
Directory Services Integration with Office 365 (Microsoft 365)

For a MailStore user to authenticate against the archive (e.g. through the Outlook add-in) with Microsoft 365 modern authentication, MailStore Server must be able to synchronize user data from Microsoft 365. That user data lives in Azure Active Directory (Azure AD). Enabling the synchronization involves many steps, but none of them is difficult. (This article is in part based on an original MailStore Server KB article.)

Registering MailStore as an App in Azure

Sign in to the Azure Portal as a Global Administrator of your Microsoft 365 tenant. Registering the app needs fewer rights, but granting tenant-wide admin consent for the application permissions configured later in this article does require such a role.

In the navigation menu (☰), select the option Azure Active Directory.


On the next page, select App registrations in the Manage section of the left navigation menu.


Select New Registration. The Register an application page appears.

In the Name field, enter a display name, e.g. MailStore. Leave the supported account type at its default (accounts in this organizational directory only, i.e. single tenant) and do not add a redirect URI yet; it is configured in a later step. Click on Register.


You are taken to the Overview page of the registered application. Keep it open; you will need the following values from it: Name, Application (client) ID and Directory (tenant) ID.

Creating Credentials in MailStore

Log on to MailStore Client as a MailStore Server administrator.

Click on Administrative Tools > Users and Archives > Directory Services.

In the Integration section, change the directory service type to Microsoft 365 (Modern Authentication).

In the Connection section, click on the button (…) next to the Credentials drop-down list.

In the Credential Manager that appears, click on Create…

In the Azure AD App Credentials dialog, enter the following information in the Settings section: Name, Application (client) ID and Directory (tenant) ID, copied from the Overview page of the app registered in Azure.

In the Authentication section, click on the drop-down button next to the Certificate text box and select Download Certificate. Save the certificate file on your hard drive. The private key stays in MailStore Server; the saved file contains only the public certificate, which is all Azure AD needs to verify MailStore's signature when it authenticates.

Confirm your entries by clicking OK.

Close the Credential Manager and select the newly created credentials from the Credentials drop-down list.

Publishing Credentials in Azure

Switch to the Azure AD app overview page in your web browser.


Select Certificates & secrets in the Manage section of the left navigation menu.

Click on Upload certificate in the Certificates section, select the certificate file you saved from MailStore and upload it to Azure AD by clicking Add.

The certificate now appears in the Certificates list with its thumbprint and expiry date. Note the expiry date: once the certificate has expired, MailStore can no longer authenticate to Azure AD, and a new certificate has to be created in the MailStore Credential Manager and uploaded here.

Configuring App Authentication in Azure

In the Azure Portal in the web browser, select Authentication in the Manage section of the left navigation menu.

Click on the Add a platform button in the Platform configurations section of the Authentication page.

Select Web in the Web applications section of the Configure platforms menu page.


In the Redirect URI field, enter the URL under which your MailStore Web Access is reachable, followed by the path /oidc/signin. The example used in this article is a MailStore Web Access published behind a reverse proxy under a URL alias; replace host name and alias with those of your own deployment:

https://archive.my-office.at/yourURLalias/oidc/signin

Azure AD requires an exact match between the registered redirect URI and the one MailStore sends (scheme, host, port and path), and it is the only address to which the ID token is delivered after sign-in, so use https and enter precisely the value you will configure in MailStore in the next step.

Enable the ID tokens option in the Implicit grant section (labelled Implicit grant and hybrid flows in newer versions of the portal). Leave Access tokens disabled; MailStore only needs the ID token to identify the signed-in user.

Click on Configure.

Configuring the Redirect URI in MailStore

Switch to the Directory Services page in the MailStore Client.

Enter the redirect URI in the corresponding field in the Authentication section. Copy the exact value you configured in Azure AD from the web browser rather than retyping it.

Configuring API Permissions in Azure

Switch again to Azure AD in your web browser.

Select API permissions in the Manage section of the left navigation menu.

Click on the Add a permission button in the Configured permissions section.


On the Request API permissions menu page, select the API Microsoft Graph in the Commonly used Microsoft APIs section.

Select the option Application permissions.

Enable the Directory > Directory.Read.All permission in the Select permissions section.

Click on Add permissions.


The permissions are updated and the Directory.Read.All permission appears in the API permissions list under Microsoft Graph.

Click on the Add a permission button in the Configured permissions section again.

On the Request API permissions menu page, select APIs my organization uses.

Search for Office 365 Exchange Online and click on the corresponding entry.


Select the option Application permissions.

Enable the full_access_as_app permission in the Select permissions section. This application permission lets MailStore access every mailbox in the tenant through Exchange Web Services without a signed-in user, which is what the archiving jobs need.

Click on Add permissions.


The permissions are updated and the full_access_as_app permission appears in the API permissions list under Office 365 Exchange Online.

Now click on the Grant admin consent for <your tenant name> button in the Configured permissions section.

Acknowledge the following notice with Yes.

The status of all granted permissions changes to Granted for <your tenant name>.

Together, Directory.Read.All and full_access_as_app allow whoever holds the MailStore certificate's private key to read the entire directory and every mailbox in the tenant without any user interaction. Treat the MailStore Server and its credential store accordingly, and do not add further permissions to this app registration.
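As an added check (this script is not part of the original article or of MailStore's own tooling), the following Microsoft Graph PowerShell script reads the app registration back and compares it with what the steps above configure: a certificate credential that is present and not about to expire, no client secrets, the Web redirect URI with ID tokens (and only ID tokens) enabled, and which application permissions have actually received admin consent. It assumes the display name MailStore and the redirect URI used in this article; both are parameters to adjust for your tenant.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications
# Added audit script for the MailStore app registration (example code, not MailStore's).
param(
    [string]$AppDisplayName = 'MailStore',   # assumption: the display name chosen during registration
    [string]$ExpectedRedirectUri = 'https://archive.my-office.at/yourURLalias/oidc/signin'  # value from this article
)

# Well-known resource application IDs; they are identical in every tenant.
$GraphAppId    = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph
$ExchangeAppId = '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online

# Read-only scope; enough to read app registrations, service principals and their consent grants.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$app = Get-MgApplication -Filter "displayName eq '$AppDisplayName'"
if (-not $app)          { throw "No app registration named '$AppDisplayName' found." }
if ($app.Count -gt 1)   { throw "Display name '$AppDisplayName' is ambiguous; filter by AppId instead." }

$findings = New-Object System.Collections.Generic.List[string]

# 1. Credentials: the uploaded MailStore certificate only, no client secrets, not expiring soon.
if ($app.PasswordCredentials.Count -gt 0) {
    $findings.Add('Client secret(s) present; this setup only needs the uploaded certificate.')
}
if ($app.KeyCredentials.Count -eq 0) {
    $findings.Add('No certificate uploaded under Certificates & secrets.')
}
foreach ($cert in $app.KeyCredentials) {
    if ($cert.EndDateTime -lt (Get-Date).AddDays(30)) {
        $findings.Add("Certificate '$($cert.DisplayName)' expires $($cert.EndDateTime.ToString('u')); create a new one in MailStore and upload it.")
    }
}

# 2. Authentication: Web platform redirect URI must match MailStore exactly; ID tokens on, access tokens off.
if ($app.Web.RedirectUris -notcontains $ExpectedRedirectUri) {
    $findings.Add("Redirect URI '$ExpectedRedirectUri' is not registered. Registered: $($app.Web.RedirectUris -join ', ')")
}
if (-not $app.Web.ImplicitGrantSettings.EnableIdTokenIssuance) {
    $findings.Add('ID tokens are not enabled under Implicit grant.')
}
if ($app.Web.ImplicitGrantSettings.EnableAccessTokenIssuance) {
    $findings.Add('Access tokens are enabled but not needed; disable them.')
}

# 3. Consent: the app roles actually assigned to the app's service principal are what count, not the
#    "configured permissions" list. Resolve role IDs to names via each resource's own service principal.
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
if (-not $sp) { throw 'Service principal missing; grant admin consent in the portal to create it.' }

$granted = @{}
foreach ($assignment in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
    $roleName = ($resource.AppRoles | Where-Object Id -eq $assignment.AppRoleId).Value
    $granted["$($resource.AppId)/$roleName"] = $true
}

$required = @{
    "$GraphAppId/Directory.Read.All"    = 'Microsoft Graph: Directory.Read.All (user synchronization)'
    "$ExchangeAppId/full_access_as_app" = 'Office 365 Exchange Online: full_access_as_app (mailbox archiving)'
}
foreach ($key in $required.Keys) {
    if (-not $granted.ContainsKey($key)) { $findings.Add("Admin consent missing for $($required[$key])") }
}
# Every extra role consented here is exercisable by whoever holds the MailStore certificate's private key.
foreach ($key in $granted.Keys) {
    if (-not $required.ContainsKey($key)) { $findings.Add("Extra application permission consented: $key") }
}

if ($findings.Count -eq 0) {
    'OK: certificate credential, ID-token-only Web redirect, Directory.Read.All and full_access_as_app consented.'
} else {
    $findings | ForEach-Object { "WARNING: $_" }
}
```

Run it from a PowerShell session with the Microsoft.Graph.Authentication and Microsoft.Graph.Applications modules installed. Application.Read.All is a delegated scope that an administrator has to consent to the first time it is requested. The script checks the service principal's app role assignments rather than the app's configured permission list on purpose: a permission can be listed under API permissions without ever having been granted, and only the assignment reflects what MailStore can actually do.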

User Synchronization

You can choose between three settings for the synchronization of users: synchronize only users with an Exchange Online license, synchronize only enabled users, or synchronize only the members of selected groups. Choose the one that fits your needs; unless your management has given specific instructions about which users to synchronize, the licensed Exchange users option is the one you want.

Click on Test settings. This verifies the credentials, the redirect URI and the permissions configured above by performing a dry run of the synchronization. Users that would be created show up in the result list with a small + sign next to their icons; nothing is changed in MailStore yet.

To synchronize, and thereby create the users, click Synchronize Now.

The users are now created automatically, together with their user properties taken from Azure AD.
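To see in advance which accounts each of the three options would pick up, the following Microsoft Graph PowerShell script (added here as an example; it is not part of the original article or of MailStore) lists the users matching each rule directly from Azure AD, so the result can be compared with what Test settings shows. It assumes that "licensed" means an enabled Exchange Online service plan on the user (the assignedPlans entry with service exchange), that "enabled users" are member accounts with accountEnabled set, and that group synchronization uses direct group members; MailStore's exact selection rules are not described on this page, and the group name Archive Users is a placeholder.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Groups
# Added preview of the three MailStore synchronization options (example code, not MailStore's).
Connect-MgGraph -Scopes 'User.Read.All', 'GroupMember.Read.All' -NoWelcome

# assignedPlans is not returned by default, so request it explicitly.
$props = 'id', 'displayName', 'userPrincipalName', 'accountEnabled', 'assignedPlans', 'userType'

function Get-LicensedExchangeUsers {
    # Assumption: "licensed" = an Exchange Online service plan (service 'exchange') that is provisioned ('Enabled').
    Get-MgUser -All -Property $props | Where-Object {
        $_.AssignedPlans | Where-Object { $_.Service -eq 'exchange' -and $_.CapabilityStatus -eq 'Enabled' }
    }
}

function Get-EnabledUsers {
    # Assumption: "enabled users" = member accounts that are not disabled; guests are left out.
    Get-MgUser -All -Property $props -Filter 'accountEnabled eq true' |
        Where-Object { $_.UserType -ne 'Guest' }
}

function Get-GroupUsers([string[]]$GroupDisplayNames) {
    foreach ($name in $GroupDisplayNames) {
        $group = Get-MgGroup -Filter "displayName eq '$name'"
        if (-not $group) { Write-Warning "Group '$name' not found"; continue }
        # Direct members only; nested groups are not expanded (assumption, see lead-in).
        Get-MgGroupMember -GroupId $group.Id -All |
            Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
            ForEach-Object { Get-MgUser -UserId $_.Id -Property $props }
    }
}

function Show-SyncPreview([string]$Label, $Users) {
    "== $Label : $(@($Users).Count) account(s)"
    $Users | Sort-Object UserPrincipalName |
        Select-Object UserPrincipalName, DisplayName, AccountEnabled |
        Format-Table -AutoSize
}

Show-SyncPreview 'Licensed Exchange Online users' (Get-LicensedExchangeUsers)
Show-SyncPreview 'Enabled (non-guest) users'      (Get-EnabledUsers)
Show-SyncPreview 'Members of selected groups'     (Get-GroupUsers -GroupDisplayNames 'Archive Users')  # placeholder group name
```

Accounts that appear here but not in the Test settings result (or the other way round) point to a difference between the assumed rule and MailStore's actual selection, or to a permission problem; disabled accounts that still hold an Exchange Online license are the usual source of surprises with the licensed-users option, because they are archived but cannot sign in.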

You are now ready to create the archiving profile for your company and set up the archiving jobs, which is covered in the next article.