contentACCESS documentation – version 6.2

  1. Introduction to contentACCESS
    1. Services provided by contentACCESS
    2. Software requirements
      1. contentACCESS prerequisites
  2. contentACCESS setup package
    1. Installation of contentACCESS
      1. EULA
      2. Installation type
      3. Components
      4. Prerequisites
      5. Base folder
      6. Service settings
      7. Database connection
      8. contentACCESS Central Administration
      9. contentACCESS Web Services (Proxy)
      10. contentACCESS Portal
      11. Preview service
      12. Central login
      13. Virtual drive
      14. Search service
      15. Search service (V2)
      16. SMTP server
      17. Overview
      18. Installation
      19. Summary
    2. Update of contentACCESS
      1. Managing the index reset or migration
  3. contentACCESS components
    1. contentACCESS Central Administration
      1. Central administration login
      2. contentACCESS Automated single sign on
      3. Central Administration logout
      4. contentACCESS Central Administration user interface
    2. contentACCESS Portal
      1. Logging in to contentACCESS Portal
      2. contentACCESS Portal Automated single sign on
    3. Virtual drive
    4. contentACCESS Web Services (Proxy)
    5. Central login page
  4. contentACCESS Tools
    1. Installing Outlook forms
    2. Legacy email archive connectors
    3. Legacy archive connector for Metalogix Archive Manager Exchange Edition (MAM EE)
      1. Installing Legacy MAM retrieve service and its configuration on the MAM server
      2. Configuration of the MAM server in contentACCESS Central Administration
    4. Legacy archive connector for Email Lifecycle Manager (ELM)
    5. Installing TECH-ARROW’s WinShortcutter
    6. contentACCESS Outlook add-in
      1. Installation of contentACCESS Outlook add-in
      2. How to use contentACCESS Outlook add-in
  5. Tenants in contentACCESS
    1. How to create a new tenant
      1. How to edit and disable a tenant
    2. Tenant limitations
    3. How to provide access to a tenant (adding new tenant administrators)
    4. Tenant administrator invitation types
    5. Tenant associations
      1. Tenant - database association
      2. Tenant - user association
    6. Tenant deletion
  6. General system configurations
    1. Connection
    2. User interface
    3. Users in contentACCESS
    4. Invitations
    5. Roles
      1. Creating roles
      2. Role details
      3. Role assignment
      4. Defining specific permissions of a role assignment
      5. Editing roles, editing role assignments
      6. Role cloning
      7. General use cases of how to create/assign roles
      8. Managing access to contentACCESS objects
    6. Login providers
      1. Login providers’ context menu options
      2. External login provider configuration
        1. Configuring Google OAuth
        2. Configuring Office 365 login provider
        3. Exchange login provider
        4. External AD login provider
      3. Associating an enabled provider with a user login
      4. contentACCESS users in third party systems
    7. System
    8. Licensing
      1. How to activate your license key
    9. Notifications
    10. System logs — how to find out possible misconfigurations / reasons of potential system/job failures
    11. Configuration auditing
    12. Archive auditing
    13. Distributed environment in contentACCESS — Clusters
    14. Statistics
    15. Legal hold
    16. Task runner
    17. Indexing
    18. SMTP Servers
    19. SMTP Mappings
    20. Sharing job
    21. Sharing settings
    22. How to create/configure databases — All databases
  7. Common features
    1. Databases
    2. Schedules
    3. Retentions
    4. Storages
      1. Amazon S3
      2. Google drive storage
      3. Datengut storage
      4. Azure storage
      5. Disk storage
      6. HybridStore
      7. Perceptive storage
      8. Kendox storage
    5. Exchange connections
      1. Exchange performance settings – turning off the Exchange throttling policies
      2. Mixed Exchange environments in the Email Archive system
    6. Importing contentACCESS configurations from files
      1. Manual import of Exchange servers/groups/mailboxes to the contentACCESS Address book
      2. Importing File Archive root folders to be archived
  8. Creating new jobs in contentACCESS
  9. Jobs’ page, jobs’ context menu
  10. Filtering in jobs
  11. File Archive
    1. Introduction to File system archive
    2. File archive settings
    3. File archive Databases
    4. File archive System settings
    5. File archive Retentions
    6. File archive Storages
    7. Root folders
    8. Aliases
    9. File archive Schedules
    10. Provisioning settings and managing access to contentACCESS Portal
      1. File system provisioning job description
    11. Remote agents (file archive)
    12. Global rules (remote file archive)
    13. Configuring aliases
    14. Configuration of jobs available in contentACCESS File Archive
    15. Configuration of File archive retention changer job
    16. Configuration of File system archive job
      1. File system archive job description
    17. Configuration of a File system restore job
      1. File system restore job description
    18. Configuration of File system recovery job
      1. File system recovery job description
    19. Configuration of Delete job in File archive
      1. File system delete job description
    20. Configuration of File system shortcut synchronization job
      1. File system shortcut synchronization job description
    21. Configuration of Remote shortcutting job
      1. File system remote shortcutting job description
    22. Active/inactive documents in File system archive
  12. Email Archive
    1. Important settings before creating an Email Archive job
    2. Database settings
    3. Email archive System settings
      1. Hybrid exchange settings
    4. Email archive Provisioning settings
      1. Email archive provisioning job description
    5. Retention settings
    6. Shortcuts in email archiving
    7. Storing of archived emails
      1. LoboDMS storage
    8. Creating email archive schedulers
    9. User experience
      1. Exchange 2013+: Mail app in OWA 2013+ or on MS Outlook 2013+ desktop version
      2. Exchange 2010: OWA 2010 integration
    10. Address book objects
      1. Adding address book objects manually
      2. Removing groups and mailboxes from the Address book
    11. Granting access rights for mailbox users and explicit users to view the mailbox archive
      1. Creating contentACCESS Portal users (option 1)
      2. Manage access to a mailbox archive (option 2)
    12. Database and store assignment in email archiving
      1. How to assign database, storage and index zone to an Exchange group?
      2. How to assign database, storage and index zone to a mailbox?
      3. How to move data from source database/storage into a second (target) database/storage?
    13. Mail app access
    14. Remote agents (email archive)
    15. PST import
      1. PST import job description
    16. Creating Email archive jobs: archive, restore, recovery, delete, mailbox move, shortcut synchronizaion, shortcut repair
    17. Email archive job
      1. Email archive job configuration
      2. Email archive job description
      3. Email archive journal processing
        1. Recommendations after turning on journal archive
      4. Archiving of rights protected messages
    18. Email archive retention changer job
    19. Email restore job
      1. Email restore job configuration
      2. Email restore job description
    20. Email recovery job
      1. Email recovery job configuration
      2. Email recovery job description
    21. Configuration of Delete job in Email archive
      1. Email delete job description
    22. Journal post processing job
      1. Journal post processing job configuration
    23. Mailbox move job
      1. Mailbox move job configration
      2. Mailbox move job description
    24. Shortcut synchronization job
      1. Shortcut synchronization job configuration
      2. Email shortcut synchronization job description
    25. Shortcut repair job
      1. Shortcut repair job configuration
      2. Email shortcut repair job description
    26. Public folder archiving
      1. How to configure a job to archive public folders
      2. Public folders in the contentACCESS Portal archive
      3. User permissions to public folders
      4. Public Folder archiving in mixed Exchange environments
    27. Access to private emails and archiving them
    28. SMTP archiving
  13. SharePoint archive plugin
    1. SharePoint Archive settings
    2. SharePoint archive System settings
    3. Site connections in the SharePoint archive
    4. SharePoint archive Provisioning settings
      1. SharePoint provisioning job description
    5. Shortcut configuration in SharePoint
    6. SharePoint archive Address book
    7. SharePoint Archive job configuration
      1. SharePoint archive job description
    8. SharePoint archive retention changer job configuration
    9. SharePoint recovery job configuration
      1. SharePoint recovery job description
    10. Configuration of Delete job in SharePoint archive
      1. SharePoint delete job description
    11. SharePoint Publishing job
      1. SharePoint publishing job description
    12. SharePoint in the contentACCESS Portal archive
  14. OneDrive archive
    1. OneDrive Archive job configuration
    2. OneDrive archive Jobs
  15. GDPR plugin
    1. GDPR Settings
      1. GDPR Databases
      2. GDPR Schedules
      3. GDPR Index zones
    2. GDPR Processing
      1. GDPR File system settings
      2. GDPR Exchange settings
      3. GDPR Applications
      4. GDPR Jobs
        1. GDPR File system job
          1. GDPR file system job description
        2. GDPR Exchange job
          1. GDPR Exchange job description
        3. GDPR Application job
          1. GDPR application job description
  16. Teams archive
    1. Teams archive databases
    2. Teams archive System settings
    3. Teams archive Provisioning settings
    4. Shortcut configuration in Teams archive
    5. Teams archive Address book
      1. Removing objects from Teams archive Address book
    6. Teams archive Licensing
    7. Teams archive Jobs
      1. Teams archive job
      2. Teams chat archive job
      3. Teams recovery job
        1. Teams recovery job description
      4. Configuration of Teams archive retention changer job
      5. Configuration of Teams chat archive retention changer job
      6. Configuration of Delete job in Teams archive
        1. Teams archive delete job description
      7. Configuration of Delete job in Teams chat archive
  17. Custom plugins
    1. Email management job configuration
    2. Storage replication plugin
    3. Sharing plugin
    4. Datengut plugin
    5. Email synchronizer plugin
    6. Categorize to Public folders plugin
    7. LoboDMS plugin
  18. ThreatTest
    1. ThreatTest configuration
      1. ThreatTest Databases
      2. ThreatTest System settings
      3. ThreatTest Schedules
      4. ThreatTest User experience
      5. ThreatTest Statistics
      6. ThreatTest Job
    2. Using ThreatTest App
  19. officeGATE
  20. contentACCESS Mobile
  21. Virtual drive configurations
  22. Teams application
  23. Application settings
  24. Terms of use
  25. FAQ
    1. Download sample for the file to be imported does not work
    2. Archiving is not working if MAPI is set to communicate with the Exchange server
    3. Virtual drive is still appearing after the uninstall
    4. Outlook forms problems
    5. Unable to open shortcuts of archived files on the server side
    6. Samples are not shown using 'Show sample" option in the Import dialog
    7. Do I need to create separate tenants for file archiving and email archiving
    8. What is the recommended database size for email, file and Sharepoint archiving
    9. The TEMP folder is running out of space when archiving big files
    10. The attachment could not be opened
    11. After updating Exchange 2013, the EWS connection might not work in contentACCESS
    12. If Windows authentication is not working in contentACCESS and an alias was created for contentACCESS
    13. contentACCESS Outlook add-in certificate issue
    14. Prerequisites for O365 archiving
    15. PowerShell scripts for setting up Email archive
    16. How to reconfigure your email archive to use modern authentication for PowerShell
    17. Solution for Outlook security patches
    18. Solution for Outlook security patches through GPO
    19. Solution for indexing PDF files
    20. O365 SuperUser mailbox configuration
    21. Microsoft 365 journaling
    22. Organizational forms
    23. Multifactor authentication
    24. Region setting
    25. contentACCESS Mail app installation issue
    26. Azure app registration for O365 archiving
      1. How to request access to Microsoft Protected API
  26. Troubleshooting

25.26.Azure app registration for O365 archiving

In this section, we will explain how an app is registered on the Azure portal which enables contentACCESS to authenticate and connect to the Microsoft Dataverse environment using a modern and more secure way of authentication. Modern authentication is a category of several different protocols (instead of being a single authentication method – like username and password) that aim to enhance the security posture of cloud-based resources. Modern authentication relies on token-based claims, which are used to authenticate with an identity provider to generate a token for access. OAuth is an open standard that is used for many applications and websites that can grant access to other systems’ information, but without giving them the password.

Important: The registration of the Azure AD application can be easily executed by the following script:

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
Invoke-WebRequest -Uri “https://static.contentaccess.cloud/appregistration/Register-contentACCESSAADapp.ps1” -OutFile
“Register-contentACCESSAADapp.ps1”
.\Register-contentACCESSAADapp.ps1

Please, be aware that Windows PowerShell needs to be run as Administrator for the process.

Why contentACCESS needs modern authentication?
For years, Microsoft allowed basic authentication to Exchange Online, SharePoint, and other resources, meaning that only a username and password were required. But, due to security reasons, Microsoft is progressively deprecating the legacy authentication, which will be then permanently blocked in the future. (Read more about the act in this article.) After that date, OAuth 2.0 (also known as modern authentication) will be required instead. These changes require vendors of third-party apps that integrate with Exchange Online and other resources like Teams and SharePoint to support modern authentication.
contentACCESS is also affected by these changes because it must use modern authentication to connect to Exchange Online, SharePoint, OneDrive, and Teams. This requires an Azure App registration to be configured on the O365 tenant.

App registration

Navigate to portal.azure.com. Go to All services -> App registrations -> + New registration. Fill in the details of the new application. The only mandatory field that needs to be changed is the name of the application, the other options can be left as-is. Click the Register button.

After the app is successfully registered, you will be able to see the Application ID and Directory ID in the app’s Overview. (These are used in archive settings to connect contentACCESS with the Teams application).


The next step is to grant the necessary permissions for the application. These permissions vary from the archive:


Grant permissions for the Email archive

1) On the application details page, click the API permissions button on the left menu. When the configured permissions page loads, click the + Add a permission button and select the requested API.

2) On the Request API permissions tab, search for Office 365 Exchange Online and select it.

3) Then select the Application permissions box, where the available permissions from this category will be shown.


Locate the full_access_as_app permission from the Other permissions option and the Exchange.ManageAsApp permission from the Exchange option, then click on the Add permissions button.

4) After the permissions have been assigned to the application, the administrator must grant consent for these permissions. Click on the Grant admin consent for “TENANTNAME” button.


5) The Exchange.ManageAs.App permission allows the applicant to connect to PowerShell but does not grant access to any PowerShell commands or Exchange objects. The permission to access Exchange objects is granted through the Role Based Access Control (RBAC). This means that the App registration needs to be granted to the Exchange Administrator role or Exchange Recipient Administrator role.
First, you need to go back to the Azure Active Directory page, then go to the Roles and administrators | All roles page, select Exchange Administrator from the list, and click the role.


6) After you open the role, click on the Add assignments button, then search for your App registration (Test_app in our example), and assign it to the role. Please note that the App registration is of type “Service Principal”.

7) The roles will be listed on the Exchange Administrator | Assignments page now.

8) When the permissions are assigned to the application, the admin consent is granted, and the roles are assigned, add a new client secret by clicking on the + Next client secret button. This is necessary for some plugins and client applications.

After the configuration is done, copy the client secret shown on the Get client secret dialog box to a secure location so that you can refer to it later. The client secret will be required when configuring certain contentACCESS models with modern authentication– like Email archive, SharePoint archive, Teams archive, GDPR Exchange, and Exchange connection.

Note: The App registration is using a client secret that has a limited lifetime (usually 1 year). It is important to maintain this information: every year a new client secret needs to be generated for the App registration. The modified client secret needs to be updated in all affected contentACCESS configurations.

Now you can configure contentACCESS to use the modern authentication for PowerShell. Read more about the Exchange connection configuration here.

Grant permissions for SharePoint archive

1) Navigate to your registered application (Azure Active Directory => App registration => Owned applications => registered application [Test_app in our example] => open the application by clicking on the title). On the application details page, click the API permissions button on the left menu. When the configured permissions page loads, click the + Add permission button and select the requested API.

2) On the Request API permissions => Microsoft APIs tab, you need permissions from Microsoft Graph and SharePoint options to support all the functions of contentACCESS and other client applications (including AAD groups support in SharePoint archive).

First, let’s go through with the Microsoft Graph permissions. After selecting the option from the list, choose the Application permissions box, where the available permissions from this category will be shown.

Locate the:

  • Group.Read.All (read all groups) from the Group option;
  • Group.Members.Read.All (read all group memberships) permission from the GroupMember option;
  • User.Read.All (read user profiles) and User.ReadWrite.All (read and write user profiles) permissions from the User option,

then click on the Add permissions button.


From the SharePoint option, the following Application permissions are required (from the Sites and TermStore groups):

  • Sites.FullControl.All – have full control of all site collections
  • Sites.Manage.All – Read and write items and lists in all site collections
  • Sites.Read.All – Read items in all site collections
  • Sites.ReadWrite.All – Read and write items in all site collections
  • TermStore.Read.All – Read managed metadata
  • TermStore.ReadWrite.All – Read and write managed metadata

3) After the permissions have been assigned to the application, the administrator must grant consent for these permissions. Click on the Grant admin consent for “TENANTNAME” button.



4) When the permissions are assigned to the application and the admin consent is granted, the client access certificate needs to be assigned to the application. Click on the Certificates & secrets option in the left side menu. On the certificate management screen click on the Upload certificate (Certificates tab) button. Browse the client certificate you want to use and upload it. It can be a self-signed certificate or an already existing one. A PowerShell script for creating a self-signed certificate can be downloaded here.


5) Next, add a new client secret by clicking on the + Next client secret button. This is necessary for some plugins and client applications (Test_client secret in our example).


Grant permissions for the Teams archive

1) Navigate to your registered application (Azure Active Directory => App registration => Owned applications => registered application [Test_app in our example] => open the application by clicking on the title). On the application details page, click the API permissions button on the left menu. When the configured permissions page loads, click the + Add permission button and select the requested API.

2) On the Request API permissions => Microsoft APIs tab, you need permissions from Microsoft Graph and SharePoint options. In the case of Teams archive, some permissions need to be selected from the Delegated option, and some from the Application option. The required permission set depends on the Teams Archive configuration in contentACCESS you would use.
There you can use delegated access or application access. When you choose delegated access, contenACCESS will connect and access the Teams data in the name of a superuser. This superuser MUST have owner access to every team you would like to archive.
The second approach is application access, where contentACCESS will connect to Microsoft Teams using a configured application. This application must NOT have owner access to any of the Teams, but you need to request access to Microsoft Protected API. For more information about how to request more access to Microsoft Protected API, read the following subsection, or follow the guideline here. The request is usually accepted within a day or two. The recommended approach is application access.
If you do not know at this point which approach will fit the best for you, add both permissions to the application. You can decide later during the archive configuration which option to use.


First, let’s go through the Microsoft Graph permissions. After selecting the option from the list, you need to choose the required Application and Delegated permissions from these categories.

From the Delegated permissions category locate the following permissions, then click the Add permissions button:

  • ChannelMessage.Read.All – Read user channel messages
  • Directory.Read.All – Read directory data
  • Group.ReadWrite.All – Read and write all groups
  • GroupMember.Read.All – Read all group memberships
  • TeamsTab.Read.All – Read tabs in Microsoft Teams
  • TeamworkTag.ReadWrite – Read and write tags in Teams
  • User.Read – Sign in and read user profile

From the Application permissions category locate these permissions, then click on the Add permissions button:

  • ChannelMessage.Read.All – Read all channel messages
  • Directory.Read.All – Read directory data
  • Group.ReadWrite.All – Read and write all groups
  • GroupMember.Read.All – Read all group memberships
  • TeamsTab.Read.All – Read tabs in Microsoft Teams
  • Teamwork.Migrate.All – Creating and managing resources for migration to Microsoft Teams
  • TeamworkTag.Read.All – Read tags in Teams


From the SharePoint option, the following Delegated and Application permissions are required:
Delegated permissions

  • Sites.FullControl.All – Have full control of all site collections
  • Sites.Manage.All – Read and write items and lists in all site collections
  • Sites.ReadWrite.All – Read and write items in all site collections
  • TermStore.ReadWrite.All – Read and write managed metadata
  • User.ReadWrite.All – Read and write user profiles

Application permissions

  • Sites.FullControl.All – Have full control of all site collections
  • Sites.Manage.All – Read and write items and lists in all site collections
  • Sites.ReadWrite.All – Read and write items in all site collections
  • TermStore.ReadWrite.All – Read and write managed metadata
  • User.ReadWrite.All – Read and write user profiles

Click on Add permissions.

Example: Locate the permissions from the category and assign them to the application

3) For delegated access, the following option must be enabled:

Note: In case of delegation access, some restrictions are applied (throttling, recovering mentions, archiving private channels, etc., are not supported). Delegation access is not recommended for production usage.

4) After the permissions have been assigned to the application, the administrator must grant consent for these permissions. Click on the Grant admin consent for “TENANTNAME” button.

5) When the permissions are assigned to the application and the admin consent is granted, the client access certificate needs to be assigned to the application.

Note: If you have also configured the permissions for the SharePoint archive and assigned the client access certificate to the application, this step can be skipped for the Teams archive. If you are registering the app for the first time on the Azure portal (and starting with Teams archive), you will need this step. The same applies to the creation of a Client secret (next step).

Click on the Certificates & secrets option in the left side menu. On the certificate management screen click on the Upload certificate (Certificates tab) button. Browse the client certificate you want to use and upload it. It can be a self-signed certificate or an already existing one. A PowerShell script for creating a self-signed certificate can be downloaded here.


6) Next, add a new client secret by clicking on the + Next client secret button. This is necessary for some plugins and client applications (Test_client secret in our example).

Yes No Suggest edit
« contentACCESS Mail app installation issueHow to request access to Microsoft Protected API »
Help Guide Powered by Documentor
Suggest Edit