Exchange Hybrid
The Exchange Hybrid connectivity package supports governing and managing Exchange Hybrid instances. It allows you to register and onboard any number of Exchange Hybrid instances, load information about mailboxes, distribution groups, and admin roles, and automate the provisioning and de-provisioning of Exchange Hybrid mailboxes access, mailboxes, and distribution groups memberships.
Exchange Hybrid Connectivity retrieves user, equipment, room and shared mailboxes, permission access to these mailboxes, distribution groups/members, and admin role groups. The Exchange Hybrid connectivity always runs a full data import. Delta mode is not supported.
This connectivity package supports all Exchange Hybrid versions currently supported by Microsoft, as the service is continuously updated as part of Microsoft 365. The administration is performed through the Exchange Hybrid PowerShell V3 (EXO V3) module, which uses REST-based cmdlets. This modern approach replaces legacy remote PowerShell (WinRM) and is recommended by Microsoft for all current administrative operations for its improved performance and security.
Supported objects and operations
Exchange Hybrid Connectivity retrieves user, equipment, room and shared mailboxes, permission access to these mailboxes, distribution groups/members, and admin role groups.
| Microsoft Exchange object | Omada data model | Operations |
|---|---|---|
| User Mailbox | Resource assignments | There are no actions available. User Mailboxes are assigned through licenses in Microsoft Entra ID. |
| Equipment Mailbox | Resource | Create, read, delete |
| Equipment Mailbox | Resource assignments | Create, read, delete |
| Room Mailbox | Resource | Create, read, delete |
| Room Mailbox | Resource assignments | Create, read, delete |
| Shared Mailbox | Resource | Create, read, delete |
| Shared Mailbox | Resource assignments | Create, read, delete |
| Distribution group | Resource | Create, read, delete |
| Distribution group members | Resource assignments | Create, read, delete |
| Admin Roles | Resources | Read |
| Admin Role memberships | Resource assignments | Read |
Minimum required permissions
Review the Prerequisites section to learn how to assign the Exchange Administrator role for the app.
Implementation notes
N/A
Network requirements
N/A
Prerequisites
Register a new application in Azure Portal
-
In the Azure portal (the default URL: https://portal.azure.com), go to your directory. In the Manage section, find the App registrations, then click New registration.
-
In the Register an application dialog box, enter a Name. In the Supported account types section, choose Accounts in this organizational directory only (Single tenant).
-
Click Register. Copy and store the Application ID. You must use this Application ID when you onboard the system to Omada Identity.
infoThe Application ID shown in the following image is only an example. Your Application ID contains a different value.
Add Graph API
The connectivity add-on uses the Office 365 Exchange Online to read and write information to the directory. Add the Office 365 Exchange Online for the registered application:
-
Go to API permissions and select +Add a permission.
-
From the APIs organization uses tab, choose Office 365 Exchange Hybrid.
-
Select Application permissions, and then Exchange.ManageAsApp.
-
Click the Add permissions button.
The table below presents the minimum required permissions for the correct connection between Exchange Online and Omada Identity.
MICROSOFT GRAPH
Permission Type Description Exchange.ManageAsApp Application The Exchange.ManageAsApp permission allows the application to access and manage Exchange Online mailboxes and settings without user interaction, using app-only authentication. -
After adding the permission, grant consent to the permissions. Click the Grant admin consent button.
Generate and export a certificate for app authentication
To authenticate Omada Identity with Exchange Online, create and export a certificate that will be used during the app registration process in Azure. Review the following example of a PowerShell script to export both the .pfx and .cer versions of the certificate:
# Define the output paths and password for the .pfx file
$exportCertSplat = @{
FilePath = 'C:\<Path>\OmadaExchangeCert.pfx'
# <-- Replace <Path> with your desired export location
Password = (ConvertTo-SecureString -String "<StrongPassword>" -AsPlainText -Force)
# <-- Replace <StrongPassword> with your desired password
}
# Locate the certificate by subject name
$mycert = Get-ChildItem -Path cert:\CurrentUser\My | Where-Object { $_.Subject -eq 'CN=<CertificateName>' }
# <-- Replace <CertificateName> with your actual certificate name
# Export the certificate to a .pfx file (includes private key)
$mycert | Export-PfxCertificate @exportCertSplat
# Export the certificate to a .cer file (public key only)
$mycert | Export-Certificate -FilePath 'C:\<Path>\OmadaExchangeCert.cer'
# <-- Replace <Path> with your desired export location
The password defined in the $exportCertSplat block (<StrongPassword>) is used to protect the .pfx file and will be required later when configuring the certificate-based authentication in Omada Identity. Be sure to store this password securely along with the generated .pfx and .cer files. Without it, the .pfx file cannot be imported or used.
Create a certificate
- In the Azure portal, go to Certificates & secrets. Select Certificates.
- Select Upload certificate. Choose the certificate file to upload. Click Add. Once the certificate is uploaded, the details are displayed.
Assigning Exchange Administrator role to the app
To allow the application to manage Exchange Online, you must assign the Exchange Administrator role to the app’s Enterprise Application in Microsoft Entra ID.
-
In the Azure portal, click Microsoft Entra ID and then Roles and administrators.
-
Click Exchange Administrator.
-
Click + Add assignments.
-
In the search box, enter the name of the application you have created. Click Add.
Register a new system in Omada Identity
- In Omada Identity, go to Setup > Systems > All systems.
- In the top left-hand corner, click New. In the dialog box, enter a name and system ID. Both values must be unique. Select New as the category and Exchange Online in the collector technology. In the content section, choose Access Rights. In the trusts section, choose Microsoft Entra ID. Click OK.