07b. Synctool Exchange sources

Introduction

Exchange sources are commonly used to create Zivver user accounts based on Exchange user mailboxes and functional accounts based on Exchange shared mailboxes.

The synchronization is executed in one way: from Exchange to Zivver, not the other way around. You can determine which (shared) mailboxes are synchronized from Exchange to Zivver with filters. Filters can currently only be email addresses.

Source details

  1. Enter a Source name.
    For example “Microsoft Exchange Online” or “Microsoft Exchange on-premise 2019”.
  2. Enter a Source description.
    For example the name of the administrator who configured this Exchange source.

Connection

These settings allow the Synctool to connect to your Exchange server.

Check the Synctool prerequisites to find out what is needed to connect to your Exchange server.

Exchange type
Choose the Exchange type you want to use as a source to synchronize functional accounts to Zivver.

Set up a connection to Exchange Online manually

Select Exchange Online with MFA login.

Admin user name
Fill in the username for the account that can be used to log into Exchange Online. The account must meet the criteria in the Synctool prerequisites. The username for Exchange Online is always an email address.

Set up a connection to Exchange Online automatically with certificate

Set up Certificate Based Authentication for unattended applications
Make sure app-only authentication for unattended scripts is already configured before attempting to connect the Zivver Synctool to Exchange Online.

Select Exchange Online with Certificate login.

  • Certificate location
    Fill in the location of the .pfx file created at step 3 (Generate a self-signed certificate), including the file name. For example C:\mycert.pfx.

    Pay attention to the run path in PowerShell
    The directory from which you run the PowerShell cmdlet needed to create a certificate is also where the .pfx file will be stored. For example, if you run the cmdlet from C:\Windows\System32, then the file location will be C:\Windows\System32\mycert.pfx.
  • Certificate password
    Fill in the password that you used to secure the .pfx file at step 3: Generate a self-signed certificate. Make sure the password is at least 12 characters long and store the password somewhere safe.

  • Application ID
    Fill in the application ID of the App registration created at step 1: Application registration in Entra ID.

    1. Go to portal.azure.com.
    2. Select Entra ID.
    3. Select the tab App registrations.
    4. Select the App registration created for the Synctool from the list.
    5. Copy the Application (client) ID.
  • Exchange Organization name
    Fill in the Microsoft domain of your Entra ID tenant. It usually looks like yourcompany.onmicrosoft.com.

    1. Go to portal.azure.com.
    2. Select Entra ID.
    3. Select the tab Overview.
    4. Look for the primary .onmicrosoft.com domain on the tenant information tile.

Set up a connection to Exchange on-premise

Select Exchange on premise.

  • Exchange address
    Fill in the Exchange address. The Synctool will use this address to set up a remote connection.

    What should the Exchange address look like?
    The address should look like http://ServerFQDN/PowerShell/. Replace ServerFQDN with the fully qualified domain name of your Exchange server.
    For example exchange01.example.com.
  • User name
    Fill in the username for the account that can be used to log into Exchange. The account must meet the criteria in the Synctool prerequisites. The username is often prefixed with the domain.
    For example company\name_exchange_account.

  • Password
    Enter the password for the Exchange on-premise account.

  • Use Kerberos
    Select Yes. Using Kerberos is the default way to authenticate for Exchange on-premise.

Use Get-EXOMailbox command

To improve the performance of the Synctool while fetching data from Exchange, we recommend selecting the option Use Get-EXOMailbox command. If you are using Exchange properties that are not in the minimum set retrieved by this command, you can specify additional Properties or Property Sets. Read more about this in the Microsoft documentation.

Select extra PowerShell commands to get more member/delegation data

You can select extra PowerShell commands to get more members or delegations for your mailboxes.

  • Use Get-ADGroupMember if you delegate access to mailboxes in Exchange Server via Active Directory Security Groups.
  • Use Get-ADPermissionSendAs to retrieve Active Directory access control lists (ACLs) in Exchange Server. This is a legacy feature and usage is not recommended.
  • Use Get-DistributionGroupMember (recommended) if you delegate access to mailboxes in Exchange Server/Online via mail-enabled security groups or distribution groups.
  • Use Get-Recipient if mail-enabled objects from Exchange Server/Online are missing from the synchronization that should be present based on the filtering options. This is a legacy feature and usage is not recommended.

Users

User Field Mapping (Exchange) allows you to synchronize different types of Exchange mailboxes to Zivver as user accounts. By default only the UserMailbox type is enabled, as this usually reflects the users that need to log in to Zivver to send or receive sensitive data.

If you are using Microsoft ADFS as Identity Provider, you need to select the option to Base64 encode the ZivverAccountKey value. ADFS will provide Zivver with the Base64 encoded version of this value when the user logs in with Single Sign-On.

The following fields are mapped to the values that are standard in Exchange sources:

  • IsActive
    Mapped to the property AccountDisabled.
  • Aliases
    Mapped to the property EmailAddresses(smtp).
  • Delegates
    Mapped to the mailbox permissions (retrieved with the Get-MailboxPermission command).

Groups

Group Field Mapping (Exchange) allows you to synchronize different types of Exchange mailboxes to Zivver as functional accounts.

By default only SharedMailbox type is enabled. Other mailbox types are often not used to send or receive sensitive data, and therefore a Zivver functional account is not required.

Tick the box Replace nested shared mailboxes and nested security groups with their members when your organization assigns mailbox permissions to nested security groups (groups in groups) or nested shared mailboxes.

Organizational Units

Organizational Units Mapping maps functional accounts from your Exchange source to an organizational unit (OU) in Zivver.

If your organization does not use organizational units in Zivver, leave the default None or Excel selected.

How do I find out if my organization uses organizational units in Zivver?
If your organization uses organizational units in Zivver, you should have access to the Organization Units tab in Zivver. If you don’t have access, either your organization doesn’t use organizational units in Zivver, or you don’t have administrator rights.

If your organization uses organizational units in Zivver, then select an option based on your configuration of OUs in the Zivver admin panel.

How do I find out if Domain or Custom OU Identifier should be used?
You can check the Organizational Unit Identifier by browsing to the Organization Units tab in Zivver, clicking on one of the OUs present and editing the Organizational Unit. You will see the identifier in a popup under Organization Unit Identifier.

Source Filter

Object Filter (Exchange) allows you to filter on email addresses.

Add all email addresses to be filtered on in a list, with each email address on a separate row. Add this list to the Filter Text to filter all email addresses in the list.

  1. Check Enable Exchange Source filtering.
  2. Enter the filter value(s) at Filter Text.
    If you want to enter more than one filter value, add each value on a separate line.
  3. Choose between a positive filter (include) or negative filter (exclude).
    You can’t include and exclude in the same filter.

View the results at Data Preview.
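The following PowerShell script is an added example, not part of the Synctool or its documentation. It checks the values from the sections above (certificate location and password, Application ID, Exchange Organization name, the Get-EXOMailbox property choice and the Source Filter list) outside the Synctool, so a wrong value shows up before a synchronization runs. It assumes the ExchangeOnlineManagement module is installed and app-only authentication is configured; the path, ID, domain and filter file are placeholders.

```powershell
# Added example (not Synctool code): pre-flight check of the 'Exchange Online with Certificate login'
# settings and the Source Filter list. All values below are placeholders.
param(
    [string]$CertificateFilePath = 'C:\mycert.pfx',                         # Certificate location
    [string]$AppId               = '00000000-0000-0000-0000-000000000000',  # Application (client) ID
    [string]$Organization        = 'yourcompany.onmicrosoft.com',           # Exchange Organization name
    [string]$FilterFile          = 'C:\synctool-filter.txt'                 # one email address per line
)

# The certificate password is read interactively so it never ends up in a script or shell history.
$certPassword = Read-Host -Prompt 'Certificate password' -AsSecureString

# 1. Prove the .pfx opens with the given password before contacting Exchange Online.
$plain = [System.Net.NetworkCredential]::new('', $certPassword).Password
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertificateFilePath, $plain)
if (-not $cert.HasPrivateKey) { throw "$CertificateFilePath contains no private key; the certificate login will fail" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)" }
"Certificate {0} valid until {1}" -f $cert.Thumbprint, $cert.NotAfter

# 2. Connect the same way the Synctool does with certificate login (app-only, no user credentials).
Connect-ExchangeOnline -CertificateFilePath $CertificateFilePath -CertificatePassword $certPassword `
    -AppId $AppId -Organization $Organization -ShowBanner:$false

# 3. Get-EXOMailbox: AccountDisabled (mapped to IsActive) is outside the minimum property set,
#    so it must be requested explicitly, as the Synctool's Properties option does.
$shared = Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited `
    -Properties AccountDisabled

# 4. Apply the Source Filter list as a positive (include) filter on the primary SMTP address.
$filter   = Get-Content $FilterFile | ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ }
$included = $shared | Where-Object { $filter -contains $_.PrimarySmtpAddress.ToString().ToLowerInvariant() }
"Filter matched {0} of {1} shared mailboxes" -f @($included).Count, @($shared).Count

# 5. Delegates are mapped from mailbox permissions; list the explicit, non-inherited grants per mailbox.
foreach ($mbx in $included) {
    $delegates = Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and "$($_.User)" -notlike 'NT AUTHORITY\*' } |
        ForEach-Object { "$($_.User)" }
    [pscustomobject]@{
        Mailbox   = $mbx.PrimarySmtpAddress
        IsActive  = -not $mbx.AccountDisabled
        Delegates = ($delegates -join ', ')
    }
}
Disconnect-ExchangeOnline -Confirm:$false
```

Compare the mailbox list and delegates printed here with what Data Preview shows; a difference points at the filter text or at a permission granted through a nested group rather than directly on the mailbox.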

Merge Settings

Use Source Merge Settings to choose what the Synctool should do if distinct sources (e.g. an Exchange source and an Excel source) contain identical entries.

If this is the first source in the Source Overview then no merge settings are available.

  • Overwrite
    Objects found in the currently selected source overwrite duplicate objects from previous sources.
  • Ignore
    Objects found in the currently selected source are overwritten by duplicate objects from previous sources.
  • Conflict
    Prompt the admin to resolve duplicates before synchronizing.

Data Preview

Source Data Preview (Exchange) allows you to preview all functional accounts found in your Exchange source.

Click Load the data now to get a preview of all functional accounts found in your Exchange source.

Next steps

If the data preview is returned as you would expect, you can either configure another source, or go to Syncing.