Preparing technical configuration for DPG Service
This document describes the required technical configuration for new DPG customers with Exchange Online.
The app registration and configuration must be performed by the customer, and it is the responsibility of the designated Technical Contact to act as a single point of contact and to coordinate all necessary customer resources during the DPG implementation project.
Note that this process needs only to be done once, during the initial configuration and delivery. After this is done, you should not make changes to the app registration unless instructed by Timengo DPG Support.
For information on how to prepare for the DPG Outlook Office Addin, see Configuring the DPG Outlook Office Addin.
Mailboxes: Naming, users, and permissions
- A DPG system mailbox must be created as a licensed mailbox. It is recommended to name it dpg@<CUSTOMER.NAME>.
- One or more secure mailboxes (a.k.a. funktionspostkasser) must already exist or be created. They are typically named sikkerpost@<CUSTOMER.NAME>, hr@<CUSTOMER.NAME>, finance@<CUSTOMER.NAME>, etc. They can be created as shared mailboxes or as licensed mailboxes. If OME (Office Message Encryption) is enabled, please use licensed mailboxes.
- All users who should be able to send securely using DPG must have the following permissions set:
  - Send on Behalf to only the secure mailboxes they should be able to send from
  - Full Access to only the secure mailboxes they should be able to access
- A Mail-enabled Security group must be created. It is recommended to name it GRP-DPG-SecureMailboxes@<CUSTOMER.NAME>. All the secure mailboxes must be members of the group.
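The following script is an added example, not part of the DPG documentation, showing how the per-mailbox permissions and the mail-enabled security group above can be set and then reviewed in one pass. It assumes an active Exchange Online PowerShell session (Connect-ExchangeOnline from the ExchangeOnlineManagement module); the domain, the user-to-mailbox mapping and the mailbox names are constructed placeholders.

```powershell
# Added example (not from the DPG documentation): grant least-privilege access to the
# secure mailboxes and build the mail-enabled security group. Names are placeholders.
# Assumes an active Exchange Online session (Connect-ExchangeOnline).

$Domain     = "CUSTOMER.NAME"              # placeholder: your accepted domain
$GroupAlias = "GRP-DPG-SecureMailboxes"

# Constructed mapping: which users may act on which secure mailbox.
# Only the listed mailboxes get Send on Behalf / Full Access for the listed users.
$Access = @{
    "sikkerpost@$Domain" = @("alice@$Domain", "bob@$Domain")
    "hr@$Domain"         = @("carol@$Domain")
}

foreach ($Mailbox in $Access.Keys) {
    foreach ($User in $Access[$Mailbox]) {
        # Full Access without automapping, so the mailbox is not silently added to Outlook profiles
        Add-MailboxPermission -Identity $Mailbox -User $User -AccessRights FullAccess `
            -InheritanceType All -AutoMapping $false -Confirm:$false | Out-Null
        # Send on Behalf (not Send As): recipients still see who actually sent the mail
        Set-Mailbox -Identity $Mailbox -GrantSendOnBehalfTo @{Add = $User}
    }
}

# Mail-enabled security group containing every secure mailbox
if (-not (Get-DistributionGroup -Identity $GroupAlias -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $GroupAlias -Alias $GroupAlias -Type Security `
        -PrimarySmtpAddress "$GroupAlias@$Domain" | Out-Null
}
foreach ($Mailbox in $Access.Keys) {
    Add-DistributionGroupMember -Identity $GroupAlias -Member $Mailbox -ErrorAction SilentlyContinue
}

# Review: list the explicit (non-inherited) Full Access grants and the Send on Behalf
# list per secure mailbox, so unexpected principals are easy to spot.
foreach ($Mailbox in $Access.Keys) {
    Write-Host "== $Mailbox ==" -ForegroundColor Cyan
    Get-MailboxPermission -Identity $Mailbox |
        Where-Object { -not $_.IsInherited -and $_.User -notlike "NT AUTHORITY\*" } |
        Select-Object User, AccessRights
    (Get-Mailbox -Identity $Mailbox).GrantSendOnBehalfTo
}
Get-DistributionGroupMember -Identity $GroupAlias | Select-Object PrimarySmtpAddress
```

The review loop at the end is the part worth re-running periodically: any user appearing there who is not in the intended mapping has more access to a secure mailbox than the requirements above allow.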
Mailbox requirements, recommendations and best practices
The following recommendations and best practices are supported by examples.
- Both the system mailbox and all the secure mailboxes (funktionspostkasser) must be set with a message size limit of 150MB.
  How to set mailbox-level message size limits
  This example shows how to set mailbox-level message size limits:
    <# Set mailbox-level message size limits #>
    Set-Mailbox -Identity "dpg" -MaxSendSize 150MB -MaxReceiveSize 150MB
    <# Verify that mailbox message limits have been set to 150 MB #>
    Get-Mailbox -Identity "dpg" | Select MaxSendSize, MaxReceiveSize
- The system mailbox must not be configured as a resource or room mailbox.
- Hide only the system mailbox from the GAL (Hide from address lists).
  How to hide a mailbox from address lists
  This example shows how to hide a mailbox from address lists:
    <# Hide mailbox from address lists #>
    Set-Mailbox -Identity "dpg" -HiddenFromAddressListsEnabled $true
    <# Verify that the mailbox is hidden from address lists #>
    Get-Mailbox -Identity "dpg" | Format-List HiddenFromAddressListsEnabled
- The system mailbox language must always be set to English to prevent errors with folder names and ATP scanning.
  How to set mailbox language to en-US
  This example shows how to set the mailbox language to en-US:
    <# Set the mailbox language #>
    Set-MailboxRegionalConfiguration -Identity "dpg" -Language en-US `
        -LocalizeDefaultFolderName -DateFormat "yyyy-MM-dd" -TimeFormat "HH:mm"
    <# Verify that the mailbox language is set #>
    Get-Mailbox -Identity "dpg" | Format-List Languages
- Disable retention for the system mailbox, keep it to a low number of days, and exclude it from retention policies. As the system mailbox is very busy, retention can result in the system mailbox running out of space.
  How to identify if a retention policy is enabled
  This example shows a way of identifying if a retention policy is enabled.
  Note: if a retention GUID exists, you must make sure to disable retention for the system mailbox – see for example "Mailbox Retention Policy", "Retention Policy" or "In-Place Holds":
    <# See if a retention GUID exists #>
    Get-Mailbox -Identity "dpg" | Select Name, InPlaceHolds, RetentionPolicy, LitigationHoldEnabled | FL
- The system mailbox must be monitored regularly by an administrator. Look for remaining read emails (indication of mail processing failure) and ensure that the mailbox does not increase in size. In general, the system mailbox should only contain mails in the short span where DPG is processing, and once DPG has successfully finished, the mails are automatically deleted from the mailbox.
- Consider using Security Groups for managing mailbox permissions.
- Disable https://myanalytics.microsoft.com/ for the system mailbox.
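The script below is an added example, not part of the DPG documentation, that audits the system mailbox against the requirements in this list (size limits, not a resource mailbox, hidden from the GAL, en-US language, no retention or holds, and a mailbox that is not filling up) and reports every deviation in one run. It assumes an active Exchange Online PowerShell session; the mailbox name and the item-count threshold are constructed placeholders.

```powershell
# Added example (not part of the DPG documentation): audit the DPG system mailbox against
# the requirements above and flag deviations. Mailbox name is a placeholder.
# Assumes an active Exchange Online session (Connect-ExchangeOnline).

$SystemMailbox = "dpg"
$Findings      = @()

$Mbx  = Get-Mailbox -Identity $SystemMailbox
$Reg  = Get-MailboxRegionalConfiguration -Identity $SystemMailbox
$Stat = Get-MailboxStatistics -Identity $SystemMailbox

# 150 MB send/receive limits (Exchange renders the value as "150 MB (157,286,400 bytes)")
foreach ($Prop in "MaxSendSize", "MaxReceiveSize") {
    if ("$($Mbx.$Prop)" -notlike "150 MB*") {
        $Findings += "$Prop is $($Mbx.$Prop), expected 150 MB"
    }
}

# Must not be a resource or room mailbox
if ($Mbx.IsResource -or "$($Mbx.RecipientTypeDetails)" -like "*RoomMailbox*") {
    $Findings += "Mailbox is configured as a resource/room mailbox"
}

# Must be hidden from the GAL
if (-not $Mbx.HiddenFromAddressListsEnabled) {
    $Findings += "Mailbox is visible in address lists"
}

# Regional configuration must be en-US
if ("$($Reg.Language)" -ne "en-US") {
    $Findings += "Language is $($Reg.Language), expected en-US"
}

# Retention and holds: anything present needs review so the busy mailbox cannot run out of space
if ($Mbx.InPlaceHolds.Count -gt 0) { $Findings += "InPlaceHolds present: $($Mbx.InPlaceHolds -join ', ')" }
if ($Mbx.LitigationHoldEnabled)    { $Findings += "Litigation hold is enabled" }
if ($Mbx.RetentionPolicy)          { $Findings += "Retention policy assigned: $($Mbx.RetentionPolicy)" }

# Monitoring: DPG deletes processed mail, so a growing item count signals processing failure.
# The threshold is a constructed value; tune it to the tenant's mail volume.
$ItemThreshold = 100
if ($Stat.ItemCount -gt $ItemThreshold) {
    $Findings += "$($Stat.ItemCount) items in mailbox ($($Stat.TotalItemSize)); check for processing failures"
}

if ($Findings.Count -eq 0) {
    Write-Host "System mailbox '$SystemMailbox' meets all checks" -ForegroundColor Green
} else {
    Write-Host "Findings for '$SystemMailbox':" -ForegroundColor Yellow
    $Findings | ForEach-Object { Write-Host " - $_" }
}
```

Scheduling this as a recurring task gives the administrator the regular monitoring the list asks for without having to open the mailbox by hand; a non-empty findings list is the signal to investigate.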
DPG SaaS integration - Azure Graph and OAuth configuration
DPG connects to Azure as a Registered Application and authenticates using OAuth 2.0. Emails are retrieved from the system mailbox using Graph, and the DPG application is only permitted access to the system mailbox.
Configuration
- Log in to https://portal.azure.com as an administrator, and search for Microsoft Entra ID.
- Go to App registrations, and select New registration. Insert a Name, set the Redirect URI to Public client/native (mobile & desktop), and set the value to urn:ietf:wg:oauth:2.0:oob. Select Register to finish.
- For the App registration you just created, make a note of the Application (client) ID and the Directory (tenant) ID. Both can be found in the Overview section.
- Go to API permissions and select Add a permission. Click Microsoft Graph, and then Application permissions.
  - Go to the section Mail, and select Mail.ReadWrite.
  - Go to the section User, and select User.Read.All.
  - Go to the section GroupMember, and select GroupMember.Read.All.
  - Select Add permissions to finish.
- Click Grant admin consent for <customer>.
- If prompted, accept the permissions requested.
- Make sure all application permissions are set and granted.
- Now select Certificates & secrets. You have two options to prove the application's identity. DPG supports both:
  - Using a certificate (recommended): Select Upload certificate, browse for the certificate (public key) .cer file to be used, and select Add. It is recommended to use a .cer file for an organization certificate to be installed in DPG. If you have access to logging in to the TIMENGO DPG portal, you can easily obtain the .cer version of an organization certificate (organisationscertifikat). Go to Certificate Check, look up the certificate, and select the button to download. Once completed, you will see that the certificate is installed.
    Very important
    Certificates expire, so the certificate must be updated whenever it is renewed. Remember that the new 'organisationscertifikat' must also be installed in the DPG service – otherwise, DPG will fail to connect!
  - Using a secret string (NOT recommended): Select New client secret, name it "DPG client secret", set the expiry to for instance 24 months, and select Add. The client secret (a.k.a. application password) is shown, and it is important to copy the password.
- Use PowerShell to create a new ApplicationAccessPolicy. Replace EMAIL_ADDRESS_OF_THE_SYSTEM_MAILBOX and APPLICATION_CLIENT_ID with your values:
    $Desc = "Restrict DPG application to only the system mailbox"
    $DPGSystemMailbox = "EMAIL_ADDRESS_OF_THE_SYSTEM_MAILBOX"
    $AppId = "APPLICATION_CLIENT_ID"
    New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId `
        $DPGSystemMailbox -AccessRight RestrictAccess -Description $Desc
- Confirm that the ApplicationAccessPolicy is applied correctly by running the PowerShell below. Access to the system mailbox should say Granted, and access to a random mailbox should say Denied. Replace EMAIL_ADDRESS_OF_THE_SYSTEM_MAILBOX, EMAIL_ADDRESS_OF_A_RANDOM_MAILBOX and APPLICATION_CLIENT_ID with your values:
    $DPGSystemMailbox = "EMAIL_ADDRESS_OF_THE_SYSTEM_MAILBOX"
    $TestUser = "EMAIL_ADDRESS_OF_A_RANDOM_MAILBOX"
    $AppId = "APPLICATION_CLIENT_ID"
    Test-ApplicationAccessPolicy -Identity $DPGSystemMailbox -AppId $AppId
    Write-Host "Make sure this permission is set to Granted" `
        -ForegroundColor Green
    Pause
    Test-ApplicationAccessPolicy -Identity $TestUser -AppId $AppId
    Write-Host "Make sure this permission is set to Denied" `
        -ForegroundColor Red
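The script below is an added example, not part of the DPG documentation, that ties together the two points a reviewer cares about after this procedure: the "Very important" certificate-expiry warning above, and the least-privilege state of the app registration (exactly the three Graph application permissions listed, no lingering client secret, and a RestrictAccess ApplicationAccessPolicy that grants the app the system mailbox only). It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, a Graph session signed in with at least Application.Read.All (Connect-MgGraph), and an Exchange Online session; APPLICATION_CLIENT_ID, the mailbox address and the 30-day warning window are placeholders.

```powershell
# Added example (not part of the DPG documentation): audit the DPG app registration for
# least privilege, credential expiry and Exchange scoping. Placeholders must be replaced.
# Assumes Connect-MgGraph (Application.Read.All) and Connect-ExchangeOnline have been run.

$AppId            = "APPLICATION_CLIENT_ID"
$DPGSystemMailbox = "EMAIL_ADDRESS_OF_THE_SYSTEM_MAILBOX"
$ExpectedRoles    = @("Mail.ReadWrite", "User.Read.All", "GroupMember.Read.All")
$GraphAppId       = "00000003-0000-0000-c000-000000000000"   # well-known Microsoft Graph app id
$WarnDays         = 30                                       # constructed warning window
$Findings         = @()

# 1. Granted application permissions must be exactly the three documented above.
$Sp      = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
$GraphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$Granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $Sp.Id | ForEach-Object {
    $RoleId = $_.AppRoleId
    # Translate the role GUID into its permission name via Graph's own AppRoles list
    ($GraphSp.AppRoles | Where-Object { $_.Id -eq $RoleId }).Value
}
foreach ($Role in $Granted) {
    if ($Role -notin $ExpectedRoles) { $Findings += "Unexpected permission granted: $Role" }
}
foreach ($Role in $ExpectedRoles) {
    if ($Role -notin $Granted) { $Findings += "Required permission missing: $Role" }
}

# 2. Credentials: warn before certificates expire; flag client secrets (not recommended).
$App = Get-MgApplication -Filter "appId eq '$AppId'"
foreach ($Cert in $App.KeyCredentials) {
    $DaysLeft = [int]($Cert.EndDateTime - (Get-Date)).TotalDays
    if ($DaysLeft -lt $WarnDays) {
        $Findings += "Certificate '$($Cert.DisplayName)' expires in $DaysLeft days; renew it and install the new one in DPG"
    }
}
foreach ($Secret in $App.PasswordCredentials) {
    $Findings += "Client secret '$($Secret.DisplayName)' present (expires $($Secret.EndDateTime)); prefer a certificate"
}

# 3. Exchange scoping: the app must be restricted to the system mailbox only.
$Policies = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not ($Policies | Where-Object { $_.AccessRight -eq "RestrictAccess" })) {
    $Findings += "No RestrictAccess ApplicationAccessPolicy found for the app"
}
$Check = Test-ApplicationAccessPolicy -Identity $DPGSystemMailbox -AppId $AppId
if ($Check.AccessCheckResult -ne "Granted") {
    $Findings += "App is not granted access to the system mailbox ($($Check.AccessCheckResult))"
}

if ($Findings.Count -eq 0) {
    Write-Host "App registration $AppId passes all checks" -ForegroundColor Green
} else {
    Write-Host "Findings for app registration ${AppId}:" -ForegroundColor Yellow
    $Findings | ForEach-Object { Write-Host " - $_" }
}
```

Run it after the initial handover and again on a schedule: the permission comparison catches scope creep on the registration, the expiry check gives lead time to renew the organisationscertifikat before DPG loses its connection, and the policy check confirms the mailbox restriction survived any later tenant changes.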
Handover to Timengo DPG
After completing the configuration steps, you must hand over the following details to Timengo DPG as specified in the welcome letter:
- Mail address of DPG system mailbox
- Mail addresses of the secure mailboxes
- Mail address of the Mail-Enabled Security Group
- DPG SaaS integration - Azure Graph and OAuth configuration details:
- Application (client) ID
- Directory (tenant) ID
- Mail address of the 'organisationscertifikat' used
You have now completed the DPG SaaS integration - Azure Graph and OAuth configuration for DPG Service.
For information on how to prepare for the DPG Outlook Office Addin, see Configuring the DPG Outlook Office Addin.