AutoStore Office 365 Permissions Overview
Question:
What Permissions are needed in which Scenario?
Here are some scenarios and required permission in AutoStore:
If one of the scenarios below is configured (Delegation Mode only), the authorization process in Token Vault raises an additional approval request. A user with admin rights can approve it directly; otherwise an email is sent to the admin, who performs the approval. The approved rights are then listed on the application under "Other Permissions granted for Company XY". Which rights have to be set is defined by Microsoft through the MS Graph APIs.
Note: It is not mandatory to create separate apps in Azure; the same app can be used for multiple applications. What matters is that the appropriate permissions are assigned. Permissions can also be removed "on the fly", but this requires admin rights in Azure. If too many rights are removed, errors appear in Token Vault during the Authorize process or in AutoStore at runtime.
Recommendation: Start with more rights than needed and then remove them step by step. You can validate the rights through the "Authorize" process in Token Vault and by letting the AutoStore service run. The precondition is that the configuration is running and functional.
An "Access is Denied" error message almost always means that one of the mentioned permissions is not set. In many cases "Grant Admin Consent" must be given on the permissions.
For the approval process, it is advisable to always open the browser in an Incognito window. This prevents automatic SSO sign-ins and ensures that the user who is to be authorized is actually the one used.
Possible scenarios:
For scenarios 2 & 4 there is also the possibility to map everything in Delegation Mode. To do this, you have to assign rights in Azure to the user or the mailbox: Send As, Send on Behalf, and Read and Manage ("Full Access"). Mailbox delegation must be enabled.
1. IMAP Capture + Microsoft Office 365 Mail Send (Mail recipient in IMAP is also mail sender in MS Office Send 365)
Email is to be retrieved via IMAP and sent in the same workflow with Microsoft Office 365 Mail Send and the same user. What permissions need to be set?
Configured Permissions IMAP:
Delegation Mode: IMAP.AccessAsUser.All (Read and write access to mailboxes via IMAP)
Configured Permissions Microsoft Office 365 Mail Send:
Delegation Mode: Mail.Send (Send mail as a user)
Delegation Mode: Mail.Readwrite (Read and write access to user mail)
The following rights are then added by the app approval process (Other Permissions granted for "Company name"):
Delegated: email (View users' email address)
Delegated: EWS.AccessAsUser.All (Access mailboxes as the signed-in user via Exchange Web Services)
Delegated: offline_access (Maintain access to data you have given it access to)
Delegated: openid (Sign users in)
Delegated: POP.AccessAsUser.All (Read and write access to mailboxes via POP.)
Delegated: SMTP.Send (Send emails from mailboxes using SMTP AUTH)
2. IMAP Capture + Microsoft Office 365 Mail Send (Mail recipient in IMAP is not the user who will send the email in MS Office Send 365)
Email should be retrieved via IMAP and sent in the same workflow with Microsoft Office 365 Mail Send and another user. What permissions need to be set?
Configured Permissions IMAP:
Delegation Mode: IMAP.AccessAsUser.All (Read and write access to mailboxes via IMAP)
Configured Permissions Microsoft Office 365 Mail Send:
Application mode: Mail.Send (Send mail as any user)
Application mode: Mail.Readwrite (Read and write mail in all mailboxes)
The following rights are then added by the app approval process (Other Permissions granted for "Company name"):
Delegated: email (View users' email address)
Delegated: EWS.AccessAsUser.All (Access mailboxes as the signed-in user via Exchange Web Services)
Delegated: offline_access (Maintain access to data you have given it access to)
Delegated: openid (Sign users in)
Delegated: POP.AccessAsUser.All (Read and write access to mailboxes via POP.)
Delegated: SMTP.Send (Send emails from mailboxes using SMTP AUTH)
3. POP3 Capture + Microsoft Office 365 Mail Send (Mail recipient in POP3 is also mail sender in MS Office Send 365)
Email is to be retrieved via POP3 and sent in the same workflow with Microsoft Office 365 Mail Send and the same user. What permissions need to be set?
Configured Permissions POP3:
Delegation Mode: POP.AccessAsUser.All (Read and write access to mailboxes via POP)
Configured Permissions Microsoft Office 365 Mail Send:
Delegation Mode: Mail.Send (Send mail as a user)
Delegation Mode: Mail.Readwrite (Read and write access to user mail)
The following rights are then added by the app approval process (Other Permissions granted for "Company name"):
Delegated: email (View users' email address)
Delegated: EWS.AccessAsUser.All (Access mailboxes as the signed-in user via Exchange Web Services)
Delegated: offline_access (Maintain access to data you have given it access to)
Delegated: openid (Sign users in)
Delegated: POP.AccessAsUser.All (Read and write access to mailboxes via POP.)
Delegated: SMTP.Send (Send emails from mailboxes using SMTP AUTH)
4. POP3 Capture + Microsoft Office 365 Mail Send (Mail recipient in POP3 is not the user who should send the e-mail in MS Office Send 365)
Email should be retrieved via POP3 and sent in the same workflow with Microsoft Office 365 Mail Send and another user. Which permissions have to be set?
Configured Permissions POP3:
Delegation Mode: POP.AccessAsUser.All (Read and write access to mailboxes via POP)
Configured Permissions Microsoft Office 365 Mail Send:
Application Mode: Mail.Send (Send mail as a user)
Application Mode: Mail.Readwrite (Read and write access to user mail)
The following rights are then added by the app approval process (Other Permissions granted for "Company name"):
Delegated: email (View users' email address)
Delegated: EWS.AccessAsUser.All (Access mailboxes as the signed-in user via Exchange Web Services)
Delegated: offline_access (Maintain access to data you have given it access to)
Delegated: openid (Sign users in)
Delegated: POP.AccessAsUser.All (Read and write access to mailboxes via POP.)
Delegated: SMTP.Send (Send emails from mailboxes using SMTP AUTH)
5. Printer or file capture or files from Knowledge Package Loader + Microsoft Office 365 Mail Send
A file is captured via MultiPoll, AutoCapture or an MFD and is later sent via Microsoft Office 365 Mail Send. This can also be done without Token Vault. To do this, you must select Application Mode in the Microsoft Office 365 Mail Send component in AutoStore.
Configured Permissions Microsoft Office 365 Mail Send: (Without Token Vault)
Application mode: Mail.Send (Send mail as any user)
Application mode: Mail.Readwrite (Read and write mail in all mailboxes)
Configured Permissions Microsoft Office 365 Mail Send: (With Token Vault)
Delegation Mode: Mail.Send (Send mail as a user)
Delegation Mode: Mail.Readwrite (Read and write access to user mail)
The following rights are then added by the app approval process (Other Permissions granted for "Company name"):
Delegated: email (View users' email address)
Delegated: EWS.AccessAsUser.All (Access mailboxes as the signed-in user via Exchange Web Services)
Delegated: offline_access (Maintain access to data you have given it access to)
Delegated: openid (Sign users in)
Delegated: POP.AccessAsUser.All (Read and write access to mailboxes via POP.)
Delegated: SMTP.Send (Send emails from mailboxes using SMTP AUTH)
6. Printer or file Capture or files from Knowledge Package Loader + Send to OneDrive
A file is picked up via MultiPoll, AutoCapture or an MFD and is later stored in OneDrive via the OneDrive component. This can also be done without Token Vault. To do this, you must select Application Mode in the OneDrive component in AutoStore.
Configured Permissions OneDrive: (With Token Vault)
Application mode: Files.ReadWrite.All (Read and write files in all site collections)
Configured Permissions OneDrive: (Without Token Vault)
Delegation Mode: Files.ReadWrite.All (Have full access to all files user can access)
The following rights are then added by the app approval process (Other Permissions granted for "Company name"):
Delegated: User.Read (Sign in and read user profile)
7. Permissions required to setup Azure or Azure & on-Premises in Token Vault
To allow Azure Active Directory users to log in to Token Vault, an application must be created in Azure and this application must be configured in Token Vault.
Configured Permissions: (more information is part of the Token Vault Installation guide)
Delegation Mode: User.ReadBasic.All (Read all users' basic profiles)
Delegation Mode: Group.Read.All (Read all groups)
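The recommendation above is to start with more rights than needed, validate through the Authorize process, and then remove rights step by step; an "Access is Denied" error almost always points at a permission that is missing or lacks admin consent. The following is an added example (not code from the article or from the AutoStore, Token Vault or Kofax products) that does the comparison offline: it takes the permissions actually granted to an app, in the shape Microsoft Graph returns for oauth2PermissionGrants (delegated scopes, including the consentType field) and appRoleAssignments (application roles), and checks them against the permission lists of scenarios 1 to 7 above. The scenario table is transcribed from the article; the appRoleId GUIDs, service principal ids and the sample grant are constructed for the example and are not real tenant values.

```python
"""Least-privilege check for the Entra ID app used by AutoStore / Token Vault.

Added example: compares granted permissions (Graph oauth2PermissionGrants and
appRoleAssignments) with the scenario lists in the article. Missing entries
are the usual cause of "Access is Denied"; excess entries are candidates for
the step-by-step removal the article recommends.
"""
from dataclasses import dataclass

# Permissions per scenario, transcribed from the article. Spelling follows
# Microsoft Graph ("Mail.ReadWrite"); the article writes "Mail.Readwrite".
SCENARIOS = {
    "1_imap_send_same_user": {
        "delegated": {"IMAP.AccessAsUser.All", "Mail.Send", "Mail.ReadWrite"},
        "application": set()},
    "2_imap_send_other_user": {
        "delegated": {"IMAP.AccessAsUser.All"},
        "application": {"Mail.Send", "Mail.ReadWrite"}},
    "3_pop3_send_same_user": {
        "delegated": {"POP.AccessAsUser.All", "Mail.Send", "Mail.ReadWrite"},
        "application": set()},
    "4_pop3_send_other_user": {
        "delegated": {"POP.AccessAsUser.All"},
        "application": {"Mail.Send", "Mail.ReadWrite"}},
    "5_file_send_application_mode": {
        "delegated": set(), "application": {"Mail.Send", "Mail.ReadWrite"}},
    "5_file_send_delegation_mode": {
        "delegated": {"Mail.Send", "Mail.ReadWrite"}, "application": set()},
    "6_onedrive_application_mode": {
        "delegated": set(), "application": {"Files.ReadWrite.All"}},
    "6_onedrive_delegation_mode": {
        "delegated": {"Files.ReadWrite.All"}, "application": set()},
    "7_token_vault_login": {
        "delegated": {"User.ReadBasic.All", "Group.Read.All"}, "application": set()},
}

# Delegated scopes the article says the approval process adds on its own
# ("Other Permissions granted for ..."). Reported separately, never as excess.
ADDED_BY_APPROVAL = {"openid", "offline_access", "email", "User.Read",
                     "EWS.AccessAsUser.All", "POP.AccessAsUser.All", "SMTP.Send"}

# appRoleAssignments carry only a role GUID; resolving it needs the resource
# service principal's appRoles list. CONSTRUCTED placeholder GUIDs for this
# example; in a tenant, read them from the Microsoft Graph service principal.
APP_ROLE_NAMES = {
    "00000000-aaaa-0000-0000-000000000001": "Mail.Send",
    "00000000-aaaa-0000-0000-000000000002": "Mail.ReadWrite",
    "00000000-aaaa-0000-0000-000000000003": "Files.ReadWrite.All",
}


@dataclass
class Findings:
    scenario: str
    admin_consent: bool        # any grant with consentType "AllPrincipals"
    missing_delegated: set
    missing_application: set
    excess_delegated: set
    excess_application: set
    approval_added: set        # present only because of the approval process

    @property
    def ok(self) -> bool:
        return not (self.missing_delegated or self.missing_application)


def audit(scenario: str, grants: list, role_assignments: list) -> Findings:
    """Compare granted permissions with the article's list for `scenario`."""
    required = SCENARIOS[scenario]
    granted_delegated, admin_consent = set(), False
    for grant in grants:
        # Graph returns one grant's delegated scopes as a space-separated string.
        granted_delegated.update(grant["scope"].split())
        # "AllPrincipals" = tenant-wide admin consent, "Principal" = one user's consent.
        if grant["consentType"] == "AllPrincipals":
            admin_consent = True
    granted_application = {
        APP_ROLE_NAMES.get(a["appRoleId"], "unresolved:" + a["appRoleId"])
        for a in role_assignments}
    return Findings(
        scenario=scenario,
        admin_consent=admin_consent,
        missing_delegated=required["delegated"] - granted_delegated,
        missing_application=required["application"] - granted_application,
        excess_delegated=granted_delegated - required["delegated"] - ADDED_BY_APPROVAL,
        excess_application=granted_application - required["application"],
        approval_added=(granted_delegated & ADDED_BY_APPROVAL) - required["delegated"],
    )


def report(f: Findings) -> list:
    """Plain-text lines for the findings, phrased like the article's hints."""
    lines = [f"Scenario {f.scenario}: {'OK' if f.ok else 'INCOMPLETE'}"]
    for name in sorted(f.missing_delegated | f.missing_application):
        lines.append(f"  missing permission: {name} (expect 'Access is Denied')")
    for name in sorted(f.excess_delegated | f.excess_application):
        lines.append(f"  not needed for this scenario, candidate for removal: {name}")
    if not f.admin_consent:
        lines.append("  no tenant-wide admin consent recorded; Grant Admin Consent may be required")
    return lines


# CONSTRUCTED sample of what Graph returns for one app: a single user consented
# ("Principal") and only the Mail.Send application role is assigned.
SAMPLE_GRANTS = [{
    "clientId": "sp-id-of-autostore-app", "consentType": "Principal",
    "principalId": "object-id-of-scan-user", "resourceId": "sp-id-of-microsoft-graph",
    "scope": "openid offline_access email IMAP.AccessAsUser.All Mail.Send "
             "POP.AccessAsUser.All SMTP.Send"}]
SAMPLE_ROLE_ASSIGNMENTS = [{
    "appRoleId": "00000000-aaaa-0000-0000-000000000001",
    "principalId": "sp-id-of-autostore-app", "resourceId": "sp-id-of-microsoft-graph",
    "resourceDisplayName": "Microsoft Graph"}]

if __name__ == "__main__":
    print("\n".join(report(audit("2_imap_send_other_user", SAMPLE_GRANTS, SAMPLE_ROLE_ASSIGNMENTS))))
```

Run against the constructed sample for scenario 2, the check reports the Mail.ReadWrite application role as missing, the delegated Mail.Send scope as not needed (scenario 2 sends in Application Mode), and the lack of tenant-wide admin consent. Feeding the same grants to scenario 1 instead flips the result: delegated Mail.ReadWrite is missing and the Mail.Send application role becomes the excess entry, which is the kind of mode mix-up the scenario tables above are meant to prevent.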
8. Important Note: Shared Mailboxes
If shared mailboxes are used, they require a password. This is also possible without an additional license. In this scenario, you need to use the shared mailbox address in Token Vault, i.e. "Sign in with Microsoft", and perform the Authorize process with the shared mailbox. If ADFS is active, the Office 365 address must also always be used. In many cases it is not possible to link an on-premises user account with a shared mailbox account.
According to the Microsoft recommendations, a shared mailbox is not designed for direct logon. However, a shared mailbox can have a password and login enabled without a license.
Go to admin.microsoft.com => Users => Active Users => select the Shared Mailbox => Reset password. After this, you can log in with the username/password.
Please note that to access a shared mailbox, a user must have an Exchange Online license, but the shared mailbox itself doesn't require a separate license. Without a license, shared mailboxes are limited to 50 GB. To increase the size limit to 100 GB, the shared mailbox must be assigned an Exchange Online Plan 2 license. If an Exchange Online Plan 1 license with an Exchange Online Archiving add-on license is assigned, you can enable auto-expanding archiving for additional archive storage capacity. Similarly, if you want to place a shared mailbox on litigation hold, the shared mailbox must have an Exchange Online Plan 2 license or an Exchange Online Plan 1 license with an Exchange Online Archiving add-on license.
9. Links
- Video Tutorial: Token Vault Installation Tutorial.mp4
- Video Tutorial: AutoStore IMAP Token Vault Configuration Tutorial.mp4
- Video Tutorial: AutoStore SendToOffice 365 Token Vault Configuration Tutorial.mp4
- Online Help: https://docshield.kofax.com/
- Azure Portal: https://portal.azure.com/
Approval process permissions example:
Applies to:
Product | Version
--- | ---
Control Suite | 1.3 or higher
Token Vault | 3.6 or higher