Configure Microsoft Exchange for Crawling and Classification
When preparing your Exchange Server for data classification, note that on-premise Exchange Server supports Basic authentication for the crawling account, while Exchange Online supports either Modern authentication or Basic authentication. Both scenarios are described in the sections below.
Basic authentication is supported for both Exchange Online and on-premise Exchange organizations. Grant the crawling account sufficient permissions to impersonate the mailboxes that you wish to crawl. This requires two permissions:
- ApplicationImpersonation—Allows the crawling account to impersonate each of the mailboxes / users configured for collection
- Mailbox Search—Allows the crawling account to enumerate mailboxes (automatic discovery of mailboxes)
Review the related procedure that corresponds to your Exchange deployment:
For Exchange Online (Office 365):
- Log in to the Office 365 Exchange Admin Portal.
- Go to Permissions, then under admin roles click the '+' symbol to add a new role and enter the Name and Description 'NetwrixCrawlerImpersonation'.
- Click the '+' symbol under Roles: and select the ApplicationImpersonation and Mailbox Search roles.
- Click add → and then OK.
- Click the '+' symbol under Members: and select your Admin User.
- Click add → and then OK.
For on-premise Exchange Server:
- Log in to one of the Exchange servers (RDP).
- Open a PowerShell window.
- Run the following commands (replacing ADMINUSERNAME with the username of your crawling account):
```powershell
New-ManagementRoleAssignment -Name "NetwrixCrawlerImpersonation" -Role "ApplicationImpersonation" -User ADMINUSERNAME
New-ManagementRoleAssignment -Name "NetwrixCrawlerSearch" -Role "Mailbox Search" -User ADMINUSERNAME
```
NOTE: If you are crawling Microsoft Office 365 for Small Business or many hosted Exchange systems, it is not possible to set up Application Impersonation.
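ApplicationImpersonation lets the crawling account act as every mailbox in its write scope, so it is worth confirming exactly what was granted and who else holds the role. The following read-only check is an added example, not part of the Netwrix documentation; the function names `Get-CrawlerRoleReport` and `Get-ImpersonationHolder` are hypothetical, and it assumes an Exchange Management Shell or Exchange Online PowerShell session:

```powershell
# Added example: read-only review of the crawling account's Exchange RBAC roles.
$CrawlAccount  = 'ADMINUSERNAME'   # placeholder used on this page: your crawling account
$ExpectedRoles = 'ApplicationImpersonation', 'Mailbox Search'

function Get-CrawlerRoleReport {
    param(
        [Parameter(Mandatory)] [string]   $Account,
        [Parameter(Mandatory)] [string[]] $Roles
    )
    foreach ($role in $Roles) {
        # -RoleAssignee returns direct assignments and those inherited through
        # role groups, so both procedures on this page are covered.
        $assignments = @(Get-ManagementRoleAssignment -RoleAssignee $Account -Role $role -ErrorAction SilentlyContinue)
        if ($assignments.Count -eq 0) {
            [pscustomobject]@{ Role = $role; Status = 'MISSING'; Assignment = $null; Via = $null; WriteScope = $null }
            continue
        }
        foreach ($a in $assignments) {
            # Flag impersonation that is not limited by a management scope.
            $status = if (-not $a.Enabled) { 'DISABLED' }
                      elseif ($role -eq 'ApplicationImpersonation' -and $a.RecipientWriteScope -eq 'Organization') { 'OK (all mailboxes)' }
                      else { 'OK' }
            [pscustomobject]@{
                Role       = $role
                Status     = $status
                Assignment = $a.Name
                Via        = $a.RoleAssigneeName     # the user, or the role group granting the role
                WriteScope = $a.RecipientWriteScope
            }
        }
    }
}

function Get-ImpersonationHolder {
    # Every principal that can impersonate mailboxes, with role groups expanded.
    Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
        Select-Object EffectiveUserName, RoleAssigneeName, AssignmentMethod, RecipientWriteScope, Enabled
}

Get-CrawlerRoleReport -Account $CrawlAccount -Roles $ExpectedRoles | Format-Table -AutoSize
Get-ImpersonationHolder | Format-Table -AutoSize
```

A `MISSING` row means the corresponding step above did not take effect for the crawling account; unexpected names in the second table are accounts that also hold impersonation rights and should be reviewed.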
Starting with version 5.5.3, Netwrix Data Classification can crawl Microsoft Exchange Online organization mailboxes using Modern authentication. For that, it uses an Azure AD application that leverages the Microsoft API to connect to the Exchange Online organization.
If you plan to implement the scenario that involves modern authentication, you should do the following: