organization whose audit
 data will be collected by the newly registered app). Go to the **new app settings > API
-permissions** and click **Grant admin consent for\_**`<tenant name>`\_. When prompted to confirm
+permissions** and click **Grant admin consent for** *`<tenant name>`*. When prompted to confirm
 granting, click **Yes**.
 
 **Step 7 –** Go to **Azure Active Directory** — **Roles and administrators** and assign **Exchange
 Administrator** role.
 
-**Step 8 –** Download the PowerShell script for certificate creation, as provided in the
-[Generate a self-signed certificate ](https://docs.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#generate-a-self-signed-certificate)Microsoft
-article.
-
-**Step 9 –** To create a self-signed certificate to be used by the app, run the following command:
-
-```
-.\Create-SelfSignedCertificate.ps1 -CommonName "MyCompanyName" -StartDate 2020-04-01 -EndDate 2022-04-01
-```
-
-where:
-
-`CommonName` — specify _"Netwrix Auditor"_
-
-`StartDate` — set to current date
-
-`EndDate` — set to 2 years from now
-
-**Step 10 –** When prompted to specify a password, click **Enter**.
-
-**Step 11 –** Go to **Manage > Certificates & secrets**, click **Upload certificate** and upload
-the*.crt* file you have just created.
-
-![certificates_secrets_thumb_0_0](/images/auditor/10.7/configuration/microsoft365/exchangeonline/certificates_secrets_thumb_0_0.webp)
-
-**Step 12 –** To create Exchange Online connection session, you can provide certificate file path or
-thumbprint. If you want to use a file path, run the following command:
-
-```
-Connect-ExchangeOnline -CertificateFilePath "full_path_to_certificate"
--AppID "yourAppId" -Organization "Office365_tenant_name"
-```
-
-Application (client ID) can be found in the **Overview** page.
-
-![tenant_id_thumb_0_0](/images/auditor/10.7/configuration/microsoft365/exchangeonline/tenant_id_thumb_0_0.webp)
-
-For example:
-
-```
-Connect-ExchangeOnline -CertificateFilePath "C:\Path\MyCompanyName1.pfx"
--AppId "402b12a2-fb2b-4222-8f54-5596def1" -Organization "myorganization123.onmicrosoft.com"
-```
-
-You can use certificate thumbprint instead of file path. For that, import the certificate to the
-local certificate store, using the following command:
-
-```
-Import-PfxCertificate -FilePath "path_to_pfx_certificate" -CertStoreLocation Cert:\CurrentUser\My
-```
-
-Then run the command like following:
-
-```
-Connect-ExchangeOnline -CertificateThumbprint 6AEА5A82911ААА3F76FEE149B7B52А70DDFD88 -AppId a14a 822d-f228-412b-9222-281de23
--Organization myorganization123.onmicrosoft.com
-```
-
-Finally, run the following command to end the session:
-
-```
-Disconnect-ExchangeOnline -Confirm:$false
-```
-
-To automate the process described above, you can create a script comprising the corresponding
-commands and schedule its launch.
-
 ## Non-owner Mailbox Access Audit: Manual Configuration
 
 If you plan to manually apply the audit settings required to audit non-owner mailbox access in