Changes to Exchange Online from Microsoft

Hello Everyone,

Quick note if you are currently using the Exchange Integration for SOAR.

Per Microsoft

"Today we are announcing that we will begin blocking the assignment of the ApplicationImpersonation role in Exchange Online to accounts starting in May 2024, and that in February 2025, we will completely remove this role and its feature set from Exchange Online."

So starting in May of 2024, you will be unable to assign the ApplicationImpersonation role in Microsoft Exchange Online. For details of the changes that Microsoft is making to the ApplicationImpersonation role, see Retirement of RBAC Application Impersonation in Exchange Online. We recommend that you use Microsoft Graph Mail to work with Exchange Online.

Documentation has been updated to warn of this change here

1 ACCEPTED SOLUTION

Hello Everyone,

There are a few updates we wanted to share in regard to this.

As mentioned, the Chronicle SOAR Exchange integration will be affected by this change by Microsoft. We won't be deprecating the integration, however, as the on-prem version of SOAR will not be affected.

Our recommendation is to use Microsoft Graph Mail:

  • The MS Graph Mail integration uses the Microsoft Graph API, which is the recommended way to work with O365: it is faster, new features are added to it, and it is better supported than EWS.
  • Currently, the MS Graph Mail integration supports "core" activities when working with emails (send email, receive email, search email, etc.), but it does not yet have 1:1 parity with the Exchange integration. We are working to add the remaining actions; this work will be done in stages throughout the rest of the year.
  • According to plan, the Exchange integration and the MS Graph Mail integration should have a similar set of actions, but due to the API changes there will be differences in the outputs (JSON results) returned by actions and connectors; inputs can differ as well. We are hoping to document these changes/differences.

We will continue to provide updates.

Thank you.


5 REPLIES

Good to know, thanks!

Just as a heads-up, there's a permission issue with the MicrosoftGraphMail integration in that it requires application-level permissions for Mail.Read in the common case (for most actions/connectors to work). Most customers won't accept a full grant to read all email. We've forked the integration for ourselves to use delegated permissions, using some of the GetToken action methods that the Exchange integration used, but we would prefer not to rely on this fork, as it creates maintainability issues and the upgrade path gets challenging for customers.

With this being the new standard, is there a plan for delegated permissions to be allowed? Happy to assist if a community contribution is welcome within the main Google-supported integration.

Is this fork something you are willing to share? I have run into the same issue, where we can't permit application-level permissions for reading all email. I would love to use your fork for delegated permissions and share with our current Google support rep the need for something official.

Sure thing, just reached out on LinkedIn; I can share more there, but if you are having trouble feel free to reach out to <PII removed by staff> and just put it to my attention (Svetla) with a link to this post. We added a bunch of cool features to it and haven't quite extracted just the connector, and I can't say it's 100% documented/tested or ready to be publicly shared. That said, the delegated connector auth has nice documentation, it works, and it has saved our customers once or twice! Happy to share a copy of the code if you are willing to maintain it!

Hi @citreno thank you for reaching out!

We are not planning to add delegated access to the MS Graph Mail integration at the moment, but we are working on extending the integration and updating the docs.

Can you please elaborate on why you opted for delegated access in the Graph Mail integration? Is it a permissions-only question? Did you consider using the existing integration with app-level permissions and limiting the app's access with Microsoft's RBAC for Apps?
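As an added example (this is not code from the thread, from Google, or from the Chronicle SOAR integration), the Exchange Online PowerShell below ties together the two points raised in this thread: inventorying which accounts still hold the ApplicationImpersonation role that Microsoft is retiring (original post), and then scoping an app-only Mail.Read grant to a handful of mailboxes through Exchange Online RBAC for Applications instead of accepting a tenant-wide grant (the reply above). The application ID, service principal object ID, display name, mailbox addresses and the CustomAttribute1 filter are placeholders, not values from the thread.

```powershell
# Added example: move a SOAR mail app off ApplicationImpersonation (EWS) and onto a
# scoped Exchange Online "RBAC for Applications" assignment for Microsoft Graph.
# Assumes the ExchangeOnlineManagement module (v3.x) and an Exchange administrator.
# Every ID, name, address and filter below is a placeholder, not a value from the thread.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Inventory: who still holds ApplicationImpersonation? Each of these assignments
#    stops working when Microsoft removes the role, so each is a migration item.
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' |
    Select-Object Name, RoleAssigneeName, RoleAssigneeType, CustomRecipientWriteScope |
    Format-Table -AutoSize

# 2. Make the Entra app known to Exchange. AppId is the application (client) ID;
#    ObjectId is the *service principal's* object ID (Enterprise applications blade),
#    not the app registration's object ID. Placeholders:
$appId   = '00000000-0000-0000-0000-000000000001'
$spObjId = '00000000-0000-0000-0000-000000000002'
$sp = Get-ServicePrincipal -Identity $spObjId -ErrorAction SilentlyContinue
if (-not $sp) {
    $sp = New-ServicePrincipal -AppId $appId -ObjectId $spObjId -DisplayName 'SOAR Graph Mail'
}

# 3. Define the mailboxes SOAR actually needs (e.g. the phishing-report mailbox).
#    Mailboxes are tagged beforehand with:
#      Set-Mailbox phish-reports@contoso.example -CustomAttribute1 'SOAR'
$scopeName = 'SOAR Monitored Mailboxes'
if (-not (Get-ManagementScope -Identity $scopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $scopeName -RecipientRestrictionFilter "CustomAttribute1 -eq 'SOAR'"
}

# 4. Grant the app-only role inside that scope only. 'Application Mail.Read' is the
#    Exchange RBAC role that mirrors the Graph Mail.Read application permission.
New-ManagementRoleAssignment -App $sp.ObjectId -Role 'Application Mail.Read' `
    -CustomResourceScope $scopeName

# 5. Verify the boundary: the tagged mailbox should be in scope, an untagged one not.
Test-ServicePrincipalAuthorization -Identity $sp.ObjectId -Resource 'phish-reports@contoso.example'
Test-ServicePrincipalAuthorization -Identity $sp.ObjectId -Resource 'ceo@contoso.example'
```

Two caveats for anyone trying this: the scope is only meaningful if the tenant-wide Mail.Read application permission consented in Entra ID is removed afterwards, since that consent on its own still grants every mailbox; and the older Graph-specific mechanism, an application access policy created with New-ApplicationAccessPolicy against a mail-enabled security group, achieves a similar restriction if RBAC for Applications is not yet available in your tenant.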
