Exchange Online 365

Steps

  1. Create or identify an Exchange 365 account for Exchange discovery scanning.
  2. Grant the account one of the following roles. This is necessary so that the system can discover messages and display results.
    • Organization Management
    • View Only Organization Management

    The service account should now be able to access Exchange via Outlook Web App (OWA) and move between the mailboxes intended to be scanned during the discovery. Log onto OWA with this account and try switching between mailboxes as shown below:

  3. Configure Exchange impersonation. Exchange impersonation needs to be enabled for the service account used for the discovery.
    1. Log into the Microsoft Exchange admin center; for example, https://<server name>/IP/ecp/
    2. Click permissions, then admin roles.
    3. Under Name, double-click Discovery Management.

    4. Under Roles, click the plus sign and add a new role named “ApplicationImpersonation” to the Roles table.
    5. Under Members, click the plus sign and add the Service Account you will be using in the Exchange discovery task, such as Administrator, to the Members table.

  4. Configure an Exchange discovery task.
    1. Log onto the Forcepoint Security Manager and select the Data module.
    2. Select Main > Policy Management > Discovery Policies > Add Network Task > Exchange Task.
    3. Complete the wizard as explained in the Forcepoint DLP Administrator Help. On the Exchange Servers page, enter the credentials you used in step 1 and 3.
  5. Check that Integrated Windows authentication is turned on (it should be on by default). If it is not:
    1. In the Exchange admin center, go to servers > virtual directories > EWS (Default Web Site).
    2. Select Integrated Windows authentication.