Prerequisites
Exchange Server Requirements
- Exchange Server: Exchange Server 2016 or 2019 (verified against Exchange Server 2019). Note the current CU level.
- Dedicated Server: Exchange must not be co-located with the Domain Controller role (causes Kerberos SPN conflicts).
- Exchange Management Shell: EMS must launch and run without errors locally on the Exchange server.
- FQDN: A resolvable fully-qualified domain name for the target Exchange server, matching the SSL certificate CN/SAN.
Network Requirements
- Port 443 (HTTPS): Open from the DSPM connector host to Exchange (required for all three methods).
- Port 88 (Kerberos KDC): Reachable from the connector to a Domain Controller (required only for SPNEGO/Kerberos).
- No intercepting proxy/WAF: Proxies or WAFs between the connector and Exchange may break WinRM/SOAP traffic to /PowerShell/ and /EWS/.
Active Directory & Service Account Requirements
- Dedicated Service Account: A dedicated AD account for the connector (shared admin accounts are not recommended).
- Organization Management: The service account must be a member of the Exchange 'Organization Management' role group.
- MFA Exempt: Basic and NTLM authentication do not support MFA — the service account must be MFA-exempt.
- Non-expiring Password: Expired credentials silently break scans.
- AD Domain FQDN: Required for NTLM/Kerberos credential construction (e.g. corp.example.com).
Access Requirements
- Administrator Access: Local administrator rights on the Exchange server to run EMS cmdlets and edit IIS/applicationHost.config.
- IIS Management: Access to IIS Manager on the Exchange server (Client Access / front-end and Back End sites).