Onboarding Using App Registration

With this onboarding method, we will create an Active Directory App Registration in your Microsoft 365 tenant and limit the scope of API mail access to only the shared mailboxes you are onboarding.

NOTE: this document uses our demo 365 tenant, Pin Nilly (pinnilly.com) for the examples. You will see your own tenant’s name during your onboard.

In Azure Active Directory, choose Add → Enterprise application.
Choose Create your own application:
Enter a name (any name is OK; we’ll use “Emailgistics”), select Register an application to integrate with Azure AD (App you’re developing), and click Create:
Choose Accounts in this organizational directory only (Pin Nilly only – Single tenant) and click Register:
From App Registrations, open your newly-created application.
Select API permissions.
Click Add a permission, choose Microsoft Graph, then choose Application permissions.
Find and check the following permissions:: • Mail.ReadWrite
• Mail.Send
• MailboxSettings.ReadWrite
• User.Read.All
Click Add permissions. The status for each permission should then show “Granted for…” your tenant.
In the left-hand menu, choose Certificates & secrets.
Click New client secret.
Enter a description and expiration and click Add.
Copy the Client Secret Value to Notepad for later use (call it Secret).
Click Overview in the left-hand menu.
Copy the Application (client) ID value to Notepad for later use (call it AppID).

In Exchange Admin Center, choose Groups from the Recipients menu.
Click Add a group, choose Mail-enabled security for the type, and click Next.
Give the group a name and click Next.
Assign one or more owners who will be able to add and remove mailboxes from the security group and click Next.
Click Add members and add the shared mailboxes you want to onboard to Emailgistics, then click Next.
Give the group an email address and click Next. Save the address in Notepad for later use (call it GroupEmail).
Click Create group.
Open Windows PowerShell and connect to your tenant with the command:: Connect-ExchangeOnline
Copy the following command, replace the two replaceMeWith… values using the saved values from above, and execute it in Windows PowerShell.: New-ApplicationAccessPolicy -AppId replaceWithAppID -PolicyScopeGroupId replaceWithGroupEmail -AccessRight RestrictAccess -Description "Restrict this app to shared mailboxes."

Now you are ready to onboard the mailbox to Emailgistics!

To onboard Emailgistics, most of the work is done through a PowerShell script. If you are using Microsoft Windows, PowerShell is typically pre-installed. If not, you can download it from Microsoft’s app store. Please ensure that you have PowerShell version 5.1 or later to run the script. To check your PowerShell version, open PowerShell and enter $PSVersionTable in the command line.

Since our PowerShell script accesses Exchange Online and MSOnline, the admin executing the scripts should ensure that they have the necessary permissions in PowerShell before onboarding. You can check your permissions by running the following commands in PowerShell: Connect-ExchangeOnline and Connect-MsolService.

If you use any network-related antivirus software, such as Sentinel One, we recommend that you allow the execution of PowerShell scripts that access Exchange Online. This will ensure that Emailgistics can access the necessary resources to provide you with a seamless onboarding experience.

Once you confirm everything in our onboard checklist, you are ready to onboard your mailbox with Emailgistics.

Download Onboard Checklist

Navigate to the Emailgistics web page by going to www.emailgistics.com.
From the Emailgistics home page click on sign in.: You will authenticate with Microsoft single sign-on (SSO).
If you are a new customer, you will be required to create a new customer account, simply click on Create New Account
Provide the name of the organization and name of Shared mailbox and click Add Mailbox
You will be redirected to a page that requires you to confirm if you are a Global Admin in O365. If not, you will have to have a Global Admin from your organization execute the rest of the onboard process.
Once the Administrator is confirmed, they will have access to download our PowerShell script which will need to be extracted from the ZIP file and run using PowerShell 5.1 on Windows 10 or later.
Download the PowerShell script and extract it from its zip file. Ensure that both the Onboard.ps1 file and the Customer.JSON file are extracted to the same location.
Right-click on the Onboard.ps1 file and select “Run with PowerShell“. Note that some networks or VPNs may require you to run the script as an administrator or while on the organization’s network.
The script will prompt you for all required steps within PowerShell. Simply follow the prompts to complete the onboarding process.
After the PowerShell script has finished running, go back to the browser window where you initiated the onboarding process and click “I’ve finished running PowerShell script.”
The Azure AD app page appears.
Paste in the AppID, the Secret Value and the Secret Expiry that you saved in Notepad earlier and click Validate App.
Follow the rest of the PowerShell prompts.
When PowerShell takes you back to web page, click “Set up mailbox.”
Congratulations, your mailbox has been successfully added! You are now ready to check out our administration center.