Contents:
- Multi-Factor Authentication.
- Create the Microsoft 365 Graph OAuth connection on Riva Cloud.
- How to limit specific Mailbox and User access when using "Application Permissions".
- List of Microsoft Exchange Online Application Scopes requested.
Multi-Factor Authentication (MFA)
If your company requires Multi-Factor Authentication for the Riva connection account to Office 365, then you will be required to validate the account via the MFA mechanism (phone token or email address) when creating the connection.
Alternatively, you could submit a request to your Exchange/Azure administrator to exclude your service account from requiring MFA.
Create the Graph OAuth Connection on Riva Cloud
To create the Graph OAuth connection:
- Log in to https://www.rivacloud.com. (Detailed instructions to log in or sign in)
- On the Get Started page, select Configure your email. (Another way of accessing the page to configure the email is to click the dropdown beside the Synchronization category in the side navigation menu and then select Connections.)
- Select the Office 365 Graph Connection logo.
- On the Connection page that appears, input the administrator email and select Connect.
- In one or more Microsoft windows that appear, enter the information required to access the desired Office 365 account. You will be required to log in with an Admin account to approve the application and permissions. Note that Riva does not store any admin passwords.
  Note: The required information may include Multi-Factor Authentication (MFA).
- If you see the Permissions requested page, select Accept.
- If the connection setup is successful, select OK.
Result: The Office 365 Graph OAuth connection is added to your Riva Cloud account.
How to limit specific Mailbox and User access when using "Application Permissions"
When using "Application Scoped" permissions, there is a common concern that the application itself will have access to all mailboxes.
There are controls specific to Exchange Online resources that do not apply to other Microsoft Graph workloads.
For the specific Exchange Online scopes (including MailboxSettings.*, Mail.*, Calendar.*, Contact.*, and Task.*), it is possible to limit the "Application Scoped" permission to specific users and mailboxes by using the "Exchange Application Access Policy."
Details on how to use the Exchange Online Application Access Policy: https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access
Refer to this Riva article for more specific details: https://support.rivasync.com/hc/en-us/articles/23568389010452-Microsoft-Graph-Limiting-Azure-Application-Scope-Permissions-to-Specific-Exchange-Online-Mailboxes
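The following Exchange Online PowerShell session is an added example, not part of the Riva article or Riva's own tooling. It shows how an Exchange administrator creates the Application Access Policy described above and verifies it against one in-scope and one out-of-scope mailbox. The application (client) ID, the mail-enabled security group address, and the two mailbox addresses are placeholders that you replace with your own values.

```powershell
# Added example (not from the Riva article): restrict the connector's Exchange
# Online application permissions to the members of one mail-enabled security
# group with an Application Access Policy.
#
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account holds an Exchange administrator role.
Connect-ExchangeOnline

# Placeholders (assumptions): the Application (client) ID of the Azure app
# registration created for Riva, and a mail-enabled security group that
# contains only the mailboxes the connector is allowed to touch.
$AppId     = "00000000-0000-0000-0000-000000000000"   # placeholder: app (client) ID
$GroupMail = "riva-sync-mailboxes@example.com"         # placeholder: mail-enabled security group

# Create the policy. With RestrictAccess, the app can reach only mailboxes that
# are members of the group; every other mailbox is denied for the Exchange
# scopes (Mail.*, MailboxSettings.*, Calendars.*, Contacts.*).
New-ApplicationAccessPolicy -AccessRight RestrictAccess `
    -AppId $AppId `
    -PolicyScopeGroupId $GroupMail `
    -Description "Limit the sync connector to the mailboxes it synchronizes"

# Verify the effective result before relying on the policy. The policy can take
# up to 30 minutes to apply, so re-run the checks if the first result is stale.
# Expected AccessCheckResult: Granted for the group member, Denied for the other.
Test-ApplicationAccessPolicy -Identity "alice@example.com" -AppId $AppId   # placeholder: group member
Test-ApplicationAccessPolicy -Identity "bob@example.com"   -AppId $AppId   # placeholder: not a member

# Review every policy currently applied to this app.
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
```

The policy only governs the Exchange Online resource scopes; directory permissions such as User.Read.All and GroupMember.Read.All are not affected by it, which is why the article notes that these controls do not apply to other Microsoft Graph workloads.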
List of Microsoft Exchange Online Application Scopes requested
Below is a list of default Riva Cloud requested application scopes and a description of their purposes.
Note: For Riva Cloud customers looking to adjust and limit scope access, please contact the Riva technical support team for guidance.
| Permission | Permission Type | Description |
|---|---|---|
| User.Read.All | Application | To look up email addresses of Microsoft mailboxes. |
| User.Read | Delegated | Sign in and read the user profile. Part of the Azure App registration process. |
| Calendar.ReadWrite | Application | Used to synchronize calendar items; depending on requirements, can be limited to Calendar.Read. |
| Mail.ReadWrite | Application | Used to synchronize email items; depending on requirements, can be limited to Mail.Read. |
| Mail.Send | Application | Send mail as the user. |
| MailboxSettings.ReadWrite | Application | Read and write mailbox settings including Categories, Time Zone, and Work Hours. |
| Contacts.ReadWrite | Application | Used to synchronize contact items; depending on requirements, can be limited to Contacts.Read. |
| GroupMember.Read.All | Application | Expanding distribution lists to receive their members, and for the "User Gathering" process, which reads group memberships. |
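To confirm which application permissions the app registration actually holds, rather than which ones the table says are requested, an administrator can read the app role assignments on the app's service principal. The script below is an added example using the Microsoft Graph PowerShell SDK; it is not part of the Riva article. The application (client) ID is a placeholder; the Microsoft Graph resource appId used in the filter is the well-known value for the Microsoft Graph service principal.

```powershell
# Added example (not from the Riva article): list the Microsoft Graph
# application permissions granted to the connector's app registration so they
# can be compared with the scopes in the table above.
#
# Assumes the Microsoft.Graph module is installed; Application.Read.All is
# enough to read service principals and their app role assignments.
Connect-MgGraph -Scopes "Application.Read.All"

$AppId = "00000000-0000-0000-0000-000000000000"   # placeholder: app (client) ID

# The Microsoft Graph resource service principal (well-known appId) carries the
# catalogue of app roles; assignments reference roles by ID, not by name.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$appSp   = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $appSp) { throw "No service principal found for appId $AppId" }

# Resolve each granted app role ID to its permission value (e.g. Mail.ReadWrite).
$granted = foreach ($a in (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id)) {
    if ($a.ResourceId -ne $graphSp.Id) { continue }   # skip grants on resources other than Graph
    $role = $graphSp.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    [pscustomobject]@{
        Permission  = $role.Value
        Description = $role.DisplayName
    }
}

# Anything here that is not in the article's table is extra surface worth a
# review; a ReadWrite grant where Read would do is a candidate for reduction.
$granted | Sort-Object Permission | Format-Table -AutoSize
```

Delegated permissions such as User.Read are recorded as OAuth2 permission grants rather than app role assignments, so they do not appear in this output.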