The required permissions to access the configuration and data in your Exchange organization depend on its type: On-Premises, Office 365 or Hybrid.
In the case of an Office 365 or Hybrid organization, you have the choice of using an app registered in Microsoft Entra ID or a second service account in Exchange Online.
What for? | Required permissions | How to grant it? |
---|---|---|
Create scheduled tasks. | The account that starts Promodag Reports must be a member of the local Administrators group on the Promodag computer. | Add this account to the local Administrators group on the Promodag computer. |
Create scheduled tasks. | Start the application as administrator. | Right-click the icon of Promodag Reports and select 'Run as administrator'. |
To access the configuration and data of your Exchange Online or Hybrid organization, you can choose between two solutions:
In this mode, Promodag Reports uses the permissions that have been granted to an application registered in Microsoft Entra ID.
No Office 365 license is required.
To register the standard Promodag Reports Application in Microsoft Entra ID and grant it the required permissions, please refer to this topic: Certificate-based authentication to Office 365. To manually create a custom Promodag Reports application, see How to create a custom Promodag app in Microsoft Entra ID.
What for? | Required permissions | Permission description | How to grant it? |
---|---|---|---|
Import Office 365 licenses. | Microsoft Graph User.Read.All | Allows the application to read the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user. | |
Run reports on mailbox and public folder content. | Office 365 Exchange Online full_access_as_app |
Allows the application to have full access via Exchange Web Services to all mailboxes without a signed-in user. To limit the scope of this permission, see Restrict Promodag application access to the content of specific mailboxes. | |
Import the directory, create Office 365 message tracking files, import the storage size, run reports on mailbox and mailbox folder permissions. | Office 365 Exchange Online Exchange.ManageAsApp | Allows the application to manage the organization's Exchange environment without any user interaction. This includes mailboxes, groups, and other configuration objects. To enable management actions, an admin must assign the appropriate roles directly to the app. | |
Publish reports onto a SharePoint Online library. | SharePoint Sites.Selected | Allows the application to access a subset of site collections without a signed-in user. The specific site collections and the permissions granted will be configured in SharePoint Online. | |
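To check an app registration against the table above, the following added example (not Promodag's own code) computes the minimal permission set for the features actually in use and compares it with what has been granted. The feature keys and the sample grants are constructed for illustration; `Mail.ReadWrite` stands in for a grant the table does not call for.

```python
# Added example: least-privilege check for the Promodag app registration.
# Feature keys and sample grants are constructed; permission names come from the table.

# feature -> (resource API, application permission), one entry per table row
FEATURE_PERMISSIONS = {
    "import_licenses": ("Microsoft Graph", "User.Read.All"),
    "content_reports": ("Office 365 Exchange Online", "full_access_as_app"),
    "directory_tracking_storage": ("Office 365 Exchange Online", "Exchange.ManageAsApp"),
    "sharepoint_publish": ("SharePoint", "Sites.Selected"),
}

# Described in the table as reaching all mailboxes unless its scope is restricted
TENANT_WIDE = {("Office 365 Exchange Online", "full_access_as_app")}


def required_permissions(features):
    """Return the minimal permission set for the features actually used."""
    unknown = set(features) - set(FEATURE_PERMISSIONS)
    if unknown:
        raise ValueError(f"unknown feature(s): {sorted(unknown)}")
    return {FEATURE_PERMISSIONS[f] for f in features}


def audit(granted, features):
    """Compare granted (resource, permission) pairs with what the features need."""
    granted_set = {(g["resource"], g["permission"]) for g in granted}
    needed = required_permissions(features)
    return {
        "missing": sorted(needed - granted_set),            # feature will fail
        "excess": sorted(granted_set - needed),             # candidates for removal
        "review_scope": sorted(granted_set & TENANT_WIDE),  # confirm mailbox scoping
    }


# Constructed sample: grants exported from the app registration, resolved to names
SAMPLE_GRANTS = [
    {"resource": "Microsoft Graph", "permission": "User.Read.All"},
    {"resource": "Microsoft Graph", "permission": "Mail.ReadWrite"},  # not in the table
    {"resource": "Office 365 Exchange Online", "permission": "full_access_as_app"},
    {"resource": "Office 365 Exchange Online", "permission": "Exchange.ManageAsApp"},
]

if __name__ == "__main__":
    # This deployment does not run mailbox content reports.
    used = ["import_licenses", "directory_tracking_storage", "sharepoint_publish"]
    for key, items in audit(SAMPLE_GRANTS, used).items():
        print(key, items)
```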
In this mode, Promodag Reports uses the permissions granted to a user account.
This mode is incompatible with MFA.
You can use an account that has been granted the permissions summarized in the following table. To create this account from scratch, please refer to this topic: User-based authentication to Office 365.
What for? | Required permissions or roles | How to grant it? |
---|---|---|
Import the directory. | View-Only Recipients role (Exchange Online). | Assigning the appropriate roles to the Office 365 Promodag user |
Create Office 365 message tracking files. | ||
Import the size of mailboxes, i.e. a data source for storage reports. | ||
Run the Mailbox Permissions report. | Mail Recipients role (Exchange Online). | |
Run reports on mailbox and public folder content. | ApplicationImpersonation role (Exchange Online). This role will be deprecated soon. |
To access the configuration and data of your On-Premises Exchange or Hybrid organization, Promodag Reports requires that you use an account with the permissions summarized in the following table. To create this user account from scratch, please refer to this topic: Creating a Promodag account for an On-Premises environment.
We strongly encourage you to run Promodag Reports in the Windows session of your Promodag account.
What for? | Required permissions or roles | How to grant it? |
---|---|---|
Import the directory. | Membership of Recipient Management AND Public Folder Management groups. | Assigning the appropriate roles to the Promodag user |
Import the size of mailboxes and public folders, i.e. a data source for storage reports. | ||
Run reports on mailbox and public folder content. | ApplicationImpersonation role. | |
Import message tracking files, i.e. the data source for reports on email traffic. | Read-Only permissions on message tracking file directories. | Configuring the message tracking data source for On-Premises Exchange |
Import IIS log files, i.e. the data source for reports on OWA and ActiveSync activity. | Read-Only permissions on IIS log file directories. | Configuring the Internet Information Services data source |
Import the size of Exchange databases, i.e. a data source for storage reports. | Read-Only permissions on Mailbox and Public Folder database files. | Configuring the Exchange database size data source for On-Premises Exchange |
The Promodag account must have been granted the db_owner role on the Promodag Reports database. It must also have the public and db_datareader roles on the TEMPDB database.
The ability to create databases requires specific SQL permissions (CREATE DATABASE).