Question

How do I configure AD eDiscovery to collect from Microsoft Office 365 Exchange Online?

 

Prerequisites

  1. The collection Work Manager must be able to access Office 365
  2. Microsoft Outlook must be installed on the Work Manager machine to assemble PSTs from the collected email prior to processing.  The following versions of Outlook are supported:

    Outlook 2007 32-bit Standard & Professional
    Outlook 2010 32-bit Standard & Professional
    Outlook 2013 32-bit Professional Plus
    Outlook 2016 (not 365) 32-bit Professional Plus

  3. Create an account (referred to as SERVICE ACCOUNT) in Exchange 365 that will be used to perform the collection
  4. Grant that SERVICE ACCOUNT FullAccess to the mailboxes you wish to collect from by using the steps below:

Connect to Exchange Online Remote PowerShell (see http://technet.microsoft.com/en-us/library/jj984289(v=exchg.150).aspx)

  1. Open PowerShell
  2. Execute the following PowerShell Commands:
    1. $Cred = Get-Credential
      (At the prompt enter your Exchange Online/O365 Admin Credentials)
    2. $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell -Credential $Cred -Authentication Basic -AllowRedirection
    3. Import-PSSession $session

To grant FullAccess over a single mailbox:

Add-MailboxPermission -Identity <MAILBOX> -User <SERVICE ACCOUNT> -AccessRights FullAccess -InheritanceType all

To grant FullAccess to all mailboxes in the domain:

Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Admin')} | Add-MailboxPermission -User <SERVICE ACCOUNT> -AccessRights fullaccess -InheritanceType all

Notes:

  • <MAILBOX> and <SERVICE ACCOUNT> should be the accounts' full email addresses.
  • In testing, we've not found permission levels other than "FullAccess" to work consistently.
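
A scoped alternative to the domain-wide grant, with an audit and a revoke step for when the collection is finished. This is an added example, not part of the original article or the product's own tooling; the function names, the service account address and the custodian list are hypothetical placeholders, and it assumes the Exchange Online session from the steps above is already imported.

```powershell
# Added example: scoped grant, audit and revoke for the collection service account.
# Assumes the Exchange Online session from the steps above is already imported.
# Constructed placeholder values; replace before use.
$ServiceAccount = 'svc-collect@example.com'
$Custodians     = @('custodian1@example.com', 'custodian2@example.com')

# Grant FullAccess only on the mailboxes in scope for this collection.
function Grant-CollectionAccess {
    param([Parameter(Mandatory)][string[]]$Mailbox,
          [Parameter(Mandatory)][string]$User)
    foreach ($m in $Mailbox) {
        Add-MailboxPermission -Identity $m -User $User `
            -AccessRights FullAccess -InheritanceType All | Out-Null
    }
}

# List every user mailbox on which $User currently holds an allow FullAccess entry.
function Get-CollectionAccess {
    param([Parameter(Mandatory)][string]$User)
    foreach ($mbx in (Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox)) {
        $smtp = "$($mbx.PrimarySmtpAddress)"
        $hit  = Get-MailboxPermission -Identity $smtp -User $User |
            Where-Object { ($_.AccessRights -match 'FullAccess') -and -not $_.Deny }
        if ($hit) {
            [pscustomobject]@{ Mailbox = $smtp; User = $User; AccessRights = 'FullAccess' }
        }
    }
}

# Remove the grant from every mailbox where it is still present.
function Revoke-CollectionAccess {
    param([Parameter(Mandatory)][string]$User)
    foreach ($entry in (Get-CollectionAccess -User $User)) {
        Remove-MailboxPermission -Identity $entry.Mailbox -User $User `
            -AccessRights FullAccess -InheritanceType All -Confirm:$false
    }
}

# Typical sequence:
#   Grant-CollectionAccess -Mailbox $Custodians -User $ServiceAccount
#   Get-CollectionAccess -User $ServiceAccount |
#       Export-Csv .\collection-access.csv -NoTypeInformation
#   ... run the collection ...
#   Revoke-CollectionAccess -User $ServiceAccount
```

Keeping the exported CSV with the case record documents which mailboxes the service account could read and for how long.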

 

Answer

  1. Log in to AD eDiscovery as an administrative user account.
  2. Click the Data Sources tab.
  3. Select the Exchange tab.
  4. Click the green plus sign to add a new Exchange Data Source record.
  5. Fill in the following fields:
    1. Version: “Online\Office 365”
    2. Name: This is a friendly name. Can be set to any nickname for this record.
    3. Address: outlook.office365.com or smtp.office365.com
    4. Username: Full email address of the Exchange 365 SERVICE ACCOUNT.
    5. Password: Password of the Exchange 365 SERVICE ACCOUNT.

 

Overview

In addition to granting permission to the configured service account, AD eDiscovery must be configured with certain parameters in order to collect from Office 365 Exchange.  Linked here is a Microsoft KB article describing the endpoint mapping for O365.