Configure certificate-based authentication to Office 365 for StoreLog

Please follow these steps to create the Promodag StoreLog Application, the certificate, register them in Microsoft Entra ID and create a dedicated role group in Exchange Admin Center:

Prerequisites

  1. The computer’s operating system version must be greater than or equal to Windows 10/Windows Server 2016.
  2. Microsoft PowerShell 7 or higher is required.
  3. The ExchangeOnlineManagement and Microsoft.Graph PowerShell modules should be installed on the computer. It they are not, please proceed with these steps:
  • Click  and search for PowerShell PowerShell 7 and run it as administrator.
  • Install the ExchangeOnlineManagement module: 
install-Module ExchangeOnlineManagement -Scope AllUsers
  • Install the Microsoft.Graph module:
 install-Module Microsoft.Graph -Scope AllUsers

These steps will enable you to create a self-signed certificate, an application in Microsoft Entra ID to access your tenant, and a role group in Exchange Admin Center.

  • The script is delivered by default in the C:\Users\Public\Documents\Promodag\StoreLog\ directory but you can use it from a different location.
Locate the script to configure cert-based authentication for StoreLog
  • Run the script: ./CreateStorelogRBACApp.ps1
  • Enter certificate password at prompt and write it down.
Run CreateStoreLogRBACApp script
  • The script will proceed, and you will be prompted to sign-in to Office 365 to create the role group and grant it the relevant permissions. Use a Global Administrator account.
  • A certificate valid for two years has now been created in the script directory with the name " StoreLogRBACAppCertificate.pfx". The application has been created in Microsoft Entra ID with the name "Promodag StoreLog RBAC Application", a role group with the name “Promodag StoreLog RBAC Role Group” has been created in Exchange Admin Center, a service principal object has been created for this new application and it has been added as a member of this new role group.
  • The script displays the summary information to be used in StoreLog: Application ID and certificate path, plus a link (Authorization URL) to connect to Microsoft Entra ID and authorize the newly created application. This information is then saved into a file in the current directory.

Authorize this new application in Microsoft Entra ID

Grant admin consent

  • Paste the URL displayed in a web browser to connect to Microsoft Entra ID. Sign in using a Global Administrator account. The Promodag StoreLog RBAC Application | API permissions page opens.
  • Click Grant admin consent for <name of your Office 365 tenant>.
  • Review the permissions granted to the application.

 

Review Permissions in Entra ID

Apply these settings in StoreLog

Finally, enter the Application Id, path to the certificate file, certificate password in the application.

Apply certificate-based authentication settings in StoreLog

Optional: You can delete the self-signed certificate and use your own if you prefer. See How to renew your certificate (the principle is the same for both Promodag Reports and StoreLog).

 

Comprehensive Exchange reporting made simple for Office 365, On-Premise, and Hybrid environments

Start your free 45-day trial of Promodag Reports

Begin Your Free Trial