For reading an on-prem AD and syncing directly to Exchange on-prem mailboxes we will need following:An on-prem service account
- With access to the on-prem AD (we will use this user to run itrezzo services and read the on-prem AD)
- Member of the “local administrator” group on the server where the software will be installed
- Grant “log-on as service” rights on the server where the software will be installed
- Mail enabled – will be used to store majority of the itrezzo UCM software configuration, including licenses
- Able to receive mail from internet (for licensing)
- With Application Impersonation role
- All retention policies and archiving must be disabled on this mailbox
For reading an on-prem AD and syncing directly to Office 365 mailboxes we will need following:An on-prem user
- With access to the on-prem AD (we will use this user to run itrezzo services and read the on-prem AD)
- Member of the “local administrator” group on the server where the software will be installed
- Grant “log-on as service” rights on the server where the software will be installed
An O365 service account
- Mail enabled – will be used to store majority of the itrezzo UCM software configuration, including licenses
- Able to receive mail from internet (for licensing)
- With Application Impersonation role
- All retention policies and archiving must be disabled on this mailbox
We have two options for authenticating access to targeted user mailboxes:
- MS access token
- issued using Azure consent framework
- requires token renewal in 90-day period
- Certificate Based Authentication
- certificate can be created using the tool available in itrezzo Admin and can be set with desired expiration date
- certificate creation will require Global Admin approval
- certificate overview: https://itrezzo.com/support/certificate-based-authorization-with-itrezzo-ucm/)
- with this option, after the initial set up, Application Impersonation role could be removed from the O365 service account
For reading an on-prem AD and syncing directly to both Exchange on-prem and O365 mailboxes we will need following:An on-prem service account
- With access to the on-prem AD (we will use this user to run itrezzo services and read the on-prem AD)
- Member of the “local administrator” group on the server where the software will be installed
- Grant “log-on as service” rights on the server where the software will be installed
- Mail enabled – will be used to store majority of the itrezzo UCM software configuration, including licenses
- Able to receive mail from internet (for licensing)
- With Application Impersonation role
- All retention policies and archiving must be disabled on this mailbox
An O365 service account
- Without Exchange Online license
- With Application Impersonation role
We have two options for authenticating access to targeted user mailboxes:
- MS access token
- issued using Azure consent framework
- requires token renewal in 90-day period
- Certificate Based Authentication
- certificate can be created using the tool available in itrezzo Admin and can be set with desired expiration date
- certificate creation will require Global Admin approval
- certificate overview: https://itrezzo.com/support/certificate-based-authorization-with-itrezzo-ucm/)
- with this option, after the initial set up, Application Impersonation role could be removed from the O365 service account
Cloud only configuration – reading Azure AD and syncing directly to Office 365 mailboxes:An O365 service account
- Mail enabled – will be used to store majority of the itrezzo UCM software configuration, including licenses
- Able to receive mail from internet (for licensing)
- With Application Impersonation role
- All retention policies and archiving must be disabled on this mailbox
We will use Graph API to read Azure AD which will require Admin approval. Following are permissions used for accessing Azure AD:
- Read directory data
- Read users profiles
- Access organization directory
Please note that set up in this environment does not need a dedicated on-prem user. System account will be used to start itrezzo services and itrezzo server Admin user to access UCM Admin application. Additional role based users can be added using UCM Admin Security configuration.We have two options for authenticating access to targeted user mailboxes:
- MS access token
- issued using Azure consent framework
- requires token renewal in 90-day period
- Certificate Based Authentication
- certificate can be created using the tool available in itrezzo Admin and can be set with desired expiration date
- certificate creation will require Global Admin approval
- certificate overview: https://itrezzo.com/support/certificate-based-authorization-with-itrezzo-ucm/)
- with this option, after the initial set up, Application Impersonation role could be removed from the O365 service account
NOTE: The Service Account MUST NOT be a ‚Managed Service Account (MSA). An MSA’s password is not managed by any Administrator, but the server itself. Since the password is managed by the server, the password is automatically changed every 30 days. This causes all itrezzo UCM services to stop working every 30 days.