# Microsoft Exchange Online

### Overview

{% hint style="info" %}
**Prerequisites:** Exchange Online is an optional service within the Azure integration. You must first have a working [Azure integration](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure.md) configured before enabling Exchange Online discovery.
{% endhint %}

This extension to the Microsoft Azure integration enables visibility into Exchange Online mailboxes, permissions, and distribution groups. It uses Exchange Online REST APIs to execute PowerShell cmdlets remotely, providing insights into mail-related permissions and access controls within Microsoft 365. This includes:

* Mapping Exchange Online users to Azure AD identities
* Discovering mailbox delegations and permissions
* Identifying shared mailbox access
* Showing distribution group configurations
* Visibility into folder-level permissions

**Architecture**: The integration connects to Exchange Online using Azure service authentication patterns and makes REST API calls that execute PowerShell cmdlets. All data collection is read-only and focuses on mailbox permissions, folder permissions, and distribution group configurations. The integration uses client credential flow with Azure to obtain OAuth tokens for Exchange Online API access, with the requested scope: `https://outlook.office365.com/.default`

### Azure Integration Requirements

#### Azure App Configuration

The Exchange Online integration authenticates with the certificate-based credentials of the configured [Azure integration](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure.md). You will need to:

Grant additional API permissions to the existing Azure application:

* Add Application permission: **Office 365 Exchange Online** > `Exchange.ManageAsApp`
* Grant admin consent for the permission in your organization

Assign the following Microsoft Entra roles to the application:

* Exchange Administrator

{% hint style="info" %}
`Exchange.ManageAsApp` enables app-only authentication to Exchange Online but does not grant cmdlet access on its own. Microsoft also requires an Entra directory role assigned to the service principal to authorize cmdlet execution. Veza uses read-only cmdlets only.
{% endhint %}

{% hint style="warning" %}
**Important:** The Exchange Administrator role must be assigned to the **Enterprise Application** (service principal), not the App Registration. In Microsoft Entra ID, navigate to **Roles and administrators > Exchange Administrator > Assignments** and verify your Enterprise Application is listed. Do not confuse it with the App Registration of the same name. If the role was recently assigned, allow 5–15 minutes for propagation before retesting.
{% endhint %}
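An added troubleshooting check, not part of the Veza documentation or product: after requesting a client-credential token for the `https://outlook.office365.com/.default` scope, inspect its claims to confirm that `Exchange.ManageAsApp` was actually granted and consented. It assumes that app-only tokens for Exchange Online list granted application permissions in the `roles` claim and carry the audience `https://outlook.office365.com`; the Entra directory role (Exchange Administrator) is not visible in the token, so that assignment must still be verified in the portal as described above.

```python
import base64
import json
import time
from typing import List, Optional

# Assumptions (not from the Veza page): app-only tokens for Exchange Online
# carry the consented application permissions in the "roles" claim and are
# issued for this audience. Only the payload is inspected; signature
# verification is done by the API, not by this local check.
EXPECTED_AUDIENCE = "https://outlook.office365.com"
REQUIRED_ROLE = "Exchange.ManageAsApp"


def decode_jwt_payload(token: str) -> dict:
    """Return the JSON payload of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_exchange_token(token: str, now: Optional[float] = None) -> List[str]:
    """Return a list of problems; an empty list means the token looks usable."""
    claims = decode_jwt_payload(token)
    problems = []
    if claims.get("aud") != EXPECTED_AUDIENCE:
        problems.append(f"audience is {claims.get('aud')!r}, expected {EXPECTED_AUDIENCE!r}")
    if REQUIRED_ROLE not in claims.get("roles", []):
        problems.append(f"{REQUIRED_ROLE} missing from roles: admin consent not granted?")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        problems.append("token is expired")
    return problems


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _fake_jwt(payload: dict) -> str:
    """Build an unsigned JWT for the constructed samples below (test data only)."""
    return ".".join([_b64url(b'{"alg":"none"}'), _b64url(json.dumps(payload).encode()), ""])


# Constructed samples: consent granted vs. consent missing (exp = 2100-01-01).
GOOD_TOKEN = _fake_jwt({"aud": EXPECTED_AUDIENCE, "roles": ["Exchange.ManageAsApp"], "exp": 4102444800})
NO_CONSENT_TOKEN = _fake_jwt({"aud": EXPECTED_AUDIENCE, "roles": [], "exp": 4102444800})

if __name__ == "__main__":
    print(check_exchange_token(GOOD_TOKEN))        # []
    print(check_exchange_token(NO_CONSENT_TOKEN))  # one problem about the missing role
```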

### Enable Exchange Online for the Azure Integration

To enable extraction for Exchange Online, you will need to enable the optional service for your Azure integration:

1. On the Veza **Integrations** page, find the Azure integration and click **Actions** > **Edit**
2. In the configuration details, scroll down to **Limit Services**
3. Click **Limited Services**
4. In the **Select Services** dropdown, select **Exchange Online**
5. Ensure that all other services you want to extract are selected.
6. Click **Save Configuration** at the top right to update the integration settings

![Enabling optional services for the Azure integration](/files/QDvpojPiLbCJ9TWDUmiV)

Note that Exchange is not enabled by default when **All Services** is chosen.

### Notes and Supported Entities

The Exchange Online integration supports the following relationships between graph entities:

User Relationships: Azure AD users are mapped to their corresponding Exchange Online user or mail user accounts.

Exchange Online Instances have direct relationships to:

* Users (HAS\_USER)
* Mail Users (HAS\_MAIL\_USER)
* Mailboxes (HAS\_MAILBOX)
* Distribution Groups (HAS\_DISTRIBUTION\_GROUP)

Users and Mail Users can have permissions:

1. **Mailbox Permissions** (HAS\_MAILBOX\_PERMISSION)
   * Controls overall mailbox access
   * Points to target mailbox via ON\_MAILBOX relationship
2. **Folder Permissions** (HAS\_MAILBOX\_FOLDER\_PERMISSION)
   * Controls access to specific folders
   * Points to target folder via ON\_MAILBOX\_FOLDER relationship
3. **Recipient Permissions** (HAS\_RECIPIENT\_PERMISSION)
   * Can target either mailboxes or distribution groups
   * Uses ON\_MAILBOX or ON\_DISTRIBUTION\_GROUP relationships
4. **Send-on-Behalf Permissions** (HAS\_SEND\_ON\_BEHALF\_PERMISSION)
   * Allows sending mail as another identity
   * Can target mailboxes or distribution groups

Mailbox Structure:

* Mailboxes contain folders (HAS\_MAILBOX\_FOLDER)
* Each folder can have its own permissions
* Folders maintain parent-child relationships through folder IDs

#### Exchange Online Instance

Root entity representing an Exchange Online environment.

| Attribute                      | Type    | Description                         |
| ------------------------------ | ------- | ----------------------------------- |
| *Standard instance properties* | Various | Common properties for all instances |

#### Exchange Online User

Represents users with Exchange Online mailboxes.

| Attribute                        | Type      | Description              |
| -------------------------------- | --------- | ------------------------ |
| guid                             | String    | Global unique identifier |
| identity                         | String    | User identity            |
| entity\_name                     | String    | Display name             |
| alias                            | String    | Email alias              |
| email\_addresses                 | String\[] | List of email addresses  |
| primary\_smtp\_address           | String    | Primary email address    |
| recipient\_type\_details         | String    | Type of recipient        |
| created\_at                      | Timestamp | Creation timestamp       |
| updated\_at                      | Timestamp | Last update timestamp    |
| user\_principal\_name            | String    | User principal name      |
| exchange\_user\_account\_control | String    | Account control settings |
| account\_disabled                | Boolean   | Account status           |
| identity\_type                   | String    | Type of identity         |
| is\_active                       | Boolean   | Active status            |

**Notable Field Values:**

* `recipient_type_details`: Includes "UserMailbox" for standard user mailboxes
* `identity_type`: Default is "human"

#### Exchange Online Mail User

Represents external mail users (without mailboxes).

| Attribute                        | Type      | Description              |
| -------------------------------- | --------- | ------------------------ |
| guid                             | String    | Global unique identifier |
| identity                         | String    | User identity            |
| entity\_name                     | String    | Display name             |
| alias                            | String    | Email alias              |
| email\_addresses                 | String\[] | List of email addresses  |
| primary\_smtp\_address           | String    | Primary email address    |
| recipient\_type\_details         | String    | Type of recipient        |
| created\_at                      | Timestamp | Creation timestamp       |
| updated\_at                      | Timestamp | Last update timestamp    |
| user\_principal\_name            | String    | User principal name      |
| exchange\_user\_account\_control | String    | Account control settings |
| account\_disabled                | Boolean   | Account status           |
| identity\_type                   | String    | Type of identity         |
| is\_active                       | Boolean   | Active status            |

**Notable Field Values:**

* `identity_type`: Default is "human"
* `is_active`: Inverse of account\_disabled value

#### Exchange Online Mailbox

Represents email mailboxes.

| Attribute                             | Type      | Description              |
| ------------------------------------- | --------- | ------------------------ |
| guid                                  | String    | Global unique identifier |
| identity                              | String    | Mailbox identity         |
| entity\_name                          | String    | Display name             |
| alias                                 | String    | Email alias              |
| email\_addresses                      | String\[] | List of email addresses  |
| primary\_smtp\_address                | String    | Primary email address    |
| recipient\_type\_details              | String    | Type of recipient        |
| created\_at                           | Timestamp | Creation timestamp       |
| updated\_at                           | Timestamp | Last update timestamp    |
| hidden\_from\_address\_lists\_enabled | Boolean   | Hidden from GAL status   |
| is\_mailbox\_enabled                  | Boolean   | Mailbox enabled status   |
| is\_resource                          | Boolean   | Resource mailbox flag    |
| is\_shared                            | Boolean   | Shared mailbox flag      |
| linked\_master\_account               | String    | Linked master account    |
| role\_assignment\_policy              | String    | Role assignment policy   |

#### Exchange Online Mailbox Folder

Represents folders within mailboxes.

| Attribute          | Type      | Description           |
| ------------------ | --------- | --------------------- |
| identity           | String    | Folder identity       |
| folder\_path       | String    | Full folder path      |
| entity\_name       | String    | Folder name           |
| folder\_type       | String    | Type of folder        |
| items\_in\_folder  | Number    | Item count            |
| created\_at        | Timestamp | Creation timestamp    |
| updated\_at        | Timestamp | Last update timestamp |
| folder\_id         | String    | Unique folder ID      |
| parent\_folder\_id | String    | Parent folder ID      |
| container\_class   | String    | Container class       |

**Notable Field Values:**

* `container_class`: Common values include "IPF.Note" (mail), "IPF.Calendar", "IPF.Contact", "IPF.Task"

#### Exchange Online Distribution Group

Represents email distribution groups.

| Attribute                                | Type      | Description              |
| ---------------------------------------- | --------- | ------------------------ |
| guid                                     | String    | Global unique identifier |
| identity                                 | String    | Group identity           |
| entity\_name                             | String    | Display name             |
| alias                                    | String    | Email alias              |
| email\_addresses                         | String\[] | List of email addresses  |
| primary\_smtp\_address                   | String    | Primary email address    |
| recipient\_type\_details                 | String    | Type of recipient        |
| created\_at                              | Timestamp | Creation timestamp       |
| updated\_at                              | Timestamp | Last update timestamp    |
| group\_type                              | String    | Type of group            |
| hidden\_group\_membership\_enabled       | Boolean   | Hidden membership status |
| hidden\_from\_address\_lists\_enabled    | Boolean   | Hidden from GAL status   |
| require\_sender\_authentication\_enabled | Boolean   | Require sender auth      |
| managed\_by                              | String\[] | List of managers         |

#### Exchange Online Send-On-Behalf Permission

Represents send-as rights.

| Attribute                  | Type | Description |
| -------------------------- | ---- | ----------- |
| *No additional properties* | -    | -           |

#### Exchange Online Mailbox Permission

Controls access to mailboxes.

| Attribute         | Type      | Description           |
| ----------------- | --------- | --------------------- |
| inheritance\_type | String    | Type of inheritance   |
| access\_rights    | String\[] | List of access rights |
| deny              | String    | Deny flag             |
| is\_inherited     | Boolean   | Inheritance status    |

**Notable Field Values:**

* `inheritance_type`:
  * "None"
  * "All" (default)
  * "Children"
  * "Descendents"
  * "SelfAndChildren"
* `access_rights`:
  * "ChangeOwner"
  * "ChangePermission"
  * "DeleteItem"
  * "ExternalAccount"
  * "FullAccess"
  * "ReadPermission"

#### Exchange Online Recipient Permission

Controls access to mailboxes or distribution groups.

| Attribute             | Type      | Description            |
| --------------------- | --------- | ---------------------- |
| access\_control\_type | String    | Type of access control |
| access\_rights        | String\[] | List of access rights  |
| inheritance\_type     | String    | Type of inheritance    |
| is\_inherited         | Boolean   | Inheritance status     |

**Notable Field Values:**

* `inheritance_type`: Same values as Mailbox Permission

#### Exchange Online Mailbox Folder Permission

Controls access to specific folders.

| Attribute                  | Type      | Description              |
| -------------------------- | --------- | ------------------------ |
| identity                   | String    | Permission identity      |
| access\_rights             | String\[] | List of access rights    |
| folder\_name               | String    | Associated folder name   |
| sharing\_permission\_flags | String    | Sharing permission flags |

**Notable Field Values:**

* `access_rights`:
  * "None" - No access
  * "CreateItems" - Create items in folder
  * "CreateSubfolders" - Create subfolders
  * "DeleteAllItems" - Delete all items
  * "DeleteOwnedItems" - Delete own items
  * "EditAllItems" - Edit all items
  * "EditOwnedItems" - Edit own items
  * "FolderContact" - Folder contact
  * "FolderOwner" - Folder owner
  * "FolderVisible" - View folder
  * "ReadItems" - Read items
  * "AvailabilityOnly" - View calendar availability
  * "LimitedDetails" - View availability with subject/location

**Pre-defined Permission Roles:**

* Author: CreateItems, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems
* Contributor: CreateItems, FolderVisible
* Editor: CreateItems, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems
* NonEditingAuthor: CreateItems, DeleteOwnedItems, FolderVisible, ReadItems
* Owner: All permissions
* PublishingAuthor: CreateItems, CreateSubfolders, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems
* PublishingEditor: CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems
* Reviewer: FolderVisible, ReadItems
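An added example, not Veza's own code, that applies the Mailbox Permission and Mailbox Folder Permission models above to extracted records: it resolves a folder permission's `access_rights` list back to one of the pre-defined roles (reporting any non-standard set as custom) and lists the trustees holding a direct, non-denied `FullAccess` grant on a mailbox. The role table is transcribed from the list above; reading "Owner: All permissions" as every listed folder right except the calendar-only `AvailabilityOnly` and `LimitedDetails` is an assumption, as is the record layout of the constructed sample data.

```python
from typing import Dict, FrozenSet, List

# Role definitions transcribed from the "Pre-defined Permission Roles" list.
# Owner is assumed to be every listed right except the two calendar-only ones.
FOLDER_ROLES: Dict[str, FrozenSet[str]] = {
    "Reviewer": frozenset({"FolderVisible", "ReadItems"}),
    "Contributor": frozenset({"CreateItems", "FolderVisible"}),
    "NonEditingAuthor": frozenset({"CreateItems", "DeleteOwnedItems", "FolderVisible", "ReadItems"}),
    "Author": frozenset({"CreateItems", "DeleteOwnedItems", "EditOwnedItems", "FolderVisible", "ReadItems"}),
    "PublishingAuthor": frozenset({"CreateItems", "CreateSubfolders", "DeleteOwnedItems", "EditOwnedItems", "FolderVisible", "ReadItems"}),
    "Editor": frozenset({"CreateItems", "DeleteAllItems", "DeleteOwnedItems", "EditAllItems", "EditOwnedItems", "FolderVisible", "ReadItems"}),
    "PublishingEditor": frozenset({"CreateItems", "CreateSubfolders", "DeleteAllItems", "DeleteOwnedItems", "EditAllItems", "EditOwnedItems", "FolderVisible", "ReadItems"}),
    "Owner": frozenset({"CreateItems", "CreateSubfolders", "DeleteAllItems", "DeleteOwnedItems", "EditAllItems", "EditOwnedItems", "FolderContact", "FolderOwner", "FolderVisible", "ReadItems"}),
}


def folder_role(access_rights: List[str]) -> str:
    """Map a folder permission's access_rights list to a pre-defined role name.
    Only an exact match counts; any other combination is reported as custom."""
    rights = frozenset(access_rights)
    if rights <= {"None"}:
        return "None"
    for name, role_rights in FOLDER_ROLES.items():
        if rights == role_rights:
            return name
    return "Custom(" + ",".join(sorted(rights)) + ")"


def explicit_full_access(permissions: List[dict]) -> List[str]:
    """Return trustees with a direct (not inherited), non-denied FullAccess grant.
    Each record mirrors the Mailbox Permission attributes; deny is kept as a
    string because the page types it as String, so it is compared textually."""
    return sorted(
        p["user"] for p in permissions
        if "FullAccess" in p["access_rights"]
        and not p["is_inherited"]
        and str(p["deny"]).lower() != "true"
    )


# Constructed sample records (hypothetical users, not real tenant data).
SAMPLE_MAILBOX_PERMISSIONS = [
    {"user": "alice@example.com", "access_rights": ["FullAccess"], "is_inherited": False, "deny": "False"},
    {"user": "bob@example.com", "access_rights": ["FullAccess"], "is_inherited": False, "deny": "True"},
    {"user": "carol@example.com", "access_rights": ["FullAccess", "ReadPermission"], "is_inherited": True, "deny": "False"},
    {"user": "dave@example.com", "access_rights": ["ReadPermission"], "is_inherited": False, "deny": "False"},
]

if __name__ == "__main__":
    print(folder_role(["ReadItems", "FolderVisible"]))           # Reviewer
    print(folder_role(["FolderVisible", "ReadItems", "DeleteAllItems"]))  # Custom(...)
    print(explicit_full_access(SAMPLE_MAILBOX_PERMISSIONS))      # ['alice@example.com']
```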
