Prerequisites for M365 environment

To enable data collection and use the alerting or the MyDataSecurity/MyDataManagement platform by your users, we invite you to fulfill the five prerequisites below.

The solution uses an Exchange service account to collect configuration objects on Exchange and to perform remediation.

Please note that MFA cannot be activated on this service account. If you want to add security on it, you can set up a conditional access policy: How to set up a conditional access policy without MFA? – IDECSI Help Center

Once the service account has been created, you can use the script below to create roles and assign cmdlets automatically.

Please send the login/password to (passwords can be sent using 1ty.me – One Time Self Destructing Links For Sharing Sensitive Information).

# Connect to Exchange Online (the service account has no MFA, so a plain credential is used)
$UserCredential = Get-Credential
Connect-ExchangeOnline -Credential $UserCredential

# Variable definitions
$serviceAccountName = "svc_lem"
$roleGroupName = "I2A"
$roleName  = "Mail Recipients - ViewOnly - I2A"
$roleName1 = "Remediation - I2A"
$roleName2 = "Remediation 2 - I2A"

# Create the management role "Mail Recipients - ViewOnly - I2A" - basic (read-only) rights:
# copy the built-in "Mail Recipients" role, then strip every cmdlet that is not a Get-* cmdlet
New-ManagementRole $roleName -Parent "Mail Recipients"
$entries = Get-ManagementRoleEntry ($roleName + "\*")
foreach ($entry in $entries)
{
    $name = $entry.Name
    if ($name -notlike "Get*")
    {
        Remove-ManagementRoleEntry "$roleName\$name" -Confirm:$false
        Write-Host "done for $name"
    }
}

# Create the management role "Remediation - I2A" - remediation rights 1:
# copy "Mail Recipients", then keep only the Remove-* cmdlets used for remediation
$remediationCmdlets = @(
    "Remove-MailboxPermission",
    "Remove-InboxRule",
    "Remove-MailboxFolderPermission",
    "Remove-RecipientPermission",
    "Remove-ADPermission"
)
New-ManagementRole $roleName1 -Parent "Mail Recipients"
$entries = Get-ManagementRoleEntry ($roleName1 + "\*")
foreach ($entry in $entries)
{
    $name = $entry.Name
    if ($name -notin $remediationCmdlets)
    {
        Remove-ManagementRoleEntry "$roleName1\$name" -Confirm:$false
        Write-Host "done for $name"
    }
}

# Create the management role "Remediation 2 - I2A" - remediation rights 2:
# copy "Mail Recipient Creation", then keep only Set-MailboxFolderPermission
New-ManagementRole $roleName2 -Parent "Mail Recipient Creation"
$entries = Get-ManagementRoleEntry ($roleName2 + "\*")
foreach ($entry in $entries)
{
    $name = $entry.Name
    if ($name -ne "Set-MailboxFolderPermission")
    {
        Remove-ManagementRoleEntry "$roleName2\$name" -Confirm:$false
        Write-Host "done for $name"
    }
}

# List what is left in each custom role for review
Get-ManagementRoleEntry ($roleName + "\*")
Get-ManagementRoleEntry ($roleName1 + "\*")
Get-ManagementRoleEntry ($roleName2 + "\*")

# Create the role group, attach the built-in read-only roles plus the three custom roles, and add the service account
New-RoleGroup -Name $roleGroupName -Roles "Audit Logs","View-Only Configuration","View-Only Recipients",$roleName,$roleName1,$roleName2 -Members $serviceAccountName

# Disconnect from Exchange Online
Disconnect-ExchangeOnline
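As an added least-privilege check that is not part of IDECSI's script, the following PowerShell (run in the same Exchange Online session, assuming the role, role group and service account names defined above, and that the account's Name, Alias or primary SMTP address equals $serviceAccountName) reports any cmdlet left in the three custom roles outside the intended allow-list and confirms the role group carries the roles and the account.

```powershell
# Added verification: compare the roles actually created with the intended cmdlet sets.
$roleGroupName = "I2A"
$serviceAccountName = "svc_lem"

# $null means "any Get-* cmdlet is acceptable" (the view-only role); otherwise an explicit allow-list
$expected = @{
    "Mail Recipients - ViewOnly - I2A" = $null
    "Remediation - I2A"   = @("Remove-MailboxPermission", "Remove-InboxRule",
                              "Remove-MailboxFolderPermission", "Remove-RecipientPermission",
                              "Remove-ADPermission")
    "Remediation 2 - I2A" = @("Set-MailboxFolderPermission")
}

$problems = @()
foreach ($role in $expected.Keys) {
    $entries = Get-ManagementRoleEntry "$role\*" | Select-Object -ExpandProperty Name
    if ($null -eq $expected[$role]) {
        $extra = $entries | Where-Object { $_ -notlike "Get-*" }
    } else {
        $extra = $entries | Where-Object { $_ -notin $expected[$role] }
    }
    foreach ($cmdlet in $extra) { $problems += "$role still contains $cmdlet" }
}

# The role group must carry every custom role and contain the service account
$group = Get-RoleGroup -Identity $roleGroupName
foreach ($role in $expected.Keys) {
    if ($group.Roles -notcontains $role) { $problems += "$roleGroupName does not carry role $role" }
}
$isMember = Get-RoleGroupMember -Identity $roleGroupName | Where-Object {
    $_.Name -eq $serviceAccountName -or $_.Alias -eq $serviceAccountName -or
    $_.PrimarySmtpAddress -eq $serviceAccountName
}
if (-not $isMember) { $problems += "$serviceAccountName is not a member of $roleGroupName" }

if ($problems.Count -eq 0) {
    Write-Host "OK: roles and role group match the intended least-privilege set"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```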

The solution uses Microsoft APIs to collect access to Exchange, OneDrive, SharePoint, and Teams as well as permissions on OneDrive, SharePoint, and Teams.

Remediation is also carried out via the APIs.

Granting the permissions to the IDECSI-Platform app

Please send us your TenantID and your SharePoint root site URL ([yourdomain].sharepoint.com), and let us know once you have granted the IDECSI – Platform app by opening the following link and signing in as an administrator of the tenant:

https://login.microsoftonline.com/common/adminconsent?client_id=52e3a6c9-b6cc-4854-92db-06afc774da14

Application permissions details for the granted app

Here is the IDECSI – Platform application’s set of rights. The “Minimum permission (Read only)” column allows you to modify the application’s level of rights on your tenant, if you wish. The impact of the modification is shown below.
Each entry below gives the API, the permission requested, the minimum permission (read only) that can be substituted for it, and why it is needed, with the Microsoft Learn reference for the call that uses it.

Office 365 Management API – ActivityFeed.Read
  Minimum permission (Read only): Mandatory
  Why? Required to read Unified Audit Logs.

Graph API – Channel.Delete.All
  Minimum permission (Read only): None
  Why? Impact: it will no longer be possible to delete private or shared channels.
  Reference: Delete channel – Microsoft Graph v1.0 | Microsoft Learn
  Recommended by Microsoft.

Graph API – ChannelMember.ReadWrite.All
  Minimum permission (Read only): ChannelMember.Read.All
  Why? References: Get conversationMember – Microsoft Graph v1.0 | Microsoft Learn; Remove member from channel – Microsoft Graph v1.0 | Microsoft Learn

Graph API – ChannelSettings.Read.All
  Minimum permission (Read only): Mandatory
  Why? Reference: List channels – Microsoft Graph v1.0 | Microsoft Learn

Graph API – DelegatedPermissionGrant.ReadWrite.All
  Minimum permission (Read only): None
  Why? Impact: it will no longer be possible to delete application consents.
  Reference: Delete oAuth2PermissionGrant (a delegated permission grant) – Microsoft Graph v1.0 | Microsoft Learn

Graph API – Directory.Read.All
  Minimum permission (Read only): Mandatory
  Why? Required for AD information (users, groups, licenses, applications, administrators).

Graph API – Users.Read.All
  Minimum permission (Read only): Mandatory
  Why? Required to get the user's profile picture.

Graph API – Files.ReadWrite.All
  Minimum permission (Read only): Files.Read.All
  Why? Impact: it will no longer be possible to remove file permissions.
  References: Remove access to an item – Microsoft Graph v1.0 | Microsoft Learn; Delete permission – Microsoft Graph v1.0 | Microsoft Learn

Graph API – Group.ReadWrite.All
  Minimum permission (Read only): Group.Read.All
  Why? Impact: it will no longer be possible to change the confidentiality of a group, change the owners or members of a Microsoft 365 Group, or delete a Microsoft 365 Group.
  References: Remove member – Microsoft Graph v1.0 | Microsoft Learn; Remove group owner – Microsoft Graph v1.0 | Microsoft Learn; Add owners – Microsoft Graph v1.0 | Microsoft Learn; Update group – Microsoft Graph v1.0 | Microsoft Learn; Delete group – Microsoft Graph v1.0 | Microsoft Learn

Graph API – InformationProtectionPolicy.Read.All
  Minimum permission (Read only): Mandatory for tenants with sensitivity labels
  Why? Reference: List sensitivityLabels – Microsoft Graph beta | Microsoft Learn

Graph API – MailboxSettings.Read
  Minimum permission (Read only): Mandatory
  Why? Reference: Get user mailbox settings – Microsoft Graph v1.0 | Microsoft Learn

Graph API – Policy.Read.All
  Minimum permission (Read only): Mandatory
  Why? Required to read configurations.

Graph API – Reports.Read.All
  Minimum permission (Read only): Mandatory
  Why? References: reportRoot: getOneDriveUsageStorage – Microsoft Graph v1.0 | Microsoft Learn; reportRoot: getOneDriveUsageFileCounts – Microsoft Graph v1.0 | Microsoft Learn; reportRoot: getSharePointSiteUsageStorage – Microsoft Graph v1.0 | Microsoft Learn; reportRoot: getSharePointSiteUsageFileCounts – Microsoft Graph v1.0 | Microsoft Learn

SharePoint – Sites.FullControl.All
  Minimum permission (Read only): None
  Why? Necessary to collect and remediate direct document access or permissions on sites or document libraries.
  Impact: it will no longer be possible to collect or remediate direct access to documents or permissions on sites or document libraries.

Graph API – Sites.Read.All
  Minimum permission (Read only): Mandatory
  Why? Reference: List sites – Microsoft Graph v1.0 | Microsoft Learn

Graph API – TeamSettings.Read.All
  Minimum permission (Read only): Mandatory
  Why? Reference: Get team – Microsoft Graph v1.0 | Microsoft Learn

More information on permissions: Overview of Microsoft Graph permissions – Microsoft Graph | Microsoft Learn

To enable users to connect to their MyDataSecurity or MyDataManagement, we can integrate your identity federation. Below is the procedure with Azure AD. For other solutions, please consult the knowledge base.

1. Go to your administrator dashboard in Azure Active Directory and click Active Directory > Enterprise Applications.
2. Click + Create your own application. Type a relevant name in Input Name (e.g. I2A Platform), select the "Integrate any other application you don't find in the gallery (non-gallery)" option, and click Create.
3. You are then redirected to the Overview of the newly created application; go to Assign users and groups from the tile or the side menu.
4. If you want to restrict usage, add the users and/or groups that should be able to access the I2A platform. We recommend adding a group containing all your tenant users: I2A will recognize the users that have an account.
5. Go to Single sign-on from the side menu and select SAML as the single sign-on method.
6. Click on Upload metadata file and select the XML file provided by your Client Success Manager.
7. After the import, you’ll have:

In the Basic SAML configuration block:

Identifier (Entity ID): https://dcxx-auth.i-2a.com
Reply URL (Assertion Consumer Service URL): https://dcxx-auth.i-2a.com/tenants/YourTenant/federations/saml/assertion-consumer-service

You can now test your authentication using the Test button.

8. Please send us the Federation metadata XML file to 

Your Client Success Manager will inform you after your metadata has been integrated.

To collect your users’ information and attach their resources, we have to set up a request based on your Azure Directory content. This request allows us to automatically import the necessary data.

The request can be based on two types of information to filter the appropriate scope of users:

  • AD Attributes configured for each user. The most common attributes used for the request are the Microsoft License Plans’ SkuIDs.
  • One or more AD Groups containing the users

To proceed with the request setup, please provide your Client Success Manager with the relevant type of information (attribute or group). If needed, your Client Success Manager will be happy to assist you with this process.


To encourage users to adopt the solution, we propose the use of an application that will enable our platform to send e-mails from your Microsoft tenant. Otherwise, IDECSI will use the Graph API to send e-mails from a generic address ().

If you want to use a particular email address of your domain, we can use the Microsoft Graph API to send IDECSI emails through an application granted on your tenant.

IDECSI proposes to use the generic application “I2A Mail Sender” to send notifications.

The application used to send notifications cannot be the same as the one used for remediation, because the "Mail.Send" permission must be scoped to a single account.

Step 1: Grant permission to this application

The first step is to grant admin consent to the application, which requires Global Administrator rights. Here is the link to grant the generic IDECSI-managed app:

https://login.microsoftonline.com/common/adminConsent?client_id=ba28a8f5-601a-4523-a7e9-570dc40d49d7

The only permission to be granted is:

Permission: Mail.Send
Display string: Send mail as a user
Description: Allows the app to send mail as users in the organization
Admin consent required: Yes

More information on the permission: Microsoft Graph permissions reference – Microsoft Graph | Microsoft Docs

Step 2: Enforce a restriction policy to limit the scope of the permission

To guarantee the best possible security, and to limit the permissions of the application granted in step 1, it is necessary to restrict the right to send mail to a single service account used for this purpose.

For this, it is necessary to create an ApplicationAccessPolicy.

#0. Select the application you want to configure (the client_id of the I2A Mail Sender app, taken from the consent link above)

$myAppId = "ba28a8f5-601a-4523-a7e9-570dc40d49d7"

#1. Connect to Exchange Online with the ExchangeOnlineManagement PowerShell module

Connect-ExchangeOnline

#2. Create a mail-enabled security group that contains all the accounts you want to send mails from
#   (replace the placeholder with the address of your mail service account)

$myRestrictedGroup = New-DistributionGroup -Name "Mail service accounts" -Type "Security" -Members @("<mail-service-account@yourdomain.com>")

#3. Optionally hide the group from the address list

Set-DistributionGroup -Identity $myRestrictedGroup.Identity -HiddenFromAddressListsEnabled $true

#4. Create the application access policy so the app can only send mail as members of that group

$params = @{
    AccessRight        = "RestrictAccess"
    AppId              = $myAppId
    PolicyScopeGroupId = $myRestrictedGroup.PrimarySmtpAddress
    Description        = "Restrict I2A Sender Mail app permissions to only allow access to service account"
}

New-ApplicationAccessPolicy @params
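As an added check that is not part of the IDECSI procedure, the following PowerShell (same Exchange Online session, assuming the I2A Mail Sender client_id from the consent link above and two placeholder mailboxes: the service account placed in the group and any other mailbox) shows the stored policy and evaluates it for both mailboxes with Test-ApplicationAccessPolicy, so you can confirm that Mail.Send is granted for the service account only and denied elsewhere.

```powershell
# Added verification: the policy must grant the group member and deny every other mailbox.
$myAppId       = "ba28a8f5-601a-4523-a7e9-570dc40d49d7"    # client_id from the consent link above
$allowedSender = "<mail-service-account@yourdomain.com>"   # placeholder: the account placed in the group
$otherMailbox  = "<any-other-user@yourdomain.com>"         # placeholder: a mailbox that must be denied

# Show the policy as Exchange Online stored it; the scope should be the "Mail service accounts" group
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $myAppId } |
    Format-List AppId, AccessRight, ScopeName, ScopeIdentity, Description

# Test-ApplicationAccessPolicy evaluates the policy for one mailbox; AccessCheckResult is Granted or Denied
$results = foreach ($mailbox in @($allowedSender, $otherMailbox)) {
    Test-ApplicationAccessPolicy -Identity $mailbox -AppId $myAppId |
        Select-Object @{ n = "Mailbox"; e = { $mailbox } }, AccessCheckResult
}
$results | Format-Table -AutoSize

# Flag the two failure modes: the service account is blocked, or another mailbox is still allowed
$blocked = $results | Where-Object { $_.Mailbox -eq $allowedSender -and $_.AccessCheckResult -ne "Granted" }
$leaked  = $results | Where-Object { $_.Mailbox -eq $otherMailbox  -and $_.AccessCheckResult -ne "Denied" }
if ($blocked) { Write-Warning "$allowedSender is denied: check the group membership used as PolicyScopeGroupId" }
if ($leaked)  { Write-Warning "$otherMailbox is still granted: the policy is not in force yet or was not applied to this app" }
```

Application access policies are not applied instantly, so re-run the test a little later before concluding that the policy is wrong.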

From this point, the "I2A Mail Sender" application is authorized only for the chosen sender e-mail address.

More information:

Step 3: Communicate the authorized e-mail address to your Client Success Manager.

Your Client Success Manager will then configure this address as the account used to send notifications to end users and security teams. Please provide:

    • The e-mail address that will be used to send e-mails (and its aliases)

To encourage user adoption, we propose using a personalized URL to access our platform. Without customization, the URL will look like this: https://dc01.i-2a.com/app/my-data-security/tenants/xxxxxxxxxx/dashboard

How to customize the URL?

  • Choose the desired URL and create the corresponding entry on your DNS
  • Provide us with the chosen domain name
  • Provide us with the corresponding SSL certificate and the private key (.pem format if possible)

We will let you know when the redirection to your URL is done, and give you the CNAME or A information for the DNS entry.