
Exclude synchronized Azure Active Directory mailboxes from billing

All mailboxes added to GravityZone Security for Email as a result of synchronizing with Azure Active Directory (AAD) are identified by default as standard users, making them subject to billing. To be able to exclude shared mailboxes from billing, you need to grant the synchronization service additional permissions so that it can read mailbox information from the Exchange API.

Grant access to synchronize Azure Active Directory shared mailboxes through Azure Active Directory

Note

This applies only to new Azure Active Directory connections. If you already have an existing Azure Active Directory connection, please assign the Office 365 Exchange Online API permission to it before continuing.

  1. Sign in to Azure Active Directory with an Administrator account.

  2. In the menu on the right side of the page, select Roles and administrators.

  3. Use the search box to locate the Security Reader role and check the box next to it.


    Note

    This will grant the Unified Security Service Active Directory sync access to read extended information about Azure AD objects.

    Important

    Due to a recent Microsoft Azure update, you may not be able to assign this role via the Azure portal. As an alternative, please use Azure CLI or PowerShell.

  4. Click on the button on the right side of the screen and select Description.

  5. Select the Assignments page from the menu on the right side of the screen and click Add assignments.

  6. Search for USS AzureAD, click on it to select it, and then click on Add.


The necessary permissions have now been granted to the synchronization service.

Note

If the Azure portal does not allow you to assign the role to the USS AzureAD application, you can use the Azure CLI tool or PowerShell as an alternative.

Grant access to synchronize Azure Active Directory shared mailboxes through Azure CLI

  1. Start the Azure CLI tool:

    docker run -it mcr.microsoft.com/azure-cli
  2. Log in as a user with permission to assign roles:

    az login
  3. Follow the prompts to open a browser and authenticate the CLI.

  4. Find the Object ID of USS AzureAD (this can also be found in the Azure > Enterprise Applications > USS AzureAD section). Note that Azure CLI versions that use Microsoft Graph (2.37 and later) expose this property as id rather than objectId, so adjust the --query expression accordingly:

    az ad sp list --all --query "[].{objectId:objectId}" --filter "displayName eq 'USS AzureAD'"
  5. Assign the Security Reader role to USS AzureAD (where $objectId is the Object ID from step 4; the roleDefinitionId below is the template ID of the built-in Security Reader role):

    az rest --method post --url https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments --body "{\"principalId\":\"$objectId\",\"roleDefinitionId\":\"5d6b6bb7-de71-4623-b4af-96380a352509\",\"directoryScopeId\":\"/\"}"

Grant access to synchronize Azure Active Directory shared mailboxes through PowerShell

  1. Download and install the AzureAD PowerShell module.

  2. Log in to your tenant as a Global Administrator:

    Connect-AzureAD
  3. Get the service principal ObjectId using the command (the -SearchString parameter limits the output to matching display names instead of listing every service principal in the tenant):

    Get-AzureADServicePrincipal -SearchString "USS AzureAD"
  4. View the Object IDs of the Azure AD directory roles:

    Get-AzureADDirectoryRole | sort DisplayName

    Note

    This will also display the available directory roles. Only roles that have already been activated in the tenant are listed; if Security Reader is missing, activate it first with Enable-AzureADDirectoryRole, using the role template ID returned by Get-AzureADDirectoryRoleTemplate.

  5. Add the service principal as a member of the directory role (replace the placeholders in angle brackets with the IDs collected above):

    Add-AzureADDirectoryRoleMember -ObjectId <DirectoryRoleObjectId> -RefObjectId <ServicePrincipalObjectId>

    Note

    ObjectId is the object ID of the directory role from step 4 and RefObjectId is the object ID of the Service Principal from step 3.

  6. Check the current directory roles assigned to the service principal (replace the placeholder with the service principal's object ID):

    Get-AzureADServicePrincipalMembership -ObjectId <ServicePrincipalObjectId>

    Note

    ObjectId is the object ID of the Service Principal from step 3.

It may take up to 15 minutes for changes to propagate.
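The PowerShell procedure above, combined into one script as an added example (this is not Bitdefender's own script). It assumes the AzureAD module is installed, that the connector's service principal is named USS AzureAD as on this page, and that you are signed in as a Global Administrator; it activates Security Reader if the role has never been enabled, assigns it only once, and verifies the result.

```powershell
# Added example: grant the Security Reader directory role to the USS AzureAD
# service principal with the AzureAD module, then verify the assignment.
$SpDisplayName   = 'USS AzureAD'       # assumed display name, as used on this page
$RoleDisplayName = 'Security Reader'

Connect-AzureAD | Out-Null

# Step 3: resolve the service principal. Refuse to continue if the name is
# ambiguous, so a directory role is never granted to the wrong application.
$sp = @(Get-AzureADServicePrincipal -SearchString $SpDisplayName |
        Where-Object { $_.DisplayName -eq $SpDisplayName })
if ($sp.Count -ne 1) {
    throw "Expected exactly one service principal named '$SpDisplayName', found $($sp.Count)."
}
$sp = $sp[0]

# Step 4: Get-AzureADDirectoryRole only lists roles already activated in the
# tenant. If Security Reader has never been activated, enable it from its template.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleDisplayName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate |
                Where-Object { $_.DisplayName -eq $RoleDisplayName }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Step 5: add the member only if it is not already assigned (idempotent).
$alreadyMember = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
                 Where-Object { $_.ObjectId -eq $sp.ObjectId }
if ($alreadyMember) {
    Write-Host "$SpDisplayName is already a member of $RoleDisplayName."
} else {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
    Write-Host "Assigned $RoleDisplayName to $SpDisplayName ($($sp.ObjectId))."
}

# Step 6: verify from the service principal side and list every role it holds,
# so any assignment beyond Security Reader is visible for review.
$memberships = Get-AzureADServicePrincipalMembership -ObjectId $sp.ObjectId
if (-not ($memberships | Where-Object { $_.ObjectId -eq $role.ObjectId })) {
    Write-Warning "Assignment not visible yet; directory changes can take up to 15 minutes to propagate."
}
$memberships | Select-Object ObjectId, ObjectType
```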

Add the Exchange Online API permission to an existing Azure Active Directory connection

Note

Only follow this procedure for Azure Active Directory connections created prior to 21st October 2020.

  1. Sign in to Azure Active Directory with an Administrator account.

  2. In the menu on the right side of the page, select Enterprise applications.

  3. Search for USS AzureAD and select it.

  4. In the menu on the right side of the page, select Permissions.

  5. Click the Grant admin consent for <company name> button.

  6. Proceed with the authentication and click Accept.

The Office 365 Exchange Online permission will now appear in the Admin Consent tab.