An initial onboarding is required for authentication using application objects. The terms application and service principal are often used interchangeably, but an application is like a class object while a service principal is like an instance of that class.

For more information on Application and service principal objects in Azure Active Directory, see Application and service principal objects in Azure Active Directory. For a detailed visual flow about creating applications in Azure AD, see Create an Azure Active Directory application and service principal that can access resources.

To set up Certificate-based authentication or app-only authentication, perform the following steps:
  1. Register the application in Azure AD.
  2. Assign API permissions to the application.

    For the application object to access resources, it needs the Application permissions Exchange.ManageAsApp and Mail.ReadWrite.

  3. Generate a self-signed certificate and grant access to private key.

    Create and configure a self-signed X.509 certificate, which is used to authenticate your application against Azure AD when requesting the app-only access token. Cryptography Next Generation (CNG) certificates aren't supported for app-only authentication with Exchange. CNG certificates are created by default in modern Windows versions, so you must use a certificate from a CSP key provider (-Provider "Microsoft Strong Cryptographic Provider").

  4. Attach the certificate to the Azure AD application.
  5. Assign Azure AD roles to the application.

    The application needs to have the Compliance Administrator Azure AD role assigned.

  6. Create a new service principal.

Step 1: Register the application in Azure AD

  1. Open the Azure AD portal.
  2. In the Search box at the top of the page, type App registrations.
  3. Select App registrations from the results in the Services section.

    Alternatively, you can navigate to the App registrations page by using https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade.

  4. On the App registrations page, select New registration.
  5. On the Register an application page, configure the following settings:
    Name: Enter something descriptive. For example, ExO PowerShell CBA.
    Supported account types: Verify that Accounts in this organizational directory only (<YourOrganizationName> only - Single tenant) is selected.

    To make the application multi-tenant for Exchange Online delegated scenarios, select the value Accounts in any organizational directory (Any Azure AD directory - Multitenant).

  6. When you're finished, select Register, and then close the app page.

Step 2: Assign API permissions to the application

The procedures in this section replace any default permissions that were automatically configured for the new app. The app doesn't need the default permissions that were replaced.

  1. On the app page, select Manifest under Management.
  2. On the Manifest page, find the requiredResourceAccess entry (on or about line 47).
  3. Modify the resourceAppId, resourceAccess id, and resourceAccess type values as shown in the following snippet (the first entry is the Exchange.ManageAsApp role on Exchange Online, the second is the Mail.ReadWrite role on Microsoft Graph; type "Role" means an application permission, not a delegated one):
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
            "resourceAccess": [
                {
                    "id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
                    "type": "Role"
                }
            ]
        },
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "e2a3a72e-5f79-4c64-b1b1-878b674786c9",
                    "type": "Role"
                }
            ]
        }
    ],
  4. Select Save.
  5. On the Manifest page, select API permissions under Management.
  6. On the API permissions page, verify the following:
    API / Permissions name: Verify that the values Exchange.ManageAsApp and Mail.ReadWrite are shown.
    Status: The current value is Not granted for <Organization>, and this value needs to be changed.

    Select Grant admin consent for <Organization>, read the confirmation dialog that opens, and then select Yes.

    The Status value should now be Granted for <Organization>.

  7. Close the current API permissions page (not the browser tab) to return to the App registrations page.

Step 3: Generate a self-signed certificate and grant access to private key

Create a self-signed X.509 certificate by performing the following:
  • Use the New-SelfSignedCertificate, Export-Certificate, and Export-PfxCertificate cmdlets in an elevated (run as administrator) Windows PowerShell session to request a self-signed certificate and export it to .cer and .pfx (SHA1 by default). For example:
    # Create certificate
    $mycert = New-SelfSignedCertificate -DnsName "snowsecops.onmicrosoft.com" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(2) -KeySpec KeyExchange -Provider "Microsoft Strong Cryptographic Provider"
    
    # Generate the password that protects the exported private key
    $mypwd = ConvertTo-SecureString -String '<password>' -Force -AsPlainText
    
    # Export certificate to .pfx file
    $mycert | Export-PfxCertificate -FilePath mycert.pfx -Password $mypwd
    
    # Export certificate to .cer file
    $mycert | Export-Certificate -FilePath mycert.cer
  • Provide private key access to the MID service user by using the following steps:
    1. Open MMC (Microsoft Management Console).
    2. In MMC, navigate to Certificates (Local Computer) > Personal > Certificates.

      (If MMC has no Certificates menu item, add it by navigating to File > Add/Remove Snap-in.)

    3. Right-click the certificate that you generated.
    4. Expand All Tasks > Manage Private Keys.
    5. Add the MID service user to the list of accounts with access to the key.
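A scripted equivalent of the MMC steps above, added here as an example (not part of the original guide): it checks that the certificate's private key is CSP-backed (the CNG caveat from the overview) and grants the MID service account read access to the key file. It assumes an elevated Windows PowerShell 5.1 session on the host where Step 3 was run; $Thumbprint and $ServiceAccount are placeholders.

```powershell
# Added example (not from the original guide). Assumes an elevated Windows PowerShell 5.1
# session on the host where Step 3 was run; $Thumbprint and $ServiceAccount are placeholders.
param(
    [Parameter(Mandatory)][string]$Thumbprint,      # thumbprint of the Step 3 certificate
    [Parameter(Mandatory)][string]$ServiceAccount   # MID service user, e.g. 'DOMAIN\svc-mid' (placeholder)
)

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in LocalMachine\My." }

# In Windows PowerShell, .PrivateKey is an RSACryptoServiceProvider for a CSP-backed key and
# $null (or an error) for a CNG-backed key, which Exchange app-only auth does not support.
$key = try { $cert.PrivateKey } catch { $null }
if ($key -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
    throw "Private key is not CSP-backed; recreate the certificate with -Provider 'Microsoft Strong Cryptographic Provider'."
}
$info = $key.CspKeyContainerInfo
Write-Host "Provider: $($info.ProviderName)"
Write-Host "Key file: $($info.UniqueKeyContainerName)"

# CSP machine keys live as files under MachineKeys; editing this file's ACL is what the
# MMC "Manage Private Keys" dialog does.
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($info.UniqueKeyContainerName)"
if (-not (Test-Path $keyPath)) { throw "Key file not found at $keyPath." }

$acl = Get-Acl -Path $keyPath
# Read is sufficient to use the key for authentication; do not grant FullControl.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Show the resulting entry so the grant can be confirmed (same view as MMC's Security tab).
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```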

Step 4: Attach the certificate to the Azure AD application

After you register the certificate with your application, you can use the thumbprint for authentication.
  1. From the Owned applications tab on the App registrations page at the end of Step 2, select your application.

    If you need to go back to the App registrations page, use https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/%7E/RegisteredApps, verify that the Owned applications tab is selected, and then select your application.

  2. Select Certificates & secrets under Manage.
  3. On the Certificates & secrets page that opens, select Upload certificate.
  4. Browse to the self-signed certificate (.cer file) that you created in Step 3.
  5. When you're finished, select Add.

    The certificate is now shown in the Certificates section.

  6. Note the certificate's thumbprint (you need it for Step 6), and then close the current Certificates & secrets page.

Step 5: Assign Azure AD roles to the application

  1. Open the Azure AD portal.
  2. In the Search field at the top of the page, look for Roles and Administrators.
  3. Select Azure AD roles and administrators from the results in the Services section.

    Alternatively, you can navigate to the Azure AD roles and administrators page by using https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade.

  4. On the Azure AD roles and administrators page, find the Compliance Administrator role and select it by clicking the name of the role (not the check box) in the results.

  5. On the Assignments page, select Add assignments.
  6. In the Add assignments pop-up, find and select the app that you created in Step 1.
  7. When you're finished, select Add.
  8. Go back to the Assignments page and verify that the role has been assigned to the app.

Step 6: Create a new service principal

Important: Ensure that you've connected to Security & Compliance PowerShell before completing the steps to create a new service principal. Creating a new service principal without connecting to PowerShell won't work, because your Azure App ID and Object ID are needed to create the new service principal.
  1. Run the following command to store the details of the Azure application that you registered in Step 1 (<AppName>) in a variable:
    # Install and load the AzureAD module, then sign in to your tenant
    Install-Module -Name AzureAD
    Import-Module -Name AzureAD
    Connect-AzureAD
    # Look up the service principal of the app registered in Step 1 and keep it in a variable
    $AADApp = Get-AzureADServicePrincipal -SearchString "<AppName>"

    For detailed syntax and parameter information, see Get-AzureADServicePrincipal.

  2. In the same PowerShell window, connect to Security & Compliance PowerShell using the certificate thumbprint from Step 4 and the App ID stored in the previous step:
    Import-Module ExchangeOnlineManagement
    Connect-IPPSSession -CertificateThumbPrint "<Your_Certificate_ThumbPrint>" -AppID $AADApp.AppId -Organization "<Your_organization>"
  3. Run the following command to create a service principal object for the Azure application:
    New-ServicePrincipal -AppId $AADApp.AppId -ObjectId $AADApp.ObjectId -DisplayName "<Descriptive Name>"

    For detailed syntax and parameter information, see New-ServicePrincipal.
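Before relying on the connection, it is worth confirming that the registration holds exactly the two application permissions from Step 2 and the role from Step 5 and nothing more. The following check is an added example, not part of the original guide: it runs in the Connect-AzureAD session opened in Step 6, uses the resource and role IDs quoted in the Step 2 manifest snippet, and takes your application (client) ID as the $AppId placeholder. It assumes that Get-AzureADServiceAppRoleAssignedTo, queried on the resource service principal, lists the app role assignments granted to principals on that resource.

```powershell
# Added example (not from the original guide). Assumes an existing Connect-AzureAD session
# and the AzureAD module from Step 6; $AppId is a placeholder for your application (client) ID.
param([Parameter(Mandatory)][string]$AppId)

# Values from the Step 2 manifest snippet: resource app ID -> expected application permission.
$Expected = @{
    '00000002-0000-0ff1-ce00-000000000000' = @{ Id = 'dc50a0fb-09a3-484d-be87-e023b12c6440'; Name = 'Exchange.ManageAsApp' }
    '00000003-0000-0000-c000-000000000000' = @{ Id = 'e2a3a72e-5f79-4c64-b1b1-878b674786c9'; Name = 'Mail.ReadWrite' }
}

$sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for app ID $AppId; repeat Step 1." }
$problems = @()

foreach ($resourceAppId in $Expected.Keys) {
    $resource = Get-AzureADServicePrincipal -Filter "appId eq '$resourceAppId'"
    # Assumption: application permissions granted by admin consent appear as app role
    # assignments on the resource service principal; keep only those for our app.
    $assigned = Get-AzureADServiceAppRoleAssignedTo -ObjectId $resource.ObjectId -All $true |
        Where-Object { $_.PrincipalId -eq $sp.ObjectId }
    $want = $Expected[$resourceAppId]
    if ($assigned.Id -notcontains $want.Id) {
        $problems += "Missing $($want.Name) on $($resource.DisplayName); repeat Step 2 and grant admin consent."
    }
    foreach ($extra in ($assigned | Where-Object { $_.Id -ne $want.Id })) {
        $roleName = ($resource.AppRoles | Where-Object { $_.Id -eq $extra.Id }).Value
        $problems += "Unexpected permission $roleName on $($resource.DisplayName); remove it to keep the app least-privileged."
    }
}

# Step 5: the service principal must be a member of the Compliance Administrator directory role.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Compliance Administrator' }
if (-not $role -or (Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId).ObjectId -notcontains $sp.ObjectId) {
    $problems += "Compliance Administrator role is not assigned to the app; repeat Step 5."
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "App $AppId is configured as this guide expects." }
```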