Using App-only Authentication with M365
App-only authentication allows Forensic Email Collector (FEC) to authenticate against M365 at the tenant level: FEC signs in as a registered application using a client secret, rather than as a user. This workflow is similar to using Impersonation, but does not require the ApplicationImpersonation role, which is being deprecated at the time of this writing.
In order to perform App-only Authentication, you need to do the following:
- Register a new App in Microsoft Entra ID (formerly Azure Active Directory)
- Grant the needed permissions to the App
Here is how you can complete the two steps above:
Part 1 - Register Your Application
- Visit Microsoft Entra admin center.
- Select Identity > Applications > App registrations on the navigation menu and click + New registration.
- Enter a name of your choice and choose the Accounts in this organizational directory only option.
- For Redirect URI, change the dropdown to Public client/native (mobile & desktop) and set the value to the following:
https://login.microsoftonline.com/common/oauth2/nativeclient
- Choose Register. On the next page, copy the Application (client) ID and Directory (tenant) ID values—you will need to enter them into FEC later.
- Create a Client Secret using the Add a certificate or secret link.
- Choose + New client secret, give it a description, and choose an expiration date that suits your needs.
Once the secret is created, copy the secret from the Value column. You will need to enter this into FEC later.
* It is important that you use the Secret Value, not the Secret ID!
Tip: The Client Secret value is displayed only when it is first created. If you navigate away and come back to the same page, you will find that the Value field is masked.
Part 2 - Grant the Needed Permissions to the App
You can use App-only Authentication with both Exchange Web Services (EWS) and Microsoft Graph API. This part of the process splits into two paths depending on which provider you intend to use.
A. Exchange Web Services
If you are planning to use EWS, you can add and authorize the necessary permission as follows:
- While on your App Registration page, choose Manifest from the left-hand menu.
- Locate the requiredResourceAccess property in the manifest, and add the following inside its square brackets. If the array already contains an entry (new registrations include a Microsoft Graph User.Read delegated permission by default), separate the entries with a comma.
{ "resourceAppId": "00000002-0000-0ff1-ce00-000000000000", "resourceAccess": [ { "id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40", "type": "Role" } ] }
Here is how this looks in context (00000002-0000-0ff1-ce00-000000000000 is the Office 365 Exchange Online resource, and the "Role" type marks an application permission rather than a delegated one):
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
            "resourceAccess": [
                {
                    "id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
                    "type": "Role"
                }
            ]
        }
    ],
- Click the Save button and choose API permissions from the left-hand menu. At this stage, you should see the EWS permission listed under Office 365 Exchange Online as full_access_as_app with the status "Not granted".
- Click on the Grant admin consent link to grant consent.
The ability to grant admin consent depends on the role of the authenticated user. If the current user is not in a role required to grant admin consent, the link will appear grayed out. You can learn about which roles can grant admin consent here: aka.ms/microsoftentraidroles
- Once the admin consent grant is successful, the status column for the EWS permission will show "Granted". You can now use the Client ID, Client Secret, and Tenant ID values in FEC in an Exchange Web Services (EWS) acquisition against M365 (see below for details).
Note that full_access_as_app grants the App access to every mailbox in the tenant. If the acquisition should be limited to specific mailboxes, see Part C below.
B. Microsoft Graph API
If you are planning to use Microsoft Graph API to target M365, you can add the necessary permissions to your App registration as follows:
- Go to API permissions from the left-hand menu.
Click + Add a permission > Microsoft Graph > Application permissions*
* The Application permissions part is important!
- Add the following permissions: Contacts.Read, Mail.Read, MailboxSettings.Read
- Grant admin consent as described above in Part A.
Editing the App manifest is not needed for Graph API permissions as the permissions are available through the Entra user interface.
C. Advanced: Role Based Access Control
Another possibility is to use Role Based Access Control (RBAC) for granular resource-scoped access control. This applies to both Microsoft Graph API acquisitions and EWS acquisitions, and can be used to limit the access to certain administrative units or mailboxes. You can find the details and examples here:
Role Based Access Control for Applications in Exchange Online
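The following is an added example, not part of the FEC documentation: it performs Part 1 and Part 2 (registration, client secret, and admin consent for both the EWS and the Graph permissions) with the Microsoft Graph PowerShell SDK instead of the Entra admin center. The app display name and the 30-day secret lifetime are arbitrary choices, and the account running it must be in a role allowed to grant tenant-wide admin consent. The app-role IDs are looked up from the resource service principals rather than hardcoded; for EWS the lookup resolves to the dc890d15-9560-4a4c-9b7f-a736ec74ec40 value shown in the manifest above.

```powershell
# Added example (not FEC's own code): register the App and grant admin consent via Graph PowerShell.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "Directory.Read.All"

# Well-known application IDs of the two resource APIs.
$exoAppId   = "00000002-0000-0ff1-ce00-000000000000"   # Office 365 Exchange Online (EWS)
$graphAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph

# Resolve the application permissions (app roles) from each resource's service principal.
$exoSp   = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'"
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$ewsRole    = $exoSp.AppRoles   | Where-Object { $_.Value -eq 'full_access_as_app' }
$graphRoles = $graphSp.AppRoles | Where-Object { $_.Value -in @('Contacts.Read', 'Mail.Read', 'MailboxSettings.Read') }

# Part 1: register the App (single tenant, public client redirect URI as in the text).
# Type 'Role' = application permission; 'Scope' would be a delegated permission.
$requiredResourceAccess = @(
    @{ ResourceAppId  = $exoAppId
       ResourceAccess = @(@{ Id = $ewsRole.Id; Type = 'Role' }) },
    @{ ResourceAppId  = $graphAppId
       ResourceAccess = @($graphRoles | ForEach-Object { @{ Id = $_.Id; Type = 'Role' } }) }
)
$app = New-MgApplication -DisplayName "FEC App-only" `
    -SignInAudience "AzureADMyOrg" `
    -PublicClient @{ RedirectUris = @("https://login.microsoftonline.com/common/oauth2/nativeclient") } `
    -RequiredResourceAccess $requiredResourceAccess

# Client secret. SecretText is returned only here, like the Value column in the portal.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "FEC acquisition"; EndDateTime = (Get-Date).AddDays(30) }

# Part 2: consent is recorded on the App's service principal, so create it first.
$sp = New-MgServicePrincipal -AppId $app.AppId

# "Grant admin consent" for an application permission is an appRoleAssignment from the
# App's service principal to the resource's service principal, one per permission.
$grants = @(
    @{ Resource = $exoSp;   Roles = @($ewsRole) },
    @{ Resource = $graphSp; Roles = @($graphRoles) }
)
foreach ($g in $grants) {
    foreach ($role in $g.Roles) {
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
            -ResourceId $g.Resource.Id -AppRoleId $role.Id | Out-Null
    }
}

# The three values to enter in FEC's Credentials... dialog.
[pscustomobject]@{
    TenantId     = (Get-MgContext).TenantId
    ClientId     = $app.AppId
    ClientSecret = $secret.SecretText
}
```

Drop whichever of the two $grants entries you do not need; an App that will only be used for Graph acquisitions should not carry full_access_as_app.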
Setting up App-only Authentication in FEC
Once you complete the above section (i.e., create your App registration and grant admin consent), you can use the Client ID, Client Secret, and Tenant ID values in FEC as follows:
- Start a new acquisition targeting M365 via EWS or Graph API.
- Choose the Use App-only Auth option and follow the Credentials... hyperlink.
- Enter the Client ID, Client Secret, and Tenant ID values and click OK.
- Proceed with the acquisition as usual.
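Before starting the acquisition, it is worth confirming that the App actually receives the permissions you granted. The following is an added example, not part of the FEC documentation: it requests an app-only token with the same Client ID, Client Secret, and Tenant ID you will enter into FEC and inspects the roles claim. The three placeholder values and the function names are assumptions for the example. A token without a roles claim means consent was not granted, or the permissions were added as Delegated instead of Application permissions.

```powershell
# Added example (not FEC's own code): fetch an app-only token and check its roles claim.
$tenantId     = "00000000-0000-0000-0000-000000000000"   # Directory (tenant) ID (placeholder)
$clientId     = "11111111-1111-1111-1111-111111111111"   # Application (client) ID (placeholder)
$clientSecret = "<secret Value, not the Secret ID>"       # placeholder

# Pick the resource matching the FEC provider you will use.
$scope = "https://outlook.office365.com/.default"        # EWS
# $scope = "https://graph.microsoft.com/.default"        # Microsoft Graph

# Client credentials grant: note the tenant-specific endpoint, not /common.
$body = @{
    grant_type    = "client_credentials"
    client_id     = $clientId
    client_secret = $clientSecret
    scope         = $scope
}
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Body $body

function ConvertFrom-JwtPayload {
    # Decode the middle (payload) segment of a JWT: base64url, with padding restored.
    param([string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

function Test-AppRoles {
    # Report which expected application permissions are absent from the roles claim.
    param([object]$Claims, [string[]]$Expected)
    $missing = $Expected | Where-Object { $_ -notin @($Claims.roles) }
    if ($missing) { Write-Warning "Missing application permissions: $($missing -join ', ')" }
    else { "Token carries all expected roles: $($Claims.roles -join ', ')" }
}

$claims   = ConvertFrom-JwtPayload $tokenResponse.access_token
$expected = if ($scope -like 'https://outlook.office365.com*') { 'full_access_as_app' }
            else { 'Contacts.Read', 'Mail.Read', 'MailboxSettings.Read' }

"Audience: $($claims.aud)"
Test-AppRoles -Claims $claims -Expected $expected
```

Decoding the token is a one-off diagnostic; the roles claim is the same list FEC's provider relies on, so if it is empty here, the acquisition will fail with an access-denied error as well.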
Revocation of Permissions
Once your acquisition is complete, the administrator can delete the App registration (Overview page of the App registration), revoke the admin consents (API permissions page of the App registration), or at minimum delete the client secret (Certificates & secrets page) so that organizational data can no longer be accessed using the previously-registered App. Access tokens that were already issued remain valid until they expire, so the acquisition should be finished before revoking.
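The same three revocation options, as an added example with the Microsoft Graph PowerShell SDK (not part of the FEC documentation). It assumes $clientId holds the Application (client) ID used for the acquisition and shows what "revoke admin consent" means underneath: removing the appRoleAssignments on the App's service principal.

```powershell
# Added example (not FEC's own code): revoke access after the acquisition.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"
$clientId = "11111111-1111-1111-1111-111111111111"   # Application (client) ID (placeholder)
$app = Get-MgApplication      -Filter "appId eq '$clientId'"
$sp  = Get-MgServicePrincipal -Filter "appId eq '$clientId'"

# Option 1: revoke admin consent only. Each granted application permission is one
# appRoleAssignment on the service principal; the registration itself stays in place.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id | ForEach-Object {
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $_.Id
}

# Option 2: delete every client secret so no new tokens can be requested.
# Tokens already issued stay valid until they expire.
$app.PasswordCredentials | ForEach-Object {
    Remove-MgApplicationPassword -ApplicationId $app.Id -KeyId $_.KeyId
}

# Option 3: delete the registration entirely (its service principal is removed with it).
Remove-MgApplication -ApplicationId $app.Id
```

Option 1 or 2 is sufficient when the same registration will be reused for a later acquisition; Option 3 is the cleanest end state for a one-off collection.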