Certificate-based authentication to Office 365

Create the certificate and the Promodag Reports Application

Please follow these steps to create the Promodag Reports Application, the certificate, register them in Microsoft Entra ID and create a dedicated role group in Exchange Admin Center:

Prerequisites and required module

The computer’s operating version must be greater than or equal to Windows 10/Windows Server 2016. Microsoft PowerShell 7 or higher is required.

The ExchangeOnlineManagement and Microsoft.Graph PowerShell modules should be installed on the computer. It they are not, please proceed with the next steps.

Install required PowerShell modules

• Search for PowerShell > Windows PowerShell 7 and run it as administrator.
• Install the ExchangeOnlineManagement module: Install-Module ExchangeOnlineManagement -Scope AllUsers
• Install the Microsoft.Graph module: Install-Module Microsoft.Graph -Scope AllUsers

Create the certificate and application using the provided script

These steps will enable you to create a self-signed certificate, an application in Microsoft Entra ID to access your tenant, and a role group in Exchange Admin Center.

• The script is delivered by default in the C:\Users\Public\Documents\Promodag\Reports\14\ directory but you can use it from a different location (download link).

• Run the script: .\CreateRepexRBACApp.ps1
• Enter certificate password at prompt and write it down.

• The script will proceed, and you will be prompted to sign-in to Office 365 to create the role group and grant it the relevant permissions. Use a Global Administrator account.

• A certificate valid for two years has now been created in the script directory with the name " RepexRBACAppCertificate.pfx". The application has been created in Microsoft Entra ID with the name "Promodag Reports RBAC Application", a role group with the name “Promodag Reports RBAC Role Group” has been created in Exchange Admin Center, a service principal object has been created for this new application and it has been added as a member of this new role group.

• The script displays the summary information to be used in Promodag Reports: Application ID and certificate path, plus a link (Authorization URL) to connect to Microsoft Entra ID and authorize the newly created application. This information is then saved into a file in the current directory.

Authorize the application in Microsoft Entra ID

Grant admin consent

• Paste the URL displayed in a web browser to connect to Microsoft Entra ID. Sign in using a Global Administrator account. The Promodag Reports RBAC Application | API permissions page opens.
• Review the permissions granted to the application (see details of each permission here: Office 365 permissions).
  
• Click Grant admin consent for <name of your Office 365 tenant>.
• Optional: You can delete the self-signed certificate and use your own if you prefer. See Replace or renew the certificate.

Configure Promodag Reports with the application settings

Please make sure that you have retrieved the following information the first step:

1. Application ID,
2. Certificate path,
3. Certificate password.

• In Promodag Reports, go to Tools > Options, Office 365 configuration.
• Select Certificate-based authentication.
• Enter the Application ID and Certificate password in the corresponding fields.
• Enter the path to the .pfx certificate file in the corresponding field.
• Click the Check validity link to verify the certificate expiration date.  
• Click the Check connection links to verify that Promodag Reports can connect to your tenant using the Microsoft Entra ID application and the certificate.

of