If your environment has an on-premise Microsoft Exchange organization, you can configure EmpowerID to inventory and enforce permissions for your Exchange organization. If you are using Exchange, EmpowerID automatically discovers the organization during the initial Active Directory forest scan, categorizes it as a Resource System, and creates a record within the ExchangeMailbox table of the EmpowerID Identity Warehouse for each mailbox within the organization.
To work with Exchange after the initial inventory, you must:
Enable the Exchange Management Host Web Service on an EmpowerID Web server, enabled by default on All-In-One and Web Front-End server roles.
Configure the Exchange Resource System to talk to the host on the specified EmpowerID Web server
EmpowerID directs all traffic for Exchange through the EmpowerID Exchange Services Web site and application pool in IIS.
To configure Exchange management
On the navbar, expand Admin, then Applications and Directories, and select Account Stores and Systems.
Select the Resource Systems tab and then search for the Exchange Organization that you want to configure.
Click the Display Name link for the organization.
On the Account Store Details page that opens, select the Resource System tab and then click the Edit icon to put the resource system in edit mode.
This opens the edit form for the Exchange resource system. Settings that can be edited are described below.
Account Store Settings
Setting
Description
General Settings
IT Environment Type
Allows you to specify the type of environment in which the server resides.
Use Secure LDAPS Binding
Specifies whether to use secure LDAPS binding (for LDAP directories).
Load Balancing Scheme
Select one of the options:
Count — Finds the mailbox store within the specified load-balancing group with the least number of existing mailboxes.
Custom Logic — Uses a custom load-balancing scheme that your developers create by modifying the following stored procedure in the EmpowerID Identity Warehouse:
dbo.Custom_ExchangeMailboxObjectContainer_GetByCustomerGroupCustomLogicQuota Based — Compares the amount of storage space allocated for existing mailboxes against the value set as the maximum capacity for the mailbox store and selects the mailbox store within the load-balancing groups specified with the most unallocated space.
Random — Selects mailbox stores randomly.
Is Remote (Cloud Gateway Connection Required)
This setting appears for account stores with local directories, such as Active Directory, LDAP, SAP, etc. When enabled, this tells EmpowerID to use the Cloud Gateway Connection for that account store. The Cloud Gateway Connection must be installed on an on-premise machine. For installation information, please see Installing the EmpowerID Cloud Gateway Client.
Directory Cleanup Settings
Directory Clean Up Enabled
Specifies whether the SubmitAccountTermination permanent workflow should claim the account store for processing account terminations. When enabled, accounts in the account store that meet the qualifications to be marked for deletion are moved into a special OU within the external directory, disabled and finally deleted after going through an automated approval process. This process involves setting a number of system settings in EmpowerID and requires multiple approvals by designated personnel before an account is finally removed from the account store.
Report Only Mode (No Changes)
When enabled, a report of what the Directory Clean Up process would do is written to the log. The process itself is ignored and all accounts are set to Termination Pending.
OU to Move Stale Accounts
Specifies the external directory in which to move accounts marked for termination.
Inventory Settings
Inventory Enabled
Allows EmpowerID to inventory mailboxes.
Inventory Calendar Permissions Enabled
Allows EmpowerID to inventory calendar permissions.
Membership Schedule Interval
Specifies the time span that occurs before EmpowerID runs the Group Membership Reconciliation job. The default value is 10 minutes.
Projection Settings
Group Membership Projection Enabled
Select to allow EmpowerID to dynamically manage the membership of the organization's groups, adding and removing users to and from groups based on policy-based assignment rules.
Projection Interval: Start
Set the date on which to begin projection. By default, this is set to the creation date of the account store.
Projection Interval: Start
Set the date on which to begin projection. By default, this is set to the creation date of the account store.
Projection Interval: End
Set the date on which to stop projection. By default, this is set to ten years after the creation date of the account store, but since Run Indefinitely is selected by default, this value is ignored unless you clear that checkbox.
Projection Interval: (units)
Select the units for the interval at which to run projection. By default, this is set to 10 minutes.
Once — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the time at which to run projection.
Hour Interval — If you select this value, enter the number of hours between projection runs in the Interval box below.
Weekly — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the day and time at which to run projection.
Minute Interval — If you select this value, enter the number of minutes between projection runs in the Interval box below.
Daily — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the time at which to run projection each day.
Monthly — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the months, days, and time at which to run projection.
Run Indefinitely
Select to allow projection to run indefinitely, ignoring the End date.
Interval: (number)
Set the number of units for the interval at which to run projection. By default, this is set to 10 minutes.
Enforcement Settings
Rights Enforcement Enabled
Select to allow EmpowerID to determine who should have access to what in Exchange based on their assignments to Access Levels in EmpowerID and to enforce it using domain local groups (Resource Role Groups).
Enforcement Type
Select to specify how EmpowerID is to enforce rights in native systems.
No Action — No rights enforcement action occurs.
Projection with Enforcement — Changes to rights within EmpowerID occur within EmpowerID and are enforced within the native environment.
Projection with No Enforcement — Changes to rights within EmpowerID occur only within EmpowerID; they are not passed on to the native environment.
Projection with Strict Enforcement — EmpowerID overrides any changes made in the native environment. All changes made must occur within EmpowerID to be accepted. (Applies only to Active Directory groups.)
Schedule: Start
Set the date on which to begin enforcement. By default, this is set to the creation date of the account store.
Schedule: End
Set the date on which to stop enforcement. By default, this is set to ten years after the creation date of the account store, but since Run Indefinitely is selected by default, this value is ignored unless you clear that checkbox.
Interval: (units)
Select the units for the interval at which to run enforcement. By default, this is set to 10 minutes.
Once — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the time at which to run enforcement.
Hour Interval — If you select this value, enter the number of hours between enforcement runs in the Interval box below.
Weekly — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the day and time at which to run enforcement.
Minute Interval — If you select this value, enter the number of minutes between enforcement runs in the Interval box below.
Daily — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the time at which to run enforcement each day.
Monthly — If you select this value, the Interval box below is replaced with a Times control that allows you to specify the months, days, and time at which to run enforcement.
Run Indefinitely
Select to allow enforcement to run indefinitely, ignoring the End date.
Interval: (number)
Set the number of units for the interval at which to run enforcement. By default, this is set to 10 minutes.
Edit settings as needed and then click Save.