Documentation forAccess Rights Manager

Configure Exchange resources

Select Scans from the home page of the configuration application.


Add an Exchange resource

Click Exchange.


  1. Enter the account information for the account that should be used to execute the Exchange scan. The credentials from the basic configuration will be suggested automatically. We recommend using a service account. Required permissions can be found in the system requirements in the section Service account permissions.
  2. Select the Exchange Server. All DAGs* or servers that are contained in the current Active Directory site will be listed. Enter the desired server into the search field (this is possible even when it is not listed).
  3. Assign a collector.


Special considerations for Exchange Online:

  • The credentials displayed here are not relevant for Exchange Online. They must be adjusted later in the scan configuration.
  • Exchange Online is always shown.
  • For Exchange Online the collector requires internet access.


* ARM can connect to DAG servers (Database Availability Groups) and execute scans on them. You are able to select the DAG server directly in the scan configuration. Please note that you have to adjust the settings described in the section Preparing the PowerShell Website on every involved DAG Exchange server. The decision, which server the collector establishes a connection with is made by the DAG during the initial connection build up. This means that successive scans may take place on different servers.

Since IP less DAGs (from Exchange 2016 Default Setting, optional in Exchange 2013) do not have an Administrative Access Point (AAP), the Exchange server cannot be managed via this DAG. In this case, specify an Exchange server directly or use the load balancing namespace.


Customize an Exchange configuration

  1. Start/cancel an Exchange Scan.
  2. Schedule regular scans.
  3. Change the name of the configuration.

The typical scan speed is around 10 elements per second.


  1. Change the Exchange Server that you want to scan.
  2. Change the credentials that are used to execute the scan. We recommend using a service account. Required permissions can be found in the system requirements in the section Service account permissions.

Please note that the user name for Exchange Online must be entered in e-mail format, e.g.

  1. Switch the collector server. Please note that the collector server requires internet access when using Exchange Online.


Define the range of the scan.

All the links lead to the following dialog:

If you select only a subset of folders for readable public folders, then no statistical data will be available.

Administrative permissions to public folders are not available (since Exchange 2013).

A filter is applied to the mailbox property "RecipientTypeDetails", to select the mailbox type.


You can determine if substitution rules and mailbox folders are read.

Please note that Exchange Web Services - Impersonation is used.


Determine the range in which mailbox details are read with Exchange Web Service (EWS).

The selection of mailbox type is independent for scans with PowerShell and EWS. This means that you can determine which mailbox types are scanned and for which mailbox types the mailbox folders are scanned.


Click one of the links to configure the connections settings for the Exchange scan.


The following settings must match those of the IIS-website. These are described in the section Preparation of the PowerShell website.

  1. Enter the name of the Exchange PowerShell website. In standard settings this is "PowerShell".
  2. Select an authentication mechanism. For Exchange Online select "Basic".


  1. In some cases the client access server is not reachable via the fully qualified computer name. In this scenario, deactivate this option. Please note the preview.
  2. Select if an encrypted connection should be used. This setting must match those of the PowerShell website.