First Setup: Customer with Microsoft 365
Introduction
This implementation guide covers the first setup of MailStore Cloud for customers that are using Microsoft Entra / Microsoft 365 as their directory service and mail system. The guide includes many links to help pages that provide more detailed information about various topics.
It is assumed that you received your registration information including username, password and the login URL via mail. If you did not receive this information, please contact the MailStore support.
Login
As a first step, use the credentials that were provided to you to log in to the administrative web access (“Admin Access” for short). Make sure that the URL ends in “/adminaccess”. You will notice that your username looks like a mail address, consisting of a name and a domain. The domain identifies you as a customer within MailStore Cloud. It cannot be used outside of MailStore Cloud, i.e. you cannot send mails to it or open it in your browser. In the screenshot below, you can see the username for a customer with the customer name “democustomer”.
Admin Access at a Glance
After you have successfully logged in, you will see the dashboard of the Admin Access. It presents you with basic information about your tenant and points out inconsistencies in your configuration. You should check the dashboard from time to time to make sure everything is working smoothly.
The main menu of the Admin Access on the left provides access to both configurations and the process log. During this first setup, only a few of the sections of the Admin Access will be needed.
Setting up Microsoft Entra
Create a Secret in MailStore Cloud
To add a secret:
- In Admin Access, navigate to Secrets and then click Add secret. The Create Secret section will appear.
- Fill in the Description text box.
- In the Type dropdown menu, select Certificate.
- To create a new source, make sure Create self-signed certificate is selected. Once the secret is saved, the public key can be downloaded.
- If an existing, self-signed certificate is to be imported for the source, a password will be needed and the .pfx file will need to be imported. Select the … button to upload the existing file.
Start creating a Directory Service Configuration in MailStore Cloud
- In the Admin Access, navigate to Directory Service.
- Select Add directory service.
- Enter a name in the required Name text box.
- Select “Microsoft Entra ID” as type.
- Use the “Copy” button to copy the “OpenID Redirect URI” to your clipboard.
- Leave the dialog open while configuring Microsoft Entra.
Create Application in Microsoft Entra
- Open the Entra admin portal at https://entra.microsoft.com/.
- Navigate to Identity and select Applications, then App registrations.
- Choose New registration.
- Enter a name in the text box.
- Select Web as the redirect URL type and use the value from your clipboard as the URL.
- Click Register to continue.
- On the Overview page, select the Redirect URLs.
- A new page will appear for Platform Configurations.
- Two options are given for the tokens you would like to be issued by the authorization endpoint. Make sure the ID tokens checkbox is selected.
- Select Save and navigate back to Overview.
- Under Client credentials in Essentials, select Add a certificate or secret.
- A new page will appear. Select the Certificates tab.
- Click on Upload certificate.
- Select the public key that was downloaded from Admin Access in the prior section, “Create a Secret in MailStore Cloud”.
- Select Upload to continue.
- Next, navigate to API permissions.
- Select Add a permission.
- Click on Microsoft Graph, select Application permissions and Directory.
- Choose Directory.Read.All.
- Add permission.
- Select Add a permission.
- Click on Microsoft Graph, select Application permissions and Mail.
- Choose Mail.ReadWrite.
- Add permission.
- Select Add a permission.
- Click on Microsoft Graph, select Application permissions and MailboxSettings.
- Choose MailboxSettings.Read.
- Add permission.
- Select Grant admin consent for your tenant.
You have now successfully configured an app registration in Microsoft Entra ID and can continue with the configuration in MailStore Admin Access. Keep the Entra ID overview page open, as you will need to copy values from there later.
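The three permissions granted above are application permissions, which apply to every mailbox in the tenant, so the app registration should request exactly those three and nothing else. The following script is an added example (not MailStore or Microsoft code) that audits the JSON manifest of an app registration, as downloaded from the registration's Manifest page, against that expected set. The Microsoft Graph application id used as resourceAppId is the real well-known value; the permission GUIDs in the sample catalogue and sample manifests are constructed placeholders, and a real audit would take the id-to-name mapping from the Microsoft Graph service principal's appRoles list.

```python
import json

# Well-known application id of the Microsoft Graph service principal (real value).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Application permissions the guide asks for; nothing more should be requested.
EXPECTED_APP_PERMISSIONS = {"Directory.Read.All", "Mail.ReadWrite", "MailboxSettings.Read"}

# Constructed excerpt of the Graph service principal's appRoles catalogue
# (role id -> permission name). These ids are placeholders, not the real ones;
# fetch the real list from the Graph service principal before auditing.
APP_ROLE_CATALOGUE = {
    "11111111-0000-0000-0000-000000000001": "Directory.Read.All",
    "11111111-0000-0000-0000-000000000002": "Mail.ReadWrite",
    "11111111-0000-0000-0000-000000000003": "MailboxSettings.Read",
    "11111111-0000-0000-0000-000000000004": "Mail.Read",
    "11111111-0000-0000-0000-000000000005": "Directory.ReadWrite.All",
}


def audit_manifest(manifest: dict) -> dict:
    """Compare the Graph permissions requested in an app registration manifest
    with the set this guide requires.

    Returns 'missing' (required but absent), 'extra' (application permissions
    beyond the required set), 'delegated' (ids of any delegated 'Scope' entries,
    which the guide never asks for) and an 'ok' flag that is True only when the
    request is exactly the expected application permissions.
    """
    requested, delegated = set(), set()
    for resource in manifest.get("requiredResourceAccess", []):
        if resource.get("resourceAppId") != GRAPH_APP_ID:
            continue  # permissions on other APIs are out of scope for this check
        for access in resource.get("resourceAccess", []):
            if access.get("type") == "Role":
                # Unknown ids are reported verbatim so they still show up as 'extra'.
                requested.add(APP_ROLE_CATALOGUE.get(access["id"], access["id"]))
            else:
                delegated.add(access["id"])
    missing = EXPECTED_APP_PERMISSIONS - requested
    extra = requested - EXPECTED_APP_PERMISSIONS
    return {
        "missing": missing,
        "extra": extra,
        "delegated": delegated,
        "ok": not missing and not extra and not delegated,
    }


def load_manifest(path: str) -> dict:
    """Read a manifest JSON file as downloaded from the Entra admin portal."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample: exactly the three application permissions from the guide.
SAMPLE_MANIFEST_OK = {
    "displayName": "MailStore Cloud (constructed sample)",
    "requiredResourceAccess": [
        {
            "resourceAppId": GRAPH_APP_ID,
            "resourceAccess": [
                {"id": "11111111-0000-0000-0000-000000000001", "type": "Role"},
                {"id": "11111111-0000-0000-0000-000000000002", "type": "Role"},
                {"id": "11111111-0000-0000-0000-000000000003", "type": "Role"},
            ],
        }
    ],
}

# Constructed sample: over-scoped with a write permission and a delegated scope.
SAMPLE_MANIFEST_OVERSCOPED = {
    "displayName": "MailStore Cloud (constructed over-scoped sample)",
    "requiredResourceAccess": [
        {
            "resourceAppId": GRAPH_APP_ID,
            "resourceAccess": [
                {"id": "11111111-0000-0000-0000-000000000001", "type": "Role"},
                {"id": "11111111-0000-0000-0000-000000000002", "type": "Role"},
                {"id": "11111111-0000-0000-0000-000000000003", "type": "Role"},
                {"id": "11111111-0000-0000-0000-000000000005", "type": "Role"},
                {"id": "22222222-0000-0000-0000-000000000001", "type": "Scope"},
            ],
        }
    ],
}

if __name__ == "__main__":
    for sample in (SAMPLE_MANIFEST_OK, SAMPLE_MANIFEST_OVERSCOPED):
        print(sample["displayName"], audit_manifest(sample))
```

Run the audit again after every change to the app registration; the "Grant admin consent" step consents to whatever is requested at that moment, so any extra permission that slips in later is consented tenant-wide just the same.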
Configure Directory Service and Access Rights in MailStore Cloud
Continue creating a Directory Service Configuration
Go back to the “Create Directory Service” dialog in MailStore Cloud.
- From the Microsoft Entra ID Overview page, copy the Application (client) ID and paste it into the Application ID text box.
- From the same Microsoft Entra ID Overview page, copy the Directory (tenant) ID and paste it into the Tenant ID text box.
- In the Credentials field, import the credentials created in the Create a Secret section of this article.
- Keep the checkbox “Create archiving and folder synchronization configuration” checked.
- When all mandatory properties are filled you can click on the Test Connection button to test the given configuration. A new dialog will open and show the result of the connection test.
- Click Save.
Create a Schedule to run the Directory Service Synchronization
To create a Schedule to run the Directory Service Synchronization:
- In the Directory Services tab, select the clock icon under Actions on the previously created directory service configuration.
- Select the recurrence for the schedule. Note: the directory service synchronization should be executed periodically.
- Save the configuration.
- The schedule should now be executed at your selected timeframe. A log for the execution can be found in the Process Log tab in Compliance.
The directory service synchronization will synchronize the following data:
- Domains
- Mailboxes
- Users
- Groups
Synchronized domains can be found under the Domains tab in User Management.
Configure a group to grant access to Web Access
To enable the users to have access to their archive you need to add the Reader role to the user through a group permission.
To configure a group to grant access:
- Navigate to the Groups tab in User Management.
- Select a group containing all users who need access to Web Access. If this has not been created yet, create a new group and add those users.
- Edit the group’s permissions by selecting the wrench icon.
- Select the Reader role and click Save.
After adding the “Reader” role it should be possible for the synchronized users to log in to Web Access.
Adding the “Admin” role to a synchronized user
The Admin role should be given to at least one of the synchronized users so they can gain access to the Admin Access.
To grant a user access to Admin Access:
- Navigate to Groups in the User Management section.
- Select a group containing the users who need access to Admin Access. If it has not been created yet, a new group can be made with the list of users.
- Edit the group’s permissions by selecting the wrench icon.
- Select the admin role and click
The synchronized admin user should now be able to log out and log in to Admin Access. The provisioned (not synchronized) admin user can then be deleted.
Configure Archiving and Folder Synchronization
Create a Journaling Endpoint
Journaling is used to push emails from the mailing system (in this case Microsoft 365) directly into the archive.
To create a Journaling endpoint:
- Navigate to the Journal Endpoints tab in the Archiving section.
- Select Add journal endpoints.
- Enter a name in the Name text field.
- Select a journaling mailbox. Note: You should create a new mailbox in MailStore Cloud that is used only for journaling.
- If not done so already, a new mailbox can be created directly from the Select Mailbox dialog by clicking the + button.
- The journal endpoint dialog should now look like this:
- Select Save. The confirmation will stay open and show an “SMTP address” entry that can be copied. This address is used later in the Microsoft 365 configuration to set up email journaling.
- Sign in to the Microsoft 365 Purview portal as an Exchange or Global Administrator for your Microsoft 365 tenant.
- In the left navigation menu select Settings.
- In the Settings submenu that appears, select Data Lifecycle Management and then select Exchange (legacy), or use this link.
- From there, click on Journal rules and then New rule.
- In “Send journal reports to” enter the SMTP Address you copied in one of the previous steps.
- Enter a name in the Journal rule name text field.
- Select a preference for Journal messages sent or received from.
- Select a preference for Type of message to journal.
- Click Next to review and submit the configuration in the next step.
Emails sent and received from now on should be journaled to MailStore Cloud and archived automatically. To archive already existing emails, you need to configure Mailbox archiving and run it once.
Note: If Non-Delivery Reports (NDRs) containing the X-MS-Exchange-Message-Is-Ndr mail header are sent to a journal endpoint, only the attached mail or journal report will be archived.
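To make the NDR behaviour above concrete, here is an added example (not MailStore code) written with Python's standard email library. It constructs a sample journal report carrying the X-MS-Exchange-Message-Is-Ndr header with the original mail attached as message/rfc822, and models the archiving decision described in the note: when the header is present, only the attached message is kept; otherwise the report itself is kept. All addresses, subjects and bodies are constructed sample data; the layout of the report is a simplified stand-in, not a real Exchange journal report.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

NDR_HEADER = "X-MS-Exchange-Message-Is-Ndr"


def build_sample_original() -> EmailMessage:
    """Constructed sample of a mail that was handled by the journal rule."""
    original = EmailMessage()
    original["From"] = "alice@democustomer.example"      # constructed
    original["To"] = "bob@democustomer.example"          # constructed
    original["Subject"] = "Quarterly report"
    original.set_content("Please find the quarterly figures attached.")
    return original


def build_journal_report(original: EmailMessage, is_ndr: bool) -> bytes:
    """Constructed, simplified stand-in for a journal report: a short text
    envelope with the original message attached as message/rfc822. When
    is_ndr is True the NDR marker header from the note is added."""
    report = EmailMessage()
    report["From"] = "journal@democustomer.example"             # constructed
    report["To"] = "journal-endpoint@mailstore.example"         # constructed
    report["Subject"] = "Journal report"
    if is_ndr:
        report[NDR_HEADER] = "True"
    report.set_content("Sender: alice@democustomer.example\nRecipient: bob@democustomer.example")
    report.add_attachment(original)  # stored as a message/rfc822 attachment
    return report.as_bytes()


def select_message_to_archive(raw: bytes) -> EmailMessage:
    """Return the message the endpoint would archive for a received report.

    Mirrors the note: a report flagged with X-MS-Exchange-Message-Is-Ndr is
    reduced to its attached message/rfc822 part; any other report is archived
    as received. A flagged report without such a part falls back to the report.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if msg.get(NDR_HEADER) is None:
        return msg
    for part in msg.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()  # the inner EmailMessage
    return msg


if __name__ == "__main__":
    for flagged in (False, True):
        raw = build_journal_report(build_sample_original(), is_ndr=flagged)
        kept = select_message_to_archive(raw)
        print(f"NDR header present: {flagged} -> archived subject: {kept['Subject']}")
```

The practical consequence for an administrator is that a journaled NDR never appears in the archive under the report's own subject; searching for the original mail's subject or sender is what finds it.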
Create an Archiving Profile
To create an Archiving profile:
- Navigate to Archiving Profiles in the Archiving section.
- Select Add archiving profile.
- Enter a name in the required Name text field.
- Select Exchange Online in the Type dropdown menu.
- For the mode, select Multiple mailboxes.
- Select the directory service that was set up in the prior section: Start creating a Directory Service Configuration in MailStore Cloud.
- The same Application ID and Tenant ID from prior steps should also be used.
- Click Save.
Create a Schedule to run the Archiving Profile
To create a schedule to run the Archiving Profile:
- In the Archiving profile list, click on the clock icon on the previously created archiving configuration.
- Select the recurrence. Note: For Journaling, archiving must only be executed once. A schedule with the Once recurrence must always be timed at least 1 minute in the future for it to be executed.
- Save the configuration.
The schedule should now be executed at your selected timeframe. A log for the execution can be found in the Process Log tab in the Compliance section.
A schedule can also be created and edited in the Schedules tab under the Archiving section. After the successful completion of the archiving schedule, the schedule and archiving configuration can be deleted.
Create a Folder Synchronization Configuration
To create a folder synchronization configuration:
- Navigate to Folder Synchronizations in the Archiving section.
- Click Add folder synchronization.
- Enter a name in the required Name text field.
- Select Exchange Online in the Type dropdown menu.
- For Mode, select Multiple Mailboxes.
- Select the directory service from the prior section: Start creating a Directory Service Configuration in MailStore Cloud
- Use the same Application ID, Tenant ID, and credentials that were used in the prior steps.
- Select an option for Delete in Mailbox. Delete in Mailbox will delete emails from the source mailbox once they have been archived and the folder synchronization has run successfully. The default setting in the dropdown is Never delete.
- You can also choose to run a directory service synchronization before the folder synchronization to refresh the users and groups. With that option you do not need a separate schedule for the directory service synchronization. This option is disabled by default.
- Click Save.
Create a Schedule to run the Folder Synchronization
- In the Folder Synchronizations list, click on the clock icon on the previously created folder synchronization configuration.
- Select the recurrence. The folder synchronization should be executed periodically.
- Save the configuration.
The schedule should now be executed at your selected timeframe. You can find a log for the execution in the Process Log tab in the Compliance section.
A schedule can also be created or edited in the Schedules tab in the Archiving section.
Log in to Web Access
You should now be able to log in to Web Access with any of your synchronized users (from your synchronized domain).
Compliance
You could now continue by setting up compliance rules for your archive.