# Exchange Online

> Exchange Online is an enterprise-class collaboration product by Microsoft that primarily focuses on sending, receiving and storing email messages.

## Creating an Exchange Online connection

Create the connection by using one of the following methods:

* [OAuth](#using-oauth)
* [Application Credentials](#using-application-credentials)

### Using OAuth

#### Creating your connection

1. In the Blink platform, navigate to the **Connections** page > **Add connection**. The New Connection dialog box opens, displaying icons of the available external service providers.
2. Select the **Exchange Online** icon. A dialog box with the name of the connection and the connection methods appears.
3. (Optional) Edit the name of the connection. You cannot edit the name at a later stage.
4. Click **Exchange Online** to authenticate using OAuth.
5. Sign in using your credentials.

<Note>
  Some actions require specific roles and permissions that are only available to user accounts.

  For example, the [Start Compliance Search](/docs/integrations/exchange-online/actions/start-compliance-search) action requires the `eDiscovery Manager` role in Microsoft Compliance.

  For these cases, the action can be run using an Exchange Online OAuth connection by authenticating via a user instead of an application.
</Note>

### Using Application Credentials

#### Obtaining the credentials

To connect to Exchange Online, Blink uses Certificate Based Authentication (CBA).

1. Follow [Microsoft's instructions](https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#set-up-app-only-authentication) to set up app-only authentication.

   * Make sure that the application has the *Exchange Administrator* role.
   * Save the certificate that you uploaded to Azure. **It cannot be downloaded again!**

2. Once your application is authorized, you should have a certificate stored as a `.pfx` and `.cer` file.

3. Extract the public and private keys of the certificate in Base64 encoding:

   1. In a bash terminal, install the `openssl` package if it is not installed already.

   2. Public key: `openssl pkcs12 -in <your certificate file>.pfx -nokeys`

      <img src="https://mintcdn.com/blinkops-2/0JKaSiVOyIaH-NI8/img/ExchangeOnline/public_key.png?fit=max&auto=format&n=0JKaSiVOyIaH-NI8&q=85&s=5a44772e3a2f04e18ac94eeaf8429533" alt="Untitled" width="1078" height="826" data-path="img/ExchangeOnline/public_key.png" />

   3. Private key: `openssl pkcs12 -in <your certificate file>.pfx -nodes -nocerts | openssl rsa`

      <img src="https://mintcdn.com/blinkops-2/0JKaSiVOyIaH-NI8/img/ExchangeOnline/private_key.png?fit=max&auto=format&n=0JKaSiVOyIaH-NI8&q=85&s=f45fb184c2b57a81a6576bb7ba2a5e9d" alt="Untitled" width="1332" height="1060" data-path="img/ExchangeOnline/private_key.png" />

   4. Both commands output a Base64-encoded block, delimited by `-----BEGIN <TEXT>-----` and `-----END <TEXT>-----` lines. These PEM blocks are the values that need to be used for the Blink connection.
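
The extraction steps above as one script, added here as an example (it is not part of Blink's documentation or product): it writes the certificate and key as clean PEM files, then checks that the key belongs to the certificate and that the certificate is not about to expire. The `PFX_PASS` variable, the output file names, the function names and the 30-day threshold are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Blink's code. Assumed names: PFX_PASS, cert.pem, key.pem.

# extract_pfx <file.pfx> <outdir>
# Writes cert.pem and key.pem as clean PEM (no "Bag Attributes" preamble).
# The body is a subshell so the restrictive umask does not leak to the caller.
extract_pfx() (
  umask 077   # key.pem is created readable by the owner only
  mkdir -p "$2" &&
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null |
    openssl x509 -out "$2/cert.pem" 2>/dev/null &&
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -nodes -nocerts 2>/dev/null |
    openssl rsa -out "$2/key.pem" 2>/dev/null
)

# pubkey_of <pem> <x509|pkey>: print the public key (SPKI, PEM) held in the file.
pubkey_of() {
  case $2 in
    x509) openssl x509 -in "$1" -noout -pubkey ;;
    pkey) openssl pkey -in "$1" -pubout ;;
    *)    return 1 ;;
  esac 2>/dev/null
}

# check_pair <cert.pem> <key.pem>
# 0 = key matches certificate and certificate is valid for 30+ more days,
# 1 = unreadable input or mismatch, 2 = certificate expires within 30 days.
check_pair() {
  local cert_pub key_pub
  cert_pub=$(pubkey_of "$1" x509) && key_pub=$(pubkey_of "$2" pkey) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
    echo "private key does not match certificate" >&2; return 1; }
  openssl x509 -in "$1" -noout -checkend $((30 * 24 * 3600)) >/dev/null || {
    echo "certificate expires within 30 days" >&2; return 2; }
}

# Usage: PFX_PASS='...' ./split_pfx.sh app.pfx ./out
if [ "$#" -eq 2 ]; then
  extract_pfx "$1" "$2" && check_pair "$2/cert.pem" "$2/key.pem" &&
    echo "cert.pem and key.pem are ready to paste into the connection"
fi
```

Passing the PFX password through the environment keeps it out of the process list and shell history; delete `key.pem` once the connection has been created.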

#### Setting API Permissions

1. **Navigate to [Azure Portal](https://portal.azure.com)** and select your app registration.

2. **Configure API Permissions**:
   * Go to **API permissions** in your app registration.
     <Frame>
       <img src="https://mintcdn.com/blinkops-2/CAgQojQeorlb2r8I/img/ExchangeOnline/1.png?fit=max&auto=format&n=CAgQojQeorlb2r8I&q=85&s=fae7dc9df4e7d5f309b8ad43fb458599" width="1728" height="916" data-path="img/ExchangeOnline/1.png" />
     </Frame>

   * Click **Add a permission** to open the API permissions dialog.
     <Frame>
       <img src="https://mintcdn.com/blinkops-2/0JKaSiVOyIaH-NI8/img/ExchangeOnline/2.png?fit=max&auto=format&n=0JKaSiVOyIaH-NI8&q=85&s=f97b7431f28b1dd75a2c02cee0035b0c" width="1728" height="917" data-path="img/ExchangeOnline/2.png" />
     </Frame>

   * Select the **APIs my organization uses** tab, then search for and select your Office 365 Exchange Online application.
     <Frame>
       <img src="https://mintcdn.com/blinkops-2/0JKaSiVOyIaH-NI8/img/ExchangeOnline/4.png?fit=max&auto=format&n=0JKaSiVOyIaH-NI8&q=85&s=30b71e9e820f7d235b9021fa75b040d9" width="1728" height="916" data-path="img/ExchangeOnline/4.png" />
     </Frame>

   * Choose **Application permissions** (not Delegated permissions).
     <Frame>
       <img src="https://mintcdn.com/blinkops-2/0JKaSiVOyIaH-NI8/img/ExchangeOnline/5.png?fit=max&auto=format&n=0JKaSiVOyIaH-NI8&q=85&s=87888e283828b46cfed87b5431360a10" width="1728" height="919" data-path="img/ExchangeOnline/5.png" />
     </Frame>

   * Add the following permissions:

     | API               | Permissions name       | Type                   |
     | ----------------- | ---------------------- | ---------------------- |
     | Exchange          | `Exchange.ManageAsApp` | Application permission |
     | Other permissions | `full_access_as_app`   | Application permission |

3. **Grant Admin Consent** for all configured permissions:
   <Frame>
     <img src="https://mintcdn.com/blinkops-2/0JKaSiVOyIaH-NI8/img/ExchangeOnline/6.png?fit=max&auto=format&n=0JKaSiVOyIaH-NI8&q=85&s=7af68e50a98b6c89e12373c2c4b19932" width="1728" height="917" data-path="img/ExchangeOnline/6.png" />
   </Frame>
   * Confirm the admin consent when prompted.
   * After granting consent, the status should show green checkmarks indicating "Granted for \[Your Organization]".

#### Setting Roles

##### Step 1: Create a Security Group

1. **Navigate to [Microsoft Entra admin center](https://entra.microsoft.com)**.
   <Frame>
     <img src="https://mintcdn.com/blinkops-2/0JKaSiVOyIaH-NI8/img/ExchangeOnline/7.png?fit=max&auto=format&n=0JKaSiVOyIaH-NI8&q=85&s=b9881f80970a526a485cf38ee48e9ddc" width="1728" height="917" data-path="img/ExchangeOnline/7.png" />
   </Frame>

2. **Create a new security group**:
   * Go to **Groups** > **Overview**.
     <Frame>
       <img src="https://mintcdn.com/blinkops-2/0JKaSiVOyIaH-NI8/img/ExchangeOnline/8.png?fit=max&auto=format&n=0JKaSiVOyIaH-NI8&q=85&s=b5b17619bb9b6a775b7b74a1cf905a3e" width="1728" height="917" data-path="img/ExchangeOnline/8.png" />
     </Frame>
   * Click **New group**.
     <Frame>
       <img src="https://mintcdn.com/blinkops-2/0JKaSiVOyIaH-NI8/img/ExchangeOnline/9.png?fit=max&auto=format&n=0JKaSiVOyIaH-NI8&q=85&s=05ea164d9bda31d7f28d4b3c66ad89e1" width="1728" height="917" data-path="img/ExchangeOnline/9.png" />
     </Frame>
   * Fill the form with the following details:
     <Frame>
       <img src="https://mintcdn.com/blinkops-2/CAgQojQeorlb2r8I/img/ExchangeOnline/10.png?fit=max&auto=format&n=CAgQojQeorlb2r8I&q=85&s=867f6c8dfb549d6b8ebcd25e60e089f3" width="1728" height="915" data-path="img/ExchangeOnline/10.png" />
     </Frame>
     * Set **Group type** to `Security`.
     * Enter a **Group name** (e.g., `Exchange`).
     * Add a **Group description**.
     * Set **Microsoft Entra roles can be assigned to the group** to `Yes`.
     * Add the required users as **Members**.
   * Click **Create**.

##### Step 2: Assign Compliance Administrator Role

1. **Navigate to the created group**.
   * Go to **Groups** > **All groups** > Select your group.

2. **Add role assignment**:
   * Click **Assigned roles** in the left menu.
     <Frame>
       <img src="https://mintcdn.com/blinkops-2/CAgQojQeorlb2r8I/img/ExchangeOnline/11.png?fit=max&auto=format&n=CAgQojQeorlb2r8I&q=85&s=baa12190b695f6db029d90fd1f5cd75b" width="1728" height="916" data-path="img/ExchangeOnline/11.png" />
     </Frame>
   * Click **Add assignments**.
     <Frame>
       <img src="https://mintcdn.com/blinkops-2/CAgQojQeorlb2r8I/img/ExchangeOnline/12.png?fit=max&auto=format&n=CAgQojQeorlb2r8I&q=85&s=de3687d2472c263dbf6effb32607d152" width="1728" height="916" data-path="img/ExchangeOnline/12.png" />
     </Frame>
   * Fill the form with the following details:
     <Frame>
       <img src="https://mintcdn.com/blinkops-2/0JKaSiVOyIaH-NI8/img/ExchangeOnline/13.png?fit=max&auto=format&n=0JKaSiVOyIaH-NI8&q=85&s=f49cf7087921a748490ececfb7a71c21" width="1728" height="917" data-path="img/ExchangeOnline/13.png" />
     </Frame>
     * Select **Compliance Administrator** role.
     * Set **Assignment type** to `Eligible` (for permanent access, choose "Active").
     * Configure the assignment duration:
       * **Assignment starts**: Set current date and time.
       * **Assignment ends**: Set end date (can be set to permanent by checking "Permanently eligible").
   * Click **Assign**.

##### Step 3: Verify Role Assignment

1. Navigate back to **Groups** > **All groups** > Your group.
2. Go to **Assigned roles**.
3. Verify that "Compliance Administrator" appears with status "Granted for \[Your App Name]".
   <Frame>
     <img src="https://mintcdn.com/blinkops-2/0JKaSiVOyIaH-NI8/img/ExchangeOnline/14.png?fit=max&auto=format&n=0JKaSiVOyIaH-NI8&q=85&s=a96dbcb95e13d0274d2d75eb8e5b191c" width="1728" height="917" data-path="img/ExchangeOnline/14.png" />
   </Frame>

<Note>
  The role assignment may take a few minutes to propagate across the system.
</Note>

#### Creating your connection

1. In the Blink platform, navigate to the **Connections** page > **Add connection**. The New Connection dialog box opens, displaying icons of the available external service providers.

2. Select the **Exchange Online** icon. A dialog box with the name of the connection and the connection methods appears.

3. (Optional) Edit the name of the connection. You cannot edit the name at a later stage.

4. Select **Certificate** as the method to create the connection.

5. Fill in the parameters:

   * The *App ID* that has Exchange Administrator permissions.
   * The `.onmicrosoft.com` URL of the *Organization*.
   * The *Public key* of the X.509 certificate that is authorized to act on behalf of the application, in PEM format.
   * The *Private key* of the X.509 certificate that is authorized to act on behalf of the application, in PEM format.

6. (Optional) Click **Test Connection** to test it.

7. Click **Create connection**. The new connection appears on the **Connections** page.
