Documentation forAccess Rights Manager

Configure Exchange resources


General steps

Select Scans from the home page of the configuration application.


Click Exchange.


Add an Exchange Online resource

To successfully add an Exchange Online resource to ARM, you must have completed the preparation (app registration) as described in the chapter "Prepare Exchange resources".

Please note that Exchange Online requires a specific app registration. You can not use the credentials from the app registration for Azure AD, Teams, and OneDrive or SharePoint Online.


  1. The credentials displayed here are not used for accessing Exchange Online. You specify the access information for Exchange Online in a subsequent step.
  2. Select Exchange Online. Exchange Online is always shown.
  3. Select one or more collectors. The scan is always executed via one collector only. If you have selected more than one collector, ARM automatically decides via which collector the scan will be executed based on the CPU and RAM utilization. The collector servers must have internet access.


  1. Newly added resource configurations are always displayed at the bottom.

  2. Click the link to specify the credentials to access Exchange Online.


To access Exchange Online, you can use either a registered app (recommended) or a service account. See chapter "Prepare Exchange resources".

  1. Specify the app ID for access via registered app or the user name of the service account in email format, for example "".

  2. Specify the thumbprint for access via registered app or the service account password.

  3. For access via registered app, specify the organization (see next section). For access via a service account, this field has no meaning and you can leave it blank.


Identify the organization for access to Exchange Online via registered app

  1. Log in as an administrator at

  2. Click Azure Active Directory > Custom domain names.

You will see a list of available domain names that you can enter as organization. Recommended: Use the domain name ending with "", for example, "".


Add an Exchange on-premise resource

  1. Enter the credentials for the account that should be used to execute the Exchange scan. The credentials from the basic configuration are preset. We recommend using a service account. Required permissions can be found in the system requirements in the section Service account permissions.
    The credentials are used to search for Exchange servers in Active Directory to list them below.
  2. Filter the list of results. You can also specify an Exchange server that is not listed. Confirm your entry with the ENTER key.

  3. Select the Exchange Server. All DAGs* or servers that are contained in the current Active Directory site will be listed.
  4. Select one or more collectors. The scan is always executed via one collector only. If you have selected more than one collector, ARM automatically decides via which collector the scan will be executed based on the CPU and RAM utilization.
  5. Click Apply.


* Access Rights Manager can connect to DAG servers (Database Availability Groups) and execute scans on them. You are able to select the DAG server directly in the scan configuration. Please note that you have to adjust the settings described in the section Preparing the PowerShell Website on every involved DAG Exchange server. The decision, which server the collector establishes a connection with is made by the DAG during the initial connection build up. This means that successive scans may take place on different servers.

Since IP less DAGs (from Exchange 2016 Default Setting, optional in Exchange 2013) do not have an Administrative Access Point (AAP), the Exchange server cannot be managed via this DAG. In this case, specify an Exchange server directly or use the load balancing namespace.


Customize an Exchange configuration

  1. Start/cancel an Exchange scan.
  2. Schedule regular scans.
  3. Change the name of the configuration.

The typical scan speed is around 10 elements per second.


  1. Change the credentials that are used to execute the scan.

Please note that the user name for Exchange Online must be entered in e-mail format, for example

  1. Switch the collector server. Please note that the collector server requires internet access when using Exchange Online.


Define the scope of the scan.

All the links lead to the following dialog:

If you select only a subset of folders for readable public folders, then no statistical data will be available.

Administrative permissions to public folders are not available (since Exchange 2013).

A filter is applied to the mailbox property "RecipientTypeDetails", to select the mailbox type.


You can determine if substitution rules and mailbox folders are read.


Determine the range in which mailbox details are read with Exchange Web Service (EWS).

The selection of mailbox type is independent for scans with PowerShell and EWS. This means that you can determine which mailbox types are scanned and for which mailbox types the mailbox folders are scanned.


Connection settings for Exchange Online

Click the link to configure the connections settings for the Exchange Online scan.


Select the authentication mechanism.

Note that the "Basic" mechanism has already been deprecated by Microsoft for Exchange Online.


Connection settings for Exchange on-premise

Click one of the links to configure the connections settings for the Exchange on-premise scan.


The following settings must match those of the IIS-website. These are described in the section Preparation of the PowerShell website.

  1. Enter the name of the Exchange PowerShell website. In standard settings this is "PowerShell".
  2. Select an authentication mechanism. For Exchange Online select "Basic".


  1. In some cases the client access server is not reachable via the fully qualified computer name. In this scenario, deactivate this option. Please note the preview.
  2. Select if an encrypted connection should be used. This setting must match those of the PowerShell website.