Documentation · Enterprise setup

Enterprise mode: collect from another custodian.

Enterprise mode is for operators preserving somebody else's mailbox, OneDrive, or SharePoint content. It requires a one-time admin approval and a per-custodian mailbox permission grant. The payoff is full custodian coverage with the same defensibility guarantees as Personal mode.

What Enterprise mode does

Enterprise mode uses delegated Microsoft Graph permissions to pull mail from a custodian's mailbox (/users/{custodian}/messages), files from their OneDrive, and content from SharePoint sites they have access to. The operator signs in as themselves; every Graph call is made on their behalf and logged in the tenant audit trail.

This is not an Application-permission tool. Krellix never asks for Mail.Read.All or similar tenant-wide Application scopes — those would break the delegated chain-of-custody story. Instead, the tenant admin grants the operator's sign-in the delegated scope set once, and then grants Full Access mailbox permission on each custodian mailbox the operator is authorized to collect.

Prerequisites

• A Microsoft 365 tenant with Exchange Online.
• An operator account in the tenant. No special license required beyond a standard M365 seat.
• Tenant admin access to perform the one-time admin consent and the per-custodian mailbox permission grants (or an admin willing to do these on your behalf).
• For OneDrive/SharePoint collection: the operator needs either a privileged Entra role (Global Reader, Compliance Administrator, eDiscovery Manager) or site membership on the specific SharePoint sites being collected.

Admin consent (one-time)

The first operator to sign into Krellix in Enterprise mode will be prompted to request admin consent for six scopes:

• User.Read — identify the operator in the manifest.
• Mail.Read — the operator's own mailbox (fallback for self-collection scenarios).
• Mail.Read.Shared — delegated access to custodian mailboxes the operator has permission on.
• Files.Read.All — OneDrive collection. Admin-restricted.
• Sites.Read.All — SharePoint collection. Admin-restricted.
• offline_access — refresh tokens for long collections.

Approving admin consent

The admin has two paths:

1. From the consent dialog. If the admin clicks through the Krellix sign-in themselves, Microsoft shows a consent screen with a “Consent on behalf of your organization” checkbox. Approving with that checkbox ticked grants the scopes tenant-wide in a single click.
2. From the Entra admin center. Navigate to Microsoft Entra ID → Enterprise applications → Krellix Mail (the app appears after the first sign-in attempt, even if consent wasn't granted). Open the app's Permissions tab and click Grant admin consent for [tenant].

After admin consent, subsequent operators in the same tenant sign in without seeing the consent dialog. The tenant is now provisioned.

Add-MailboxPermission (per custodian)

Admin consent alone does not grant the operator access to any specific mailbox. That is intentional — a delegated Mail.Read.Shared token only works against mailboxes where the token holder has explicit mailbox permission. For every custodian mailbox the operator is authorized to collect, the tenant admin must run the following Exchange Online PowerShell command:

Add-MailboxPermission `
  -Identity  "custodian@yourtenant.com" `
  -User      "operator@yourtenant.com" `
  -AccessRights FullAccess `
  -InheritanceType All `
  -AutoMapping $false

AutoMapping $false keeps the custodian mailbox from automatically appearing in the operator's Outlook client. This is important: the goal is programmatic collection access, not an additional mailbox in the operator's Outlook folder list.

The permission takes effect immediately, but token caches on the operator side can take up to 60 minutes to refresh. If Krellix returns a 403 on a custodian you just got permission for, sign out and sign back in to force a fresh token.

Removing permission after collection

Best practice is to grant FullAccess for the duration of a specific matter and remove it after delivery. The reverse command:

Remove-MailboxPermission `
  -Identity  "custodian@yourtenant.com" `
  -User      "operator@yourtenant.com" `
  -AccessRights FullAccess `
  -InheritanceType All

The operator's past collections remain verifiable forever — revoking permission doesn't invalidate exports that were already sealed.

First Enterprise collection

1. Open Krellix, pick Enterprise, and sign in with the operator account.
2. On the collection screen, enter the custodian's UPN (e.g. d.marquez@yourtenant.com). Krellix validates the UPN by calling /users/{upn} — if the lookup fails, you'll see “Custodian not found.” Check the spelling and confirm the account is enabled.
3. Choose which sources to collect: Mail, OneDrive, SharePoint. Each is independent — you can collect mail-only, or mail + OneDrive, or all three.
4. Set the scope: date range, KQL filter, folder restriction, SharePoint site list, OneDrive subfolder path. Krellix shows the translated Graph filter for mail; for OneDrive/SharePoint it shows the exact drive and site IDs that will be walked.
5. Click Run export. Krellix runs a pre-flight probe against each source — a MailFolders.GetAsync(Top=1) for mail, a Drive.GetAsync for OneDrive, a Sites.Root.GetAsync for SharePoint. If any probe returns 403, the operator is missing the required permission — the error names the specific source.

Multi-custodian collections

A single Krellix collection targets one custodian. For matters spanning multiple custodians, run one collection per custodian; Krellix writes each into its own timestamped subfolder with its own manifest. At delivery time, zip the subfolders together and include a short cover letter referencing the collection IDs — those IDs appear in each ChainOfCustody.json and are stable.

Deduplication across custodians is handled by matching SHA-256 hashes across the per-custodian manifests. The DeduplicationReport.csv in each collection lists hashes and gives you the inputs for cross-custodian dedup without having to open every file.

Common errors during setup

• AADSTS90094 on sign-in: admin consent has not been granted for the tenant. Return to the admin consent section.
• 403 on first mailbox read: admin consent is in place but mailbox permission isn't. Run Add-MailboxPermission.
• 403 on OneDrive or SharePoint: the operator lacks the privileged role or site membership. Full list of required access in troubleshooting.

Next steps

• Understand the output
• Verify a collection
• Troubleshooting