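<#
.SYNOPSIS
  SigParser Microsoft 365 setup tool.

.DESCRIPTION
  Interactive, administrator-run script that:
    1. installs/loads the AzureAD module and signs in,
    2. creates (or reuses) the SigParser app registration and mints a client secret,
    3. requests the Microsoft Graph application permissions listed in $GRAPH_APP_ROLES,
    4. installs/loads ExchangeOnlineManagement and signs in to Exchange Online,
    5. creates (or reuses) a mail enabled security group and adds the test mailbox,
    6. creates an Exchange application access policy that restricts the app to that group,
    7. verifies the policy with one allowed and one denied mailbox,
    8. prints the values that must be pasted into SigParser.

  Requires an account that can create app registrations in Entra ID / Azure AD and
  manage groups and application access policies in Exchange Online.
#>

Clear-Host

# Name of the mail enabled security group that will be created. Change this if you need something custom.
$MAIL_SECURITY_GROUP_NAME = "SigParser Mailboxes Group"

# Name of the application (app registration) SigParser will create in Azure.
$SIGPARSER_APP_NAME = "SigParser Mailboxes App"

# Well-known AppId of the Microsoft Graph service principal; it is the same in every tenant.
$MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Microsoft Graph application permissions (AppRoles) requested for the app registration.
# The Exchange application access policy created below narrows Mail/Calendars/Contacts
# access to members of $MAIL_SECURITY_GROUP_NAME. User.Read.All and GroupMember.Read.All
# are directory permissions and are not narrowed by that policy.
$GRAPH_APP_ROLES = @(
  "Calendars.Read",
  "Contacts.Read",
  "GroupMember.Read.All",
  "Mail.Read",
  "User.Read.All"
)

<#
.SYNOPSIS
  Installs a module from PSGallery for the current user unless it is already available.
.PARAMETER Name
  Module name as published on PSGallery.
#>
function Install-ModuleIfMissing {
  param([Parameter(Mandatory = $true)][string]$Name)
  if (-not (Get-Module -ListAvailable -Name $Name)) {
    Install-Module -Name $Name -Scope CurrentUser -Repository PSGallery -Force
  }
}

<#
.SYNOPSIS
  Prints a question and reads a non-blank answer from the console.
.PARAMETER Prompt
  Question text shown to the operator.
.OUTPUTS
  The trimmed answer. Throws when the answer is blank so that later cmdlets never
  receive an empty identity.
#>
function Read-RequiredAnswer {
  param([Parameter(Mandatory = $true)][string]$Prompt)
  Write-Host $Prompt
  $answer = "$(Read-Host)".Trim()
  if ([string]::IsNullOrWhiteSpace($answer)) {
    throw "An answer is required for: $Prompt"
  }
  Write-Host ""
  return $answer
}

<#
.SYNOPSIS
  Resolves a Microsoft Graph application permission name to its AppRole id.
.PARAMETER AppRoles
  The AppRoles collection of the Microsoft Graph service principal.
.PARAMETER Value
  Permission name, e.g. "Mail.Read".
.OUTPUTS
  The AppRole id. Throws when the permission does not exist instead of indexing
  into an empty result.
#>
function Get-GraphAppRoleId {
  param(
    [Parameter(Mandatory = $true)]$AppRoles,
    [Parameter(Mandatory = $true)][string]$Value
  )
  $matches = @($AppRoles | Where-Object { $_.Value -eq $Value })
  if ($matches.Count -eq 0) {
    throw "Microsoft Graph application permission '$Value' was not found."
  }
  return $matches[0].Id
}

<#
.SYNOPSIS
  Runs Test-ApplicationAccessPolicy for one mailbox and reports whether the result
  matches the expectation.
.PARAMETER Identity
  Mailbox to test.
.PARAMETER AppId
  Application (client) id of the app registration.
.PARAMETER Expected
  Expected AccessCheckResult value ("Granted" or "Denied").
.PARAMETER SuccessMessage
  Text printed in green when the result matches.
.PARAMETER FailureMessage
  Text printed in red when it does not.
#>
function Test-MailboxAccess {
  param(
    [Parameter(Mandatory = $true)][string]$Identity,
    [Parameter(Mandatory = $true)][string]$AppId,
    [Parameter(Mandatory = $true)][string]$Expected,
    [Parameter(Mandatory = $true)][string]$SuccessMessage,
    [Parameter(Mandatory = $true)][string]$FailureMessage
  )
  $result = Test-ApplicationAccessPolicy -Identity $Identity -AppId $AppId
  Write-Host "$result"
  if ($result -and $result.AccessCheckResult -eq $Expected) {
    Write-Host $SuccessMessage -ForegroundColor Green
  } else {
    # NOTE(review): a freshly created policy may not have propagated yet; if this
    # fails right after creation, re-run the script later before investigating.
    Write-Host $FailureMessage -ForegroundColor Red
  }
  Write-Host ($result | ConvertTo-Json)
}

Write-Host @"
SIGPARSER MICROSOFT 365 SETUP TOOL
--------------------
This tool will help you configure either the on premise mining engine or the cloud mining engine with Microsoft 365.
You will need to be an IT administrator to use this.

Feel free to read thru the script to see what it is doing. You can change this .ps1 file if you need to change the defaults options.

Current values:
`$MAIL_SECURITY_GROUP_NAME = $MAIL_SECURITY_GROUP_NAME
`$SIGPARSER_APP_NAME = $SIGPARSER_APP_NAME

Please answer the following questions:
"@
Write-Host ""

# Read inputs
$upn = Read-RequiredAnswer -Prompt "Question: What mailbox to you want to add to the group to start with for testing purposes? (don't use the domain, must just be the username) example: mark.rogers"
$upnDenyAccess = Read-RequiredAnswer -Prompt "Question: What mailbox should be tested to confirm it is NOT accessible after this setup runs? This will be used for test. (don't use the domain, must be the username) example: john.smith "

Write-Host ""
Write-Host "----------------------"
Write-Progress -Activity "Install Azure Active Directory" -PercentComplete 5
Write-Host "INSTALL AZURE ACTIVE DIRECTORY"
Write-Host " Installing AzureAD if not already installed"
Write-Host " Accept the installation of Nuget and trust the gallery if asked."
# NOTE(review): the AzureAD module has been deprecated by Microsoft in favour of the
# Microsoft Graph PowerShell SDK; it still works for this flow but a migration should be planned.
Install-ModuleIfMissing -Name AzureAD
Import-Module AzureAD

Write-Progress -Activity "Login to Azure Active Directory" -PercentComplete 15
Write-Host ""
Write-Host "----------------------"
Write-Host "LOGIN TO AZURE WITH AN ACCOUNT THAT CAN CREATE AN APP REGISTRATION"
Connect-AzureAD

Write-Progress -Activity "Create app registration" -PercentComplete 25
Write-Host ""
Write-Host "----------------------"
Write-Host "CREATE APP REGISTRATION"
$myApp = Get-AzureADApplication -Filter "DisplayName eq '$SIGPARSER_APP_NAME'" -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $myApp) {
  # No reply URLs are registered: the app only uses application (client credential)
  # permissions, so it never receives a browser redirect.
  $myApp = New-AzureADApplication -DisplayName $SIGPARSER_APP_NAME
  Write-Host "Created app registration"
} else {
  Write-Host "App registration already exists"
}
$myAppId = $myApp.AppId

Write-Host "Create secret"
# Every run mints a new client secret. Earlier secrets stay valid until they expire or are
# removed with Remove-AzureADApplicationPasswordCredential, so prune them periodically.
$startDate = Get-Date
$endDate = $startDate.AddMonths(23).AddDays(25)
$secret = New-AzureADApplicationPasswordCredential -ObjectId $myApp.ObjectId -CustomKeyIdentifier "SigParser Mailboxes Secret" -StartDate $startDate -EndDate $endDate
$secretValue = $secret.Value
Start-Sleep -Seconds 2

Write-Progress -Activity "Add permissions" -PercentComplete 35
Write-Host ""
Write-Host "----------------------"
Write-Host "ADD PERMISSIONS"
# Examples: https://stackoverflow.com/questions/42164581/how-to-configure-a-new-azure-ad-application-through-powershell
# Look up the Microsoft Graph service principal; its AppRoles hold the permission ids.
$msGraph = Get-AzureADServicePrincipal -All $true | Where-Object { $_.AppId -eq $MS_GRAPH_APP_ID } | Select-Object -First 1
if (-not $msGraph) {
  throw "The Microsoft Graph service principal was not found in this tenant."
}
Write-Host "$($msGraph.ObjectId)"

$req = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$req.ResourceAppId = $MS_GRAPH_APP_ID
# "Role" = application permission (as opposed to "Scope" = delegated permission).
$req.ResourceAccess = @(
  foreach ($roleName in $GRAPH_APP_ROLES) {
    $roleId = Get-GraphAppRoleId -AppRoles $msGraph.AppRoles -Value $roleName
    New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "$roleId", "Role"
  }
)
# Replaces the app's required permissions with exactly this set.
Set-AzureADApplication -ObjectId $myApp.ObjectId -RequiredResourceAccess @($req)

Write-Progress -Activity "Install Exchange Online Management Powershell module" -PercentComplete 50
Write-Host ""
Write-Host "----------------------"
Write-Host "INSTALL EXCHANGE ONLINE POWERSHELL MODULE"
# ExchangeOnlineManagement provides Connect-ExchangeOnline and the *-DistributionGroup /
# *-ApplicationAccessPolicy cmdlets used below, so it must be installed and imported
# before the connection is attempted.
Install-ModuleIfMissing -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Write-Host "Login to the Exchange account where your Groups are set. We'll use this to add groups."
Connect-ExchangeOnline

# Create mail enabled security group
Write-Progress -Activity "Create mail enabled security group" -PercentComplete 55
Write-Host ""
Write-Host "----------------------"
Write-Host "CREATE MAIL ENABLED SECURITY GROUP ($MAIL_SECURITY_GROUP_NAME)"
$mailSecGroup = Get-DistributionGroup -Identity $MAIL_SECURITY_GROUP_NAME -ErrorAction SilentlyContinue
if (-not $mailSecGroup) {
  $mailSecGroup = New-DistributionGroup -Name $MAIL_SECURITY_GROUP_NAME -Alias sigparser-mailboxes -Type security
  Write-Host "Created security group"
} else {
  Write-Host "Security group already exists"
}
Get-DistributionGroup -Identity $mailSecGroup.PrimarySmtpAddress
$mailSecGroupId = $mailSecGroup.ExternalDirectoryObjectId

$user = Get-User -Identity $upn
if (-not $user) {
  throw "User '$upn' was not found in Exchange Online."
}
# Compare on Name: the original compared the member's Name against the whole User object,
# which never matched and re-added the member on every run.
$alreadyMember = Get-DistributionGroupMember -Identity $mailSecGroup.Id | Where-Object { $_.Name -eq $user.Name }
if (-not $alreadyMember) {
  Add-DistributionGroupMember -Identity $mailSecGroup.Id -Member $upn
}

Write-Progress -Activity "Create application access policy" -PercentComplete 85
Write-Host ""
Write-Host "----------------------"
Write-Host "CREATE APPLICATION ACCESS POLICY (if you get duplicate error ignore it)"
# NOTE(review): ScopeIdentity is compared with the group Id as in the original script;
# confirm on a second run that this detects the existing policy, otherwise the
# duplicate error mentioned above will appear each time.
$existingPolicy = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $myApp.AppId -and $_.ScopeIdentity -eq $mailSecGroup.Id }
if (-not $existingPolicy) {
  # RestrictAccess: the app may only reach mailboxes that are members of the group.
  New-ApplicationAccessPolicy -PolicyScopeGroupId $mailSecGroup.PrimarySmtpAddress -AppId $myApp.AppId -AccessRight RestrictAccess -Description "Restrict SigParser's access"
} else {
  Write-Warning "Not creating ApplicationAccessPolicy because the policy already exists"
}

Write-Progress -Activity "Test application access policy" -PercentComplete 88
Write-Host ""
Write-Host "----------------------"
Write-Host "TEST ALLOW ACCESS TO MAILBOX ($upn)"
Test-MailboxAccess -Identity $upn -AppId $myApp.AppId -Expected "Granted" `
  -SuccessMessage "Success, confirmed $upn has access." `
  -FailureMessage "Error: $upn does not have access."

Write-Host ""
Write-Host ""
Write-Host "TEST DENY ACCESS TO MAILBOX ($upnDenyAccess)"
Test-MailboxAccess -Identity $upnDenyAccess -AppId $myApp.AppId -Expected "Denied" `
  -SuccessMessage "Success, confirmed $upnDenyAccess mailbox is not accessible." `
  -FailureMessage "Error: $upnDenyAccess mailbox is granted access. You should confirm the user is not in the group ""$MAIL_SECURITY_GROUP_NAME"" already."

Write-Progress -Activity "Get tenant ID" -PercentComplete 90
Write-Host ""
Write-Host "----------------------"
Write-Host "GET TENANT ID"
$tenant = Get-AzureADTenantDetail
$tenantID = $tenant.ObjectId

Write-Progress -Activity "Done" -PercentComplete 100
Write-Progress -Activity "Done" -Completed
Write-Host ""
Write-Host "----------------------"
Write-Host "SUCCESS!!!!" -ForegroundColor Green
Write-Host ""
Write-Host ""
Write-Host "----------------------"
Write-Host "MANUAL STEPS"
Write-Host ""
Write-Host "1. Open your browser and go to https://portal.azure.com."
Write-Host "2. Find the App ""$SIGPARSER_APP_NAME"" and go to ""API Permissions"" and click ""Grant admin consent for ???"""
Write-Host "3. Copy and paste the values into the website fields"
Write-Host ""
Write-Host "Security Group ID: $mailSecGroupId"
Write-Host "Application (Client) ID: $myAppId"
Write-Host "Directory (Tenant) ID: $tenantID"
# The secret is shown once so it can be pasted into SigParser. Anything capturing the
# console (Start-Transcript, terminal logging) will also contain it; clear such logs
# afterwards and rotate the secret if the output was shared.
Write-Host "Client secret: $secretValue"
Write-Host ""
Write-Host ""
Write-Host ""
Write-Host "4. Add users to the new group called ""$MAIL_SECURITY_GROUP_NAME"""
Write-Host ""
Write-Host ""
Write-Host "Hit Enter when done. You can run this again; the group, application and tenant IDs stay the same, but a new client secret is created on each run."
Read-Host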