If your company's security policy doesn't allow you to use an account and password to access Office 365 or if you use MFA, you can skip the User-based authentication mode and use the Certificate-based authentication mode instead. You can make this choice in the Configuration Wizard or in the Office 365 configuration tab of Tools > Options.
Please follow these steps to create the Promodag Reports Application, the certificate, register them in Microsoft Entra ID and create a dedicated role group in Exchange Admin Center:
The computer’s operating version must be greater than or equal to Windows 10/Windows Server 2016. Microsoft PowerShell 7 or higher is required.
The ExchangeOnlineManagement and Microsoft.Graph PowerShell modules should be installed on the computer. It they are not, please proceed with these steps:
Install the ExchangeOnlineManagement module: Install-Module ExchangeOnlineManagement -Scope AllUsers
Install the Microsoft.Graph module: Install-Module Microsoft.Graph -Scope AllUsers
These steps will enable you to create a self-signed certificate, an application in Microsoft Entra ID to access your tenant, and a role group in Exchange Admin Center.
The script is delivered by default in the C:\Users\Public\Documents\Promodag\Reports\ directory but you can use it from a different location.
4. The script will proceed, and you will be prompted to sign-in to Office 365 to create the role group and grant it the relevant permissions. Use a Global Administrator account.
5. A certificate valid for two years has now been created in the script directory with the name " RepexRBACAppCertificate.pfx". The application has been created in Microsoft Entra ID with the name "Promodag Reports RBAC Application", a role group with the name “Promodag Reports RBAC Role Group” has been created in Exchange Admin Center, a service principal object has been created for this new application and it has been added as a member of this new role group.
6. The script displays the summary information to be used in Promodag Reports: Application ID and certificate path, plus a link (Authorization URL) to connect to Microsoft Entra ID and authorize the newly created application. This information is then saved into a file in the current directory.
Paste the URL displayed in a web browser to connect to Microsoft Entra ID. Sign in using a Global Administrator account. The Promodag Reports RBAC Application | API permissions page opens.
Optional: You can delete the self-signed certificate and use your own if you prefer. See Replace or renew the certificate.
Please make sure that you have retrieved the following information the first step:
In a PowerShell 7 window, connect to Exchange Online PowerShell.
$SP = New-ServicePrincipal -AppId <appId from step 6> -ObjectId <Object id from step 6> -DisplayName "SP for Promodag Reports Application"
Add-RoleGroupMember -Identity “Promodag Reports role group” -Member $SP.Identity
Then go to Apply "Promodag Reports RBAC Application" settings to Promodag Reports.