The email banner is an **optional** feature for Outlook monitoring. Halo will sanitize email attachments regardless of whether the banner is configured. When enabled, Storage Monitor will:

- mount an Exchange Online certificate from the `cdrplatform-secrets` secret using the key `exchange-online-cert`
- set `EXCHANGEONLINE__CertificatePath=/mnt/exchange/exchange-certificate.pfx`
- use `EXCHANGEONLINE__AppId` and `EXCHANGEONLINE__Organization` from chart configuration
- create the Exchange Online distribution group and transport rule on startup
- keep the distribution group synchronized with Outlook monitors in the background

## Prerequisites

- You have Outlook monitoring already configured for the service
- You have [registered your application with Microsoft Entra ID](/halo/registering-with-microsoft-entra-id) with the required Exchange Online permissions
- You have a `.pfx` certificate with private key for the Exchange Online app registration — see [Setup Exchange Online for the Outlook banner](/halo/storage-monitoring-banner-setup-exchange-online) for certificate creation instructions
- You know the Exchange Online app registration `AppId`
- You know the Exchange Online `Organization` value, for example `glasswall.com`
- You have version 2.4.0+ of the cdrplatform-storage-monitor Helm chart

## Deployment

Add the certificate to the existing `cdrplatform-secrets` secret in the target namespace:

```bash
# Linux-only
kubectl -n cdrplatform patch secret cdrplatform-secrets \
  --type merge \
  -p "{\"data\":{\"exchange-online-cert\":\"$(base64 -w0 < exchange-certificate.pfx)\"}}"
```

```PowerShell
# Windows-only
$tmpFile = [IO.Path]::GetTempFileName()
Set-Content -Path $tmpFile -NoNewline -Value ('{"data":{"exchange-online-cert":"' + [Convert]::ToBase64String([IO.File]::ReadAllBytes("path/to/exchange-certificate.pfx")) + '"}}')
kubectl -n cdrplatform patch secret cdrplatform-secrets --type merge --patch-file $tmpFile
Remove-Item $tmpFile
```

Then deploy or upgrade the chart:

```bash
helm upgrade --install cdrplatform-storage-monitor cdrplatform-storage-monitor -n cdrplatform \
    --set image.tag="178428" \
    --set image.registry="glasswallhub.azurecr.io" \
    --set image.pullPolicy=IfNotPresent \
    --set cloud_provider=local \
    --set ingress.tls.enabled=true \
    --set ingress.tls.domain=${domain_name} \
    --set ingress.tls.secretName=tls-secret \
    --set deployment.replicaCount=1 \
    --set configuration.DATABASE__Provider="mongo" \
    --set configuration.GRAPHAPI__TenantName="${storage_monitor_tenant_name}" \
    --set configuration.WEBHOOKS__CallbackBaseAddress="https://${domain_name}" \
    --set secretsFromRef[0].DATABASE__ConnectionString.secretName="mongodb-cdrplatform-cdrp-user" \
    --set secretsFromRef[0].DATABASE__ConnectionString.key="connectionString.standard" \
    --set configuration.ENABLE_OUTLOOK_BANNER=true \
    --set configuration.EXCHANGEONLINE__AppId="<exchange-online-app-id>" \
    --set configuration.EXCHANGEONLINE__Organization="<tenant>"
    -f cdrplatform-storage-monitor/values.yaml \
    --atomic
```

## Notes

- To disable the feature again, set `ENABLE_OUTLOOK_BANNER` back to `false` and redeploy through Helm.