Configure Microsoft Exchange for Crawling and Classification

When preparing your Exchange Server for data classification, note that on-premise Exchange Server supports only Basic authentication for the crawling account, while Exchange Online supports either Modern authentication or Basic authentication. Both scenarios are described in the sections below.

Basic Authentication

This method is supported for Exchange Online and on-premise Exchange organizations. You should configure sufficient permissions that will allow the crawling account to impersonate the mailboxes that you wish to crawl. This requires the setup of two permissions:

  • ApplicationImpersonation—Allows the crawling account to impersonate each of the mailboxes / users configured for collection
  • Mailbox Search—Allows the crawling account to enumerate mailboxes (automatic discovery of mailboxes)

Review the related procedure that corresponds to your Exchange deployment:

Exchange Online

  1. Log in to the Office 365 Exchange Admin Portal.
  2. Go to Permissions, then under admin roles click the '+' symbol to add a new role and enter the Name and Description 'NetwrixCrawlerImpersonation'.
  3. Click the '+' symbol under Roles: and select the ApplicationImpersonation and Mailbox Search roles.
  4. Click add → and then OK.
  5. Click the '+' symbol under Members: and select your Admin User.
  6. Click add → and then OK.

Exchange Server (On-Premise)

  1. Log in to one of the Exchange servers (RDP).
  2. Open a PowerShell window.
  3. Run the following commands (replacing ADMINUSERNAME with the username of your crawling account):

    New-ManagementRoleAssignment -Name "NetwrixCrawlerImpersonation" -Role "ApplicationImpersonation" -User ADMINUSERNAME

    New-ManagementRoleAssignment -Name "NetwrixCrawlerSearch" -Role "Mailbox Search" -User ADMINUSERNAME
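
A check to run in the Exchange Management Shell after the commands above (an added example, not part of the original Netwrix procedure): it confirms that the crawling account holds both roles, shows the scope of each assignment, and lists every account that can currently impersonate mailboxes. The variable name `$CrawlAccount` is an assumption; replace ADMINUSERNAME as in step 3.

```powershell
# Added example. Assumes an Exchange Management Shell session with
# permission to read role assignments.
$CrawlAccount  = 'ADMINUSERNAME'   # replace with your crawling account
$requiredRoles = 'ApplicationImpersonation', 'Mailbox Search'

# 1. Confirm the crawling account holds both roles and show each scope.
#    -RoleAssignee returns direct assignments and those inherited via groups.
$held = foreach ($role in $requiredRoles) {
    $found = @(Get-ManagementRoleAssignment -Role $role -RoleAssignee $CrawlAccount |
               Where-Object { $_.Enabled })
    if ($found.Count -eq 0) {
        Write-Warning "No enabled '$role' assignment found for $CrawlAccount"
    }
    $found | Select-Object Name, Role, RoleAssigneeName,
                           RecipientWriteScope, CustomRecipientWriteScope
}
$held | Format-Table -AutoSize

# 2. List every effective holder of ApplicationImpersonation, so that
#    accounts other than the crawling account stand out during review.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
    Select-Object EffectiveUserName, Name, RoleAssigneeName, RecipientWriteScope |
    Sort-Object EffectiveUserName |
    Format-Table -AutoSize
```

A RecipientWriteScope of Organization means the account can impersonate every mailbox in the organization, not only the ones configured for collection.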

NOTE: If you are crawling Microsoft Office 365 for Small Business or one of the many hosted Exchange systems, it is not possible to set up Application Impersonation.

Modern Authentication

Starting with version 5.5.3, Netwrix Data Classification allows for crawling Microsoft Exchange Online organization mailboxes using Modern authentication. To do this, it uses an Azure AD application that can leverage the Microsoft API to connect to the Exchange Online organization.

If you plan to implement the scenario that involves modern authentication, you should do the following:

  1. Create Azure AD app for Modern Authentication.
  2. Configure Exchange Server source settings.