Exchange Online
The Exchange Online Connectivity supports importing and provisioning data to and from Microsoft Exchange Online. It collects data from Microsoft Exchange via Omada Data Warehouse (ODW) and provisions data through Omada Provisioning Service (OPS). You can customize the functionality of the connector both in ODW and OPS.
Exchange Online Connectivity requires a trust to Microsoft Entra ID, because it references users and groups in that system. Microsoft Entra ID must therefore already be successfully onboarded in Omada Identity.
Supported objects and operations
Exchange Online Connectivity retrieves user, equipment, room and shared mailboxes, permission access to these mailboxes, distribution groups/members, and admin role groups. The Exchange Online Connectivity always runs a full data import. Delta mode is not supported.
| Microsoft Exchange object | Omada data model | Operations |
|---|---|---|
| User Mailbox | Resource Assignments | There are no available actions. User Mailboxes are assigned through licenses in Microsoft Entra ID |
| Equipment Mailbox | Resource Assignments | Create, read, update, delete |
| Room Mailbox | Resource Assignments | Create, read, update, delete |
| Shared Mailbox | Resource Assignments | Create, read, update, delete |
| Distribution group | Resources | Create, read, update, delete |
| Distribution group members | Resource Assignments | Create, read, update, delete |
| Admin Roles | Resources | Read |
| Admin Role memberships | Resource Assignments | Read |
Accounts are not imported from Exchange. Instead, they are looked up and referenced from Microsoft Entra ID.
The following Microsoft Exchange objects are not managed by Exchange Online Connectivity:
- Public Folders
- Contacts
Mailbox delegation
| Mailbox type | Permissions |
|---|---|
| User Mailbox | Send As, Send on Behalf, Full Access |
| Equipment Mailbox | Send As, Send on Behalf, Full Access |
| Room Mailbox | Send As, Send on Behalf, Full Access |
| Shared Mailbox | Send As, Full Access |
A permission on a mailbox can be requested only after the mailbox has been confirmed through the import.
Minimum required permissions
Provision mailboxes before access (Send As, Send on Behalf, Full Access) is assigned to them.
Implementation notes
You can upgrade or migrate the legacy Exchange Connectivity to the new Exchange Hybrid Connectivity, but upgrading or migrating it to Exchange Online Connectivity is not supported.
Example use cases of administering assignments
- User Mailboxes
  - Send As, Send on Behalf and Full Access permissions to other users' mailboxes can be requested via the Request Access process and provisioned via OPS
- Equipment, Room and Shared Mailboxes
  - Equipment, Room and Shared Mailboxes can be requested via the Request Access process and provisioned via OPS
  - Send As, Send on Behalf and Full Access permissions to these mailboxes can be requested via the Request Access process and provisioned via OPS
Network requirements
If you encounter issues configuring the connection, verify your network configuration, including hardware and software firewalls. PowerShell uses the following TCP ports by default:
- 5985 or 80 for HTTP
- 5986 or 443 for HTTPS
Prerequisites
To use certificate authentication, install the ExchangeOnlineManagement PowerShell module. Additionally, when using certificate authentication with a thumbprint, install a valid certificate on the servers where OPS and ODW reside. The certificates are imported via the Management Portal.
The Exchange connectivity relies on Microsoft Entra ID Connectivity to operate correctly. Configure and import data from Microsoft Entra ID before importing data from Microsoft Exchange. You can manage more than one Exchange system.
- For each Exchange system, configure:
  - the connection details
  - the Microsoft Entra ID trust
  - the provisioning type
- Exchange connectivity integrates with Exchange using remote PowerShell. Specify all of the parameters required by the selected authentication method.
- After the initial load from Exchange, the new Exchange system is created in Omada Identity. It is then ready for the remaining configuration.
- Configure the Microsoft Entra ID trust by specifying the domain of the Microsoft Entra ID system that the Exchange system integrates with.
- Configure the Exchange system to use OPS for provisioning of resource assignments.
Set up certificate authentication
- Create the app registration and certificate; see App-only authentication for unattended scripts in the EXO V2 module in the Microsoft documentation.
- If you chose to create a certificate with a password, convert the certificate into PEM format (see OpenSSL). Conversion command example (the -nodes option writes the private key unencrypted, so restrict access to the resulting file):
  openssl pkcs12 -in filename.pfx -out cert.pem -nodes
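The following PowerShell script is an added example, not Omada's code or documentation: it checks that the thumbprint certificate is installed with its private key on the OPS/ODW server, connects with app-only certificate authentication, and lists the mailbox delegation permissions from the table above so you can compare them with what the import produces. The app id, tenant domain and thumbprint are placeholders.

```powershell
# Added example, not Omada's code. Placeholders: app id, tenant domain, thumbprint.
$AppId        = '00000000-0000-0000-0000-000000000000'        # placeholder: Entra app registration
$Organization = 'contoso.onmicrosoft.com'                     # placeholder: tenant domain
$Thumbprint   = '0123456789ABCDEF0123456789ABCDEF01234567'    # placeholder: certificate thumbprint

# 1. On the OPS/ODW server the certificate must sit in the machine store with its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint is missing from LocalMachine\My or has no private key"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires $($cert.NotAfter); imports and provisioning fail once it does"
}

# 2. App-only (unattended) connection through the ExchangeOnlineManagement module.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -AppId $AppId -Organization $Organization `
    -CertificateThumbprint $Thumbprint -ShowBanner:$false

# 3. Enumerate the four mailbox types and the delegation permissions the connector imports.
$types = 'UserMailbox', 'EquipmentMailbox', 'RoomMailbox', 'SharedMailbox'
$boxes = Get-EXOMailbox -RecipientTypeDetails $types -ResultSize Unlimited `
             -Properties GrantSendOnBehalfTo, RecipientTypeDetails
$report = foreach ($mbx in $boxes) {
    $row = @{ Mailbox = $mbx.PrimarySmtpAddress; Type = $mbx.RecipientTypeDetails }
    # Full Access: explicit (non-inherited) grants, ignoring the built-in system entries
    Get-EXOMailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' -and
                       $_.AccessRights -contains 'FullAccess' } |
        ForEach-Object { [pscustomobject]($row + @{ Permission = 'Full Access'; Trustee = $_.User }) }
    # Send As
    Get-RecipientPermission -Identity $mbx.Identity |
        Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' -and $_.AccessRights -contains 'SendAs' } |
        ForEach-Object { [pscustomobject]($row + @{ Permission = 'Send As'; Trustee = $_.Trustee }) }
    # Send on Behalf: the delegation table lists it for every type except shared mailboxes
    if ($mbx.RecipientTypeDetails -ne 'SharedMailbox') {
        foreach ($t in $mbx.GrantSendOnBehalfTo) {
            [pscustomobject]($row + @{ Permission = 'Send on Behalf'; Trustee = $t })
        }
    }
}
$report | Sort-Object Mailbox, Permission, Trustee | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Run it under the same identity the OPS/ODW service uses, since the certificate lookup is against that machine's store; rows that appear here but not in the imported resource assignments point at mailboxes that were not yet confirmed through the import.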
Edit the "Attributes to resolve display values for" customer setting
Configure the Omada Identity Portal to display human-readable values for access to other users' mailboxes.
- In the Omada Identity Portal, go to Setup > Administration > More... > Customer Settings.
- Edit the customer setting Attributes to resolve display values for in the Role and Policy Engine group.
- Add MAILBOXREF to the comma-separated list of attributes and click OK to save.