Microsoft 365 Setup On Premise Engine Setup

Created by Paul Mendoza, Modified on Fri, 23 Jun 2023 at 01:16 PM by Paul Mendoza

The below processes are designed to be deployed in an Azure environment connecting to Office 365. You'll setup a Mail Enabled Security group which the On Premise Engine will watch for new mailboxes being added or removed.

Estimated Time: 1 hour with help from SigParser team. 

Warning: Do not try this without a SigParser support staff member on a call. It is easy to miss a step.

Azure Account Setup

Create a new Azure account that can be used exclusively by SigParser’s engine. This is important for security reasons as it reduces the risk of misconfigurations by other people sharing the account. 

You can use an existing Azure account if you want but you need to be sure the roles within the account are very well defined. You should not do this in a development Azure account as developers often are given too many permissions in development environments.

Setup Azure Virtual Machine

Create a new Azure virtual machine where all the processing will be done. 

Virtual Machine Sizing

Azure Specific Settings

  • Windows Operating System
  • Network Access
    • Outbound network access needed.
    • Inbound: Need RDP 3389 access
  • Backup: Enable backup
    • Backup policy: (new) DailyPolicy
  • Guest OS updates: OS-orchestrated patching: patches will be installed by OS
  • Identity: System assigned managed identity = Checked

Once the VM is created go to the VM resource in the Azure portal. 

  1. On the left menu under Settings, click Identity
  2. Under the System Assigned tab, change the Status to On
  3. Click Save
  4. Click Yes if a prompt appears.
  5. Save the name of the VM. You’ll need it in the next steps.

VM OS Configuration

  1. Login to the VM you just created 
  2. Install Google Chrome or Microsoft Edge
  3. In Windows Explorer turn on the visibility of file extensions. 
  4. Download the SigParser On Premise Engine release zip file to the VM
    1. Right click on the Zip file and click “Extract to…”
    2. Select the location C:\sigparser
    3. Click Next
    4. Wait for the extract to finish
  5. Go to c:\sigparser\
  6. Copy the  C:\sigparser\EmailFetcher\appsettings-template - office365.json file from folder and paste it to C:\sigparser folder. 
    1. Then rename the file to appsettings.json
  7. Open the new appsettings.json file for editing. We’ll put all our configuration into this file. Then later we’ll copy this file to different locations for each of the apps. 
  8. In C:\sigparser create a text file named allow.txt
    1. If you want to allow only specific domains to be mined then put each domain name on a different line. 
    2. If you want all domains to be mined then put an asterisk (*) only in the file. 
  9. In C:\sigparser create a file called deny.txt
    1. On each line put any email domains SigParser shouldn’t process if all the people on an email have those domains. This should generally be your company domain names and maybe your HR company. 
  10. In Windows search for Environment Variables and add the following AWS environment variables
    1. SigParserLicenseKey with the license key from SigParser
    2. AWS_ACCESS_KEY_ID = Access key with permission to write to Cloudwatch logs.
    3. AWS_SECRET_ACCESS_KEY = Access key secret for writing to Cloudwatch logs. 
  11. Copy the file c:\sigparser\EmailFetcher\log4net-template.config file to c:\sigparser
    1. Rename the file to be called log4net.config
    2. Open c:\sigparser\log4net.config
      1. Change the region setting to the value provided by SigParser IT
      2. Save the file
    3. Copy c:\sigparser\log4net.config to c:\sigparser\EmailFetcher\

Create a Microsoft 365 Security Group

  1. Go to Exchange Admin Console (
  2. Go to Recipients > Groups > Mail-enabled security
  3. Click Add a group
    1. In Group Type, select Mail-enabled security
    2. In Basics, set Name to SigParser
    3. In Settings,
      1. Set Group email address to sigparser@yourdomain
    4. In Review, review data and click Create Group
  4. Go to Recipients > Groups > and select the SigParser group
  5. Go to Members > View all and manage owners > +Add owners
  6. Select your group owner and click Add
  7. Get the Group ID from the URL browser bar
  8. Go to next step to add members to your security group

Add Members to Security Group

  1. Go to Exchange Admin Console (
  2. Go to Recipients > Groups > and select the SigParser group
  3. Go to Members > View all and manage owners > +Add members
  4. Add the members or groups who will be connected to SigParser

Register SigParser App in Microsoft Azure

  1. Go to Microsoft Azure portal (
  2. Go to App registrations > New Registration
  3. Enter the following info
    1. Name: SigParser Email Fetcher
    2. Supported account types: Single tenant option
    3. Redirect URI : Leave blank
  4. Click Register
  5. Add API Permissions
  6. Click on the API permissions section
  7. Give the app these Microsoft Graph as Application permissions
    1. Calender.Read : Yes
    2. Contacts.Read : Yes
    3. GroupMember.Read.All : Yes
    4. Mail.Read : Yes
    5. User.Read.All : Yes
  8. Grant Admin Consent

Create Access Policy

  1. Open Powershell
  2. Open powershell as administrator and paste this command to install the Exchange Online Manager
    1. Install-Module -Name ExchangeOnlineManagement
  3. Run this command next to enable Microsoft powershell scripts to run
    1. set-executionpolicy unrestricted
  4. Load the Exchange Online Management Tool with this command
    1. Import-Module ExchangeOnlineManagement
  5. Connect to your Microsoft account
    1. Connect-ExchangeOnline
  6. Create a new access policy with SigParsers app id and a security group
    1. New-ApplicationAccessPolicy -PolicyScopeGroupId -AppId d323f806-e9e0-4f23-a8e2-4ca821ffbbeb -AccessRight RestrictAccess -Description "Restrict SigParser's access"
    2. (Replace -PolicyScopeGroupId with the email of your security group)
  7. Test if SigParser can access restricted email address
    1. Test-ApplicationAccessPolicy -Identity -AppId d323f806-e9e0-4f23-a8e2-4ca821ffbbeb
    2. (Replace -Identity example@mail.comwith an email outside of SigParsers scope)

Create secrets file

Create the following file: c:\sigparser\secrets.json

  "SigParserApiToken": "your api key",
  "Office365ClientSecret": "office 365 client secret for the app you created in Azure"

Create App Secret

  1. Create a client secret for the Azure App you created
    1. Under Manage, click Certificates & secrets
    2. Under Client secrets, click New client secret
    3. Set description to SigParser
    4. Set expiration to 24 months
    5. Click Add
  2. In your secrets.json file 
    1. Update the Office365ClientSecret secret value.

Fill in appsettings.json file

  1. Open the C:\sigparser\ appsettings.json file
  2. salt = Change it by adding some random values into it. 
  3. monitoring_group_ids = ID of the mail enabled security group you created earlier. Get it from the URL in the browser when looking at the group. 
  4. Go to the
    1. Go to App Registrations -> select the SigParser app
    2. office365directoryid = Directory (tenant) ID
    3. office365clientid = Application (client) ID
  5. Confirm sendsubjectlines is the correct value
  6. Copy the configuration file C:\sigparser\appsettings.jsonand paste to...
    1. C:\sigparser\EmailFetcher 
    2. C:\sigparser\OnPremAdminTool

Generate API Key in SigParser and save to Azure Key Vault

  1. Create a SigParser account
  2. Purchase an Enterprise subscription or have the SigParser support team enable data API for your plan. 
  3. Create an API key
    1. Login or create an account at
    2. Don’t connect any mailboxes during the registration process. 
    3. Tell the SigParser dev team you have set up the account. They’ll enable the data API. 
    4. Go to Settings -> Data API -> Click Generate Key
    5. Copy the secret key. You will only be able to see it this one time.
  4. Add the key to the secrets.json file
    1. Add the key to SigParserApiToken
  5. Configure roles to users can’t add mailboxes
    1. Click Settings
    2. Click Users
    3. Click on each of the role names and do the following
      1. Disable the Add Data Sources feature
      2. Click Save
  6. Add to the Secret Vault a secret for AccessToken and have a random value. 

Setup Scheduled Task

  1. Go go the Task Scheduler in Windows
  2. Go to the folder Task Scheduler Library
  3. Click Import Task and import the XML file c:/sigparser/EmailFetcher/SigParser Email Fetcher Template.xml
  4. Configure the task
    1. General tab
      1. Name: SigParser Email Fetcher 1
      2. Select Run whether the user is logged on or not
    2. Triggers tab
      1. Customize the trigger as you see fit
    3. Actions tab
      1. Edit the Action
      2. In the Arguments field modify the instance ID to include your company name (no spaces).
      3. Example: --instance=MyCompanyName
      4. Click OK
    4. Click OK to finish creating the task

Test the task by:

  1. Right clicking on the task in the list
  2. Click Run
  3. You can view the logs by opening the file  C:\sigparser\EmailFetcher\emailfetcher.log

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons

Feedback sent

We appreciate your effort and will try to fix the article