Prerequisites for Detox

As part of the Detox offer, IDECSI provides you with an example of a communication campaign and sample e-mails to send.

The emails sent by the platform will be campaign emails and reminders to users who have not consulted their security profile.

Other e-mails should be sent using your usual tools.

You can download the communication campaign and sample emails here:

Communication kit – FR

1 file(s) 854 KB

Download Communication Kit – FR

Email templates – FR

1 file(s) 260 KB

Download Email Templates – FR

To enable data collection and the use of the MyDataSecurity/MyDataManagement platform by your users, we invite you to fulfill the five prerequisites below.

The solution uses an Exchange service account to collect configuration objects on Exchange and to perform remediation.

Please note that MFA cannot be activated on this service account. If you want to add security on it, you can set up a conditional access policy: How to set up a conditional access policy without MFA? – IDECSI Help Center

Once the service account has been created, you can use the script below to create roles and assign cmdlets automatically.

Please send the login/password and your tenant’s domain to (passwords can be sent using SMS or 1ty.me – One Time Self Destructing Links For Sharing Sensitive Information).

# Connexion Exchange Online
$UserCredential = Get-Credential
Connect-ExchangeOnline -Credential $UserCredential

# Définition des variables
$serviceAccountName = "svc_lem"
$roleGroupName = "I2A"
$roleName = "Mail Recipients - ViewOnly - I2A"
$roleName1 = "Remediation - I2A"
$roleName2 = "Remediation 2 - I2A"

# Création Role group "Mail Recipients - ViewOnly - I2A" - Droits de base
New-ManagementRole $roleName -Parent "Mail Recipients"
Get-ManagementRoleEntry ($roleName + "\*")
$data2 = Get-ManagementRoleEntry ($roleName + "\*")
foreach($data in $data2)
{
$name = ""
$name = $data.Name
if($name -NotLike "Get*")
{
Remove-ManagementRoleEntry $roleName\$name -confirm:$false
Write-Host ("done for $name")
}
}

# Création Role Group "Remédiation - I2A" - Droits remédiation 1
New-ManagementRole $roleName1 -Parent "Mail Recipients"
Get-ManagementRoleEntry ($roleName1 + "\*")
$entries = Get-ManagementRoleEntry ($roleName1 + "\*")
foreach($entry in $entries)
{
$name = ""
$name = $entry.Name
if ($name -NotLike "Remove-MailboxPermission" -And $name -NotLike "Remove-InboxRule" -And $name -NotLike "Remove-MailboxFolderPermission" -And $name -NotLike "Remove-RecipientPermission" -And $name -NotLike "Remove-ADPermission")
{
Remove-ManagementRoleEntry $roleName1\$name -Confirm:$false
Write-Host ("done for $name")
} 
}

# Création Role Group "Remediation 2 - I2A" - Droits remédiation 2
New-ManagementRole $roleName2 -Parent "Mail Recipient Creation"
Get-ManagementRoleEntry ($roleName2 + "\*")
$entries = Get-ManagementRoleEntry ($roleName2 + "\*")
foreach($entry in $entries)
{
$name = ""
$name = $entry.Name
if ($name -NotLike "Set-MailboxFolderPermission")
{
Remove-ManagementRoleEntry $roleName2\$name -Confirm:$false
Write-Host ("done for $name")
} 
}

Get-ManagementRoleEntry ($roleName + "\*")
Get-ManagementRoleEntry ($roleName1 + "\*")
Get-ManagementRoleEntry ($roleName2 + "\*")

New-RoleGroup -Name $roleGroupName -Roles "Audit Logs","View-Only Configuration","View-Only Recipients",$roleName,$roleName1,$roleName2 -Members $serviceAccountName

# Déconnexion Exchange Online
Disconnect-ExchangeOnline

The solution uses Microsoft APIs to collect access to Exchange, OneDrive, SharePoint, and Teams as well as permissions on OneDrive, SharePoint, and Teams.

Remediation is also carried out via the APIs.

Granting the permissions to the IDECSI-Platform app

Please send us your TenantID, your SharePoint root site url ([yourdomain].sharepoint.com) and let us know when you have granted the app IDECSI – Platform below by clicking the following links and logging in as administrator of the tenant:

https://login.microsoftonline.com/common/adminconsent?client_id=52e3a6c9-b6cc-4854-92db-06afc774da14

Application permissions details of the granted app

Here is the IDECSI – Platform application’s set of rights. The “Minimum permission (Read only)” column allows you to modify the application’s level of rights on your tenant, if you wish. The impact of the modification is shown below.

API	Permission	Minimum Permission (Read only)	Why?
Office 365 Management API	ActivityFeed.Read	Mandatory	Required to read Unified Audit Logs
Graph API	Channel.Delete.All	None Impact: It will no longer be possible to delete private or shared channels	Delete channel – Microsoft Graph v1.0 \| Microsoft Learn Recommended by Microsoft
Graph API	ChannelMember.ReadWrite.All	ChannelMember.Read.All	Get conversationMember – Microsoft Graph v1.0 \| Microsoft Learn Remove member from channel – Microsoft Graph v1.0 \| Microsoft Learn
Graph API	ChannelSettings.Read.All	Mandatory	List channels – Microsoft Graph v1.0 \| Microsoft Learn
Graph API	DelegatedPermissionGrant.ReadWrite.All	None Impact: It will no longer be possible to delete application consents	Delete oAuth2PermissionGrant (a delegated permission grant) – Microsoft Graph v1.0 \| Microsoft Learn
Graph API	Directory.Read.All	Mandatory	Required for AD information (users, groups, licenses, applications, administrators)
Graph API	Files.ReadWrite.All	Files.Read.All Impact: It will no longer be possible to remove file permissions.	Remove access to an item – Microsoft Graph v1.0 \| Microsoft Learn Delete permission – Microsoft Graph v1.0 \| Microsoft Learn
Graph API	Group.ReadWrite.All	Group.Read.All Impact: It will no longer be possible to change the confidentiality of a group, change the owners or members of a Microsoft 365 Group, or delete a Microsoft 365 Group.	Remove member – Microsoft Graph v1.0 \| Microsoft Learn Remove group owner – Microsoft Graph v1.0 \| Microsoft Learn Add owners – Microsoft Graph v1.0 \| Microsoft Learn Update group – Microsoft Graph v1.0 \| Microsoft Learn Delete group – Microsoft Graph API – Microsoft Graph v1.0 \| Microsoft Learn
Graph API	InformationProtectionPolicy.Read.All	Mandatory for tenants with sensitivity labels	List sensitivityLabels – Microsoft Graph beta \| Microsoft Learn
Graph API	MailboxSettings.Read	Mandatory	Get user mailbox settings – Microsoft Graph v1.0 \| Microsoft Learn
Graph API	Policy.Read.All	Mandatory	Required to read configurations
Graph API	Reports.Read.All	Mandatory	reportRoot: getOneDriveUsageStorage – Microsoft Graph v1.0 \| Microsoft Learn reportRoot: getOneDriveUsageFileCounts – Microsoft Graph v1.0 \| Microsoft Learn reportRoot: getSharePointSiteUsageStorage – Microsoft Graph v1.0 \| Microsoft Learn reportRoot: getSharePointSiteUsageFileCounts – Microsoft Graph v1.0 \| Microsoft Learn
SharePoint	Sites.FullControl.All	None Impact: It will no longer be possible to COLLECT any Classic SharePoint Site. Removing direct access to documents or permissions on sites or document libraries will no longer be possible.	Necessary to collect and remediate direct document access or permissions on sites or document libraries.
Graph API	Sites.Read.All	Mandatory	List sites – Microsoft Graph v1.0 \| Microsoft Learn
Graph API	TeamSettings.Read.All	Mandatory	Get team – Microsoft Graph v1.0 \| Microsoft Learn

More information on permissions: Overview of Microsoft Graph permissions – Microsoft Graph | Microsoft Learn

To enable users to connect to their MyDataSecurity or MyDataManagement, we can integrate your identity federation. Below is the procedure with Azure AD. For other solutions, please consult the knowledge base.

1. Go to your administrator Dashboard in Azure Active Directory
and click on Active Directory > Enterprise Applications
2. Click + Create your own application
Type a relevant name in Input Name (ie I2A Platform), select the “Integrate any other application you don’t find in the gallery (non-gallery)” option, and click Create.
3. After this, you’re redirected to the newly created application Overview, go to Assign users and groups from the tile or the side menu.
4. If you want to restrain the usage, you can add users and/or groups you want to access the I2A platform. We recommend adding a group with all your tenant users, I2A will recognize the users with an account.
5. Go to Single sign-on from the side menu and select SAML as the single sign-on method.
6. Click on Upload metadata file and select the XML file provided by your Client Success Manager.
7. After the import, you’ll have:
In the Basic SAML configuration block: Identifier (Entity ID): https://dcxx-auth.i-2a.com Reply URL (Assertion Consumer Service URL): https://dcxx-auth.i-2a.com/tenants/YourTenant/federations/saml/assertion-consumer-service You can now test your authentication using the Test button.
8. Please send us the Federation metadata XML file to

Your Client Success Manager will inform you after your metadata has been integrated.

To collect your users’ information and attach their resources, we have to set up a request based on your Azure Directory content. This request allows us to automatically import the necessary data.

The request can be based on two types of information to filter the appropriate scope of users:

AD Attributes configured for each user. The most common attributes used for the request are the Microsoft License Plans’ SkuIDs.
One or more AD Groups containing the users

To proceed with the request setup, please provide your Client Success Manager with the relevant type of information (attribute or group). If needed, your Client Success Manager will be happy to assist you with this process.

To encourage users to adopt the solution, we propose the use of an application that will enable our platform to send e-mails from your Microsoft tenant. If not, IDECSI will use Graph API to send emails from a generic address ().

If you want to use a particular email address of your domain, we can use the Microsoft Graph API to send IDECSI emails through an application granted on your tenant.

IDECSI proposes to use the generic application “I2A Mail Sender” to send notifications.

The application used to send notifications cannot be the same as the one used for the remediation, as the permission “Mail.Send” must be scoped on the account.

Step 1: Grant permission to this application

The following step is to grant the application with Global Administrator rights. Here is the link to grant the generic IDECSI managed app :

https://login.microsoftonline.com/common/adminConsent?client_id=ba28a8f5-601a-4523-a7e9-570dc40d49d7

The only permission to be granted is:

Permission	Display String	Description	Admin Consent required
Mail.Send	Send mail as a user	Allows the app to send mail as users in the organization	Yes

More information on the permission: Microsoft Graph permissions reference – Microsoft Graph | Microsoft Docs

Step 2: Enforce a restriction policy to limit the scope of the permission

To guarantee the best possible security, and to limit the permissions of the application granted in step 2, it is necessary to limit the right to send mail to a single service account used for this purpose.

For this, it is necessary to create an ApplicationAccessPolicy.

#0. Select the application you want to configure:

$myAppId = {my app id}

#1. Connect to Exchange Online with the ExchangeOnlineManagement PowerShell module

Connect-ExchangeOnline

#2. Create a mail-enabled security group that contains all the accounts you want to send mails from

$myRestrictedGroup = New-DistributionGroup -Name "Mail service accounts" -Type "Security" -Members @("")

#3. Optionally hide the group from the address list

Set-DistributionGroup -Identity $myRestrictedGroup.Identity -HiddenFromAddressListsEnabled $true

#4. Create the application access policy to only allow sending the app mails for the specified distribution group

$params = @{
     AccessRight = "RestrictAccess"
     AppId = $myAppId
     PolicyScopeGroupId = $myRestrictedGroup .PrimarySmtpAddress
     Description = "Restrict I2A Sender Mail app permissions to only allow access to service account"
}

New-ApplicationAccessPolicy @params

From this point, the application “I2A Mail Sender” will be authorized only for the sender e-mail address wanted “”

More information:

Step 3: Communicate to your Client Success Manager the email address authorized.

Your Client Success Manager will then configure the email address as the account used to send notifications to end-users and security teams.

- The email address that will be used to send emails (and the aliases)

To encourage user adoption, we propose using a personalized URL to access our platform. Without customization, the URL will look like this: https://dc01.i-2a.com/app/my-data-security/tenants/xxxxxxxxxx/dashboard

How to customize the URL?

Choose the desired URL and create the corresponding entry on your DNS
Provide us with the chosen domain name
Provide us with the corresponding SSL certificate and the private key (.pem format if possible)

We will let you know when the redirection to your URL is done, and give you the CNAME or A information for the DNS entry.

To encourage users to adopt the solution, we offer to customize the Emails, Interfaces, intended for them.

Email

Here are the elements that can be customized on the email templates:

Your logo. Dimensions are max 150px * max 90px
The background color of the header
Text and signature
Footer: Please provide us with the name and email address of your internal support team.

Loading Screen

Here are the elements that can be customized on the loading screen of MyDataSecurity:

Company Logo: JPG or PNG. Dimensions are 260px * 54px.
Background picture: JPG or PNG. The resolution must be 1920 x 1080. Size should be inferior to 250Ko for quick loading times.

On the Home Page

Here are the elements that can be customized on the main interface of MyDataSecurity:

Company logo: JPG or PNG. It can be different from the loading screen. Dimensions are 260px * 54px.
Display/Hide the “Applications” element of the tabs.
The background color of the header: Please provide us the HEX code or RGB code for the desired color.
Font color of the header