Last date modified: 2026-Feb-13
Microsoft preservation source manual setup
An Azure Admin must complete all steps to create and configure preservation hold credentials before creating a preservation data source in Relativity. For more information, see Microsoft preservation source manual setup.
You must complete all steps to use Preservation in-place.
The steps are as follows:
- Register the application.
- Assign API permissions.
- Generate certificate.
- Assign application roles.
- Run PowerShell script to create a Service Principal.
After completing the setup, you can set up the Microsoft 365 data source in Relativity. For more information, see Microsoft preservation source manual setup.
Register the application
Follow the steps below to set up app-only authentication in Entra ID. For more information, see Microsoft's documentation for setting up app-only authentication in Entra ID. The person performing the steps below should be a Microsoft Azure admin and familiar with setting up certificates.
Start with registering your app by following the steps below:
The person completing the application registration process needs to be an Azure Administrator with sufficient privileges.
- Open your Azure Portal.
- Click More Services.
- Search for and select Microsoft Entra ID, formerly known as Azure AD.
- In the left-navigation menu, select Manage > App registrations.
- Click New Registration.
This will open the Register an application page.
- Enter an application name in the Name field.
- Select Accounts in this organizational directory only as the supported account type.
- Click Register.
Assign API permissions
You must add the Sites.Read.All and Exchange.ManageAsApp API permissions to your application. The Sites.Read.All permission is needed to do OneDrive & SharePoint Discovery in Relativity. The Exchange.ManageAsApp permission is needed so that the application can run cmdlets in Exchange Online in each tenant organization.
To add the Sites.Read.All permission,
- In the left-hand navigation, select Manage > API Permissions.
- Click Add a permission.
- Click Microsoft Graph.
- Select Application Permissions.
- Select the Sites.Read.All option from the Application Permissions section.
- Click Grant admin consent for <Organization>, Yes.
The Sites.Read.All permission should now be added to your application.
To add the Exchange.ManageAsApp permission,
- In the left-hand navigation, select Manage > API Permissions.
- Click Add a permission.
- Click APIs my organization uses.
- Click Office 365 Exchange Online.
- Select Application Permissions.
- Select the Exchange.ManageAsApp permission.
- Click Grant admin consent for <Organization>, Yes.
The Exchange.ManageAsApp permission should now be added to your application.
Next, you must generate a self-signed certificate. For more information, see Generate certificate.
Generate certificate
You must create a self-signed certificate using the script below. The script creates two files:
- mycert.pfx—use the .pfx file to upload to Relativity.
- mycert.cer—use the .cer file to upload to the application in Azure.
The script creates a certificate that is valid for one year. After a year, you must replace this certificate with a new valid certificate.
To generate a self-signed certificate,
- Copy the following PowerShell script. For more information on creating an X.509 certificate, see Microsoft's documentation.
# Create certificate
$mycert = New-SelfSignedCertificate -DnsName "contoso.org" -CertStoreLocation "cert:\CurrentUser\My" -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange
# Export certificate to .pfx file
$password = ConvertTo-SecureString "test" -AsPlainText -Force
$mycert | Export-PfxCertificate -FilePath mycert.pfx -Password $password
# Export certificate to .cer file
$mycert | Export-Certificate -FilePath mycert.cer
You can also use a purchased or generated certificate from your organization.
- Replace the "contoso.org" value in the -DnsName "contoso.org" string with the domain name that matches the one in your Microsoft Entra admin center. Relativity does not validate or need this value to be RelativityOne's Instance DNS.
- Replace the "test" value in the $password = ConvertTo-SecureString "test" string with a secure password.
- Run the script in Windows PowerShell.
- On your application page, select Certificates & secrets.
- Click Upload certificate.
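A hardened variant of the script above, added here as an example (it is not Relativity's or Microsoft's script): it prompts for the .pfx password instead of embedding it, confirms that the two exported files describe the same certificate, and removes the private key from the local store once it has been exported. "contoso.org" and the file names are the page's placeholders; the 30-day renewal margin is an assumption.

```powershell
# Added example: prompt for the password so it never appears in the script or shell history.
$password = Read-Host -Prompt "Password for mycert.pfx" -AsSecureString

$mycert = New-SelfSignedCertificate -DnsName "contoso.org" `
    -CertStoreLocation "cert:\CurrentUser\My" `
    -NotAfter (Get-Date).AddYears(1) -KeySpec KeyExchange

# .pfx carries the private key (for Relativity); .cer carries only the public part (for Azure).
$mycert | Export-PfxCertificate -FilePath mycert.pfx -Password $password | Out-Null
$mycert | Export-Certificate -FilePath mycert.cer | Out-Null

# Re-read both files from disk and check them before uploading anything.
$x509 = "System.Security.Cryptography.X509Certificates.X509Certificate2"
$cer = New-Object $x509 -ArgumentList (Resolve-Path .\mycert.cer).Path
$pfx = New-Object $x509 -ArgumentList (Resolve-Path .\mycert.pfx).Path, $password

if ($cer.Thumbprint -ne $pfx.Thumbprint) { throw "mycert.cer and mycert.pfx are different certificates" }
if ($cer.HasPrivateKey)                  { throw "mycert.cer must not contain a private key" }
if (-not $pfx.HasPrivateKey)             { throw "mycert.pfx is missing the private key" }

# Values to compare with the entry shown under Certificates & secrets after upload,
# plus a reminder date ahead of the one-year expiry (30 days is an assumed margin).
[pscustomobject]@{
    Thumbprint = $cer.Thumbprint
    Subject    = $cer.Subject
    NotAfter   = $cer.NotAfter
    RenewBy    = $cer.NotAfter.AddDays(-30)
}

# The .pfx is now the only copy that needs protecting: delete the certificate
# and its private key from the admin's personal store.
Remove-Item -Path "cert:\CurrentUser\My\$($mycert.Thumbprint)" -DeleteKey
```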
Assign application roles
To assign the required application roles,
- In the top-most search bar, enter Entra ID Roles and administrators.
- Search for and select the following roles:
- Compliance Administrator—can read and manage compliance configuration and reports in Microsoft Entra ID and Microsoft 365.
- Exchange Administrator—can manage all aspects of the Exchange product.
- Click the Add assignments button.
- Select the Preservation in-place app you created.
- Click Add.
You now have the Compliance Administrator and Exchange Administrator roles assigned to the application. For information on roles, see Microsoft’s documentation.
You will use the information created for the next steps.
Run PowerShell script to create a Service Principal
After setting up an app in Entra ID in the Register the application section, you need to create a Service Principal to associate with the app.
You may need to install the Microsoft Graph (Microsoft.Graph.Authentication and Microsoft.Graph.Applications) and ExchangeOnlineManagement modules.
To install the modules, add the following to PowerShell:
Install-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Authentication
Install-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Applications
Install-Module ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
To create the Service Principal and assign it to the application, add the following to PowerShell.
You must have a Global Admin run the following PowerShell script.
## Authenticate with Microsoft (including providing an answer for MFA)
$AppId = "Application-ID-FROM-AZURE-AD"
$appName = "AppNAME-FROM-Azure-AD"
$spDisplayName = "your_sp_displayname"
# Sign in to Microsoft Graph; the user logging in requires admin permissions.
Connect-MgGraph
# Look up the app's service principal in Entra ID by display name
$AADApp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
# Create the service principal in Security & Compliance (SCC)
Connect-IPPSSession
New-ServicePrincipal -AppId $AADApp.AppId -ObjectId $AADApp.Id -DisplayName $spDisplayName
# Confirm that the service principal was created
$SP = Get-ServicePrincipal -Identity $spDisplayName
# Add the application as an eDiscovery case admin
Add-eDiscoveryCaseAdmin -Confirm:$false -User $AppId
Disconnect-ExchangeOnline -Confirm:$false
Replace these values in the script with your information:
- $AppId—replace "Application-ID-FROM-AZURE-AD" with the Application ID that you created during app registration. For more information, see Register the application.
- $appName—replace "AppNAME-FROM-Azure-AD" with the Application Name that you created during app registration. For more information, see Register the application.
- $spDisplayName—replace "your_sp_displayname" with a display name for your service principal. This can be any name that you want to use to identify the service principal, for example RLH_PIP_ServicePrincipal.
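Before handing the credentials to Relativity, the result of the setup can be audited. The script below is an added example (not part of the Relativity or Microsoft scripts) that reports the app's certificate expiry, flags client secrets, compares the granted application permissions with the two this page assigns, and shows the Security & Compliance objects. It reuses the page's placeholder values and assumes the modules installed above; the Application.Read.All scope is an assumption about what the signed-in admin consents to.

```powershell
# Added example: read-only audit of the app configured on this page.
$AppId         = "Application-ID-FROM-AZURE-AD"   # same placeholder as the script above
$spDisplayName = "your_sp_displayname"            # same placeholder as the script above
$expected      = @("Sites.Read.All", "Exchange.ManageAsApp")   # permissions this page assigns

Connect-MgGraph -Scopes "Application.Read.All"
$app = Get-MgApplication -Filter "appId eq '$AppId'"
$sp  = Get-MgServicePrincipal -Filter "appId eq '$AppId'"

# 1. Credentials: one certificate is expected, with its expiry inside one year.
$app.KeyCredentials | Select-Object DisplayName, Type, EndDateTime,
    @{ Name = "DaysLeft"; Expression = { [int]($_.EndDateTime - (Get-Date)).TotalDays } }
if ($app.PasswordCredentials.Count -gt 0) {
    Write-Warning "Client secrets exist on the app; this setup uses a certificate only."
}

# 2. Application permissions actually granted, resolved from role IDs to names.
$granted = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    ($resource.AppRoles | Where-Object Id -eq $a.AppRoleId).Value
}
$missing = $expected | Where-Object { $_ -notin $granted }
$extra   = $granted  | Where-Object { $_ -notin $expected }
if ($missing) { Write-Warning "Not granted: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Granted beyond this setup: $($extra -join ', ')" }

# 3. Security & Compliance side: the service principal and the eDiscovery case admins.
Connect-IPPSSession
Get-ServicePrincipal -Identity $spDisplayName | Format-List
Get-eDiscoveryCaseAdmin | Format-List
Disconnect-ExchangeOnline -Confirm:$false
```

The Compliance Administrator and Exchange Administrator directory roles are not covered by this script; review them under Roles and administrators in the portal.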
Next, you can open Relativity and use the information to create the Microsoft 365 data source. For more information, see Microsoft preservation source manual setup.