As part of the Detox offer, IDECSI provides you with an example of a communication campaign and sample e-mails to send.
The emails sent by the platform will be campaign emails and reminders to users who have not consulted their security profile. Other e-mails should be sent using your usual tools.
Click here to view the communication campaign kit and the sample emails that can be downloaded:
To enable data collection and the use of the MyDataSecurity/MyDataManagement platform by your users, we invite you to fulfill the seven prerequisites below.
💡 There are some differences between the requirements for MyDataSecurity and MyDataManagement. Please read the tabs below carefully to get the right information.
💡 This tab is only relevant for MyDataSecurity. You do not need to take any action in this tab if you are here for MyDataManagement.
The solution uses an Exchange service account to collect configuration objects on Exchange and to perform remediation.
Please note that MFA cannot be activated on this service account. If you want to add security on it, you can set up a conditional access policy: How to set up a conditional access policy without MFA? – IDECSI Help Center
Once the service account has been created, you can use the script below to create roles and assign cmdlets automatically.
Please send the login/password and your tenant’s domain to clientsuccess@idecsi.com (passwords can be sent using SMS or 1ty.me – One Time Self Destructing Links For Sharing Sensitive Information).
# Exchange Online connection
# Prompts for credentials and connects to Exchange Online with them.
$UserCredential = Get-Credential
Connect-ExchangeOnline -Credential $UserCredential

# Define variables
# These variables store:
#  * The name of the service account
#  * The name of the role group
#  * The names of the custom management roles to be created
$serviceAccountName = "svc_lem"
$roleGroupName = "I2A"
$roleName = "Mail Recipients - ViewOnly - I2A"
$roleName1 = "Remediation - I2A"
$roleName2 = "Remediation 2 - I2A"

# Create role: "Mail Recipients - ViewOnly - I2A"
# Creates a new management role based on the "Mail Recipients" parent role.
New-ManagementRole $roleName -Parent "Mail Recipients"
Get-ManagementRoleEntry "$roleName\*"
$data2 = Get-ManagementRoleEntry "$roleName\*"
# This loop removes every cmdlet except those starting with "Get", making the role read-only.
foreach ($data in $data2) {
    $name = $data.Name
    if ($name -notlike "Get*") {
        Remove-ManagementRoleEntry "$roleName\$name" -Confirm:$false
        Write-Host "done for $name"
    }
}

# Create role: "Remediation - I2A"
# Creates another role based on "Mail Recipients".
New-ManagementRole $roleName1 -Parent "Mail Recipients"
Get-ManagementRoleEntry "$roleName1\*"
$entries = Get-ManagementRoleEntry "$roleName1\*"
# This time only specific "Remove" cmdlets are kept (Remove-MailboxPermission, Remove-InboxRule, ...),
# so the role is strictly limited to remediation tasks such as removing permissions or inbox rules.
$remediationCmdlets = @(
    "Remove-MailboxPermission",
    "Remove-InboxRule",
    "Remove-MailboxFolderPermission",
    "Remove-RecipientPermission",
    "Remove-ADPermission"
)
foreach ($entry in $entries) {
    $name = $entry.Name
    if ($name -notin $remediationCmdlets) {
        Remove-ManagementRoleEntry "$roleName1\$name" -Confirm:$false
        Write-Host "done for $name"
    }
}

# Create role: "Remediation 2 - I2A"
# Creates a third custom role based on "Mail Recipient Creation".
New-ManagementRole $roleName2 -Parent "Mail Recipient Creation"
Get-ManagementRoleEntry "$roleName2\*"
$entries = Get-ManagementRoleEntry "$roleName2\*"
# Removes every cmdlet except Set-MailboxFolderPermission, so the role can only modify folder
# permissions, again focusing on a single remediation use case.
foreach ($entry in $entries) {
    $name = $entry.Name
    if ($name -ne "Set-MailboxFolderPermission") {
        Remove-ManagementRoleEntry "$roleName2\$name" -Confirm:$false
        Write-Host "done for $name"
    }
}

# Display the remaining entries of the three custom roles for verification
Get-ManagementRoleEntry "$roleName\*"
Get-ManagementRoleEntry "$roleName1\*"
Get-ManagementRoleEntry "$roleName2\*"

# Assign roles to the role group and add the service account
# Creates a new role group named "I2A" that includes:
#  * Standard built-in roles (audit logs and view-only roles)
#  * The three custom roles created above
# and assigns everything to the svc_lem service account.
New-RoleGroup -Name $roleGroupName -Roles "Audit Logs","View-Only Configuration","View-Only Recipients",$roleName,$roleName1,$roleName2 -Members $serviceAccountName

# Disconnect
# Ends the Exchange Online session cleanly.
Disconnect-ExchangeOnline
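The following audit script is an added example, not part of the IDECSI procedure: it re-reads the "I2A" role group created above and warns about any member, role or cmdlet outside the least-privilege scope the script intended. It assumes the same account, group and role names as the creation script.

```powershell
# Added verification script (not part of the IDECSI procedure): audits the "I2A" role group
# created above and warns about anything outside the intended least-privilege scope.
# Assumes the same names as the creation script; adjust them if you changed them.
Connect-ExchangeOnline

$roleGroupName      = "I2A"
$serviceAccountName = "svc_lem"

# Cmdlets each custom role is allowed to keep, as defined by the creation script.
$allowed = @{
    "Mail Recipients - ViewOnly - I2A" = "Get-*"
    "Remediation - I2A"   = @("Remove-MailboxPermission", "Remove-InboxRule",
                              "Remove-MailboxFolderPermission", "Remove-RecipientPermission",
                              "Remove-ADPermission")
    "Remediation 2 - I2A" = @("Set-MailboxFolderPermission")
}

# 1. The service account must be the only member of the role group.
foreach ($m in Get-RoleGroupMember -Identity $roleGroupName) {
    if ($m.Name -ne $serviceAccountName -and $m.Alias -ne $serviceAccountName) {
        Write-Warning "Unexpected member in role group ${roleGroupName}: $($m.Name)"
    }
}

# 2. Every remaining entry of each custom role must match its allow list.
foreach ($role in $allowed.Keys) {
    $entries = @(Get-ManagementRoleEntry "$role\*")
    foreach ($e in $entries) {
        $ok = if ($allowed[$role] -is [string]) { $e.Name -like $allowed[$role] }
              else { $e.Name -in $allowed[$role] }
        if (-not $ok) { Write-Warning "Role '$role' still contains out-of-scope cmdlet $($e.Name)" }
    }
    Write-Host ("{0}: {1} cmdlet(s) remaining" -f $role, $entries.Count)
}

# 3. The role group must carry only the roles assigned by the creation script.
$expectedRoles = @("Audit Logs", "View-Only Configuration", "View-Only Recipients") + @($allowed.Keys)
foreach ($r in (Get-RoleGroup -Identity $roleGroupName).Roles) {
    if ($r -notin $expectedRoles) { Write-Warning "Unexpected role in ${roleGroupName}: $r" }
}

Disconnect-ExchangeOnline
```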
💡 This tab is relevant for both MyDataSecurity and MyDataManagement configuration.
The solution uses Microsoft APIs to collect access to Exchange, OneDrive, SharePoint, and Teams as well as permissions on OneDrive, SharePoint, and Teams.
Remediation is also carried out via the APIs.
Granting the permissions to the IDECSI-Platform app
Please send us your TenantID and your SharePoint root site URL ([yourdomain].sharepoint.com), and let us know when you have granted the IDECSI – Platform app by clicking the following link and logging in as an administrator of the tenant:
https://login.microsoftonline.com/common/adminconsent?client_id=52e3a6c9-b6cc-4854-92db-06afc774da14
Application permissions details of the granted app
| API | Permission | Minimum Permission (Read only) | Why? |
| --- | --- | --- | --- |
| Office 365 Management API | ActivityFeed.Read | Mandatory | Required to read Unified Audit Logs |
| Graph API | Channel.Delete.All | None. Impact: it will no longer be possible to delete private or shared channels | Delete channel (Microsoft Graph v1.0, Microsoft Learn). Recommended by Microsoft |
| Graph API | ChannelMember.ReadWrite.All | ChannelMember.Read.All | Get conversationMember; Remove member from channel (Microsoft Graph v1.0, Microsoft Learn) |
| Graph API | ChannelSettings.Read.All | Mandatory | List channels (Microsoft Graph v1.0, Microsoft Learn) |
| Graph API | DelegatedPermissionGrant.ReadWrite.All | None. Impact: it will no longer be possible to delete application consents | Delete oAuth2PermissionGrant (a delegated permission grant) (Microsoft Graph v1.0, Microsoft Learn) |
| Graph API | Directory.Read.All | Mandatory | Required for AD information (users, groups, licenses, applications, administrators) |
| Graph API | Files.ReadWrite.All | Files.Read.All. Impact: it will no longer be possible to remove file permissions | Remove access to an item; Delete permission (Microsoft Graph v1.0, Microsoft Learn) |
| Graph API | Group.ReadWrite.All | Group.Read.All. Impact: it will no longer be possible to change the confidentiality of a group, change the owners or members of a Microsoft 365 Group, or delete a Microsoft 365 Group | Remove member; Remove group owner; Add owners; Update group; Delete group (Microsoft Graph v1.0, Microsoft Learn) |
| Graph API | InformationProtectionPolicy.Read.All | Mandatory for tenants with sensitivity labels | List sensitivityLabels (Microsoft Graph beta, Microsoft Learn) |
| Graph API | MailboxSettings.Read | Mandatory | Get user mailbox settings (Microsoft Graph v1.0, Microsoft Learn) |
| Graph API | Policy.Read.All | Mandatory | Required to read configurations |
| Graph API | Reports.Read.All | Mandatory | reportRoot: getOneDriveUsageStorage, getOneDriveUsageFileCounts, getSharePointSiteUsageStorage, getSharePointSiteUsageFileCounts (Microsoft Graph v1.0, Microsoft Learn) |
| SharePoint | Sites.FullControl.All | None. Impact: it will no longer be possible to COLLECT any Classic SharePoint site; removing direct access to documents or permissions on sites or document libraries will no longer be possible | Necessary to collect and remediate direct document access or permissions on sites or document libraries |
| Graph API | Sites.Read.All | Mandatory | List sites (Microsoft Graph v1.0, Microsoft Learn) |
| Graph API | TeamSettings.Read.All | Mandatory | Get team (Microsoft Graph v1.0, Microsoft Learn) |
More information on permissions: Overview of Microsoft Graph permissions – Microsoft Graph | Microsoft Learn
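The following script is an added example, not part of the IDECSI procedure: it lists the application permissions actually granted to the IDECSI – Platform service principal in your tenant so that they can be compared against the table above. It uses the Microsoft.Graph PowerShell SDK; the `$expected` list is an assumption holding the table's "Mandatory" and read-only minimum entries, so extend it with any ReadWrite permission you chose to grant for remediation.

```powershell
# Added verification script (not part of the IDECSI procedure): lists the application permissions
# actually granted to the IDECSI-Platform service principal so they can be compared with the table above.
# Requires the Microsoft.Graph PowerShell SDK. $expected is an assumption: it holds the table's
# "Mandatory" and read-only minimum entries; extend it with the ReadWrite permissions you chose to grant.
$platformAppId = "52e3a6c9-b6cc-4854-92db-06afc774da14"   # client_id from the consent link above
$expected = @(
    "ActivityFeed.Read", "ChannelMember.Read.All", "ChannelSettings.Read.All",
    "Directory.Read.All", "Files.Read.All", "Group.Read.All",
    "InformationProtectionPolicy.Read.All", "MailboxSettings.Read", "Policy.Read.All",
    "Reports.Read.All", "Sites.Read.All", "TeamSettings.Read.All"
)

Connect-MgGraph -Scopes "Application.Read.All"

# The admin consent link creates a service principal for the app in your tenant.
$sp = Get-MgServicePrincipal -Filter "appId eq '$platformAppId'"
if (-not $sp) { throw "The IDECSI-Platform app has not been consented in this tenant" }

# Each app role assignment points at a resource API (Graph, Office 365 Management, SharePoint)
# and a role id; resolve the id against the resource's AppRoles to get the permission name.
$granted = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    [pscustomobject]@{ Api = $resource.DisplayName; Permission = $role.Value }
}

$granted | Sort-Object Api, Permission | Format-Table -AutoSize

# Anything beyond the expected set must be either justified by the remediation use cases
# in the table or removed from the service principal.
$extra = $granted | Where-Object { $_.Permission -notin $expected }
if ($extra) {
    Write-Warning "Permissions granted beyond the expected minimum set:"
    $extra | Format-Table -AutoSize
}
```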
💡 This tab is relevant for both MyDataSecurity and MyDataManagement configuration.
To enable users to connect to their MyDataSecurity or MyDataManagement, we can integrate your identity federation. Below is the procedure with Azure AD. For other solutions, please consult the knowledge base.
1. Go to your administrator dashboard in Azure Active Directory and click on Active Directory > Enterprise Applications.
2. Click + Create your own application. Type a relevant name in Input Name (e.g. I2A Platform), select the “Integrate any other application you don’t find in the gallery (non-gallery)” option, and click Create.
3. You are then redirected to the Overview of the newly created application; go to Assign users and groups from the tile or the side menu.
4. If you want to restrict usage, add the users and/or groups that should have access to the I2A platform. We recommend adding a group with all your tenant users; I2A will recognize the users that have an account.
5. Go to Single sign-on from the side menu and select SAML as the single sign-on method.
6. Click on Upload metadata file and select the XML file provided by your Client Success Manager.
7. After the import, the Basic SAML configuration block shows the Identifier (Entity ID): https://dcxx-auth.i-2a.com. You can now test your authentication using the Test button.
8. Please send us the Federation metadata XML file at clientsuccess@idecsi.com.
Your Client Success Manager will inform you after your metadata has been integrated.
💡 This tab is relevant for both MyDataSecurity and MyDataManagement configuration.
To collect your users’ information and attach their resources, we have to set up a request based on your Azure Directory content. This request allows us to automatically import the necessary data.
The request can be based on two types of information to filter the appropriate scope of users:
- AD Attributes configured for each user. The most common attributes used for the request are the Microsoft License Plans’ SkuIDs.
- One or more AD Groups containing the users
To proceed with the request setup, please provide your Client Success Manager with the relevant type of information (attribute or group). If needed, your Client Success Manager will be happy to assist you with this process.
Anonymous reporting
💡 This prerequisite is only relevant for MyDataManagement configuration.
Microsoft reports show anonymous user names instead of actual user names. These reports are required for the MyDataManagement collection, but the user identity is needed in order to show each user information about their data on their MyDataManagement profile.
Therefore, it is mandatory to deactivate anonymous reporting on your tenant.
To do so, please follow the tutorial here.
💡 This tab is relevant for both MyDataSecurity and MyDataManagement configuration.
To encourage users to adopt the solution, we propose the use of an application that will enable our platform to send e-mails from your Microsoft tenant. If not, IDECSI will use Graph API to send emails from a generic address (alerts@idecsi.com).
If you want to use a particular email address of your domain, we can use the Microsoft Graph API to send IDECSI emails through an application granted on your tenant.
⚠ Mailing lists are not supported.
IDECSI proposes to use the generic application “I2A Mail Sender” to send notifications.
The application used to send notifications cannot be the same as the one used for the remediation, as the permission “Mail.Send” must be scoped on the account.
Step 1: Grant permission to this application
The next step is to grant consent to the application using an account with Global Administrator rights. Here is the link to grant the generic IDECSI-managed app:
https://login.microsoftonline.com/common/adminConsent?client_id=ba28a8f5-601a-4523-a7e9-570dc40d49d7
The only permission to be granted is:
| Permission | Display String | Description | Admin Consent required |
| --- | --- | --- | --- |
| Mail.Send | Send mail as a user | Allows the app to send mail as users in the organization | Yes |
More information on the permission: Microsoft Graph permissions reference – Microsoft Graph | Microsoft Docs
Step 2: Enforce a restriction policy to limit the scope of the permission
To guarantee the best possible security, and to limit the permissions of the application granted in step 1, it is necessary to restrict the right to send mail to a single service account used for this purpose.
For this, you need to create an ApplicationAccessPolicy.
# 0. Select the application you want to configure (for the I2A Mail Sender app, this is the
#    client_id shown in the consent link above). Keep the value quoted: an unquoted {...}
#    would be parsed by PowerShell as a script block, not as a string.
$myAppId = "{my app id}"
# 1. Connect to Exchange Online with the ExchangeOnlineManagement PowerShell module
Connect-ExchangeOnline
# 2. Create a mail-enabled security group that contains all the accounts you want to send mail from
$myRestrictedGroup = New-DistributionGroup -Name "Mail service accounts" -Type "Security" -Members @("senderemail@mydomain.com")
# 3. Optionally hide the group from the address list
Set-DistributionGroup -Identity $myRestrictedGroup.Identity -HiddenFromAddressListsEnabled $true
# 4. Create the application access policy so that the app may only send mail as members of that group
$params = @{
    AccessRight        = "RestrictAccess"
    AppId              = $myAppId
    PolicyScopeGroupId = $myRestrictedGroup.PrimarySmtpAddress
    Description        = "Restrict I2A Sender Mail app permissions to only allow access to service account"
}
New-ApplicationAccessPolicy @params
From this point, the application “I2A Mail Sender” is authorized to send mail only from the chosen sender address, “senderemail@mydomain.com”.
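The following check is an added example, not part of the IDECSI procedure: it confirms that the ApplicationAccessPolicy created above actually restricts the app before you notify your Client Success Manager. It assumes the same Exchange Online session and `$myAppId` as the script above, and uses two placeholder mailboxes, `senderemail@mydomain.com` (the service account) and `someuser@mydomain.com` (any ordinary mailbox).

```powershell
# Added check (not part of the IDECSI procedure): confirms the ApplicationAccessPolicy created
# above behaves as intended. Assumes the same session and $myAppId as the script above;
# the two mailbox addresses are placeholders.
$allowedMailbox = "senderemail@mydomain.com"   # the only mailbox the app may send from
$otherMailbox   = "someuser@mydomain.com"       # any ordinary mailbox in the tenant

# 1. The policy must exist for the app and be scoped to the mail-enabled security group.
$policy = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $myAppId }
if (-not $policy) { throw "No ApplicationAccessPolicy found for app $myAppId" }
$policy | Format-List AppId, ScopeName, AccessRight, Description

# 2. Test-ApplicationAccessPolicy evaluates the policy for a given mailbox: AccessCheckResult
#    should be "Granted" for the service account and "Denied" for every other mailbox.
#    Policy changes can take a while to apply (Microsoft documents up to about 30 minutes),
#    so re-run this check if a freshly created policy is not yet enforced.
$allowed = Test-ApplicationAccessPolicy -Identity $allowedMailbox -AppId $myAppId
$denied  = Test-ApplicationAccessPolicy -Identity $otherMailbox   -AppId $myAppId

if ($allowed.AccessCheckResult -ne "Granted") {
    Write-Warning "Mail.Send is NOT granted for $allowedMailbox; notifications would fail"
}
if ($denied.AccessCheckResult -ne "Denied") {
    Write-Warning "Mail.Send is still allowed for $otherMailbox; the restriction is not effective"
}
```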
More information:
- Limiting application permissions to specific Exchange Online mailboxes – Microsoft Graph | Microsoft Docs
- Securely sending emails from PowerShell scripts with modern authentication enforced – nicolonsky tech
- New-ApplicationAccessPolicy (ExchangePowerShell) | Microsoft Docs
Step 3: Communicate the authorized email address to your Client Success Manager.
- The email address that will be used to send emails (and its aliases)
Your Client Success Manager will then configure this email address as the account used to send notifications to end-users and security teams.
💡 This tab is relevant for both MyDataSecurity and MyDataManagement configuration.
To encourage user adoption, we propose using a personalized URL to access our platform. Without customization, the URL will look like this: https://dc01.i-2a.com/app/my-data-security/tenants/xxxxxxxxxx/dashboard
How to customize the URL?
- Choose the desired URL and create the corresponding entry on your DNS
- Provide us with the chosen domain name
- Provide us with the corresponding SSL certificate and the private key (.pem format if possible)
We will let you know when the redirection to your URL is done, and give you the CNAME or A information for the DNS entry.
💡 This tab is relevant for both MyDataSecurity and MyDataManagement configuration.
To encourage users to adopt the solution, we offer to customize the e-mails and interfaces intended for them.
Here are the elements that can be customized on the email templates:
Loading Screen
Here are the elements that can be customized on the loading screen of MyDataSecurity:
On the Home Page
Here are the elements that can be customized on the main interface of MyDataSecurity: