Scenario
Due to the deprecation of the application impersonation role by Microsoft, you are looking to configure a new Entra ID registered application using the full_access_as_app permission for an on-premises Symprex product, but do not want to use the automated method of doing this.
Warning
This process requires knowledge of security certificates and an account with Global Administrator permissions for your Microsoft 365 tenant
Information
Newly created applications through the Microsoft admin portal can take some time to become active. We recommend waiting 24 hours between creating the application registration and configuring Email Signature Manager
Solution
This article will detail how to manually create an Entra ID registered application and assign a self-signed certificate in order to allow an on-premises Symprex product to integrate with Microsoft 365.
As part of this process, the setup wizard is able to generate a self-signed certificate and upload this to Entra. It is also possible to import an existing certificate from PFX file using a private key.
- Log on to the Entra portal at the Azure Portal and select the Microsoft Entra ID service
- Select the Manage -> App registrations menu option
- Select + New registration from the horizontal menu
- Name the application. We suggest Symprex {application name}
- Set the supported account types as required. For a single tenant select the top option
- Click the Register button to create the application
- This creates and opens the app. Select the API Permissions menu option then + Add a permission
- Select the APIs my organisation uses tab and type Office in the search box. Click the Office 365 Exchange Online option
- Select Application permissions, full_access_as_app and click Add permissions
- Select the Grant admin consent for {domain} option
- Select Yes to enable the permission for your domain
- A pop up will confirm the consent is granted, and permissions now show as Granted for {domain}
The application registration process is now completed. At this point, return to Email Signature Manager.
On starting Email Signature Manager, existing installations should select Configuration -> Environment Configuration as the screenshot below. For new installations a screen will be displayed by default, noting that the application must be configured.
- Select the correct option for your environment and click the Configure button
- Select the Use an existing Entra ID application option
- You will see the following screen. The Application and Directory ID values can be found by viewing the Application created in the steps at the start of the guide
- At this point, you can choose to select your own certificate file and enter the password for the certificate, or use the wizard to generate a self-signed certificate.
If you choose to use your own certificate, please follow the guidelines below:- A 2048-bit key length. While longer values are supported, the 2048-bit size is highly recommended for the best combination of security and performance.
- Microsoft Entra ID currently supports only the RSA cryptographic algorithm.
- The certificate should be signed using at minimum the SHA256 hash algorithm. Microsoft Entra ID also supports certificates signed with SHA384 and SHA512 hash algorithms.
- If generating a certificate using the wizard, select the validity and set the password for the certificate. You should keep a record of the password used.
- Name the certificate and save to a location on your ESM device
- The certificate details will be automatically completed in the wizard. Hit the Next button to proceed.
- You will see the completion screen, advising you that the application has been configured correctly. Click Finish to return to the main application.
- Test the mailbox access by selecting the Test Connectivity... option and selecting a mailbox to access