Register an Office 365 Application for Token Vault - Exchange
To register an Exchange Online connector for Token Vault, you need to specify certain properties of an Azure Active Directory application: the Application (client) ID, the Client secret and the Redirect URI.
This topic describes the first configuration task in the process of setting up an Exchange connector to use modern authentication.
Perform this task at the Azure Active Directory admin center.
Register an Application for Token Vault on the Azure Active Directory admin center
- Navigate to https://aad.portal.azure.com
- Log in with an existing Office 365 account and select Azure Active Directory in the left navigation pane.
- In the left navigation pane, select App registrations.
- The App registrations page opens. Click the New registration button to register a new application.
- The Register an application page opens. Fill out the application’s registration information to match your Token Vault configuration:
- Specify a meaningful Name for the application.
- Choose Accounts in any organization directory (Any Azure AD directory - Multitenant) under Supported account types.
- Choose Web type for Redirect URI (optional) and enter your Token Vault configuration in the following format ‘https://<FQDN>:<port>/callback’ where
- FQDN is the Fully Qualified Domain Name of the Token Vault machine and
- port is the value of the HttpsPort setting in the Token Vault appsettings.json configuration file when HTTPS is used.
E.g. https://tokenvaultmachine.testdomain.com:8381/callback.
This URI must be the same as the Redirect URI displayed by Token Vault on the connector registration page (see also the Registering an Office 365 connector chapter).
- If you have multiple Token Vault deployments on different machines, the same application on the Azure Active Directory admin center can be used for all of them. In this case, the Redirect URI of each Token Vault deployment, taken from its own configuration and written in the format described above, must be added as an additional Redirect URI to the application on the Azure Active Directory admin center portal.
- Click Register. The new application is created with the specified name and a generated Application (client) ID, but the application does not have any certificate or secret yet.
- In the App registrations page, open the Owned applications tab.
- Click the application name (in this example Kofax Token Vault) to open the application configuration page and copy the Application (client) ID for later use. This application property is required for registering an Office 365 connector (such as the Exchange Online connector) on the Token Vault admin website.
- Select Certificates & secrets in the menu on the left. In the panel on the right, click the New client secret button to generate a new client secret for the application.
- Specify a Description and select Never as the Expires option.
- Click the Add button.
- Copy the newly generated client secret value for later use. This is another required application property for registering an Office 365 connector such as the Exchange Online connector on the Token Vault admin website.
Important: You can ONLY copy the client secret at this point in the workflow. After you leave this page you are not able to retrieve it. If you leave this page without copying the client secret, you must repeat the corresponding steps above and create a new one.
- Select API permissions in the menu on the left. Click the Add a permission button to configure permissions for the application.
- Locate Exchange in the panel on the right, under the Supported legacy APIs group.
- Click the Exchange button.
- The Request API Permissions page is shown.
- Select Delegated permissions.
- Locate the EWS permission group, select the checkbox labeled EWS.AccessAsUser.All and click the Add permissions button. The Token Vault application now has permission to access Exchange Online.
- Select Overview on the left to verify that the Token Vault application has a current secret in the Certificates & secrets column.
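The Redirect URI step above requires an exact match between each Token Vault deployment's configuration and the URIs registered on the application. The following added example (not part of the original documentation or of Token Vault) derives the expected URI for each deployment and compares the set with the registered list; the second host name, the layout of the sample appsettings.json content and the registered list are constructed, and the position of HttpsPort inside the file is not assumed, so the code searches for the key.

```python
import json


def find_https_port(node):
    """Return the first 'HttpsPort' value found anywhere in parsed JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "HttpsPort":
                return int(value)
            found = find_https_port(value)
            if found is not None:
                return found
    elif isinstance(node, list):
        for item in node:
            found = find_https_port(item)
            if found is not None:
                return found
    return None


def expected_redirect_uri(fqdn, appsettings_text):
    """Build https://<FQDN>:<port>/callback from a deployment's settings."""
    if "." not in fqdn:
        raise ValueError(f"{fqdn!r} is not a fully qualified domain name")
    port = find_https_port(json.loads(appsettings_text))
    if port is None:
        raise ValueError(f"no HttpsPort setting found for {fqdn}")
    return f"https://{fqdn}:{port}/callback"


def audit_redirect_uris(deployments, registered):
    """Compare expected URIs with those registered on the application."""
    expected = {expected_redirect_uri(f, t) for f, t in deployments.items()}
    return {
        # Deployments whose sign-in callback would be rejected.
        "missing": sorted(expected - set(registered)),
        # Registered URIs no deployment uses: stale entries to remove.
        "unexpected": sorted(set(registered) - expected),
    }


# Constructed sample data: FQDN -> contents of that machine's appsettings.json.
DEPLOYMENTS = {
    "tokenvaultmachine.testdomain.com": '{"HttpsPort": 8381}',
    "tokenvault2.testdomain.com": '{"Hosting": {"HttpsPort": "8443"}}',
}
# Constructed list of Redirect URIs as entered on the app registration.
REGISTERED = [
    "https://tokenvaultmachine.testdomain.com:8381/callback",
    "https://tokenvault2.testdomain.com:8381/callback",
]
```

With the sample data, the second deployment is reported as missing because its registered URI carries the wrong port, and that mistyped entry is reported as unexpected.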