Prerequisites for Exchange Online
Before you can configure Exchange Online via API, the following is required:
- Global Administrator role must be assigned to the user used to enable the API. Learn more about Office 365 roles.
- Enable audit logging for mailbox activities. Although Exchange Admin Center activities are monitored by default, you must manually enable auditing for user mailboxes. Learn more about how to enable mailbox audit logging.
- Shared Mailboxes are not supported. Skyhigh CASB supports only User Mailboxes, ideally from the Service account that is integrated.
- Cloud service accounts only. Make sure that the service account you use for API integration is hosted in the cloud. The account cannot be hosted on-premises. If the account is hosted on-premises, API enablement enters a constant authentication loop and fails.
If you receive errors when you enable mailbox audit logging, make sure all of the PowerShell prerequisites are met, as described in this Microsoft TechNet article.
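The prerequisites listed above can be checked from an Exchange Online PowerShell session before you start the integration. The script below is an added example, not taken from Skyhigh Security or Microsoft documentation. The `$ServiceAccount` parameter and `-Remediate` switch are hypothetical names, and treating `IsDirSynced` as the sign of an on-premises account is an assumption.

```powershell
# Pre-flight check for the Exchange Online prerequisites (added example).
# Requires the ExchangeOnlineManagement module and an administrator sign-in.
param(
    # Hypothetical parameter: UPN of the service account used for API integration.
    [Parameter(Mandatory)] [string] $ServiceAccount,
    # Hypothetical switch: enable auditing on the mailboxes found without it.
    [switch] $Remediate
)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Service account: must be a User Mailbox (not shared) and cloud-hosted.
#    Assumption: IsDirSynced = True means the account is mastered on-premises.
$svc = Get-Mailbox -Identity $ServiceAccount -ErrorAction Stop
[pscustomobject]@{
    Account       = $svc.UserPrincipalName
    MailboxType   = $svc.RecipientTypeDetails
    IsUserMailbox = ($svc.RecipientTypeDetails -eq 'UserMailbox')
    IsDirSynced   = $svc.IsDirSynced
    AuditEnabled  = $svc.AuditEnabled
} | Format-List

# 2. Organization-wide auditing switch (True here means auditing is turned off).
$org = Get-OrganizationConfig
"Organization AuditDisabled: $($org.AuditDisabled)"

# 3. Per-mailbox AuditEnabled flag on User Mailboxes, which this page asks
#    you to enable manually. Shared mailboxes are skipped on purpose.
$unaudited = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled })
"User mailboxes with AuditEnabled = False: $($unaudited.Count)"
$unaudited | Select-Object UserPrincipalName, AuditEnabled | Format-Table -AutoSize

# 4. Optional remediation: set the flag on each mailbox found in step 3.
if ($Remediate) {
    foreach ($mbx in $unaudited) {
        Set-Mailbox -Identity $mbx.UserPrincipalName -AuditEnabled $true
    }
    "Enabled auditing on $($unaudited.Count) mailbox(es)."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without `-Remediate` to review the report, then again with the switch if the list of mailboxes is what you expect.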
NOTE: Before configuring Exchange Online via API, you must contact Skyhigh Security Support to enable Microsoft Graph REST API access for your instances.
Alternatively, you can authenticate Skyhigh CASB to Exchange Online / Office 365 using the Custom oAuth Application for Office 365 API Integration method. This method is often used in production deployments or larger organizations. In POCs or smaller deployments, it may be easier to use a Global Admin Account to authorize Skyhigh CASB.