How to connect D&MCS to Exchange On-Premise

The easiest way to give D&MCS access is to create a service account that has delegation rights and Full Access to the target mailboxes.

A service account with delegation rights can read the delegated users' mailboxes, which is what allows D&MCS to scan them.

Every mailbox that D&MCS should scan must therefore be delegated to the service account. D&MCS then uses that one account to access all of the delegated mailboxes.

Step 1. Set up a new service account with a valid e-mail address.

We recommend naming the account GDPRscan@yourdomain.xx

- Make sure that the service account can send and receive e-mail

- Do NOT enable multi-factor authentication. D&MCS authenticates to EWS with basic authentication, which cannot complete an MFA challenge.

- Set the password to "do not expire"

- Because the account is protected by its password alone, use a long, randomly generated password, give it no administrative roles beyond those assigned in Step 2, and keep an eye on its sign-ins

Step 2 - Option 1. Assigning access using delegation

To access the individual mailboxes and shares we use a dedicated GDPR Scanner account with minimum rights. To create the GDPRscan account do the following:

  1. Log in with the global admin account
  2. Go to user admin and create a normal user account with a valid e-mail address. Name it GDPRscan@yourdomain.com
  3. Go to Exchange Admin Center -> Permissions -> Discovery Management and add the account GDPRscan@yourdomain.com to that role group

The above three steps let D&M see the mailboxes in your Exchange Server, but not read their content. To read the actual content of a mailbox, each mailbox that should be scanned must be delegated to GDPRscan@yourdomain.com; only then can GDPRscan@yourdomain.com read the content of that user's mailbox.

To set up delegation for a specific mailbox follow the steps below:

  1. Log in with a global admin account, or with an account that has the user admin role
  2. Go to the user whose mailbox you want to scan
  3. Edit user -> Mail Settings -> Mailbox permissions
  4. Under "Read and manage" (Full Access), add GDPRscan@yourdomain.com
  5. Repeat for every mailbox you want to add to the D&M Toolbox
  6. Wait for the rights to propagate through Exchange before starting a scan

Step 2 - Option 2. Assigning "Full Access" using PowerShell

Customise the script below to fit your organisation's specific installation. It opens a remote PowerShell session to your on-premises Exchange server (not the Exchange Online endpoint), prompts for the admin password instead of storing it in the script, and grants the service account Full Access on every user mailbox.

$serviceAccount = "GDPRscan@yourdomain.xx"         # Account to assign full mailbox access permissions to
$globalAdminUser = "TheGlobaladmin@yourdomain.xx"   # Account with rights to assign permissions
$exchangeServer  = "exchange.yourdomain.xx"         # FQDN of your on-premises Exchange server

# Prompt for the admin password rather than keeping it in plain text in the script
$Cred = Get-Credential -UserName $globalAdminUser -Message "Password for $globalAdminUser"

# Remote PowerShell session to the on-premises Exchange server (Kerberos authentication)
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "http://$exchangeServer/PowerShell/" -Credential $Cred -Authentication Kerberos
Import-PSSession $Session -AllowClobber

# Grant Full Access on every user mailbox. -AutoMapping $false stops every mailbox
# from being added automatically to the service account's own Outlook profile.
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} |
    ForEach-Object { Add-MailboxPermission -Identity $_.Identity -User $serviceAccount -AccessRights FullAccess -InheritanceType All -AutoMapping $false -WarningAction SilentlyContinue }

Remove-PSSession $Session

Remember to enable basic authentication for EWS on the Exchange Server, since D&MCS authenticates to EWS with basic authentication.

Before setting up the service account and delegating access, check that your Exchange server is configured correctly to use the 'Recycle bin' (deleted item retention, the Recoverable Items folder).

This ensures that deleted items can be recovered if needed. Microsoft's documentation describes how to configure deleted item retention.

For a shared mailbox, make sure that:

1. The on-premises AD is synced to Azure AD (this lets D&MCS read which mailboxes are shared)
2. The service account used for scanning via basic auth has a valid e-mail account and Full Access to every shared mailbox that should be scanned
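The following script is an added example, not part of the original page and not D&MCS's own code. It brings together the checks a practitioner wants after finishing Step 2: that the Full Access rights have actually propagated (step 6 of the delegation procedure) on both user and shared mailboxes, that EWS accepts basic authentication, that the password-only service account is limited to the protocol it needs, and that it holds no role assignments beyond Discovery Management. It assumes you run it in the Exchange Management Shell on the on-premises server (or in a remote session opened as in Option 2), that the service account is named GDPRscan as the page recommends, and that D&MCS only needs EWS; $exchangeServer is a placeholder for your own server name.

```powershell
# Added verification and hardening script for the GDPRscan service account.
# Assumptions: Exchange Management Shell on the on-premises server, service account
# named GDPRscan, D&MCS needs only EWS. $exchangeServer is a placeholder.
$serviceAccount = "GDPRscan@yourdomain.xx"
$exchangeServer = "EXCH01"   # placeholder: replace with your Exchange server's name

# 1. Find user and shared mailboxes that still lack a direct, non-denied FullAccess
#    entry for the service account. Run this after Option 1 or Option 2 to confirm
#    that the rights have propagated.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox
$missing = foreach ($mbx in $mailboxes) {
    $ace = Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            $_.User.ToString() -like "*GDPRscan*" -and
            $_.AccessRights -contains "FullAccess" -and
            -not $_.Deny -and -not $_.IsInherited
        }
    if (-not $ace) { $mbx }
}
"Mailboxes without FullAccess for ${serviceAccount}:"
$missing | Select-Object DisplayName, PrimarySmtpAddress, RecipientTypeDetails | Format-Table -AutoSize

# 2. Grant FullAccess where it is missing. -AutoMapping $false keeps hundreds of
#    mailboxes from being auto-added to the service account's Outlook profile.
$missing | ForEach-Object {
    Add-MailboxPermission -Identity $_.Identity -User $serviceAccount `
        -AccessRights FullAccess -InheritanceType All -AutoMapping $false `
        -WarningAction SilentlyContinue
}

# 3. Confirm EWS accepts basic authentication on this server.
Get-WebServicesVirtualDirectory -Server $exchangeServer |
    Select-Object Server, Name, BasicAuthentication, WindowsAuthentication
# If BasicAuthentication is False, enable it once per server:
# Set-WebServicesVirtualDirectory -Identity "$exchangeServer\EWS (Default Web Site)" -BasicAuthentication $true

# 4. Limit the password-only account to EWS. Assumption: D&MCS uses only EWS;
#    if it also needs MAPI or OWA, leave those protocols enabled.
Set-CASMailbox -Identity $serviceAccount -OWAEnabled $false -ActiveSyncEnabled $false `
    -PopEnabled $false -ImapEnabled $false -EwsEnabled $true

# 5. List every role the account holds, directly or through role groups. Anything
#    beyond the Discovery Management roles (Mailbox Search, Legal Hold) is excess.
Get-ManagementRoleAssignment -RoleAssignee $serviceAccount |
    Select-Object Role, RoleAssigneeName | Sort-Object Role -Unique
```

Run section 1 on its own first; an empty list means every mailbox is delegated and the propagation wait is over. Section 4 is the compensating control for the "no MFA" requirement in Step 1: with the account unable to use OWA, ActiveSync, POP or IMAP, a leaked password is only usable against EWS.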