Archiving Emails from Microsoft 365 - Modern Authentication
This implementation guide covers the specifics of archiving Exchange Online / Microsoft 365 mailboxes. It is assumed that you already have a MailStore Server installation or test installation and are familiar with the fundamentals of MailStore Server. Please refer to the Manual or the Quick Start Guide for more information.
MailStore Server offers several ways to archive emails from Exchange Online / Microsoft 365 mailboxes, which are described below. If you are not sure which archiving method best suits your company, please refer to the chapter Choosing the Right Archiving Strategy.
Our Tech Tip video shows the essential configuration steps in this article.
- If you have archived emails from an Exchange server and synchronized users from an Active Directory until now, follow the article Changing Archiving from Microsoft Exchange Server to Microsoft 365.
- MailStore Server supports archiving emails from Microsoft 365 in the global Microsoft Cloud and from Office 365 operated by 21Vianet. Other environments such as GCC, GCC High or DoD are not supported.
- For better readability, the terms Microsoft 365 and Exchange Online are used interchangeably hereinafter instead of Exchange Online / Microsoft 365.
App Registration & User Synchronization
Before archiving Microsoft 365 mailboxes, registering MailStore Server in your Microsoft 365 tenant is required. It is also highly recommended to synchronize users in MailStore Server directly with that tenant to fetch all information that is relevant for archiving such as email addresses. The registration and synchronization procedures are described in the chapter Synchronizing User Accounts with Microsoft 365 (Modern Authentication) of the MailStore Server manual.
Please note: MailStore Server runs as a Windows service and thus must use Application Permissions to access user mailboxes in Microsoft 365. By design of the Microsoft identity platform, which is at the heart of Microsoft 365 authentication and authorization, an application permission carries the full level of privileges implied by that permission. As a consequence, once registered as described above, MailStore Server has access to all mailboxes in your Microsoft 365 tenant. Therefore, for security reasons, access to the Microsoft 365 archiving profiles in MailStore Server is limited to MailStore Server administrators.
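To check what kind of access a token issued to a registered application actually carries, the following added example (not part of MailStore Server or its documentation) inspects the claims of an access token and reports whether it is app-only and which tenant-wide mailbox roles it holds. The tokens are constructed and unsigned, the role names in `TENANT_WIDE_MAIL_ROLES` are application permissions that exist on the Microsoft identity platform, and which of them your registration holds is an assumption to verify in your own tenant.

```python
import base64
import json

# App-role names that grant access to every mailbox in a tenant. They exist on
# the Microsoft identity platform; which ones a given registration holds is an
# assumption to verify against your own tenant.
TENANT_WIDE_MAIL_ROLES = {"full_access_as_app", "Mail.Read", "Mail.ReadWrite"}


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url as used in JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_constructed_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT so the example runs offline."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed"


def classify_token(jwt: str) -> dict:
    """Inspect (not verify) a token: app-only or delegated, and mailbox reach."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    roles = claims.get("roles") or []           # application permissions
    scopes = (claims.get("scp") or "").split()  # delegated permissions
    if scopes:
        kind = "delegated"      # acts as a signed-in user, bounded by that user
    elif roles:
        kind = "application"    # acts as itself, no user context to bound it
    else:
        kind = "unknown"
    tenant_wide = sorted(set(roles) & TENANT_WIDE_MAIL_ROLES) if kind == "application" else []
    return {
        "kind": kind,
        "audience": claims.get("aud"),
        "roles": sorted(roles),
        "tenant_wide_mail_roles": tenant_wide,
    }


# Constructed sample tokens (placeholder identifiers, no real tenant data).
CONSTRUCTED_APP_TOKEN = make_constructed_token({
    "aud": "https://outlook.office365.com",
    "appid": "00000000-0000-0000-0000-000000000000",
    "roles": ["full_access_as_app"],
})
CONSTRUCTED_DELEGATED_TOKEN = make_constructed_token({
    "aud": "https://outlook.office365.com",
    "upn": "user@example.com",
    "scp": "Mail.Read User.Read",
})

if __name__ == "__main__":
    for token in (CONSTRUCTED_APP_TOKEN, CONSTRUCTED_DELEGATED_TOKEN):
        print(classify_token(token))
```

A token classified as `application` with a non-empty `tenant_wide_mail_roles` list is not limited to one user's mailbox, which is why the credentials stored for the registration deserve the same protection as an administrator account.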
In Microsoft 365, shared mailboxes are special mailboxes that multiple users have access to. Unlike a normal mailbox, a shared mailbox is not associated with a licensed Microsoft 365 user. For MailStore Server to create user entries for shared mailboxes, you must therefore deactivate the option Synchronize licensed Microsoft Exchange Online users only in the section User Database Synchronization.
After synchronization you can grant MailStore Server users access to the archive of the shared mailbox by assigning privileges. For archiving shared mailboxes, just proceed as for individual or multiple mailboxes as detailed below.
Archiving Individual Microsoft 365 Mailboxes
In MailStore Server, Microsoft 365 archiving tasks are stored in archiving profiles. By following the procedure described here, you can archive a single Microsoft 365 mailbox for a specific MailStore user. The archiving process can be executed manually or automatically. You can find further information about executing archiving profiles in the chapter Email Archiving with MailStore Basics.
For each mailbox, please proceed as follows:
- Log on to MailStore Client as MailStore Server administrator.
- Click on Archive Email.
- From the Email Servers list in the Create Profile area of the Archive Email page, select Microsoft 365 or Microsoft 365 (21Vianet) to create a new archiving profile.
- A wizard opens to assist in specifying the archiving settings.
- Select Single Mailbox and click on OK.
- Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the Credentials drop-down list. You can also use the button (…) to access the Credential Manager.
- In the Mailbox field, enter the primary email address of the user whose mailbox you want to archive.
- Click on Test to verify that MailStore Server can access the mailbox.
- Click on Next.
- If needed, adjust the settings for the List of Folders to be Archived, the filter and the Deletion Rules. By default, no emails will be deleted from the mailbox. The Timeout value only has to be adjusted in specific cases (e.g. with very slow network connections).
- Click on Next to continue.
- Select the archive of the user for whom the selected mailbox is to be archived. If the user does not exist yet, click on Create a New User….
- Click on Next.
- In the last step, a name for the archiving profile can be specified. After clicking Finish, the archiving profile will be listed under Saved Profiles and, if desired, can be run immediately or automatically.
More information on how to execute archiving profiles can be found under the topic Email Archiving with MailStore Basics.
Archiving Multiple Microsoft 365 Mailboxes Centrally
With MailStore, some or all Microsoft 365 mailboxes can be archived in a single step.
Please proceed as follows:
- Log on to MailStore Client as MailStore Server administrator.
- Click on Archive Email.
- From the Email Servers list in the Create Profile area of the Archive Email page, select Microsoft 365 or Microsoft 365 (21Vianet) to create a new archiving profile.
- A wizard opens to assist in specifying the archiving settings.
- Select Multiple Mailboxes and click OK.
Please note: To be able to archive multiple mailboxes, MailStore Server users along with their email addresses must exist in the MailStore Server user management. If this is not the case, MailStore Server will offer to set up and run the directory synchronization at this point. Once completed, the wizard will resume.
Alternatively, you can cancel the wizard and create users manually as described in the chapter User Management.
- Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the Credentials drop-down list. You can also use the button (…) to access the Credential Manager.
- Click on Next to continue.
- If needed, adjust the settings for the List of Folders to be Archived, the filter and the Deletion Rules. By default, no emails will be deleted from the mailbox. The Timeout value only has to be adjusted in specific cases (e.g. with very slow network connections). Please keep in mind that these settings apply to all mailboxes to be archived, as specified in the next step.
- Select the users whose mailboxes are to be archived.
- The following options are available:
- All users with configured email address
Choose this option to archive the mailboxes of all users who are set up, along with their email addresses, in MailStore's user management.
- All users except the following
Choose this option to exclude individual users (and thereby their Microsoft 365 mailboxes) from the archiving process, using the list of users below.
- Only the following users
Choose this option to include individual users (and thereby their Microsoft 365 mailboxes) in the archiving process, using the list of users below. Only the mailboxes of those users explicitly specified will be archived.
- Synchronize with Directory Services before archiving
If selected, the MailStore user list will be synchronized with the configured directory service before any archiving process is executed. This has the advantage that, for example, new employees will be created as MailStore users before archiving, so once the archiving process is executed, their Microsoft 365 mailbox is archived automatically as well. This option is especially recommended when the archiving process is to be executed automatically.
- Click on Next.
- In the last step, a name for the archiving profile can be specified. After clicking Finish, the archiving profile will be listed under Saved Profiles and can be run immediately or automatically, if desired.
Archiving Incoming and Outgoing Emails Directly
Together with the Exchange Online journal function, MailStore can archive the incoming and outgoing emails of all users automatically. This is the only way to ensure that all emails are archived entirely.
Basic Functionality
The Exchange Online journal function makes it possible to record all incoming, outgoing and internal email traffic. At the time of sending and receiving, a copy of the respective email is created by Exchange Online. The copy is then attached to a so-called journal report and stored in a special journal mailbox. The journal report contains information about the actual senders and recipients; Exchange Online also resolves BCC recipients and distribution lists.
With the corresponding archiving profile, MailStore can archive the journal mailbox automatically. During this process, MailStore parses the information in the journal reports and assigns the emails to their respective MailStore archives. Therefore, even with journal archiving, all users have access to their own emails only.
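The following added example (not MailStore's implementation) shows the principle: it reads the envelope addresses from a journal report, extracts the attached original email, and maps the addresses to archives. It assumes the envelope is a plain-text part with `Sender:`, `To:`, `Cc:`, `Bcc:` and `Recipient:` lines and the original is attached as `message/rfc822`; the report, the addresses and the `USERS` directory are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed directory: email address -> archive name (stand-in for user management).
USERS = {
    "alice@example.com": "alice",
    "carol@example.com": "carol",
    "dave@example.com": "dave",
}
RECIPIENT_FIELDS = {"to", "cc", "bcc", "recipient"}


def build_constructed_report() -> bytes:
    """Constructed sample: envelope report with the original email attached."""
    original = EmailMessage()
    original["From"] = "alice@example.com"
    original["To"] = "sales@example.com"           # a distribution list
    original["Subject"] = "Q3 numbers"
    original["Message-ID"] = "<constructed-1@example.com>"
    original.set_content("Figures attached.")

    report = EmailMessage()
    report["From"] = "journal@example.com"
    report["To"] = "gateway-mailbox@example.net"
    report["Subject"] = "Q3 numbers"
    report.set_content(
        "Sender: alice@example.com\n"
        "Subject: Q3 numbers\n"
        "Message-Id: <constructed-1@example.com>\n"
        "To: dave@example.com, Expanded: sales@example.com\n"
        "Bcc: carol@example.com\n"
        "Recipient: partner@example.org\n"
    )
    report.add_attachment(original)                # becomes a message/rfc822 part
    return report.as_bytes()


def parse_journal_report(raw: bytes) -> dict:
    """Split a journal report into envelope addresses and the attached original."""
    report = message_from_bytes(raw, policy=policy.default)
    body = report.get_body(preferencelist=("plain",))
    if body is None:
        raise ValueError("no plain-text envelope part found")
    sender, recipients = None, []
    for line in body.get_content().splitlines():
        field, sep, value = line.partition(":")
        if not sep:
            continue
        # "addr, Expanded: list" -> keep the resolved address before the comma
        address = value.split(",")[0].strip().lower()
        if field.strip().lower() == "sender":
            sender = address
        elif field.strip().lower() in RECIPIENT_FIELDS and address:
            recipients.append(address)
    originals = [p.get_content() for p in report.iter_attachments()
                 if p.get_content_type() == "message/rfc822"]
    if sender is None or not originals:
        raise ValueError("not a journal report: sender or attached message missing")
    return {"sender": sender, "recipients": recipients, "original": originals[0]}


def assign_archives(raw: bytes, users: dict = USERS) -> dict:
    """Map envelope addresses to archives; list addresses with no matching user."""
    parsed = parse_journal_report(raw)
    envelope = [parsed["sender"], *parsed["recipients"]]
    archives = sorted({users[a] for a in envelope if a in users})
    unknown = sorted({a for a in envelope if a not in users})
    original = parsed["original"]
    header_addrs = {addr.lower() for _, addr in getaddresses(
        original.get_all("To", []) + original.get_all("Cc", []))}
    # Recipients that only the envelope reveals (BCC, expanded list members).
    envelope_only = sorted(set(parsed["recipients"]) - header_addrs)
    return {"archives": archives, "unknown": unknown, "envelope_only": envelope_only}


if __name__ == "__main__":
    print(assign_archives(build_constructed_report()))
```

The `envelope_only` list contains the BCC recipient and the expanded distribution list member, neither of which appears in the headers of the original email; `unknown` holds addresses without a matching user, which is why every user needs an email address in user management.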
Step 1: Setup and Configure MailStore Gateway
Please refer to the MailStore Gateway Manual for detailed instructions about:
- Installation and Setup of MailStore Gateway
- Logging on to MailStore Gateway's Management Console
- Creating MailStore Gateway mailboxes
After these steps, a mailbox with an individual email address (e.g. [email protected]) should exist.
Step 2: Configure MailStore Server
Setting up archiving processes for MailStore Gateway mailboxes is done using archiving profiles. General information about archiving profiles is available in chapter Working with Archiving Profiles.
Before configuring MailStore Server, please make sure that a MailStore Server user account exists for each user whose emails are to be archived with the MailStore Gateway. Please refer to chapter User Management for more information.
Important notice: It is imperative that, in user management under Properties, the email address is specified for each user. This is the only way to make sure that the emails in the archive are assigned to the appropriate users.
Please proceed as follows:
- Log on as MailStore Server administrator using MailStore Client.
- In MailStore Server, click on Archive Email.
- To create a new archiving profile, select Microsoft 365 from the Email Server list in the Create Profile area of the application window.
- A wizard opens that guides you through the setup process.
- Select In- and Outbound E-Mail Automatically and click OK.
Please note: To be able to archive a MailStore Gateway mailbox, MailStore Server users along with their email addresses must exist in the MailStore Server user management. If this is not the case, MailStore Server will offer to set up and run the directory synchronization at this point. Once completed, the wizard will resume.
Alternatively, you can cancel the wizard and create users manually as described in the chapter User Management.
- Fill out the fields Host, Mailbox ID and Password. Click on Test to verify the data entered.
If MailStore Gateway uses a TLS certificate from a certificate authority that is not trusted by the MailStore Server computer, the option Accept all certificates must be checked.
- Adjust any further settings such as how to handle emails with unknown addresses or asking MailStore Server to delete emails after they have been archived.
- If the option Synchronize with Directory Services before archiving is enabled, the MailStore Server user list will be synchronized with the configured directory service before the archiving process actually runs. This has the advantage that, for example, new employees will be created as MailStore Server users before archiving which enables MailStore Server to sort their emails into the correct archives.
- Click on Next.
- The timeout value only has to be adjusted on a case-by-case basis (e.g. with very slow servers or network connections).
- Click on Next.
- At the last step, select a name for the new archiving profile. After clicking on Finish, the archiving profile will be listed under Saved Profiles and can be run immediately or automatically, if desired.
Step 3: Creating a Journal Rule
The following steps describe how to set up journaling for your Microsoft 365 account.
Since you are planning to use an external mailbox (MailStore Gateway) as the recipient for journal reports, we highly recommend first creating an external contact with this email address in your Exchange mailbox administration to prevent any later errors or warnings about an unknown recipient in the process.
- Sign in to the Microsoft 365 admin center as an Exchange or Global Administrator for your Microsoft 365 tenant.
- Expand the left navigation menu by clicking Show all.
- In the Admin centers section, either use this direct link or follow these steps:
- In the left navigation menu, click Compliance. The Microsoft Purview compliance portal is opened.
- In the left navigation menu, select Data Lifecycle Management, then select Exchange (legacy).
- Open the Settings on the top right.
- Enter a mailbox in the Send undeliverable journal reports to section. This mailbox receives Non-Delivery Reports (NDRs) for undeliverable journal reports in case the primary journal mailbox is unreachable.
- This mailbox should be a dedicated mailbox for this purpose, which cannot reside in any Microsoft 365 tenant.
- The same journal report non-delivery reports mailbox must not be used for multiple tenants.
- The mail server must not alter the X-MS-Exchange-Message-Is-Ndr email header.
For this purpose, you can set up a second gateway on another server with an additional mailbox, as described in Step 1. Alternatively you can use any external mailbox that matches the above criteria.
- MailStore is able to extract the journal reports contained in the NDRs, then archive them like normal journal reports and thus assign the emails they contain to users. You can therefore create a second archiving profile as described in Step 2, which archives from the Microsoft 365 journal report non-delivery reports mailbox.
- Return to the Exchange (legacy) settings.
- Open the page Journal rules.
- Create a new journaling rule by clicking on + (New rule).
- Enter the email address of the previously created MailStore Gateway mailbox in the Send journal reports to: box.
- Enter a name for the journal rule, e.g. Journaling.
- In the Journal messages sent or received from section, select whether the rule should apply to everyone or to specific users or groups.
- Under Type of message to journal, choose whether to capture all messages, internal messages only, or external messages only.
- Click on Next, validate your settings, then click Submit to activate the rule.
Public Folders
MailStore Server can archive the emails from the public folders of Exchange Online and make them available to some or all MailStore Server users. The archiving process can be executed manually or automatically.
Step 1: Creating a User Archive for Public Folders
Archived emails are always assigned to a particular user. You also need to specify a target archive when archiving a public folder.
As best practice, please create a dedicated MailStore Server user (e.g. publicfolder) whose archive acts as target for the public folder archiving profile. Through the user privileges you can grant access to the archive of the user publicfolder to other MailStore Server users. This way the archived emails of the public folder are made available to those MailStore Server users.
You can find more information on how to create a new user in MailStore Server in the chapter User Management.
Step 2: Granting permissions on public folders in Exchange Online
Accessing public folders needs a Microsoft 365 user that has a mailbox because the necessary permissions are implemented on mailbox level.
To grant the Microsoft 365 user the necessary permissions, please proceed as follows:
- Sign in to the Microsoft 365 Exchange admin center as an Exchange or Global Administrator for your Microsoft 365 tenant.
- Navigate to Public folders, in case it is not already opened.
- Click on Root permissions.
- The side-panel Folder permissions opens. Click on + Add permissions.
- Use the text box beneath Select User to choose the Microsoft 365 user you want to grant permissions.
- Choose Custom as Permission level and grant Read items and Delete all permissions.
- Click on Save Changes.
Step 3: Setting up the Archiving Process
- Log on to MailStore Client as MailStore Server administrator.
- Click on Archive Email.
- From the Email Servers list in the Create Profile area of the Archive Email page, select Microsoft 365 or Microsoft 365 (21Vianet) to create a new archiving profile.
- A wizard opens to assist in specifying the archiving settings.
- Select Public Folders and click on OK.
- Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the Credentials drop-down list. You can also use the button (…) to access the Credential Manager.
- In the Mailbox field, enter the primary email address of the user that has access to the public folders as described above.
- The value of the Target Folder box defines the top level folder below which the public folder hierarchy will be created in the target archive. Usually, you can leave this value at its default.
- Click on Test to verify that MailStore can access the public folders.
- Click on Next to continue.
- Adjust the settings for the List of Folders to be Archived. By default, all public folders that contain emails will be archived.
- If needed, adjust the filter and the Deletion Rules. By default, no emails will be deleted from the public folders. The Timeout value only has to be adjusted in specific cases (e.g. with very slow network connections).
- Click on Next to continue.
- In the next step, select the archive of the user you have prepared in step 1.
- In the last step, specify a name for the archiving profile. After clicking Finish the archiving profile will be listed under Saved Profiles and can be run immediately or automatically if desired.
About Archiving Archive Mailboxes
Folder structure in the archive
Archiving profiles for archive mailboxes store emails in the MailStore archive in the same folder structure that archiving profiles for normal mailboxes use. If archiving profiles exist for both normal mailboxes and archive mailboxes, both sources are merged in the MailStore archive and no duplicates are created.
Emails are moved
From the normal mailbox to the archive mailbox
If emails in the source are moved from the normal mailbox to the archive mailbox and the folder name does not change, and the archive mailbox is then archived, the emails remain in the MailStore archive in the same place.
However, if the emails in the archive mailbox are stored in a different folder, MailStore moves the emails in the MailStore archive to this folder.
From the archive mailbox to the normal mailbox
If emails in the source are moved from the archive mailbox to the normal mailbox and the folder name does not change, and the normal mailbox is then archived, the emails remain in the MailStore archive in the same place.
However, if the emails in the normal mailbox are stored in a different folder, MailStore moves the emails in the MailStore archive to this folder.
Emails are copied to the archive mailbox
If emails in the source are copied from the normal mailbox to the archive mailbox and the folder name does not change, and the archive mailbox is then archived, the emails remain in the MailStore archive in the same place.
If copies of an email are in the regular mailbox and the archive mailbox, and the containing folders are the same, and there are archiving profiles for both mailboxes, a single copy of the email can be found in that folder in the archive.
However, if the emails in the archive mailbox are copied to another folder, MailStore moves the emails in the MailStore archive to this folder.
If copies of an email are in the normal mailbox and the archive mailbox, the folders containing them are different, and there are archiving profiles for both mailboxes, a single copy of the email can be found in the MailStore archive in the folder in which the most recently run archiving profile found the email in the source.
Archiving Individual Microsoft 365 Archive Mailboxes
In MailStore Server, Microsoft 365 archiving tasks are stored in archiving profiles. By following the procedure described here, you can archive a single Microsoft 365 archive mailbox for a specific MailStore user. The archiving process can be executed manually or automatically. You can find further information about executing archiving profiles in the chapter Email Archiving with MailStore Basics.
For each mailbox, please proceed as follows:
- Log on to MailStore Client as MailStore Server administrator.
- Click on Archive Email.
- From the Email Servers list in the Create Profile area of the Archive Email page, select Microsoft 365 or Microsoft 365 (21Vianet) to create a new archiving profile.
- A wizard opens to assist in specifying the archiving settings.
- Select Single Archive Mailbox and click on OK.
- Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the Credentials drop-down list. You can also use the button (…) to access the Credential Manager.
- In the Mailbox field, enter the primary email address of the user whose archive mailbox you want to archive.
- Click on Test to verify that MailStore Server can access the archive mailbox.
- Click on Next.
- If needed, adjust the settings for the List of Folders to be Archived, the filter and the Deletion Rules. By default, no emails will be deleted from the archive mailbox. The Timeout value only has to be adjusted in specific cases (e.g. with very slow network connections).
- Click on Next to continue.
- Select the archive of the user for whom the selected archive mailbox is to be archived. If the user does not exist yet, click on Create a New User….
- Click on Next.
- In the last step, a name for the archiving profile can be specified. After clicking Finish, the archiving profile will be listed under Saved Profiles and, if desired, can be run immediately or automatically.
More information on how to execute archiving profiles can be found under the topic Email Archiving with MailStore Basics.
Archiving Multiple Microsoft 365 Archive Mailboxes Centrally
With MailStore, some or all Microsoft 365 archive mailboxes can be archived in a single step.
Please proceed as follows:
- Log on to MailStore Client as MailStore Server administrator.
- Click on Archive Email.
- From the Email Servers list in the Create Profile area of the Archive Email page, select Microsoft 365 or Microsoft 365 (21Vianet) to create a new archiving profile.
- A wizard opens to assist in specifying the archiving settings.
- Select Multiple Archive Mailboxes and click OK.
Please note: To be able to archive multiple archive mailboxes, MailStore Server users along with their email addresses must exist in the MailStore Server user management. If this is not the case, MailStore Server will offer to set up and run the directory synchronization at this point. Once completed, the wizard will resume.
Alternatively, you can cancel the wizard and create users manually as described in the chapter User Management.
- Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the Credentials drop-down list. You can also use the button (…) to access the Credential Manager.
- Click on Next to continue.
- If needed, adjust the settings for the List of Folders to be Archived, the filter and the Deletion Rules. By default, no emails will be deleted from the archive mailbox. The Timeout value only has to be adjusted in specific cases (e.g. with very slow network connections). Please keep in mind that these settings apply to all mailboxes to be archived, as specified in the next step.
- Select the users whose mailboxes are to be archived.
- The following options are available:
- All users with configured email address
Choose this option to archive the mailboxes of all users who are set up, along with their email addresses, in MailStore's user management.
- All users except the following
Choose this option to exclude individual users (and thereby their Microsoft 365 mailboxes) from the archiving process, using the list of users below.
- Only the following users
Choose this option to include individual users (and thereby their Microsoft 365 mailboxes) in the archiving process, using the list of users below. Only the mailboxes of those users explicitly specified will be archived.
- Synchronize with Directory Services before archiving
If selected, the MailStore user list will be synchronized with the configured directory service before any archiving process is executed. This has the advantage that, for example, new employees will be created as MailStore users before archiving, so once the archiving process is executed, their Microsoft 365 mailbox is archived automatically as well. This option is especially recommended when the archiving process is to be executed automatically.
- Click on Next.
- In the last step, a name for the archiving profile can be specified. After clicking Finish, the archiving profile will be listed under Saved Profiles and can be run immediately or automatically, if desired.