Dropzone AI Documentation
Microsoft 365 Exchange Online Management


Last updated 3 days ago


This configuration is only required if you are using Dropzone AI to analyze Quarantined Emails in Microsoft Defender for Office 365.

To enable Office 365 Exchange Online Management, you must first install Dropzone Certificate Credentials.

Some Dropzone actions use X.509 certificate-based authentication, for example retrieving quarantined emails during phishing analysis. In this section we will set up the Dropzone certificate as trusted by Microsoft.

Each Dropzone tenant uses a unique Dropzone certificate for maximum security.

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app

  • In the bottom left hand corner, click Settings > Integrations

  • Click "Available"

  • In the Search bar, search for MS 365/Defender, then click "Configure"

  • Under "Connection", click "mycompany.dropzone.app.crt" and download the file

  • Return to the Application Overview for your new application

    • Applications > App Registration > All Applications > Dropzone AI

  • In the left side bar, click "Certificates & Secrets"

  • Navigate to Certificates, then click "Upload Certificate"

  • Select the certificate file you downloaded from the Dropzone UI earlier

  • For description, use "Dropzone AI"

You should now see the certificate in the UI, including a 'thumbprint' (a cryptographic hash of the certificate).
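
To confirm that the certificate shown in the UI is the file you downloaded, you can compute the thumbprint locally and compare it. This is an added example, not part of the Dropzone documentation; the function name `Test-UploadedCertificate` and its parameters are hypothetical, and it assumes the portal displays the SHA-1 thumbprint, which is what .NET's `X509Certificate2.Thumbprint` returns.

```powershell
# Added example (not Dropzone's own code). Test-UploadedCertificate and its
# parameter names are hypothetical; supply your own file path and thumbprint.
function Test-UploadedCertificate {
    [CmdletBinding()]
    param(
        # Path to the .crt file downloaded from the Dropzone UI
        [Parameter(Mandatory)] [string] $CertPath,
        # Thumbprint copied from "Certificates & Secrets" (assumed to be SHA-1)
        [Parameter(Mandatory)] [string] $PortalThumbprint
    )

    $full = (Resolve-Path -LiteralPath $CertPath).ProviderPath
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)

    # Normalise the pasted value: drop spaces/colons, upper-case the hex digits.
    $expected = ($PortalThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $now      = Get-Date
    $sha256   = [System.Security.Cryptography.HashAlgorithmName]::SHA256

    [pscustomobject]@{
        Subject         = $cert.Subject
        Sha1Thumbprint  = $cert.Thumbprint
        Sha256          = $cert.GetCertHashString($sha256)
        NotBefore       = $cert.NotBefore
        NotAfter        = $cert.NotAfter
        # False means the portal holds a different certificate than this file.
        ThumbprintMatch = ($cert.Thumbprint -eq $expected)
        CurrentlyValid  = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        DaysUntilExpiry = [math]::Floor(($cert.NotAfter - $now).TotalDays)
        # The file uploaded to Microsoft should carry the public key only.
        PublicOnly      = (-not $cert.HasPrivateKey)
    }
}

# Usage (values are placeholders):
# Test-UploadedCertificate -CertPath ./mycompany.dropzone.app.crt `
#     -PortalThumbprint '<thumbprint shown in the portal>'
```

A `ThumbprintMatch` of `False` or a short `DaysUntilExpiry` is worth resolving before continuing, since certificate authentication will fail once the uploaded certificate expires.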

Once you have installed your Dropzone credentials, you may assign the Office 365 Exchange Online Management permissions. To do so, do the following:

  • In the left sidebar, return to the API permissions page

  • Click "Add a permission"

  • Select "APIs my organization uses"

  • Type "Office 365 Exchange Online" in the search bar

  • Click "Application permissions"

Add the following permissions:

| Permission | Purpose |
| --- | --- |
| Exchange.ManageAsApp | Read file details |

  • Once done selecting all the permissions, click "Add permissions"

  • Click "Grant admin consent for [mycompany.net]"

  • Click "Yes"

Create and Authorize Service Account

  • Open your PowerShell environment

  • Connect to Entra ID and get information about the application we configured. The value for the -AppID parameter is the "Application (Client) ID" you recorded earlier

    PowerShell 7.4.5
    
    # Connect to "AzureAD"
    PS /home/wbagg> Connect-AzureAD
    VERBOSE: Authenticating to Azure ...
    VERBOSE: Building your Azure drive ...
    Loading personal and system profiles took 8788ms.
    
    # Run the following to get the object-id of our application, replacing
    # application-id with the actual Application (Client) ID of our new app
    #
    #    PS /home/wbagg> Get-AzADServicePrincipal -AppID "<application-id>" | Select-Object DisplayName, AppId, Id | Format-List
    #
    # For example:
    PS /home/wbagg> Get-AzADServicePrincipal -AppID aaaaaaaa-1111-2222-3333-444444444444 | Select-Object DisplayName, AppId, Id | Format-List
    
    DisplayName : Dropzone AI
    AppId       : aaaaaaaa-1111-2222-3333-444444444444
    Id          : 44726f70-7a6f-6e65-5761-734865726521
    
  • Note the Id field. We refer to it as the object-spid (Service Principal ID) and use it in the next command

  • Connect to Exchange Online and create an Exchange Online Service Principal for our application

    # Connect to ExchangeOnline
    PS /home/wbagg> Connect-ExchangeOnline

    # Run the following to create the service principal, replacing
    # application-id and object-spid from the earlier values
    #
    #    PS /home/wbagg> New-ServicePrincipal -AppId "<application-id>" -ObjectId "<object-spid>" -DisplayName "Dropzone AI"
    #
    # For example:
    PS /home/wbagg> New-ServicePrincipal -AppId "aaaaaaaa-1111-2222-3333-444444444444" -ObjectId "44726f70-7a6f-6e65-5761-734865726521" -DisplayName "Dropzone AI"

    DisplayName    ObjectId                               AppId
    -----------    --------                               -----
    Dropzone AI    44726f70-7a6f-6e65-5761-734865726521   aaaaaaaa-1111-2222-3333-444444444444

  • Lastly, assign the Transport Hygiene Exchange role to our application

    # Run the following to enable the Transport Hygiene role, replacing the
    # application-id with the actual Application (Client) ID of our new app
    #
    #    PS /> New-ManagementRoleAssignment -App "<application-id>" -Role "Transport Hygiene"
    #
    PS /> New-ManagementRoleAssignment -App "aaaaaaaa-1111-2222-3333-444444444444" -Role "Transport Hygiene"

    Name                           Role                RoleAssigneeName       RoleAssigneeType   AssignmentMethod   EffectiveUserName
    ----                           ----                ----------------       ----------------   ----------------   -----------------
    Transport Hygiene-44726f70...  Transport Hygiene   ba0efd83-6465-48a...   ServicePrincipal   Direct
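
After the three steps above, it is worth checking that Exchange Online recorded the IDs you intended and that no application holds roles you did not expect. The following is an added example, not part of the Dropzone documentation; it assumes an existing `Connect-ExchangeOnline` session, and the variable names and placeholder IDs are yours to fill in.

```powershell
# Added example (not Dropzone's own code). Run after Connect-ExchangeOnline.
# Replace the placeholders with the values recorded in the earlier steps.
$AppId        = '<application-id>'   # Application (Client) ID
$ObjectId     = '<object-spid>'      # Id returned by Get-AzADServicePrincipal
$ExpectedRole = 'Transport Hygiene'

# 1. The Exchange Online service principal should carry both IDs.
$sp = Get-ServicePrincipal | Where-Object { "$($_.AppId)" -eq $AppId }
if (-not $sp) {
    throw "No Exchange Online service principal for AppId $AppId; rerun New-ServicePrincipal."
}
if ("$($sp.ObjectId)" -ne $ObjectId) {
    Write-Warning "ObjectId mismatch: Exchange has $($sp.ObjectId), expected $ObjectId"
}

# 2. List every role assignment held by a service principal and mark any
#    role other than the expected one for review (least-privilege check).
$spAssignments = Get-ManagementRoleAssignment |
    Where-Object { "$($_.RoleAssigneeType)" -eq 'ServicePrincipal' }

if (-not $spAssignments) {
    Write-Warning "No role assignments with RoleAssigneeType 'ServicePrincipal' were found."
}

$spAssignments |
    Select-Object Name, Role, RoleAssigneeName,
        @{ Name = 'Review'; Expression = { "$($_.Role)" -ne $ExpectedRole } } |
    Sort-Object Review, RoleAssigneeName |
    Format-Table -AutoSize
```

Rows with `Review` set to `True` are assignments to applications for roles other than Transport Hygiene; confirm each one is intentional and belongs to the application you expect.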

Locate Organization ID

  • In the left navigation, select Manage > Custom domain names

  • In the domain list you'll find one that ends in .onmicrosoft.com. Record this domain for use later in the Dropzone UI where it is called "Organization ID"

Granting the permissions requires running PowerShell commands. You may use whatever PowerShell environment you prefer. The PowerShell examples on this page were performed using Azure's interactive Cloud Shell. You may find some of the Microsoft Azure Documentation useful.

For example, go to https://portal.azure.com and click on the Cloud Shell icon.

Sign in to https://entra.microsoft.com as an administrator.