

# Connecting Microsoft Exchange to Amazon Q Business
<a name="exchange-connector"></a>

You can connect your Microsoft Exchange enterprise messaging system to Amazon Q Business to unlock valuable organizational knowledge. This connection allows your users to search emails, calendar events, and shared content directly through the Amazon Q web experience.

You can connect your Microsoft Exchange instance to Amazon Q Business using the AWS Management Console or the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) API. This enables faster information discovery and improved decision-making across your organization.

**Topics**
+ [Microsoft Exchange connector versions](exchange-versions.md)
+ [Known limitations for the Microsoft Exchange connector](exchange-limitations.md)
+ [Microsoft Exchange connector overview](exchange-overview.md)
+ [Prerequisites for connecting Amazon Q Business to Microsoft Exchange](exchange-prereqs.md)
+ [Connecting using the Latest Microsoft Exchange Connector (Console)](exchange-console-new.md)
+ [Connecting using the Legacy Microsoft Exchange Connector (Console)](exchange-console-original.md)
+ [Connecting Amazon Q Business to Microsoft Exchange using APIs](exchange-api.md)
+ [Connecting Amazon Q Business to Microsoft Exchange (New connector) using APIs](exchange-new-api.md)
+ [How Amazon Q Business connector crawls Exchange ACLs](exchange-user-management.md)
+ [Microsoft Exchange data source connector field mappings](exchange-field-mappings.md)
+ [IAM role for Microsoft Exchange connector](exchange-iam-role.md)
+ [Understand error codes in the Microsoft Exchange connector](exchange-error-codes.md)

**Learn more**
+ For an overview of the Amazon Q web experience creation process using IAM Identity Center, see [Configuring an application using IAM Identity Center](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-application.html).
+ For an overview of the Amazon Q web experience creation process using AWS Identity and Access Management, see [Configuring an application using IAM](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/create-application-iam.html).
+ For an overview of connector features, see [Data source connector concepts](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html).
+ For information about connector configuration best practices, see [Connector configuration best practices](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-best-practices.html).

# Microsoft Exchange connector versions
<a name="exchange-versions"></a>

You can choose between two Microsoft Exchange connector versions:

## Latest Microsoft Exchange connector (Recommended)
<a name="exchange-new-connector-overview"></a>

**Note**  
The latest connector provides improved accuracy. We recommend using the latest connector for new implementations. The legacy connector remains available if you need specific features not yet supported in the latest connector.

The latest Microsoft Exchange connector offers a simplified configuration experience:
+ Enhanced accuracy and performance
+ Simplified filtering with Date Range options only
+ Automatic crawling of ACL and identity information

## Legacy Microsoft Exchange connector
<a name="exchange-original-connector-overview"></a>

The legacy Microsoft Exchange connector provides full-featured configuration with advanced options:
+ Complete entity type selection including Calendar, OneNotes, and Contacts
+ Advanced filtering options and regex pattern matching
+ Custom field mappings for metadata extraction
+ Configurable sync modes and VPC settings
+ Domain-based email filtering and inclusion rules
+ Manual ACL and identity crawling configuration

# Known limitations for the Microsoft Exchange connector
<a name="exchange-limitations"></a>

**Note**  
**Legacy version notice:** We recommend using the latest connector for improved performance and retrieval quality. The following limitations apply only to the legacy connector version.

The legacy Microsoft Exchange connector has these known limitations:
+ When you enable Access Control Lists (ACLs), the "Sync only new or modified content" option is not available due to Microsoft Exchange API limitations. Use "Full sync" or "New, modified, or deleted content sync" modes instead, or disable ACLs to use this sync mode.

# Microsoft Exchange connector overview
<a name="exchange-overview"></a>

The following table shows the Amazon Q Business Microsoft Exchange connector features and capabilities.


[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/exchange-overview.html)

# Prerequisites for connecting Amazon Q Business to Microsoft Exchange
<a name="exchange-prereqs"></a>

**In Microsoft Exchange, make sure you have:**
+ Created a Microsoft Exchange account in Office 365.
+ Copied your Microsoft 365 tenant ID. You can find your tenant ID in the **Properties** of your Azure Active Directory Portal or in the Microsoft Entra Admin portal. For more information, see [Find your Microsoft 365 tenant ID](https://learn.microsoft.com/en-us/sharepoint/find-your-office-365-tenant-id) on the Microsoft website.
+ Configured an OAuth 2.0 credential token containing a client ID and client secret.
+ Added the following permissions for the connector application:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/exchange-prereqs.html)

**In your AWS account, make sure you have:**
+ Created an Amazon Q Business application.
+ Created an [Amazon Q Business retriever and added an index](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/select-retriever.html).
+ Created an [IAM role](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds) for your data source and, if using the Amazon Q API, noted the ARN of the IAM role.
+ Stored your Microsoft Exchange authentication credentials in an AWS Secrets Manager secret and, if using the Amazon Q API, noted the ARN of the secret.
**Note**  
If you’re a console user, you can create the IAM role and Secrets Manager secret as part of configuring your Amazon Q application on the console.

For a list of things to consider while configuring your data source, see [Data source connector configuration best practices](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-best-practices.html).

# Connecting using the Latest Microsoft Exchange Connector (Console)
<a name="exchange-console-new"></a>

The latest Microsoft Exchange connector provides a simplified configuration experience with essential features. The following procedure shows how to connect Amazon Q Business to Microsoft Exchange using the latest connector.

**Connecting Amazon Q to Microsoft Exchange using the latest connector**

1. Sign in to the AWS Management Console and open the Amazon Q Business console.

1. From the left navigation menu, choose **Data sources**.

1. From the **Data sources** page, choose **Add data source**.

1. Then, on the **Add data sources** page, from **Data sources**, add the **Microsoft Exchange (latest)** data source to your Amazon Q application.

1. Then, on the **Microsoft Exchange** data source page, enter the following information:

1. For **Name and description**, do the following:
   + For **Data source name** – Name your data source for easy tracking.
**Note**  
You can include hyphens (-) but not spaces. Maximum of 1,000 alphanumeric characters.
   + **Description – *optional*** – Add an optional description for your data source. This text is viewed only by Amazon Q Business administrators and can be edited later.

1. In **Source**, enter the following information:
   +  **Tenant ID** – Enter your tenant ID. Your Microsoft tenant ID is a globally unique identifier required to configure each connector instance. You can find your tenant ID in the properties section of your Microsoft account dashboard.

1. For **Authentication**, choose between **New** and **Existing**.

   1. If you choose **Existing**, choose an existing secret for **Select secret**.

     If you choose **New**, enter the following information in the **New AWS Secrets Manager secret** section:

     1. **Secret name** – Enter a name for your secret.

     1. For **Client ID** and **Client secret**, enter the authentication credential values that you generated from your Exchange account. 

1. **IAM role** – Choose an existing IAM role or create an IAM role to access your repository credentials and index content.
**Note**  
Creating a new service IAM role is recommended.

   For more information, see [IAM role](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/exchange-connector.html#exchange-iam).

1. For **Additional configuration – *optional***, configure the following options:
   + **Date Range** – Enter the date range for crawling your email content. The end date is optional.
**Note**  
**Simplified configuration:** The latest connector automatically crawls email content only, with ACL enabled by default. Entity type selection and attachment filtering are not available to keep configuration simple and reliable.

1. **Advanced settings**

   **Document deletion safeguard – *optional*** – To safeguard your documents from deletion during a sync job, select **On** and enter an integer between 0 and 100. If the percentage of documents to be deleted in your sync job exceeds the percentage you selected, the delete phase will be skipped and no documents from this data source will be deleted from your index. For more information, see [Document deletion safeguard](connector-concepts.md#document-deletion-safeguard).

1. In **Sync run schedule**, for **Frequency** – Choose how often Amazon Q will sync with your data source. For more details, see [Sync run schedule](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-sync-run). To learn how to start a data sync job, see [Starting data source connector sync jobs](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/supported-datasource-actions.html#start-datasource-sync-jobs).

1. **Tags - *optional*** – Add tags to search and filter your resources or track your AWS costs. See [Tags](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/tagging.html) for more details.

1. In **Data source details**, choose **Sync now** to allow Amazon Q to begin syncing (crawling and ingesting) data from your data source. When the sync job finishes, your data source is ready to use.
**Note**  
View CloudWatch logs for your data source sync job by selecting **View CloudWatch logs**. If you encounter a `Resource not found exception` error, wait and try again as logs may not be available immediately.  
You can also view a detailed document-level report by selecting **View Report**. This report shows the status of each document during the crawl, sync, and index stages, including any errors. If the report is empty for an in-progress job, check back later as data is emitted to the report as events occur during the sync process.  
For more information, see [Troubleshooting data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/troubleshooting-data-sources.html#troubleshooting-data-sources-not-indexed).

# Connecting using the Legacy Microsoft Exchange Connector (Console)
<a name="exchange-console-original"></a>

The legacy Microsoft Exchange connector provides comprehensive configuration options including entity type selection, field mappings, and VPC settings. The following procedure shows how to connect Amazon Q Business to Microsoft Exchange using the legacy connector.

**Connecting Amazon Q to Microsoft Exchange using the legacy connector**

1. Sign in to the AWS Management Console and open the Amazon Q Business console.

1. From the left navigation menu, choose **Data sources**.

1. From the **Data sources** page, choose **Add data source**.

1. Then, on the **Add data sources** page, from **Data sources**, add the **Microsoft Exchange** data source to your Amazon Q application.

1. Then, on the **Microsoft Exchange** data source page, enter the following information:

1. For **Name and description**, do the following:
   + For **Data source name** – Name your data source for easy tracking.
**Note**  
You can include hyphens (-) but not spaces. Maximum of 1,000 alphanumeric characters.
   + **Description – *optional*** – Add an optional description for your data source. This text is viewed only by Amazon Q Business administrators and can be edited later.

1. In **Source**, enter the following information:
   +  **Tenant ID** – Enter your tenant ID. Your Microsoft tenant ID is a globally unique identifier required to configure each connector instance. You can find your tenant ID in the properties section of your Microsoft account dashboard.

1. **Authorization** – Amazon Q Business crawls ACL information by default to ensure responses are generated only from documents your end users have access to. If supported for your connector, you can manage ACLs by selecting **Enable ACLs** to enable ACLs or **Disable ACLs** to disable them. To manage ACLs, you need specific IAM permissions. See [Grant permission to create data sources with ACLs disabled](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/setting-up.html#DisableAclOnDataSource) for more details. See [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization) for more details.

1. **Authentication** – Choose between **New** and **Existing**.

   1. If you choose **Existing**, select an existing secret for **Select secret**.

     If you choose **New**, enter the following information in the **New AWS Secrets Manager secret** section:

     1. **Secret name** – A name for your secret.

     1. For **Client ID** and **Client secret**, enter the authentication credential values that you generated from your Exchange account.

1. **IAM role** – Choose an existing IAM role or create an IAM role to access your repository credentials and index content.
**Note**  
Creating a new service IAM role is recommended.

   For more information, see [IAM role](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/exchange-connector.html#exchange-iam).

1. In **Sync scope**, choose from the following options:
   + **UserIDs** – Choose to filter content by specific user email IDs.
   + **User email ID** – Upload a file with user email IDs to filter content. Format email IDs on separate lines in the file.
   + **Include patterns** – Specify patterns to include specific content.
   + **Exclude patterns** – Specify patterns to exclude specific content.

1. For **Maximum file size**, specify the file size limit in MBs that Amazon Q will crawl. Amazon Q crawls only files within the size limit you define. The default file size is 50MB. The maximum file size must be greater than 0MB and less than or equal to 50MB.

1. For **Additional configuration – *optional***, configure the following options:
   + **Entity types** – Choose whether to crawl the following entities: **Calendar**, **OneNotes**, and **Contacts**.
   +  **Calendar crawling** – Enter the date range for which the connector will crawl your calendar content.
   +  **Include email** – Enter the email from domains, email to domains, and subjects you wish to include or exclude in your application.
   +  **Shared folders access** – Enable ACL crawling for shared folders.
   +  **Regex for domains** – Add patterns to include and exclude certain email domains from your application.
   + **Regex patterns** – Add regular expression patterns to include or exclude certain files. You can add up to 100 patterns.

1. **Multi-media content configuration – optional** – To enable content extraction from embedded images and visuals in documents, choose **Visual content in documents**.

   To extract audio transcriptions and video content, enable processing for the following file types:

1. **Advanced settings**

   **Document deletion safeguard – *optional*** – To safeguard your documents from deletion during a sync job, select **On** and enter an integer between 0 and 100. If the percentage of documents to be deleted in your sync job exceeds the percentage you selected, the delete phase will be skipped and no documents from this data source will be deleted from your index. For more information, see [Document deletion safeguard](connector-concepts.md#document-deletion-safeguard).

1. In **Sync run schedule**, for **Frequency** – Choose how often Amazon Q will sync with your data source. For more details, see [Sync run schedule](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-sync-run). To learn how to start a data sync job, see [Starting data source connector sync jobs](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/supported-datasource-actions.html#start-datasource-sync-jobs).

1. **Tags - *optional*** – Add tags to search and filter your resources or track your AWS costs. See [Tags](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/tagging.html) for more details.

1. **Field mappings** – A list of data source document attributes to map to your index fields.
**Note**  
Add or update the fields from the **Data source details** page after you finish adding your data source. You can choose from two types of fields: 

   1. **Default** – Automatically created by Amazon Q on your behalf based on common fields in your data source. You can't edit these.

   1. **Custom** – Automatically created by Amazon Q on your behalf based on common fields in your data source. You can edit these. You can also create and add new custom fields.
**Note**  
Support for adding custom fields varies by connector. You won't see the **Add field** option if your connector doesn't support adding custom fields.

   For more information, see [Field mappings](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-field-mappings).

1. **Configure VPC and security group – *optional*** – Choose whether you want to use a VPC. If you do, enter the following information:

   1. **Subnets** – Select up to 6 repository subnets that define the subnets and IP ranges the repository instance uses in the selected VPC.

   1. **VPC security groups** – Choose up to 10 security groups that allow access to your data source. Ensure that the security group allows incoming traffic from Amazon EC2 instances and devices outside your VPC. For databases, security group instances are required. 

   For more information, see [VPC](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-vpc).

1. In **Data source details**, choose **Sync now** to allow Amazon Q to begin syncing (crawling and ingesting) data from your data source. When the sync job finishes, your data source is ready to use.
**Note**  
View CloudWatch logs for your data source sync job by selecting **View CloudWatch logs**. If you encounter a `Resource not found exception` error, wait and try again as logs may not be available immediately.  
You can also view a detailed document-level report by selecting **View Report**. This report shows the status of each document during the crawl, sync, and index stages, including any errors. If the report is empty for an in-progress job, check back later as data is emitted to the report as events occur during the sync process.  
For more information, see [Troubleshooting data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/troubleshooting-data-sources.html#troubleshooting-data-sources-not-indexed).

# Connecting Amazon Q Business to Microsoft Exchange using APIs
<a name="exchange-api"></a>

You use the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) action to connect a data source to your Amazon Q application. You can also use the [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) action to modify an existing data source configuration.

Then, you use the `configuration` parameter to provide a JSON blob that conforms to the AWS-defined JSON schema.

For an example of the API request, see [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) and [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) in the Amazon Q API Reference.

## Microsoft Exchange JSON schema
<a name="exchange-json"></a>

The following shows the Microsoft Exchange JSON schema:

```
{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "properties": {
    "connectionConfiguration": {
      "type": "object",
      "properties": {
        "repositoryEndpointMetadata": {
          "type": "object",
          "properties": {
            "tenantId": {
              "type": "string",
              "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
              "minLength": 36,
              "maxLength": 36
            }
          },
          "required": ["tenantId"]
        }
      }
    },
    "repositoryConfigurations": {
      "type": "object",
      "properties": {
        "email": {
          "type": "object",
          "properties": {
            "fieldMappings": {
              "type": "array",
              "items": [
                {
                  "type": "object",
                  "properties": {
                    "indexFieldName": {
                      "type": "string"
                    },
                    "indexFieldType": {
                      "type": "string",
                      "enum": ["STRING", "STRING_LIST", "DATE"]
                    },
                    "dataSourceFieldName": {
                      "type": "string"
                    },
                    "dateFieldFormat": {
                      "type": "string",
                      "pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
                    }
                  },
                  "required": [
                    "indexFieldName",
                    "indexFieldType",
                    "dataSourceFieldName"
                  ]
                }
              ]
            }
          },
          "required": [
            "fieldMappings"
          ]
        },
        "attachment": {
          "type": "object",
          "properties": {
            "fieldMappings": {
              "type": "array",
              "items": [
                {
                  "type": "object",
                  "properties": {
                    "indexFieldName": {
                      "type": "string"
                    },
                    "indexFieldType": {
                      "type": "string",
                      "enum": ["STRING", "DATE","LONG"]
                    },
                    "dataSourceFieldName": {
                      "type": "string"
                    },
                    "dateFieldFormat": {
                      "type": "string",
                      "pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
                    }
                  },
                  "required": [
                    "indexFieldName",
                    "indexFieldType",
                    "dataSourceFieldName"
                  ]
                }
              ]
            }
          },
          "required": [
            "fieldMappings"
          ]
        },
        "calendar": {
          "type": "object",
          "properties": {
            "fieldMappings": {
              "type": "array",
              "items": [
                {
                  "type": "object",
                  "properties": {
                    "indexFieldName": {
                      "type": "string"
                    },
                    "indexFieldType": {
                      "type": "string",
                      "enum": ["STRING", "STRING_LIST", "DATE"]
                    },
                    "dataSourceFieldName": {
                      "type": "string"
                    },
                    "dateFieldFormat": {
                      "type": "string",
                      "pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
                    }
                  },
                  "required": [
                    "indexFieldName",
                    "indexFieldType",
                    "dataSourceFieldName"
                  ]
                }
              ]
            }
          },
          "required": [
            "fieldMappings"
          ]
        },
        "contacts": {
          "type": "object",
          "properties": {
            "fieldMappings": {
              "type": "array",
              "items": [
                {
                  "type": "object",
                  "properties": {
                    "indexFieldName": {
                      "type": "string"
                    },
                    "indexFieldType": {
                      "type": "string",
                      "enum": ["STRING", "STRING_LIST", "DATE"]
                    },
                    "dataSourceFieldName": {
                      "type": "string"
                    },
                    "dateFieldFormat": {
                      "type": "string",
                      "pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
                    }
                  },
                  "required": [
                    "indexFieldName",
                    "indexFieldType",
                    "dataSourceFieldName"
                  ]
                }
              ]
            }
          },
          "required": [
            "fieldMappings"
          ]
        },
        "notes": {
          "type": "object",
          "properties": {
            "fieldMappings": {
              "type": "array",
              "items": [
                {
                  "type": "object",
                  "properties": {
                    "indexFieldName": {
                      "type": "string"
                    },
                    "indexFieldType": {
                      "type": "string",
                      "enum": ["STRING", "DATE"]
                    },
                    "dataSourceFieldName": {
                      "type": "string"
                    },
                    "dateFieldFormat": {
                      "type": "string",
                      "pattern": "yyyy-MM-dd'T'HH:mm:ss'Z'"
                    }
                  },
                  "required": [
                    "indexFieldName",
                    "indexFieldType",
                    "dataSourceFieldName"
                  ]
                }
              ]
            }
          },
          "required": [
            "fieldMappings"
          ]
        }
      },
      "required": ["email"
      ]
    },
    "additionalProperties": {
      "type": "object",
      "properties": {
        "inclusionPatterns": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "exclusionPatterns": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "inclusionUsersList": {
          "type": "array",
          "items": {
            "type": "string",
            "format": "email"
          }
        },
        "exclusionUsersList": {
          "type": "array",
          "items": {
            "type": "string",
            "format": "email"
          }
        },
        "s3bucketName": {
          "type": "string"
        },
        "inclusionUsersFileName": {
          "type": "string"
        },
        "exclusionUsersFileName": {
          "type": "string"
        },
        "inclusionDomainUsers": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "exclusionDomainUsers": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "crawlCalendar": {
          "type": "boolean"
        },
        "crawlNotes": {
          "type": "boolean"
        },
        "crawlContacts": {
          "type": "boolean"
        },
        "crawlFolderAcl": {
          "type": "boolean"
        },
        "startCalendarDateTime": {
          "anyOf": [
            {
              "type": "string",
              "pattern": "^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$"
            },
            {
              "type": "string",
              "pattern": ""
            }
          ]
        },
        "endCalendarDateTime": {
          "anyOf": [
            {
            "type": "string",
            "pattern": "^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$"
            },
            {
              "type": "string",
              "pattern": ""
            }
          ]
        },
        "subject": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "emailFrom": {
          "type": "array",
          "items": {
            "type": "string",
            "format": "email"
          }
        },
        "emailTo": {
          "type": "array",
          "items": {
            "type": "string",
            "format": "email"
          }
        },
        "maxFileSizeInMegaBytes": {
          "type": "string"
        }
      },
      "required": []
    },
    "syncMode": {
      "type": "string",
      "enum": [
        "FORCED_FULL_CRAWL",
        "FULL_CRAWL",
        "CHANGE_LOG"
      ]
    },
    "type" : {
      "type" : "string",
      "pattern": "MSEXCHANGE"
    },
    "secretArn": {
      "type": "string"
    }
  },
  "version": {
    "type": "string",
    "anyOf": [
      {
        "pattern": "1.0.0"
      }
    ]
  },
  "required": [
    "connectionConfiguration",
    "repositoryConfigurations",
    "syncMode",
    "additionalProperties",
    "secretArn",
    "type"
  ]
}
```

The following table provides information about important JSON keys to configure.


| Configuration | Description | 
| --- | --- | 
| connectionConfiguration | Configuration information for the endpoint for the data source. | 
| repositoryEndpointMetadata | The endpoint information for the data source. | 
| tenantId | The Microsoft 365 tenant ID. You can find your tenant ID in the Properties of your Azure Active Directory Portal. | 
| repositoryConfigurations | Configuration information for the content of the data source. For example, configuring specific types of content and field mappings. | 
|  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/exchange-api.html)  |  A list of objects that map the attributes or field names of your Microsoft Exchange data source. | 
| secretArn | The Amazon Resource Name (ARN) of an AWS Secrets Manager secret that contains the key-value pairs required to connect to your Exchange data source. This includes your client ID and your client secret. | 
| additionalProperties | Additional configuration options for content in your data source. | 
| inclusionPatterns [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/exchange-api.html) | A list of regular expression patterns to include specific files in your Exchange data source. Files that match the patterns are included in the index. Files that don't match the patterns are excluded from the index. If a file matches both an inclusion and exclusion pattern, the exclusion pattern takes precedence and the file isn't included in the index. | 
| exclusionPatterns[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/exchange-api.html) | A list of regular expression patterns to exclude specific files in your Exchange data source. Files that match the patterns are excluded from the index. Files that don't match the patterns are included in the index. If a file matches both an exclusion and inclusion pattern, the exclusion pattern takes precedence and the file isn't included in the index. | 
| startCalendarDateTime | Use to specify the date and time for Calendar content to be crawled by Amazon Q. | 
| endCalendarDateTime | Use to specify the date and time for Calendar content to be crawled by Amazon Q. | 
| subject | Use to specify email subject lines to be crawled. | 
| emailFrom | Use to specify emails to be crawled based on sender. | 
| emailTo | Use to specify emails to be crawled based on recipient. | 
| maxFileSizeInMegaBytes | Specify the maximum single file size limit in MBs that Amazon Q will crawl. Amazon Q will crawl only the files within the size limit you define. The default file size is 50MB. The maximum file size should be greater than 0MB and less than or equal to 50MB. | 
|  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/exchange-api.html)  | true to index this content in your Microsoft Exchange data source.  Amazon Q Business crawls ACL information by default to ensure responses are generated only from documents your end users have access to. See [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization) for more details.  | 
| syncMode | Specify whether Amazon Q should update your index by syncing all documents or only new, modified, and deleted documents. You can choose between the following options: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/exchange-api.html)  | 
| type | The type of data source. Specify MSEXCHANGE as your data source type. | 
| enableIdentityCrawler | true to activate identity crawler. Identity crawler is activated by default. Crawling identity information on users and groups with access to specific documents is useful for user context filtering. Search results are filtered based on the user or their group access to documents.  Amazon Q Business crawls identity information from your data source by default to ensure responses are generated only from documents end users have access to. For more information, see [Identity crawler](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-identity-crawler).  | 
| version | The version of this template that's currently supported. | 

# Connecting Amazon Q Business to Microsoft Exchange (New connector) using APIs
<a name="exchange-new-api"></a>

You use the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) action to connect a data source to your Amazon Q application. You can also use the [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) action to modify an existing data source configuration.

Then, you use the `configuration` parameter to provide a JSON blob that conforms to the AWS-defined JSON schema.

For an example of the API request, see [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) and [UpdateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_UpdateDataSource.html) in the Amazon Q API Reference.

## Microsoft Exchange new connector JSON schema
<a name="exchange-new-json"></a>

The following shows the Microsoft Exchange new connector JSON schema:

```
{
    "$schema": "http://json-schema.org/draft-07/schema#",
    "type": "object",
    "properties": {
        "type": {
            "type": "string",
            "enum": ["MSEXCHANGEV2"]
        },
        "connectionConfiguration": {
            "type": "object",
            "properties": {
                "secretArn": {
                    "type": "string",
                    "pattern": "^arn:[a-z0-9-\\.]{1,63}:[a-z0-9-\\.]{0,63}:[a-z0-9-\\.]{0,63}:[a-z0-9-\\.]{0,63}:[^/].{0,1023}$"
                },
                "tenantId": {
                    "type": "string",
                    "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[4][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$",
                    "minLength": 36,
                    "maxLength": 36
                }
            },
            "required": ["tenantId", "secretArn"]
        },
        "dataEntityConfiguration": {
            "type": "object",
            "properties": {
            }
        },
        "filterConfiguration": {
            "type": "object",
            "properties": {
                "startDateFilter": {
                    "type": "string",
                    "format": "date-time"
                },
                "endDateFilter": {
                    "type": "string",
                    "format": "date-time"
                }
            }
        },
        "deletionProtectionConfiguration": {
            "type": "object",
            "properties": {
                "enableDeletionProtection": {
                    "type": "boolean"
                },
                "deletionProtectionThreshold": {
                    "type": "string",
                    "pattern": "^(100|[1-9][0-9]?)$"
                }
            },
            "required": ["enableDeletionProtection", "deletionProtectionThreshold"]
        }
    },
    "required": [
        "type",
        "connectionConfiguration",
        "dataEntityConfiguration"
    ]
}
```

The following table provides information about important JSON keys to configure for the new Microsoft Exchange connector.


| Configuration | Description | 
| --- | --- | 
| type | The type of data source. Specify MSEXCHANGEV2 for the new Microsoft Exchange connector. | 
| connectionConfiguration | Configuration information for connecting to the Microsoft Exchange data source. | 
| secretArn | The Amazon Resource Name (ARN) of an AWS Secrets Manager secret that contains the key-value pairs required to connect to your Exchange data source. This includes your client ID and your client secret. | 
| tenantId | The Microsoft 365 tenant ID (UUID v4 format). You can find your tenant ID in the Properties of your Azure Active Directory Portal. | 
| dataEntityConfiguration | Configuration for the types of data entities to crawl from Microsoft Exchange. | 
| filterConfiguration | Optional configuration for filtering content during the crawl process. | 
| startDateFilter | Specify the start date for filtering emails. Only emails created on or after this date will be crawled. Format: ISO 8601 date-time (e.g., 2025-06-01T00:00:00Z). | 
| endDateFilter | Specify the end date for filtering emails. Only emails created on or before this date will be crawled. Format: ISO 8601 date-time (e.g., 2025-07-01T00:00:00Z). | 
| deletionProtectionConfiguration | Optional configuration to protect against accidental deletion of large amounts of content. | 
| enableDeletionProtection | A Boolean value to enable deletion protection. When enabled, the connector will not delete more than the specified threshold of documents in a single sync. | 
| deletionProtectionThreshold | The maximum percentage of documents that can be deleted in a single sync when deletion protection is enabled. Must be a string representing a number from 1-100 (e.g., "10" for 10%). | 

## Sample configuration for the new Microsoft Exchange connector
<a name="exchange-new-sample"></a>

The following is a sample configuration for the new Microsoft Exchange connector:

```
{
    "displayName": "mail-0910-sample",
    "configuration": {
        "connectionConfiguration": {
            "secretArn": "arn:aws:secretsmanager:<region>:<account>:secret:<secret>",
            "tenantId": "<tenant_id>"
        },
        "dataEntityConfiguration": {
        },
        "filterConfiguration": {
            "startDateFilter": "2025-06-01T00:00:00Z",
            "endDateFilter": "2025-07-01T00:00:00Z"
        },
        "deletionProtectionConfiguration": {
            "enableDeletionProtection": true,
            "deletionProtectionThreshold": "10"
        },
        "type": "MSEXCHANGEV2",
        "version": "1.0.0"
    },
    "description": "Sample Config",
    "syncSchedule": "",
    "roleArn": "arn:aws:iam::<account>:role/service-role/<role_name>",
    "mediaExtractionConfiguration": {}
}
```
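
The following validator is an added example, not part of the AWS documentation or SDK. It checks a `configuration` object against the constraints in the schema above before you send it to `CreateDataSource`. The function names, the sample ARN and tenant ID, and the start/end ordering check are assumptions made for illustration.

```python
import re
from datetime import datetime

# Patterns copied verbatim from the connector JSON schema.
SECRET_ARN_RE = re.compile(
    r"^arn:[a-z0-9-\.]{1,63}:[a-z0-9-\.]{0,63}:[a-z0-9-\.]{0,63}:[a-z0-9-\.]{0,63}:[^/].{0,1023}$"
)
TENANT_ID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[4][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")
THRESHOLD_RE = re.compile(r"^(100|[1-9][0-9]?)$")


def _parse_datetime(value):
    """Return an aware datetime for an ISO 8601 date-time with offset, else None."""
    if not isinstance(value, str):
        return None
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return parsed if parsed.tzinfo is not None else None


def validate_exchange_v2_config(cfg):
    """Return a list of problems found in a new-connector `configuration` dict."""
    errors = []
    for key in ("type", "connectionConfiguration", "dataEntityConfiguration"):
        if key not in cfg:
            errors.append(f"{key} is required")
    if cfg.get("type", "MSEXCHANGEV2") != "MSEXCHANGEV2":
        errors.append("type must be MSEXCHANGEV2")
    conn = cfg.get("connectionConfiguration")
    if isinstance(conn, dict):
        for key, regex in (("tenantId", TENANT_ID_RE), ("secretArn", SECRET_ARN_RE)):
            value = conn.get(key)
            if value is None:
                errors.append(f"connectionConfiguration.{key} is required")
            elif not isinstance(value, str) or not regex.fullmatch(value):
                errors.append(f"connectionConfiguration.{key} does not match the schema pattern")
    filters = cfg.get("filterConfiguration")
    window = {}
    for key in ("startDateFilter", "endDateFilter"):
        if isinstance(filters, dict) and key in filters:
            window[key] = _parse_datetime(filters[key])
            if window[key] is None:
                errors.append(f"filterConfiguration.{key} is not a date-time with offset")
    start, end = window.get("startDateFilter"), window.get("endDateFilter")
    # Added sanity check, not expressed in the schema: reject an inverted window.
    if start and end and start > end:
        errors.append("filterConfiguration.startDateFilter is later than endDateFilter")
    protection = cfg.get("deletionProtectionConfiguration")
    if isinstance(protection, dict):
        if not isinstance(protection.get("enableDeletionProtection"), bool):
            errors.append("enableDeletionProtection must be a boolean")
        threshold = protection.get("deletionProtectionThreshold")
        # The schema types the threshold as a string, so the integer 10 is rejected.
        if not isinstance(threshold, str) or not THRESHOLD_RE.fullmatch(threshold):
            errors.append('deletionProtectionThreshold must be a string from "1" to "100"')
    return errors


# Constructed sample values for illustration (not from the page).
GOOD = {
    "type": "MSEXCHANGEV2",
    "connectionConfiguration": {
        "secretArn": "arn:aws:secretsmanager:us-east-1:111122223333:secret:exchange-creds",
        "tenantId": "3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b",
    },
    "dataEntityConfiguration": {},
    "filterConfiguration": {"startDateFilter": "2025-06-01T00:00:00Z", "endDateFilter": "2025-07-01T00:00:00Z"},
    "deletionProtectionConfiguration": {"enableDeletionProtection": True, "deletionProtectionThreshold": "10"},
}
# Upper-case tenant ID, inverted date window, integer threshold: three separate problems.
BAD = {
    **GOOD,
    "connectionConfiguration": {**GOOD["connectionConfiguration"], "tenantId": "3F2B8C1E-5D4A-4E6F-9A7B-0C1D2E3F4A5B"},
    "filterConfiguration": {"startDateFilter": "2025-07-01T00:00:00Z", "endDateFilter": "2025-06-01T00:00:00Z"},
    "deletionProtectionConfiguration": {"enableDeletionProtection": True, "deletionProtectionThreshold": 10},
}

if __name__ == "__main__":
    print("GOOD:", validate_exchange_v2_config(GOOD))
    print("BAD:", validate_exchange_v2_config(BAD))
```

The tenant ID pattern accepts only lowercase hexadecimal, so a GUID copied in upper case must be lowercased before it is submitted.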

**Note**  
ACL crawling is available for both new and original Microsoft Exchange connector versions.

# How Amazon Q Business connector crawls Exchange ACLs
<a name="exchange-user-management"></a>

Connectors support crawling ACL and identity information where applicable based on the data source. If you index documents without ACLs, all documents are considered public. Indexing documents with ACLs ensures data security.

Amazon Q Business supports crawling ACLs for document security by default.

When you connect an Exchange data source to Amazon Q Business, Amazon Q Business crawls ACL information attached to a document (user and group information) from your Exchange instance. If you choose to activate ACL crawling, this information can be used to filter chat responses to your end user's document access level.

The Exchange group and user IDs are mapped as follows:
+ `_tenant_id` – Your Microsoft tenant ID is a globally unique identifier required to configure each connector instance. You can find your tenant ID in the properties section of your Microsoft account dashboard. 

For more information, see:
+ [Authorization](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-authorization)
+ [Identity crawler](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-concepts.html#connector-identity-crawler)
+ [Understanding User Store](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-principal-store.html)

**Note**  
Field mappings are available for the original Microsoft Exchange connector only. The new connector uses automatic field mapping.

# Microsoft Exchange data source connector field mappings
<a name="exchange-field-mappings"></a>

You can improve search results and customize your users' chat experience by mapping document attributes from your Microsoft Exchange data to fields in your Amazon Q index.

Amazon Q offers two types of attributes to map to index fields:
+ **Reserved or default** – Reserved attributes are based on document attributes that commonly occur in most data. You can use reserved attributes to map commonly occurring document attributes in your data source to Amazon Q index fields.
+ **Custom** – You can create custom attributes to map document attributes that are unique to your data to Amazon Q index fields.

When you connect Amazon Q to a data source, Amazon Q automatically maps specific data source document attributes to fields within an Amazon Q index. If a document attribute in your data source doesn't have an attribute mapping already available, or if you want to map additional document attributes to index fields, use custom field mappings to specify how a data source attribute maps to an Amazon Q index field. You create field mappings by editing your data source after your application and retriever are created.

To learn more about document attributes and how they work in Amazon Q, see [Document attributes and types in Amazon Q](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/doc-attributes.html).

**Important**  
Filtering using document attributes in chat is only supported through the API.

**Note**  
You can map any Exchange field to the document title or document body Amazon Q reserved/default index fields.

**Topics**
+ [Mails](#exchange-field-mappings-mails)
+ [Calendar](#exchange-field-mappings-calendar)
+ [Attachments](#exchange-field-mappings-attachments)
+ [OneNotes](#exchange-field-mappings-onenotes)
+ [Contacts](#exchange-field-mappings-contacts)

## Mails
<a name="exchange-field-mappings-mails"></a>


| Microsoft Exchange field name | Index field name | Description | Data type | 
| --- | --- | --- | --- | 
|  createdDateTime  |  \_created\_at  |  Default  |  Date  | 
|  lastModifiedDateTime  |  \_last\_updated\_at  |  Default  |  Date  | 
|  uri  |  \_source\_uri  |  Default  |  String  | 
|  category  |  \_category  |  Default  |  String  | 
|  bccRecipients  |  xchng\_bccRecipient  |  Custom  |  String list  | 
|  ccRecipients  |  xchng\_ccRecipient  |  Custom  |  String list  | 
|  hasAttachment  |  xchng\_hasAttachment  |  Custom  |  String  | 
|  sendDateTime  |  xchng\_sendDateTime  |  Custom  |  Date  | 
|  importance  |  xchng\_importance  |  Custom  |  String  | 
|  from  |  xchng\_from  |  Custom  |  String  | 
|  to  |  xchng\_to  |  Custom  |  String list  | 
|  receivedDateTime  |  xchng\_receivedDateTime  |  Custom  |  Date  | 
|  isRead  |  xchng\_isRead  |  Custom  |  String  | 
|  replyTo  |  xchng\_replyTo  |  Custom  |  String  | 
|  folder  |  xchng\_folder  |  Custom  |  String  | 
|  title  |  xchng\_title  |  Custom  |  String  | 
|  flagStatus  |  xchng\_flagStatus  |  Custom  |  String  | 

## Calendar
<a name="exchange-field-mappings-calendar"></a>


| Microsoft Exchange field name | Index field name | Description | Data type | 
| --- | --- | --- | --- | 
|  location  |  xchng\_location  |  Custom  |  String  | 
|  organizer  |  xchng\_organizer  |  Custom  |  String  | 
|  subject  |  xchng\_subject  |  Custom  |  String  | 
|  weblink  |  \_source\_uri  |  Default  |  String  | 
|  createdDateTime  |  \_created\_at  |  Default  |  Date  | 
|  lastModifiedDateTime  |  \_last\_updated\_at  |  Default  |  Date  | 
|  eventStartTime  |  xchng\_eventStartTime  |  Default  |  Date  | 
|  eventEndTime  |  xchng\_eventEndTime  |  Default  |  Date  | 
|  attendees  |  xchng\_attendees  |  Custom  |  String  | 
|  recurrence  |  xchng\_Recurrence  |  Custom  |  String  | 
|  category  |  \_category  |  Default  |  String  | 
|  isReminderOn  |  xchng\_isReminderOn  |  Custom  |  String  | 
|  sensitivity  |  xchng\_sensitivity  |  Custom  |  String  | 
|  isOnlineMeeting  |  xchng\_isOnlineMeeting  |  Custom  |  String  | 
|  seriesMasterId  |  xchng\_seriesMasterId  |  Custom  |  String  | 
|  isCancelled  |  xchng\_isCancelled  |  Custom  |  String  | 

## Attachments
<a name="exchange-field-mappings-attachments"></a>


| Microsoft Exchange field name | Index field name | Description | Data type | 
| --- | --- | --- | --- | 
|  title  |  xchng\_title  |  Custom  |  String  | 
|  lastModifiedDateTime  |  \_last\_updated\_at  |  Default  |  Date  | 
|  category  |  \_category  |  Default  |  String  | 
|  contentType  |  \_file\_type  |  Default  |  String  | 
|  size  |  xchng\_size  |  Custom  |  String  | 
|  url  |  \_source\_uri  |  Default  |  String  | 

## OneNotes
<a name="exchange-field-mappings-onenotes"></a>


| Microsoft Exchange field name | Index field name | Description | Data type | 
| --- | --- | --- | --- | 
|  isShared  |  xchng\_isShared  |  Custom  |  String  | 
|  link  |  xchng\_links  |  Custom  |  String  | 
|  title  |  xchng\_title  |  Custom  |  String  | 
|  lastUpdatedBy  |  xchng\_lastUpdatedBy  |  Custom  |  String  | 
|  lastModifiedDateTime  |  \_last\_updated\_at  |  Default  |  Date  | 
|  createdDateTime  |  \_created\_at  |  Default  |  Date  | 
|  category  |  \_category  |  Default  |  String  | 
|  createdBy  |  xchng\_createdBy  |  Custom  |  String  | 
|  userRole  |  xchng\_useRole  |  Custom  |  String  | 

## Contacts
<a name="exchange-field-mappings-contacts"></a>


| Microsoft Exchange field name | Index field name | Description | Data type | 
| --- | --- | --- | --- | 
|  contactName  |  xchng\_contactName  |  Custom  |  String  | 
|  emailAddress  |  xchng\_email  |  Custom  |  String  | 
|  companyName  |  xchng\_companyName  |  Custom  |  String  | 
|  manager  |  xchng\_manager  |  Custom  |  String  | 
|  jobTitle  |  xchng\_jobtitle  |  Custom  |  String  | 
|  location  |  xchng\_officeLocation  |  Custom  |  String  | 
|  mobilePhone  |  xchng\_mobile  |  Custom  |  String  | 
|  birthday  |  xchng\_birthday  |  Custom  |  Date  | 
|  homeAddress  |  xchng\_homeAddress  |  Custom  |  String  | 
|  businessAddress  |  xchng\_businessAddress  |  Custom  |  String  | 
|  department  |  xchng\_department  |  Custom  |  String  | 
|  profession  |  xchng\_profession  |  Custom  |  String  | 
|  createdAt  |  \_created\_at  |  Default  |  Date  | 
|  category  |  \_category  |  Default  |  String  | 
|  url  |  \_source\_uri  |  Custom  |  String  | 

# IAM role for Microsoft Exchange connector
<a name="exchange-iam-role"></a>

**Note**  
This section applies to both new and original Microsoft Exchange connector versions.

If you use the AWS CLI or an AWS SDK, you must create an AWS Identity and Access Management (IAM) policy before you create an Amazon Q resource. When you call the [CreateDataSource](https://docs.aws.amazon.com/amazonq/latest/api-reference/API_CreateDataSource.html) operation, you provide the Amazon Resource Name (ARN) of the role with the policy attached.

If you use the AWS Management Console, you can create a new IAM role in the Amazon Q console or use an existing IAM role.

To learn more about IAM roles, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) in the *AWS Identity and Access Management User Guide*.

To connect your data source connector to Amazon Q, you must give Amazon Q an IAM role that has the following permissions:
+ Permission to access the `BatchPutDocument` and `BatchDeleteDocument` operations to ingest documents.
+ Permission to access the [User Store](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connector-principal-store.html) API operations to ingest user and group access control information from documents.
+ Permission to access your AWS Secrets Manager secret to authenticate your data source connector instance.
+ **(Optional)** If you're using Amazon VPC, permission to access your Amazon VPC.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAmazonQToGetSecret",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
      ]
    },
    {
      "Sid": "AllowsAmazonQToDecryptSecret",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "secretsmanager.*.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToIngestDocuments",
      "Effect": "Allow",
      "Action": [
        "qbusiness:BatchPutDocument",
        "qbusiness:BatchDeleteDocument"
      ],
      "Resource": [
        "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}",
        "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}/index/{{index_id}}"
      ]
    },
    {
      "Sid": "AllowsAmazonQToIngestPrincipalMapping",
      "Effect": "Allow",
      "Action": [
        "qbusiness:PutGroup",
        "qbusiness:CreateUser",
        "qbusiness:DeleteGroup",
        "qbusiness:UpdateUser",
        "qbusiness:ListGroups"
      ],
      "Resource": [
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}",
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}",
        "arn:aws:qbusiness:{{region}}:{{account_id}}:application/{{application_id}}/index/{{index_id}}/data-source/*"
      ]
    },
    {
      "Sid": "AllowsAmazonQToCreateAndDeleteNI",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": [
        "arn:aws:ec2:{{region}}:{{account_id}}:subnet/[[subnet_ids]]",
        "arn:aws:ec2:{{region}}:{{account_id}}:security-group/[[security_group]]"
      ]
    },
    {
      "Sid": "AllowsAmazonQToCreateAndDeleteNIForSpecificTag",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/AMAZON_Q": "qbusiness_{{account_id}}_{{application_id}}_*"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "AMAZON_Q"
          ]
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToCreateTags",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "CreateNetworkInterface"
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToCreateNetworkInterfacePermission",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterfacePermission"
      ],
      "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/AMAZON_Q": "qbusiness_{{account_id}}_{{application_id}}_*"
        }
      }
    },
    {
      "Sid": "AllowsAmazonQToDescribeResourcesForVPC",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:DescribeVpcs",
        "ec2:DescribeRegions",
        "ec2:DescribeNetworkInterfacePermissions",
        "ec2:DescribeSubnets"
      ],
      "Resource": "*"
    }
  ]
}
```

**To allow Amazon Q to assume a role, you must also use the following trust policy:**

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsAmazonQServicePrincipal",
      "Effect": "Allow",
      "Principal": {
        "Service": "qbusiness.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "{{source_account}}"
        },
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:qbusiness:{{region}}:{{source_account}}:application/{{application_id}}"
        }
      }
    }
  ]
}
```
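
The conditions in the trust policy above limit role assumption to one Amazon Q Business application in one account. The following check is an added example, not AWS code: it flags a trust policy in which those conditions are missing or use wildcards. The account ID, application ARN, and function names are constructed for illustration.

```python
SERVICE = "qbusiness.amazonaws.com"


def _as_list(value):
    """IAM allows a scalar or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_values(statement, operators, key):
    """Values of a condition key under the given operators (names are case-insensitive)."""
    values = []
    for operator, block in statement.get("Condition", {}).items():
        if operator.lower() not in operators:
            continue
        for cond_key, cond_value in block.items():
            if cond_key.lower() == key.lower():
                values.extend(_as_list(cond_value))
    return values


def _is_scoped_application_arn(arn, account_id):
    """True for arn:<partition>:qbusiness:<region>:<account_id>:application/<id>, no wildcards."""
    parts = arn.split(":", 5)
    return (
        len(parts) == 6
        and parts[0] == "arn"
        and parts[2] == "qbusiness"
        and parts[4] == account_id
        and parts[5].startswith("application/")
        and "*" not in arn
        and "?" not in arn
    )


def lint_trust_policy(policy, account_id):
    """Return findings for statements that let qbusiness.amazonaws.com assume the role."""
    findings = []
    seen = False
    for statement in _as_list(policy.get("Statement", [])):
        principal = statement.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if statement.get("Effect") != "Allow" or SERVICE not in services:
            continue
        if "sts:AssumeRole" not in _as_list(statement.get("Action", [])):
            continue
        seen = True
        sid = statement.get("Sid", "<no Sid>")
        accounts = _condition_values(statement, {"stringequals"}, "aws:SourceAccount")
        if accounts != [account_id]:
            findings.append(f"{sid}: aws:SourceAccount is not pinned to {account_id}")
        # ArnEquals and ArnLike both honour wildcards, so the value itself is inspected.
        arns = _condition_values(statement, {"arnequals", "arnlike"}, "aws:SourceArn")
        if not arns or not all(_is_scoped_application_arn(a, account_id) for a in arns):
            findings.append(f"{sid}: aws:SourceArn is not pinned to one application ARN")
    if not seen:
        findings.append(f"no statement allows {SERVICE} to call sts:AssumeRole")
    return findings


def _sample_trust_policy(condition):
    """Build a constructed trust policy shaped like the one above."""
    statement = {"Sid": "AllowsAmazonQServicePrincipal", "Effect": "Allow",
                 "Principal": {"Service": SERVICE}, "Action": "sts:AssumeRole"}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


# Constructed sample values (not from the page).
ACCOUNT = "111122223333"
APP_ARN = f"arn:aws:qbusiness:us-east-1:{ACCOUNT}:application/example-app-id"
PINNED = _sample_trust_policy(
    {"StringEquals": {"aws:SourceAccount": ACCOUNT}, "ArnEquals": {"aws:SourceArn": APP_ARN}})
UNCONDITIONED = _sample_trust_policy(None)
WILDCARD_APP = _sample_trust_policy(
    {"StringEquals": {"aws:SourceAccount": ACCOUNT},
     "ArnLike": {"aws:SourceArn": f"arn:aws:qbusiness:*:{ACCOUNT}:application/*"}})

if __name__ == "__main__":
    for name, policy in (("pinned", PINNED), ("unconditioned", UNCONDITIONED), ("wildcard", WILDCARD_APP)):
        print(name, lint_trust_policy(policy, ACCOUNT))
```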

For more information on Amazon Q data source connector IAM roles, see [IAM roles for Amazon Q data source connectors](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/iam-roles.html#iam-roles-ds).

# Understand error codes in the Microsoft Exchange connector
<a name="exchange-error-codes"></a>

The following table provides information about error codes you may see for the Microsoft Exchange connector and suggested resolutions.


| Error code | Error message | Suggested resolution | 
| --- | --- | --- | 
| MSE-5101 | Exception occurred while validating the configurations. | Error occurred while validating the configurations. Verify the configurations and try again. | 
| MSE-5102 | Invalid clientId pattern. | Error occurred while validating the configurations. Verify the configurations and try again. | 
| MSE-5103 | ClientSecret Over maximum length. | Error occurred while validating the configurations. Verify the configurations and try again. | 
| MSE-5104 | Enter valid credentials. Client ID should not be null or empty. | Error occurred while validating the configurations. Client ID should not be null. | 
| MSE-5105 | Enter valid credentials. Client Secret should not be null or empty. | Error occurred while validating the configurations. Client Secret should not be null. | 
| MSE-5106 | Enter valid credentials. Tenant ID should not be null or empty | Error occurred while validating the configurations. Tenant ID should not be null. | 
| MSE-5107 | The provided client ID is invalid.Please verify the client ID and try again. | The provided client ID is invalid during authentication. The connection will be unsuccessful. Provide a valid client ID.  | 
| MSE-5108 | The provided client secret is invalid. Verify the client secret and try again. | The provided client secret is invalid during authentication. The connection will be unsuccessful. Provide a valid client secret.  | 
| MSE-5109 | The provided tenant ID is invalid. Please verify the tenant ID and try again. | The provided tenant ID is invalid during authentication. The connection will be unsuccessful. Provide a valid tenant ID.  | 
| MSE-5200 | Got exception from customer while accessing the list of users. | Error occurred while fetching the list of users from Microsoft Graph API. Check logs for more details. | 
| MSE-5201 | Got exception from customer while accessing mails. | Error occurred while fetching mails from Microsoft Graph API. Check logs for more details. | 
| MSE-5202 | Got exception from customer while accessing calendar events. | Error occurred while fetching calendar events from Microsoft Graph API. Check logs for more details. | 
| MSE-5203 | Got exception from customer while accessing OneNotes. | Error occurred while fetching OneNotes from Microsoft Graph API. Check logs for more details. | 
| MSE-5204 | Got exception from customer while accessing attachments.  | Error occurred while fetching attachments from Microsoft Graph API. Check logs for more details. | 
| MSE-5205 | Got exception from customer while accessing contacts. | Error occurred while fetching contacts from Microsoft Graph API. Check logs for more details. | 
| MSE-5206 | Error occurred while retrying API requests. | Error occurred while retrying API requests to fetch data from Microsoft Graph API.  | 
| MSE-5301 | Got exception from customer while running changelog mode. | Error occurred while handling changelog token. Refer to the logs or contact the connector team for more information. | 