MailStore Server Help - User contributions [en]

EWS Migration

2026-04-09T10:19:19Z

Ltalaschus:

__NOTOC__
Exchange Web Services (EWS) is a technology that was developed specifically for accessing Exchange data. The API enables access to data from Microsoft Exchange Server and Exchange Online, including emails and mailboxes. EWS has been a central interface for third-party solutions such as archiving systems.

== Microsoft is discontinuing Exchange Web Services (EWS) for Microsoft 365 ==
Microsoft [https://techcommunity.microsoft.com/blog/exchange/retirement-of-exchange-web-services-in-exchange-online/3924440 has announced] that it will block access to Exchange Web Services (EWS) for Exchange Online starting October 1, 2026. EWS will be completely shut down by April 2027. This decision affects all organizations that use EWS in conjunction with Exchange Online (Microsoft 365). After the shutdown, some resources will only be accessible via the Graph API, while for other resources there is [https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-ews-exchange-online currently no Graph API equivalent]. These resources will then no longer be accessible by third-party solutions.

Microsoft will [https://techcommunity.microsoft.com/blog/exchange/exchange-online-ews-your-time-is-almost-up/4492361 preconfigure and potentially restrict access] to EWS based on usage starting in August 2026. Administrators can also [https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-control-access-to-ews-in-exchange manage the settings themselves].

For customers using Exchange Online Kiosk, Microsoft Office 365, and Office 365 F1/F3, [https://techcommunity.microsoft.com/blog/exchange/update-to-ews-access-for-kiosk--frontline-worker-licensed-users/4474299 Microsoft will disable EWS access as early as June 2026].

== What will change for MailStore Server and MailStore SPE? ==
The shutdown of EWS initiated by Microsoft will require adjustments in MailStore Server and MailStore SPE, depending on the archiving strategy. Archiving methods within MailStore Server and MailStore SPE that previously have used EWS may no longer be able to connect after October 1st and will then encounter errors.

== Which protocols does MailStore use? ==

Up to and including version 25.4, MailStore exclusively created Microsoft 365 archiving and export profiles that used EWS. Starting with version 26.1, new archiving profiles for regular mailboxes use the Graph API. New archiving profiles for archive mailboxes and public folders continue to use EWS, as these are not accessible via the Graph API. New export profiles, starting with version 26.2, use the IMAP protocol, since importing complete emails into a Microsoft 365 mailbox using the Graph API is also not possible.

=== How can MailStore support me during the migration? ===

Make sure you have completed the app registration in Entra ID [[Synchronizing_User_Accounts_with_Microsoft_365_-_Modern_Authentication#Configuring_API_Permissions_in_Microsoft_Entra_ID|according to our instructions]]. In particular, the Mail.ReadWrite and IMAP.AccessAsApp permissions are now required.

The [[Email_Archiving_with_MailStore_Basics|summary of archiving profiles]] contains the protocol used. Microsoft 365 Journal archiving profiles do not typically use EWS and are therefore not affected.

If you have configured Microsoft 365 profiles that can be converted, this message will appear on the dashboard:

[[File:ews_conversion_message.png]]

Click this message to open the [[Microsoft_365_Profile_Conversion_Tool|Microsoft 365 Profile Conversion Tool]]. Use this tool to test and perform a conversion.

[[File:ConversionTool_en.png|450px|center]]

=== When do adjustments need to be made? ===

==== June 2026 ====

If you are an Exchange Online Kiosk, Microsoft Office 365, or Office 365 F1/F3 customer, all profiles [https://techcommunity.microsoft.com/blog/exchange/update-to-ews-access-for-kiosk--frontline-worker-licensed-users/4474299 must be migrated] to Graph API and IMAP.

Archiving Exchange Online archive mailboxes and Exchange Online Public Folders will no longer be possible.

==== October 2026 ====

EWS profiles will continue to function after October 2026 if EWS access in Microsoft 365 is [https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-control-access-to-ews-in-exchange configured accordingly].

==== April 2027 ====

EWS profiles will no longer function after April 2027. Archiving regular mailboxes using Graph API and exporting to Microsoft 365 using IMAP will continue to function. Archiving Exchange Online archive mailboxes and Exchange Online Public Folders will no longer be possible. Microsoft [https://techcommunity.microsoft.com/blog/exchange/retirement-of-exchange-web-services-in-exchange-online/3924440 has hinted] at a future solution, but has not yet published a concrete plan. Microsoft recommends [https://learn.microsoft.com/en-us/exchange/collaboration/public-folders/migrate-to-microsoft-365-groups migrating public folders to Microsoft 365 Groups].

[[de:EWS Migration]]
[[en:EWS Migration]]

MailStore Server Management Shell

2026-04-09T09:59:27Z

Ltalaschus: /* Client side commands */

Many instructions available in the graphical user interface of MailStore Client can also be executed using MailStore's management shell, a command line client which is automatically included when installing MailStore Server and MailStore Client.

The management shell is useful when no graphical user interface is available (e.g. if using telnet or ssh) or for the integration of scripts (e.g. batch files) that are executed either manually or automatically.

Beside the client-side commands, the Management Shell also offers access to server-side commands of the [[Administration API - Using the API|MailStore Server Administration API]]. Output of server-side commands is in JSON format.

== Starting the Management Shell in MailStore Client ==
The management shell can be started directly from MailStore: Log on to MailStore Client as administrator and click on ''Administrative Tools > Management API > Command Prompt''.
[[File:tech_mscmd_01.png|center|450px]]
The font size can be adjusted by holding the Ctrl key and using the mouse wheel or pressing + and -. Holding down the Ctrl key and pressing 0 resets the font size.

== Using MailStoreCmd.exe in Non-Interactive Mode ==
In non-interactive mode, the management shell logs on with the access data passed, executes the command passed, and automatically terminates upon execution. If the login and the execution of the command were successful, the exit code (ERRORLEVEL) of the process is set to 0 (zero), otherwise it is set to any value other than 0. ''MailStoreCmd.exe'' can be found in the installation directory of MailStore Server. ''MailStoreCmdSilent.exe'' does the same, but does not open a console window.

Login credentials for your installation can be found in the scheduled task of an archiving profile of the type ''E-Mail Programs'' or ''E-Mail Files''.

There are multiple ways to pass credentials to ''MailStoreCmd.exe''.

To read credentials from the Windows Credentials Manager, they have to be stored there first. The MailStore Client does this automatically when creating a scheduled task in the Windows Task Planer. This methods prevents reading passwords easily by unauthorized persons.

MailStoreCmd.exe --h=<server> --cred=<user>@<server/ip address> --pkv3=<thumbprint> -c <command> [--param1=<value> --param2=<value> ...]

The credentials can also be passed as plain text.

MailStoreCmd.exe --h=<server> --u=<user> --p=<password> --pkv3=<thumbprint> -c <command> [--param1=<value> --param2=<value> ...]

The below command line parameters are required followed by additional API command parameters if necessary.

{| class="wikitable"
! width=100px | Parameter
! width=100% | Description
|-
| <code>--h</code>
|The machine name of the MailStore server to which <code>MailStoreCmd.exe</code> is to connect.
|-
| <code>--pkv3</code>
| The (optional) Public Key Fingerprint, which guarantees the identity of MailStore Server.
|-
| <code>--u</code>
| User name
|-
| <code>--p</code>
| Password
|-
| <code>--cred</code>
| Alternative to <code>--u</code> and <code>--p</code>, the password is read from the Windows Credential Manager. The parameter must be entered in the from <user>@<server/ip address>.
|-
| <code>--nologo</code>
| Optional. Prevents the logo from being displayed.
|-
| <code>--o</code>
| Optional. Redirects the output to a given file. When this parameter is given, no output is sent to the console. The placeholders ''{DATE}'' and ''{TIME}'' are replaced with the current date and time at execution time.
|-
| <code>-c</code>
| The actual command follows (non-interactive mode). This must be the last parameter.
|}

== Command Overview ==

=== Client side commands ===
Find a list of all client side commands below.

clear

Clears the texts currently displayed improving visibility.

debug-conn

Activates debug protocol for IMAP and HTTP connections during archiving for the running MailStore Client process.

debuglog-browse

Opens the file explorer and shows MailStore's ''Debug Log'' directory.

debuglog-enable, debuglog-disable

Activates or deactivates the global debug protocol (within computer scope).

export-execute [--name=<profilename>] [--id=<profileid>] [--verbose] [--[property]="value"]

Executes an export profile. Following parameters are supported:

{| width=80% |
|-
| width="20%" | <code>--name</code> <nowiki>|</nowiki> <code>--id</code>
| name or ID of the export profile to execute
|-
| <code>--verbose</code>
| activates a detailed status display on the console
|-
| <code>--[property]</code>
| Overwrites the given property of a profile. The internal properties can be displayed, by selecting an export profile and press <code>CTRL + SHIFT + P</code>. The name of the property has to be in brackets. Multiple properties can be modified by repeating the parameter.
|}

export-list

Displays a list of all existing export profiles (ID and profile name).

help

Displays a list of all available commands and their parameters.

import-execute [--name=<profilename>] [--id=<profileid>] [--verbose] [--user=<username>] [--[property]="value"]

Executes the archiving profile. Following parameters are supported:

{| width=80% |
|-
| width="20%" |<code>--name</code> <nowiki>|</nowiki> <code>--id</code>
| name or ID of the import profile to execute
|-
| <code>--verbose</code>
| activates a detailed status display on the console
|-
| <code>--user</code>
| user archive to store archived emails
|-
| <code>--[property]</code>
| Overwrites the given property of a profile. The internal properties can be displayed, by selecting an archiving profile and press <code>CTRL + SHIFT + P</code>. The name of the property has to be in brackets. Multiple properties can be modified by repeating the parameter.
|}

import-list [--user=<username>]

Displays a list of all existing archiving profiles (ID and profile name).

livelog-client-disable, livelog-client-enable, livelog-server-disable, livelog-server-enable

Activates or deactivates the live debug protocol of MailStore Server or MailStore Client. The live protocol can be viewed with Sysinternal's DebugView. DebugView must be started with elevated privileges and it must be configured to capture ''Global Win 32'' events.

store-setprop --name=<name> [--value=true/false]

Changes the value of a global property

{| width=100% |
|-
| scope="col" width="20%" | <code>--name</code>
| Name of the global property
|-
| <code>--value</code>
| Value of the global property
|}

Following global properties are supported:

{| width="100%" border="0" cellpadding="0" cellspacing="0" style="font-size: 90%;"
|-
! scope="col" width="20%" bgcolor="#cccccc" | Name
! scope="col" bgcolor="#cccccc" | Values
! scope="col" bgcolor="#cccccc" | Default
|-
| scope="col" width="20%" align="left" valign="top" | public.arcclient.skipGraphContentConversionFailed
| ''true'' = Microsoft 365 ''text does not support structured data'' errors are ignored and not handled as an archiving error. 
''false'' = Microsoft 365 ''text does not support structured data'' errors are handled as archiving errors.
| align="center" valign="top" | false
|-
| scope="col" width="20%" align="left" valign="top" | public.arcclient.skipMimeContentConversionFailed
| ''true'' = Exchange ''MimeContentConversionFailed'' errors are ignored and not handled as an archiving error. 
''false'' = Exchange ''MimeContentConversionFailed'' errors are handled as archiving errors.
| align="center" valign="top" | false
|-
| scope="col" width="20%" align="left" valign="top" | public.arcclient.skipVirusDetected
| ''true'' = Exchange ''ErrorVirusDetected'' errors are ignored and not handled as an archiving error. 
''false'' = Exchange ''ErrorVirusDetected'' errors are handled as archiving errors.
| align="center" valign="top" | false
|-
| scope="col" width="20%" align="left" valign="top" | public.arcclient.skipEwsErrorItemNotFound
| ''true'' = Exchange ''ErrorItemNotFound'' errors are ignored and not handled as an archiving error. 
''false'' = Exchange ''ErrorItemNotFound'' errors are handled as archiving errors.
| align="center" valign="top" | false
|-
| scope="col" width="20%" align="left" valign="top" | public.backup.hideNotDetectedWarningMessage
| ''true'' = Backup warning messages are not shown on dashboard. 
''false'' = Backup warning messages are shown on dashboard.
| align="center" valign="top" | false
|}

user-list

Display list of users.

=== Server side commands ===

An overview of all available server side commands can be found under [[Administration API - Function Reference|Function Reference]].

The parameters of server side commands are case sensitive and must be entered with two dashes (--). Boolean values must be entered as ''true'' or ''false''. Strings that contain white space characters must be set in quotes.

'''Examples:'''

GetProfiles --raw=true
Lists all archiving and export profiles.

GetUserInfo --userName="alexis.page"
Lists the properties of the user ''alexis.page''.

GetJobResults --fromIncluding="2018-01-01T00:00:00" --toExcluding="2019-01-01T00:00:00" --timeZoneId="$Local" --jobId=1
Lists the results of the job with id 1 of the year 2018.

GetWorkerResults --fromIncluding="2018-01-01T00:00:00" --toExcluding="2019-01-01T00:00:00" --timeZoneID="$Local" --profileID=1
Lists the results of the archiving profile with id 1 of the year 2018.
The command ''GetWorkerResults'' is the only command where the parameter ''timeZoneID'' is written with a capital ''D''.

RunProfile --id=1
Starts the archiving or export profile with id 1.

[[de:MailStore_Server_Management_Shell]]
[[en:MailStore_Server_Management_Shell]]

MailStore Help

2026-04-09T09:55:03Z

Ltalaschus:

__NOTOC__
{{DISPLAYTITLE:{{Product Name}} Help}}

{| width="100%" cellspacing="3" cellpadding="4"
|-
| valign="top" width="100%" colspan="2" |
== Email Archiving with {{Product Name}} ==
In addition to the latest version of the {{Product Name}} manual, you can find important articles and instructions here, which will help you to set up email archiving. Please do not hesitate to contact our support team if you have any further questions.
|-
| valign="top" width="50%" |
== Getting Started ==
* [[Quick Start Guide]]
* [[System Requirements]]
* [[Choosing the Right Archiving Strategy]]

== What's New ==
* [https://go.mailstore.com?product=MailStore%20Server&target=changelog&lang=en Changelog]
* [[Update Notices for MailStore Server|Update Notices]]
| valign="top" width="50%"|
== Manual ==
* [[Installation]]
* [[Archiving Email]]
* [[Accessing the Archive]]
* [[Exporting Email]]
* [[Administration]]
* [[MailStore Server Service Configuration]]
* [https://help.mailstore.com/en/gateway MailStore Gateway Help]
|-
| valign="top" width="50%" |
== Implementation Guides ==
{{:Implementation}}
| valign="top" width="50% |
== Articles ==
==== Deployment ====
* [[MailStore Client Deployment|MailStore Client]]
* [[MailStore Outlook Add-in Deployment|MailStore Outlook Add-in]]
* [[MailStore Outlook App Deployment|MailStore Outlook App]]

==== Operation ====
* [[Backup and Restore]]
* [[Maintenance and Repair]]
* [[Monitoring]]
==== Security ====
* [[Multi-factor Authentication]]
* [[Firewall Configuration]]
* [[Using_Lets_Encrypt_Certificates|Using Let's Encrypt Certificates]]
* [[Using Your Own SSL Certificate]]
* [[Enhancing SSL Security]]
* [[Notes on Antivirus Software]]
* [[Security Advisories]]

==== Automation & Scripting ====
* [[Scripting|Automation with scripts]]
* [[Bulk Import of Email Files]]
* [[Implementing an Application Integration Server]]
==== How-to ====
* [[Changing Archiving from Microsoft Exchange Server to Microsoft 365]]
* [[Moving the Archive]]
* [[Using Network Attached Storage (NAS)]]
* [[Searching by Message ID]]
* [[Verifying a Signed Export]]

==== Knowledge base ====
* [[EWS Error Codes]]
* [[Graph API Error Codes]]
* [[Flagged Emails]]
* [[Message Date of an Email]]
* [[Email encryption in Microsoft 365]]
* [[EWS Migration]]
|-
| valign="top" width="50%" |

== Troubleshooting ==
In the [https://www.mailstore.com/en/help/knowledgebase/ knowledgebase] of our [https://cs.mailstore.com/ Customer Service Centers] you can find many answers to the most often asked questions or reoccurring error messages. Detailed troubleshooting instructions are also available there. 
== Administration API ==
The Administration API extends the management capabilities of {{Product Name}} by providing command-line as well as HTTP based access to all management functions. This allows to fully automate the administration of {{Product Name}} via scripts or even integration into centralized management solutions. For an even faster development, example API libraries for different scripting and programming languages are provided.
* [[MailStore Server Management Shell]]
* [[Administration API - Using the API|Using the API]]
* [[Administration API - Function Reference|Function Reference]]
==== Example Implementations of API Libraries ====
* [[PowerShell API Wrapper Tutorial|PowerShell]]
* [[Python API Wrapper Tutorial|Python]]
| valign="top" width="50%" |
== Tech Tip Videos ==
In our [https://youtube.com/playlist?list=PLGTSLnfosYvSkdccnpMDv5fjqYhJ_asQp Tech Tip Videos on Youtube] we provide valuable information and useful insights from our technical support team. Our technical support engineers will showcase specific features of MailStore Server and feature common use cases of our clients.
== Downloads ==
<div class="plainlinks">
* [https://www.mailstore.com/en/products/mailstore-server/downloads/ MailStore Setup Files]

==== Active Directory Group Policy Templates ====
* [[Media:MailStore_ADMX.zip|ADMX-Template]]
</div>
|}

[[de:MailStore Hilfe]]
[[en:MailStore Help]]

HelpTopicIds

2026-04-09T09:48:20Z

Ltalaschus:

* accs_export - [[Exporting_Email]]
* accs_extsearch - [[Accessing_the_Archive_with_the_MailStore_Client_software#Advanced_Search]]
* accs_outlook - [[Accessing_the_Archive_with_the_Microsoft_Outlook_integration]]
* accs_outlookapp - [[Accessing_the_Archive_with_the_Microsoft_Outlook_App_integration]]
* accs_preview - [[Accessing_the_Archive_with_the_MailStore_Client_software#Email_Preview]]
* accs_web - [[Accessing_the_Archive_with_MailStore_Web_Access]]
* arch_delete - [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving]]
* arch_filesystem - [[Archiving_Emails_from_External_Systems_(File_Import)]]
* arch_filepst - [[Archiving_Outlook_PST_Files_Directly]]
* arch_gateway - [[Archiving_MailStore_Gateway_Mailbox]]
* arch_m365conversion - [[Microsoft_365_Profile_Conversion_Tool]]
* arch_nospamproxy - [[Archiving_Emails_from_NoSpamProxy]]
* gateway_introduction - [[Archiving_MailStore_Gateway_Mailbox]]
* arch_googleapps_batch - [[Archiving_Emails_from_Google_Workspace#Archiving_Multiple_Mailboxes_Centrally]]
* arch_googleapps - [[Archiving_Emails_from_Google_Workspace]]
* arch_googleapps_multidrop - [[Archiving_Emails_from_Google_Workspace#Archiving_Incoming_and_Outgoing_Emails_Directly]]
* arch_googlemail_installed_app - [[Archiving_Emails_from_Gmail]]
* arch_outlookcom_modern_auth - [[Archiving_Emails_from_Outlook.com]]
* arch_icewarp - [[Archiving_Emails_from_IceWarp_Server]]
* arch_icewarp_mailbox - [[Archiving_Emails_from_IceWarp_Server#Archiving_Individual_Mailboxes]]
* arch_icewarp_mailboxes - [[Archiving_Emails_from_IceWarp_Server#Archiving_Multiple_Mailboxes_in_One_Step]]
* arch_icewarp_multidrop - [[Archiving_Emails_from_IceWarp_Server#Archiving_All_Incoming_and_Outgoing_Emails_Directly]]
* arch_imapbatch - [[Batch-archiving_IMAP_Mailboxes]]
* arch_inout - [[MailStore_Proxy]]
* arch_introduction - [[Archiving_Email]]
* arch_kerio - [[Archiving_Emails_from_Kerio_Connect]]
* arch_kerio_mailbox - [[Archiving_Emails_from_Kerio_Connect#Archiving_Individual_Mailboxes]]
* arch_kerio_mailboxes - [[Archiving_Emails_from_Kerio_Connect#Archiving_Multiple_Mailboxes_in_One_Step]]
* arch_kerio_multidrop - [[Archiving_Emails_from_Kerio_Connect#Archiving_Incoming_and_Outgoing_Emails_Directly]]
* arch_mailboxes - [[Archiving_Server_Mailboxes]]
* arch_mailclients - [[Archiving_Email_from_Outlook,_Thunderbird_and_others]]
* arch_mdaemon - [[Archiving_Emails_from_MDaemon]]
* arch_mdaemon_mailbox - [[Archiving_Emails_from_MDaemon#Archiving_Individual_Mailboxes]]
* arch_mdaemon_mailboxes - [[Archiving_Emails_from_MDaemon#Archiving_Multiple_Mailboxes_in_One_Step]]
* arch_mdaemon_multidrop - [[Archiving_Emails_from_MDaemon#Archiving_Incoming_and_Outgoing_Emails_Directly]]
* arch_multidrop - [[Archiving_IMAP_and_POP3_Multidrop_Mailboxes]]
* arch_profiles - [[Archiving_Email]]
* arch_schedule - [[Email_Archiving_with_MailStore_Basics#Automating_the_Archiving_Process]]
* arch_results - [[Email_Archiving_with_MailStore_Basics]]
* arch_selfolders - [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders]]
* bkup_integrated - [[Backup_and_Restore]]
* comp_auditing - [[Auditing]]
* comp_auditlog - [[Audit_Log]]
* comp_auditlogexport - [[Audit_Log]]
* comp_auditor - [[Compliance_General]]
* comp_forcechangepassword - [[Notes_on_Password_Complexity]]
* comp_general - [[Compliance_General]]
* comp_manage_passwords - [[Accessing_the_Archive_with_the_MailStore_Client_software#Managing_Passwords]]
* comp_password_complexity - [[Notes_on_Password_Complexity]]
* comp_retention - [[Retention_Policies]]
* comp_message_date - [[Message_Date_of_an_Email]]
* expo_googleapps - [[Exporting_Email]]
* gsta_login - [[Accessing_the_Archive_with_the_MailStore_Client_software#Starting_and_Login]]
* job_jobs - [[Jobs]]
* job_scheduling - [[Jobs]]
* job_results - [[Job_Results]]
* mads_sync - [[Administration]]
* tech_config - [[MailStore_Server_Service_Configuration]]
* tech_index - [[Search_Indexes]]
* tech_mscmd - [[MailStore_Server_Management_Shell]]
* tech_proxy - [[MailStore_Proxy]]
* tech_safemode - [[MailStore_Server_Service_Configuration]]
* tech_smtpsettings - [[SMTP_Settings]]
* tech_archives - [[Archives]]
* tech_storageloc - [[Storage_Locations]]
* tech_productupdates - [[Product_Updates]]
* tech_extstoremigration - [[Using External Archive Stores]]
* umgm_privileges - [[Users,_Folders_and_Settings#User_Management]]
* umgm_users - [[Users,_Folders_and_Settings#User_Management]]
* xchg_introduction - [[Archiving_Emails_from_Microsoft_Exchange]]
* xchg_jour_intro - [[Archiving_Emails_from_Microsoft_Exchange]]
* xchg_mailbox - [[Archiving_Emails_from_Microsoft_Exchange]]
* xchg_mailboxes - [[Archiving_Emails_from_Microsoft_Exchange]]
* xchg_archive_mailbox - [[Archiving_Emails_from_Microsoft_Exchange]]
* xchg_archive_mailboxes - [[Archiving_Emails_from_Microsoft_Exchange]]
* xchg_public - [[Archiving_Emails_from_Microsoft_Exchange]]
* impl_noownserver - [[Archiving_Emails_Without_Your_Own_Emailserver|(No own e-mail server)]]
* impl_exim - [[Archiving_Emails_from_an_Exim_Based_Email_Server|Exim]]
* impl_hmailserver - [[Archiving_Emails_from_hMailServer|hMailServer]]
* impl_intranator - [[Archiving_Emails_from_Intra2net_Systems|Intra2net Appliance Pro / Business Server]]
* impl_kerioconnect - [[Archiving_Emails_from_Kerio_Connect|Kerio Connect (Kerio MailServer)]]
* impl_kolab - [[Archiving_Emails_from_Kolab|Kolab]]
* impl_postfix - [[Archiving_Emails_from_a_Postfix_Based_Email_Server|Postfix]]
* impl_qmail - [[Archiving_Emails_from_a_Qmail_Based_Email_Server|Qmail]]
* impl_scalix - [[Archiving_Emails_from_Scalix|Scalix]]
* impl_sendmail - [[Archiving_Emails_from_a_Sendmail_Based_Email_Server|Sendmail]]
* impl_smartermail - [[Archiving_Emails_from_SmarterMail|SmarterMail]]
* impl_tobitdavid - [[Archiving_Emails_from_Tobit_David.fx|Tobit David.fx]]
* impl_zimbra - [[Archiving_Emails_from_Zimbra|Zimbra Collaboration Suite]]
* implexch_2003 - [[Archiving_Emails_from_Microsoft_Exchange_2003|Exchange 2003]]
* implexch_2007 - [[Archiving_Emails_from_Microsoft_Exchange_2007|Exchange 2007]]
* implexch_2010 - [[Archiving_Emails_from_Microsoft_Exchange_2010|Exchange 2010]]
* implexch_2013 - [[Archiving_Emails_from_Microsoft_Exchange_2013|Exchange 2013]]
* implexch_2016 - [[Archiving_Emails_from_Microsoft_Exchange_2016|Exchange 2016]]
* implexch_2019 - [[Archiving_Emails_from_Microsoft_Exchange_2019|Exchange 2019]]
* implexch_se - [[Archiving_Emails_from_Microsoft_Exchange_SE|Exchange SE]]
* implexch_o365 - [[Archiving_Emails_from_Microsoft_Office_365|Office 365]]
* welc_licensing - [[License_Management]]
* arch_microsoft365 - [[Archiving_Emails_from_Microsoft_365_(Modern_Authentication)]]
* arch_microsoft365_single - [[Archiving_Emails_from_Microsoft_365_(Modern_Authentication)#Archiving_Individual_Microsoft.C2.A0365_Mailboxes]]
* arch_microsoft365_multiple - [[Archiving_Emails_from_Microsoft_365_(Modern_Authentication)#Archiving_Multiple_Microsoft.C2.A0365_Mailboxes_Centrally]]
* arch_microsoft365_single_archive_mailbox - [[Archiving_Emails_from_Microsoft_365_(Modern_Authentication)#Archiving_Individual_Microsoft.C2.A0365_Archive_Mailboxes]]
* arch_microsoft365_multiple_archive_mailboxes - [[Archiving_Emails_from_Microsoft_365_(Modern_Authentication)#Archiving_Multiple_Microsoft.C2.A0365_Archive_Mailboxes_Centrally]]
* arch_microsoft365_public - [[Archiving_Emails_from_Microsoft_365_(Modern_Authentication)#Public_Folders]]
* expo_microsoft365 - [[Exporting_Email]]
* arch_m365_ews_migration - [[EWS_Migration]]
* cred_microsoft365 - [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server]]
* expo_mailstorecloudbulk - [[MailStore_Cloud_Help#Migration_from_MailStore_Server_to_MailStore_Cloud]]
* graphmimeconversionfailed - [[Graph_API_Error_Codes]]
[[de:HelpTopicIds]]
[[en:helpTopicIds]]

Graph API Error Codes

2026-04-09T09:46:16Z

Ltalaschus:

== text does not support structured data ==
'''Problem:''' While archiving email from a Microsoft 365 server an Graph API error code ''text does not support structured data'' occurs.

'''Solution:''' This kind of server error is caused by an internal Microsoft 365 function that is not able to convert a message from its internal format into the RFC822 compliant MIME format which is also used by MailStore Server. In nearly all cases the original MIME message received by the mail server already contained invalid data, such as an appointment request confirmation without references to the original appointment. Therefore it is usually safe to delete those emails.

Due to that error, the archiving profile itself terminates with a non-successful status code. This behavior can be changed by modifying the global property ''public.arcclient.skipGraphContentConversionFailed'' by executing the following command in [[MailStore_Server_Management_Shell|MailStore's Management Shell]]:

store-setprop --name="public.arcclient.skipGraphContentConversionFailed" --value="true"

'''Please note:''' Independent of this global property, MailStore Server is neither able to archive messages where the above error occurred nor delete them from the mail server.

[[de:Graph_API-Fehlermeldungen]]
[[en:Graph_API_Error_Codes]]

Graph API Error Codes

2026-04-09T09:24:14Z

Ltalaschus: Created page with "== ErrorMimeContentConversionFailed == '''Problem:''' While archiving email from a Microsoft Exchange server an EWS error code ErrorMimeContentConversionFailed occurs. '''Sol..."

== ErrorMimeContentConversionFailed ==
'''Problem:''' While archiving email from a Microsoft Exchange server an EWS error code ErrorMimeContentConversionFailed occurs.

'''Solution:''' This kind of Exchange internal server error is caused by an internal Exchange function that is not able to convert a message from Exchange's internal MAPI format into the RFC822 compliant MIME format which is also used by MailStore Server. In nearly all cases the original MIME message received by the Exchange server already contained invalid data, such as an appointment request confirmation without references to the original appointment. Therefore it is usually safe to delete those emails.

Due to that error, the archiving profile itself terminates with a non-successful status code. This behavior can be changed since MailStore Server 8 by modifying the global property public.arcclient.skipMimeContentConversionFailed by executing the following command in [[MailStore_Server_Management_Shell|MailStore's Management Shell]]:

store-setprop --name="public.arcclient.skipMimeContentConversionFailed" --value="true"

'''Please note:''' Independent of this global property, MailStore Server is neither able to archive messages where the above error occurred nor delete them from the Exchange server.

[[de:Graph_API-Fehlermeldungen]]
[[en:Graph_API_Error_Codes]]

Microsoft 365 Profile Conversion Tool

2026-04-08T15:18:48Z

Ltalaschus:

Microsoft is planning to retire the Exchange Web Service(EWS) protocol in Exchange Online. This decision affects all companies that use EWS not just MailStore. This makes it necessary to use alternative access to Exchange Online mailboxes going into the future. Further details about the proposed discontinuation of the EWS protocol can be found in the [[EWS Migration|migration article]].

We provide a conversion tool that will try to help you migrating profiles that rely on EWS and will stop working in the future.

===Accessing the conversion tool===
When your MailStore Server installation is using a Microsoft 365 profile you should see a warning message on your dashboard. Click on that will open the Microsoft 365 Profile Conversion tool.

[[File:ConversionTool_en.png]]

The Conversion tool will show you an overview of all profiles connected to Microsoft 365. Archiving profiles, exporting profiles and gives you the option to convert those profiles to a version that will be able to be used after EWS has been retired.

The grid will show you profiles divided into three different kinds.
* automatic
*; These profiles need a conversion and should be convertible from within this tool. To just check if a conversion creates a usable profile click the ''Test convert'' button. It will do a temporary conversion and will test connection on that profile then. When you click ''Convert'' a test will be executed also and the profile is saved if successful.
* not supported
*; Those profiles can't be supported anymore when EWS is disabled. Microsoft did not provide alternatives yet without the use of EWS.
** Public Folders access will no longer be supported by Microsoft.
** Archive mailboxes or sometimes called In-Place Archives are currently only supported via EWS.
* not needed
*;Those profiles are either already converted or has been created currently with a EWS replacement solution already. Those profile can be considered safe and are shown here for completeness.

[[de:Microsoft_365_Profilkonvertierungstool]]
[[en:Microsoft_365_Profile_Conversion_Tool]]

EWS Migration

2026-04-08T15:00:49Z

Ltalaschus:

__NOTOC__
Exchange Web Services (EWS) is a technology that was developed specifically for accessing Exchange data. The API enables access to data from Microsoft Exchange Server and Exchange Online, including emails and mailboxes. EWS has been a central interface for third-party solutions such as archiving systems.

== Microsoft is discontinuing Exchange Web Services (EWS) for Microsoft 365 ==
Microsoft [https://techcommunity.microsoft.com/blog/exchange/retirement-of-exchange-web-services-in-exchange-online/3924440 has announced] that it will block access to Exchange Web Services (EWS) for Exchange Online starting October 1, 2026. EWS will be completely shut down by April 2027. This decision affects all organizations that use EWS in conjunction with Exchange Online (Microsoft 365). After the shutdown, some resources will only be accessible via the Graph API, while for other resources there is [https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-ews-exchange-online currently no Graph API equivalent]. These resources will then no longer be accessible by third-party solutions.

Microsoft will [https://techcommunity.microsoft.com/blog/exchange/exchange-online-ews-your-time-is-almost-up/4492361 preconfigure and potentially restrict access] to EWS based on usage starting in August 2026. Administrators can also [https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-control-access-to-ews-in-exchange manage the settings themselves].

For customers using Exchange Online Kiosk, Microsoft Office 365, and Office 365 F1/F3, [https://techcommunity.microsoft.com/blog/exchange/update-to-ews-access-for-kiosk--frontline-worker-licensed-users/4474299 Microsoft will disable EWS access as early as June 2026].

== What will change for MailStore Server and MailStore SPE? ==
The shutdown of EWS initiated by Microsoft will require adjustments in MailStore Server and MailStore SPE, depending on the archiving strategy. Archiving methods within MailStore Server and MailStore SPE that previously have used EWS may no longer be able to connect after October 1st and will then encounter errors.

== Which protocols does MailStore use? ==

Up to and including version 25.4, MailStore exclusively created Microsoft 365 archiving and export profiles that used EWS. Starting with version 26.1, new archiving profiles for regular mailboxes use the Graph API. New archiving profiles for archive mailboxes and public folders continue to use EWS, as these are not accessible via the Graph API. New export profiles, starting with version 26.2, use the IMAP protocol, since importing complete emails into a Microsoft 365 mailbox using the Graph API is also not possible.

=== How can MailStore support me during the migration? ===

Make sure you have completed the app registration in Entra ID [[Synchronizing_User_Accounts_with_Microsoft_365_-_Modern_Authentication#Configuring_API_Permissions_in_Microsoft_Entra_ID|according to our instructions]]. In particular, the Mail.ReadWrite and IMAP.AccessAsApp permissions are now required.

The [[Email_Archiving_with_MailStore_Basics|summary of archiving profiles]] contains the protocol used. Microsoft 365 Journal archiving profiles do not typically use EWS and are therefore not affected.

If you have configured Microsoft 365 profiles that can be converted, this message will appear on the dashboard:

[[File:ews_conversion_message.png]]

Click this message to open the [[Microsoft_365_Profile_Conversion_Tool|Microsoft 365 Profile Conversion Tool]]. Use this tool to test and perform a conversion.

[[File:ConversionTool_en.png|450px|center]]

=== When do adjustments need to be made? ===

==== June 2026 ====

If you are an Exchange Online Kiosk, Microsoft Office 365, or Office 365 F1/F3 customer, all profiles must be migrated to Graph API and IMAP.

Archiving Exchange Online archive mailboxes and Exchange Online Public Folders will no longer be possible.

==== October 2026 ====

EWS profiles will continue to function after October 2026 if EWS access in Microsoft 365 is [https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-control-access-to-ews-in-exchange configured accordingly].

==== April 2027 ====

EWS profiles will no longer function after April 2027. Archiving regular mailboxes using Graph API and exporting to Microsoft 365 using IMAP will continue to function. Archiving Exchange Online archive mailboxes and Exchange Online Public Folders will no longer be possible. Microsoft [https://techcommunity.microsoft.com/blog/exchange/retirement-of-exchange-web-services-in-exchange-online/3924440 has hinted] at a future solution, but has not yet published a concrete plan. Microsoft recommends [https://learn.microsoft.com/en-us/exchange/collaboration/public-folders/migrate-to-microsoft-365-groups migrating public folders to Microsoft 365 Groups].

[[de:EWS Migration]]
[[en:EWS Migration]]

File:Ews conversion message.png

2026-04-08T14:46:13Z

Ltalaschus:

MailStore Help

2026-03-26T08:41:37Z

Ltalaschus: /* Knowledge base */

__NOTOC__
{{DISPLAYTITLE:{{Product Name}} Help}}

{| width="100%" cellspacing="3" cellpadding="4"
|-
| valign="top" width="100%" colspan="2" |
== Email Archiving with {{Product Name}} ==
In addition to the latest version of the {{Product Name}} manual, you can find important articles and instructions here, which will help you to set up email archiving. Please do not hesitate to contact our support team if you have any further questions.
|-
| valign="top" width="50%" |
== Getting Started ==
* [[Quick Start Guide]]
* [[System Requirements]]
* [[Choosing the Right Archiving Strategy]]

== What's New ==
* [https://go.mailstore.com?product=MailStore%20Server&target=changelog&lang=en Changelog]
* [[Update Notices for MailStore Server|Update Notices]]
| valign="top" width="50%"|
== Manual ==
* [[Installation]]
* [[Archiving Email]]
* [[Accessing the Archive]]
* [[Exporting Email]]
* [[Administration]]
* [[MailStore Server Service Configuration]]
* [https://help.mailstore.com/en/gateway MailStore Gateway Help]
|-
| valign="top" width="50%" |
== Implementation Guides ==
{{:Implementation}}
| valign="top" width="50% |
== Articles ==
==== Deployment ====
* [[MailStore Client Deployment|MailStore Client]]
* [[MailStore Outlook Add-in Deployment|MailStore Outlook Add-in]]
* [[MailStore Outlook App Deployment|MailStore Outlook App]]

==== Operation ====
* [[Backup and Restore]]
* [[Maintenance and Repair]]
* [[Monitoring]]
==== Security ====
* [[Multi-factor Authentication]]
* [[Firewall Configuration]]
* [[Using_Lets_Encrypt_Certificates|Using Let's Encrypt Certificates]]
* [[Using Your Own SSL Certificate]]
* [[Enhancing SSL Security]]
* [[Notes on Antivirus Software]]
* [[Security Advisories]]

==== Automation & Scripting ====
* [[Scripting|Automation with scripts]]
* [[Bulk Import of Email Files]]
* [[Implementing an Application Integration Server]]
==== How-to ====
* [[Changing Archiving from Microsoft Exchange Server to Microsoft 365]]
* [[Moving the Archive]]
* [[Using Network Attached Storage (NAS)]]
* [[Searching by Message ID]]
* [[Verifying a Signed Export]]

==== Knowledge base ====
* [[EWS Error Codes]]
* [[Flagged Emails]]
* [[Message Date of an Email]]
* [[Email encryption in Microsoft 365]]
* [[EWS Migration]]
|-
| valign="top" width="50%" |

== Troubleshooting ==
In the [https://www.mailstore.com/en/help/knowledgebase/ knowledgebase] of our [https://cs.mailstore.com/ Customer Service Centers] you can find many answers to the most often asked questions or reoccurring error messages. Detailed troubleshooting instructions are also available there. 
== Administration API ==
The Administration API extends the management capabilities of {{Product Name}} by providing command-line as well as HTTP based access to all management functions. This allows to fully automate the administration of {{Product Name}} via scripts or even integration into centralized management solutions. For an even faster development, example API libraries for different scripting and programming languages are provided.
* [[MailStore Server Management Shell]]
* [[Administration API - Using the API|Using the API]]
* [[Administration API - Function Reference|Function Reference]]
==== Example Implementations of API Libraries ====
* [[PowerShell API Wrapper Tutorial|PowerShell]]
* [[Python API Wrapper Tutorial|Python]]
| valign="top" width="50%" |
== Tech Tip Videos ==
In our [https://youtube.com/playlist?list=PLGTSLnfosYvSkdccnpMDv5fjqYhJ_asQp Tech Tip Videos on Youtube] we provide valuable information and useful insights from our technical support team. Our technical support engineers will showcase specific features of MailStore Server and feature common use cases of our clients.
== Downloads ==
<div class="plainlinks">
* [https://www.mailstore.com/en/products/mailstore-server/downloads/ MailStore Setup Files]

==== Active Directory Group Policy Templates ====
* [[Media:MailStore_ADMX.zip|ADMX-Template]]
</div>
|}

[[de:MailStore Hilfe]]
[[en:MailStore Help]]

Microsoft 365 Profile Conversion Tool

2026-03-24T11:00:36Z

Ltalaschus:

Microsoft is planning to [https://techcommunity.microsoft.com/blog/exchange/retirement-of-exchange-web-services-in-exchange-online/3924440 retire] the Exchange Web Service(EWS) protocol in Exchange Online. This decision affects all companies that use EWS not just MailStore. This makes it necessary to use alternative access to Exchange Online mailboxes going into the future. We provide a conversion tool that will try to help you migrating profiles that rely on EWS and will stop working in the future.
The current Microsoft timeline for that can be followed [https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-ews-exchange-online here].

Further details about the proposed discontinuation of the EWS protocol can be found in the [[EWS Migration]] article or you might want to follow our [https://www.mailstore.com/en/blog/microsoft-is-discontinuing-ews-for-m365/ blog].

===Accessing the conversion tool===
When your MailStore Server installation is using a MIcrosoft 365 profile you should see a warning message on your dashboard. Click on that will open the Microsoft 365 Profile Conversion tool.

[[File:ConversionTool_en.png]]

The Conversion tool will show you an overview of all profiles connected to Microsoft 365. Archiving profiles, exporting profiles and gives you the option to convert those profiles to a version that will be able to be used after EWS has been retired.

The grid will show you profiles divided into three different kinds.
* automatic
*; These profiles need a conversion and should be convertible from within this tool. To just check if a conversion creates a usable profile click the ''Test convert'' button. It will do a temporary conversion and will test connection on that profile then. When you click ''Convert'' a test will be executed also and the profile is saved if successful.
* not supported
*; Those profiles can't be supported anymore when EWS is disabled. Microsoft did not provide alternatives yet without the use of EWS.
** Public Folders access will no longer be supported by Microsoft. Microsoft recommends a [https://learn.microsoft.com/en-us/exchange/collaboration/public-folders/migrate-to-microsoft-365-groups| migration] to Microsoft 365 Groups
** Archive mailboxes or sometimes called In-Place Archives are currently only supported via EWS. A future solution has been [https://techcommunity.microsoft.com/blog/exchange/retirement-of-exchange-web-services-in-exchange-online/3924440| hinted] by Microsoft. But no actual plan has been released yet.
* not needed
*;Those profiles are either already converted or has been created currently with a EWS replacement solution already. Those profile can be considered safe and are shown here for completeness.

[[de:Microsoft_365_Profilkonvertierungstool]]
[[en:Microsoft_365_Profile_Conversion_Tool]]

Synchronizing User Accounts with Microsoft 365 - Modern Authentication

2026-03-24T09:18:49Z

Ltalaschus: /* Configuring API Permissions in Microsoft Entra ID */

{{Directory Services Preamble|Microsoft 365 tenant|Microsoft 365||}}
== Prerequisites, Recommendations and Limitations ==
* For best user experience, the certificate used by MailStore Server should be trusted by all clients and the used web browsers. Using a certificate that is signed by a trusted certificate authority or [[Using_Lets_Encrypt_Certificates|using Let's Encrypt certificates]] is highly recommended.
* If you have archived emails from an Exchange server and synchronized users from an Active Directory until now, follow the article [[Changing Archiving from Microsoft Exchange Server to Microsoft 365]]
* If users are supposed to log in to MailStore Server from outside the organization's network without a VPN using [[Accessing_the_Archive_with_the_MailStore_Client_software|MailStore Client]], [[Accessing_the_Archive_with_the_Microsoft_Outlook_integration|MailStore Outlook Add-in]] or the [[Accessing_the_Archive_with_MailStore_Web_Access|Web Access]], the URIs mentioned in this article must be resolvable via DNS on the Internet and port-forwardings to the MailStore Server computer must be set up on the firewall or router if necessary.
* When using Microsoft 365 to authenticate users at login, [[Accessing_the_Archive_via_Integrated_IMAP_Server|accessing the archive via IMAP]] is not possible for technical reasons.
* MailStore Server supports the synchronization of user accounts with the global Microsoft Cloud ''Microsoft 365'' and ''Office 365, operated by 21Vianet''. Other Environments like GCC, GCC High or DoD are not supported. In the following article, only the term Microsoft 365 is used for the sake of simplicity.

== Connecting MailStore Server and Microsoft 365 ==
In order to synchronize user information from Microsoft 365, MailStore Server has to be connected to your Microsoft 365 tenant and been granted the required permissions. Microsoft 365 relies on Microsoft Entra ID as directory service. Each Microsoft 365 tenant corresponds to an Microsoft Entra ID tenant that stores its user information.

=== Registering of MailStore Server as App in Microsoft Entra ID ===
Through registration, MailStore Server gets an identity in Microsoft Entra ID that makes it possible to authenticate to the tenant's services and use their resources.
* Sign in to the [https://portal.azure.com Microsoft Entra ID Portal] as a Global Administrator for your Microsoft 365 tenant. The Microsoft Entra ID Portal of ''Office 365, operated by 21Vianet'' [https://portal.azure.cn/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview can be accessed here].
* In the navigation menu (☰), select the option ''Microsoft Entra ID''.
* On the next page, select ''App registrations'' in the ''Manage'' section of the left navigation menu.
* Select ''New Registration''. The ''Register an application'' page appears.
* In the ''Name'' field, enter a meaningful display name, e.g. ''MailStore Server''. This name will be shown to users on logon later on, for example.
* Leave all other settings on this page to their defaults.
* Click on ''Register''. If the registration has been successful, you are shown the overview page of the newly registered app.
The ''Application (client) ID'' shown on this page identifies MailStore Server in your Microsoft Entra ID tenant and has to be copied into MailStore Server next, together with the ''Directory (tenant) ID''. Therefore, for the following steps, leave the overview page open in your web browser.

=== Creating Credentials in MailStore Server ===
Credentials for Microsoft 365 consist of the aforementioned IDs and a secret that MailStore Server uses to proof its identity to Microsoft Entra ID. Microsoft recommends using certificates as secrets to identify apps in Microsoft Entra ID. When creating credentials, such a certificate is generated automatically by MailStore Server but can also be recreated later on.
{{Directory Services Accessing Configuration|Microsoft 365 or Microsoft 365 operated by 21 Vianet|Microsoft 365 sync 01.png}}
* In the ''Connection'' section, click on the button (…) next to the ''Credentials'' drop-down list.
* In the ''Credential Manager'' that appears, click on ''Create…''
* In the ''Microsoft Entra ID App Credentials'' dialog, enter the following information in the ''Settings'' section:
** '''Name''' A meaningful display name for the credentials, e.g. the name of your Microsoft 365 tenant.
** '''Application (client) ID''' The value of the corresponding field that you can copy from the Microsoft Entra ID app overview page in your web browser.
** '''Directory (tenant) ID''' The value of the corresponding field that you can copy from the Microsoft Entra ID app overview page in your web browser.
[[File:Microsoft 365 cred 01.png|center|347px]]
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Download Certificate''. Save the certificate on your hard drive.
* Confirm your entries by clicking ''OK''.
* The newly created credentials are listed in the ''Credential Manager'' under the name you have entered with the type ''Microsoft 365''. Here you can also edit or delete existing credentials if necessary.
* Leave the ''Credential Manager'' by clicking ''Close''.
* The newly created credentials are selected in the corresponding drop-down list by default.

=== Publishing Credentials in Microsoft Entra ID ===
For Microsoft Entra ID to validate the identity of MailStore Server, the created certificate needs to be published in Microsoft Entra ID.
* Switch to the Microsoft Entra ID app overview page in your web browser.
* Select ''Certificates & secrets'' in the ''Manage'' section of the left navigation menu.
* Click on ''Upload certificate'' in the ''Certificates'' section. Select the certificate file that you have saved previously and upload it to Microsoft Entra ID by clicking ''Add''.
* If uploading has been successful, the certificate's thumbprint as well as its start and expiry dates appear in the certificates list. You can compare the thumbprint and expiry date with those listed in the MailStore Credential Manager to check that you've uploaded the correct certificate.

=== Configuring App Authentication in Microsoft Entra ID ===
For Microsoft Entra ID to return the result of a user's authentication request to MailStore Server, the endpoint where MailStore Server expects authentication responses, the so-called ''Redirect URI'', has to be conveyed to Microsoft Entra ID.
* In the Microsoft Entra ID Portal in the web browser, select ''Authentication'' in the ''Manage'' section of the left navigation menu.
* Click on the ''Add Redirect URI'' button on the ''Redirect URI configuration'' page.
* Select ''Web'' in the ''Web applications'' section of the platform selection page.
* In the field ''Redirect URI'', enter a URI in the format (without brackets)
*: <code>https://<fqdn>[:<port>]/oidc/signin</code>
*; with the following components<nowiki>:</nowiki>
*: '''https://''' Specifying the <code>https://</code> protocol is obligatory. To avoid certificate warnings during user logon, the web browsers on the client machines must trust the [[MailStore_Server_Service_Configuration#Certificate|certificate used by MailStore Server]].
*: '''FQDN''' The Fully Qualified Domain Name (FQDN) of your MailStore Server that consists of the machine name and the DNS domain, e.g. <code>mailstore.example.com</code>. This name must be resolvable by all clients from which users shall be able to log on to MailStore Server.
*: '''Port''' The TCP port of the MailStore Web Access (<code>8462</code> by default). This value must be equal to the port configured in the section ''Base Configuration > Network Settings > MailStore Web Access / Outlook Add-in (HTTPS)'' of the [[MailStore_Server_Service_Configuration#Services|MailStore Server Service Configuration]]. The TCP port has to be specified only if it is different from the default port of the HTTPS protocol (<code>443</code>).
*: '''/oidc/signin''' The endpoint where MailStore Server expects the authentication responses of Microsoft Entra ID. This path has to be specified exactly as stated here at the end of the redirect URI.
* Click on ''Configure'' to add your Redirect URI.
* In the '''Authentication''' section switch to the '''Settings''' panel. Then, in the '''Implicit grant and hybrid flows''' section perform the following action:
:'''Enable''' the '''ID tokens''' option.
[[File:Microsoft_365_sync_id_token.png|center]]
* Ensure that the '''ID tokens''' option is set in the '''Implicit grant and hybrid flows''' section.
* Click on ''Save'' to finish the configuration of the app authentication in Microsoft Entra ID.
<div class="resp-table">
{| class="wikitable" style="font-size: 85%;"
|+ Examples for valid redirect URIs
|-
! style="width:80px;" | Product
! style="width:80px;" | FQDN
! style="width:40px;" | Port
! Resulting Redirect URI
|-
| align="center"| MailStore Server
| align="center"| mailstore.example.com
| align="center"| 8462
| <code><nowiki>https://mailstore.example.com:8462/oidc/signin</nowiki></code> Redirect URI with Fully Qualified Domain Name and MailStore Web Access default port
|-
| align="center"| MailStore Server
| align="center"| mailstore.example.com
| align="center"| 443
| <code><nowiki>https://mailstore.example.com/oidc/signin</nowiki></code> The port can be ommited if the HTTPS default port 443 has been configured for MailStore Web Access or as source port of a port-forwarding on the firewall or router.
|-
| align="center"| MailStore SPE
| align="center"| archive.example.com
| align="center"| 443
| <code><nowiki>https://archive.example.com/<instanceid>/oidc/signin</nowiki></code> The ''instanceid'' of the instance is part of the Redirect URI.
|-
|}
</div>
:: '''Important Notice:''' Please note that the redirect URI is case-sensitive. Also review the requirements on resolving URIs in the [[#Prerequisites, Recommendations and Limitations|Prerequisites, Recommendations and Limitations]] section.

:: '''Important Notice:''' Please note that without setting the ''ID Token'' option, user authentication will not work.

=== Configuring the Redirect URI in MailStore Server ===
For MailStore Server to convey the redirect URI to requesting clients, it must be configured there, too.
* Switch to the ''Directory Services'' page in the MailStore Client.
* Enter the redirect URI in the corresponding field in the ''Authentication'' section. Just copy the value previously configured in Microsoft Entra ID from the web browser.
[[File:Microsoft 365 sync 02.png|center|450px]]

=== Configuring API Permissions in Microsoft Entra ID ===
* Switch again to Microsoft Entra ID in your web browser.
* Select ''API permissions'' in the ''Manage'' section of the left navigation menu.
* Click on the ''Add a permission'' button in the ''Configured permissions'' section.
* On the ''Request API permissions'' menu page, select the API ''Microsoft Graph'' in the ''Commonly used Microsoft APIs'' section.
* Select the option ''Application permissions''.
* Enable the ''Directory > Directory.Read.All'' permission in the ''Select permissions'' section.
* '''New in 26.1''': Also enable the ''Mail > Mail.ReadWrite'' permission in the ''Select permissions'' section.
* Click on ''Add permissions''.
* The permissions are updated and the ''Directory.Read.All'' and ''Mail.ReadWrite'' permissions appear in the API permissions list under ''Microsoft Graph''.
* Click on the ''Add a permission'' button in the ''Configured permissions'' section again.
* On the ''Request API permissions'' menu page, select ''APIs my organization uses''.
* Search for ''Office 365 Exchange Online'' and click on the corresponding entry.
* Select the option ''Application permissions''.
* Enable the ''full_access_as_app'' permission in the ''Select permissions'' section.
* '''New in 25.3''': Also enable the permission ''SMTP.SendAsApp'' in the ''SMTP'' section.
* '''New in 26.2''': Also enable the permission ''IMAP.AccessAsApp'' in the ''IMAP'' section.
* Click on ''Add permissions''.
* The permissions are updated and the ''full_access_as_app'', ''SMTP.SendAsApp'' and ''IMAP.AccessAsApp'' permissions appear in the API permissions list under ''Exchange''.
* Now click on the ''Grant admin consent for <your tenant name>'' button in the ''Configured permissions'' section.
* Acknowledge the following notice with ''Yes''.
* The status of all granted permissions is updated to ''Granted for <your tenant name>''.
The configuration of MailStore Server's connection to Microsoft 365 within Microsoft Entra ID is now complete. You can sign out of your Microsoft Entra ID tenant and close the browser window. Switch to the ''Directory Services'' page in the MailStore Client again, all remaining configuration steps must be done there.

[[File:Microsoft 365 sync 03.png|center]]

=== User Database Synchronization ===
After configuring the connection settings as described above, you can specify filter criteria for the Microsoft 365 synchronization in this section.
*'''Synchronize licensed Microsoft Exchange Online users only''' Only Microsoft 365 user accounts with a Microsoft Exchange Online license assigned to them will be taken into account by the synchronization.
*'''Synchronize enabled users only''' Only Microsoft 365 user accounts that do not have their login to Microsoft 365 blocked will be taken into account by the synchronization.
*'''Sync only these groups''' Choose one or several Microsoft 365 security groups if you only want their members to be created as MailStore Server users. That way it's possible to exclude certain users from being synchronized to MailStore Server.
*'''Also synchronize all Microsoft 365 Groups as MailStore users''' All [https://learn.microsoft.com/en-us/microsoftteams/office-365-groups Microsoft 365 Groups] with configured email addresses will be synchronized as MailStore users. Since Microsoft 365 Group mailboxes cannot be accessed directly, those have to be excluded when [[Archiving_Emails_from_Microsoft_365_-_Modern_Authentication#Archiving_Multiple_Microsoft_365_Mailboxes_Centrally|archiving multiple Microsoft 365 mailboxes centrally]]. When [[Archiving_Emails_from_Microsoft_365_-_Modern_Authentication#Archiving_Incoming_and_Outgoing_Emails_Directly|archiving incoming and outgoing emails directly]], emails sent from and to these Groups will be archived. These users cannot login to the MailStore archive.

{{Directory Services Options|Microsoft 365 tenant}}
{{Directory Services Assign Default Privileges|Microsoft 365}}
{{Directory Services Run Synchronization|Microsoft 365 tenant}}
[[File:Office365_sync_02.png|450px|center]]

{{Directory Services Test Authentication}}

== Updating credentials ==
The certificate generated by MailStore for logging into Microsoft Entra ID is valid for 3750 days (825 days before version 25.3). In order for user synchronization and archiving to work afterwards, the certificate must be updated before its validity expires.

MailStore Server will show a notification on the dashboard in MailStore Client and in the [[Jobs#Templates|status report]] 28 days before credentials expire. You can also use the [[Administration_API_-_Function_Reference#GetCredentials|GetCredentials API command]] to retrieve the expiration date.

To update the credentials, proceed as follows:

=== Updating credentials in MailStore Server ===

* Log on to MailStore Client as a MailStore Server administrator.
* Click on ''Administrative Tools'' > ''Users and Archives'' > ''Directory Services''.
* In the ''Integration section'', make sure that the directory service type is set to ''Microsoft 365 (Modern Authentication)'' or ''Microsoft 365 operated by 21 Vianet (Modern Authentication)''.
[[File:Microsoft 365 sync 01.png|center|347px]]
* In the ''Connection'' section, click on the button (…) next to the ''Credentials'' drop-down list.
* In the ''Credential Manager'' that appears, click on the currently used credential object and click ''Edit…''
: [[File:Microsoft 365 cred 02.png|center|347px]]
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Create Certificate...''.
* Confirm the process.
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Download Certificate''. Save the certificate on your hard drive.
* Confirm your changes by clicking ''OK''.
* Leave the ''Credential Manager'' by clicking ''Apply''.
* The newly created credentials are selected in the corresponding drop-down list by default.
* If you are using Microsoft 365 in hybrid mode and synchronizing users from your Active Directory, set the directory service back to ''Active Directory''.

=== Updating credentials in Microsoft Entra ID ===

* Sign in to the [https://portal.azure.com Microsoft Entra ID Portal] as a Global Administrator for your Microsoft 365 tenant. The Microsoft Entra ID Portal of ''Office 365, operated by 21Vianet'' [https://portal.azure.cn/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview can be accessed here].
* In the navigation menu (☰), select the option ''Microsoft Entra ID''.
* On the next page, select ''App registrations'' in the ''Manage'' section of the left navigation menu.
* Select the application that is currently used by MailStore.
* Select ''Certificates & secrets'' in the ''Manage'' section of the left navigation menu.
* Click on ''Upload certificate'' in the ''Certificates'' section. Select the certificate file that you have saved previously and upload it to Microsoft Entra ID by clicking ''Add''.
* If uploading has been successful, the certificate's thumbprint as well as its start and expiry dates appear in the certificates list. You can compare the thumbprint and expiry date with those listed in the MailStore Credential Manager to check that you've uploaded the correct certificate.
* The previously used certificate can be removed from the list.

[[de:Synchronisieren_von_Benutzerkonten_mit_Microsoft_365_(Modern_Authentication)]]
[[en:Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)]]

Microsoft 365 Export

2026-03-23T16:48:40Z

Ltalaschus:

__NOTOC__
To be able to export emails to a Microsoft 365 mailbox, MailStore Server requires specific permissions on the target mailbox for an export. This article describes how to set up these permissions. General information about setting up the export process can be found in the article [[Exporting Email]].
== Steps for setting up needed permissions ==
=== Prerequisites in Azure Portal===
A registered App is needed with proper settings to be allowed to use IMAP
* Go to [https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps| App Registrations] or navigate from the Azure Portal home to the App registrations service
* Select your Application. If you're already using directory service synchronization or archiving from Microsoft 365, you already have such an app registration. If not creating such an app registration is described in [[Synchronizing_User_Accounts_with_Microsoft_365_-_Modern_Authentication|Synchronizing User Accounts with Microsoft 365]].
* Navigate to Manage/API permissions and make sure you have enabled or activated the IMAP.AccessAsApp permission when configuring the API permissions in the Office 365 Exchange Online area.
=== Prerequisites for Powershell===
The PowerShell module ''ExchangeOnlineManagement'' is required to set the permission.
* The presence of the module can be checked with the following command.
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Get-Module ExchangeOnlineManagement -ListAvailable</source>
* If the output is empty, the module can be installed with the following command:
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Install-Module -Name ExchangeOnlineManagement</source>
* If the output is not empty but the version is older than 3.8.0, the module can be updated with the following command:
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Update-Module -Name ExchangeOnlineManagement</source>
* Then the module can be loaded:
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Import-module ExchangeOnlineManagement</source>
=== Add permission on target mailbox ===
* Connect with your client, use a user who has ''Role Management'' permissions:
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Connect-ExchangeOnline -Organization <tenantID></source>
* Creating an app registration also resulted in the creation of an Enterprise App with its ''own ObjectID'' in your tenant. The next step requires the Enterprise App's ObjectID (not from the original app registration) and ApplicationID. Both can be found in the Entra ID Portal at [https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview this page].
* If you haven't before create a service principal for this Enterprise App:
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">New-ServicePrincipal -AppId <appID> -ObjectId <enterpriseAppObjectID> -DisplayName "MailStore Service Principal"</source>
* The service principal must now be granted full access on the target mailbox. This email address must later be specified as the export mailbox in the MailStore Export profile:
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Add-MailboxPermission -Identity "emailAddressOf@target.user" -User <enterpriseAppObjectID> -AccessRights FullAccess</source>

== Troubleshooting ==
* If you receive a Command Error. 12 (BAD). when executing or testing the export profile the permission is either missing or may not yet have been distributed withing the Exchange Online Infrastructure. You can check the permission with
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Get-MailboxPermission -Identity "emailAddressOf@target.user" -User <enterpriseAppObjectID></source>

[[de:Microsoft 365 Export]]
[[en:Microsoft 365 Export]]

Microsoft 365 Export

2026-03-23T16:13:07Z

Ltalaschus:

__NOTOC__
To be able to export emails to a Microsoft 365 mailbox, MailStore Server requires specific permissions on the target mailbox for an export. This article describes how to set up these permissions. General information about setting up the export process can be found in the article [[Exporting Email]].
== Steps for setting up needed permissions ==
=== Prerequisites in Azure Portal===
A registered App is needed with proper settings to be allowed to use IMAP
* Go to [https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps| App Registrations] or navigate from the Azure Portal home to the App registrations service
* Select your Application. If you're already using directory service synchronization or archiving from Microsoft 365, you already have such an app registration. If not creating such an app registration is described in [[Synchronizing_User_Accounts_with_Microsoft_365_-_Modern_Authentication|Synchronizing User Accounts with Microsoft 365]].
* Navigate to Manage/API permissions and make sure you have enabled or activated the IMAP.AccessAsApp permission when configuring the API permissions in the Office 365 Exchange Online area.
=== Prerequisites for Powershell===
The PowerShell module ''ExchangeOnlineManagement'' is required to set the permission.
* The presence of the module can be checked with the following command.
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Get-Module ExchangeOnlineManagement -ListAvailable</source>
* If the output is empty, the module can be installed with the following command:
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Install-Module -Name ExchangeOnlineManagement</source>
* If the output is not empty but the version is older than 3.8.0, the module can be updated with the following command:
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Update-Module -Name ExchangeOnlineManagement</source>
* Then the module can be loaded:
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Import-module ExchangeOnlineManagement</source>
=== Add permission on target mailbox ===
* Connect with your client, use a user who has ''Role Management'' permissions:
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Connect-ExchangeOnline -Organization <tenantID></source>
* Creating an app registration also resulted in the creation of an Enterprise App with its ''own ObjectID'' in your tenant. The next step requires the Enterprise App's ObjectID (not from the original app registration) and ApplicationID. Both can be found in the Entra ID Portal at [https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview this page].
* If you haven't before create a service principal for this Enterprise App:
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">New-ServicePrincipal -AppId <appID> -ObjectId <enterpriseAppObjectID> -DisplayName "MailStore Service Principal"</source>
* The service principal must now be granted full access on the target mailbox. This email address must later be specified as the export mailbox in the MailStore Export profile:
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Add-MailboxPermission -Identity "emailAddressOf@sending.user" -User <enterpriseAppObjectID> -AccessRights FullAccess</source>

== Troubleshooting ==
* If you receive a Command Error. 12 (BAD). when executing or testing the export profile the permission is either missing or may not yet have been distributed withing the Exchange Online Infrastructure. You can check the permission with
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Get-MailboxPermission -Identity "emailAddressOf@sending.user" -User <enterpriseAppObjectID></source>

[[de:Microsoft 365 Export]]
[[en:Microsoft 365 Export]]

Microsoft 365 Export

2026-03-23T15:34:26Z

Ltalaschus:

__NOTOC__
To be able to export emails to a Microsoft 365 mailbox, MailStore Server requires specific permissions on the target mailbox for an export. The more common help for exporting can be found in the article [[Exporting Email]].
== Steps for setting up needed permissions ==
=== Prerequisites in Azure Portal===
A registered App is needed with proper settings to be allowed to use IMAP
* Go to [https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps| App Registrations] or navigate from the Azure Portal home to the App registrations service
* Select your Application. If you're already using directory service synchronization or archiving from Microsoft 365, you already have such an app registration. If not creating such an app registration is described in [[Synchronizing_User_Accounts_with_Microsoft_365_-_Modern_Authentication|Synchronizing User Accounts with Microsoft 365]].
* Navigate to Manage/API permissions and make sure you have enabled or activated the IMAP.AccessAsApp permission when configuring the API permissions in the Office 365 Exchange Online area.
=== Prerequisites for Powershell===
The PowerShell module ''ExchangeOnlineManagement'' is required to set the permission.
* The presence of the module can be checked with the following command.
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Get-Module ExchangeOnlineManagement -ListAvailable</source>
* If the output is empty, the module can be installed with the following command:
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Install-Module -Name ExchangeOnlineManagement</source>
* If the output is not empty but the version is older than 3.8.0, the module can be updated with the following command:
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Update-Module -Name ExchangeOnlineManagement</source>
* Then the module can be loaded:
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Import-module ExchangeOnlineManagement</source>
=== Add permission on target mailbox ===
* Connect with your client, use a user who has ''Role Management'' permissions:
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Connect-ExchangeOnline -Organization <tenantID></source>
* Creating an app registration also resulted in the creation of an Enterprise App with its ''own ObjectID'' in your tenant. The next step requires the Enterprise App's ObjectID (not from the original app registration) and ApplicationID. Both can be found in the Entra ID Portal at [https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview this page].
* If you haven't before create a service principal for this Enterprise App:
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">New-ServicePrincipal -AppId <appID> -ObjectId <enterpriseAppObjectID> -DisplayName "MailStore Service Principal"</source>
* The service principal must now be granted full access on the target mailbox. This email address must later be specified as the export mailbox in the MailStore Export profile:
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Add-MailboxPermission -Identity "emailAddressOf@sending.user" -User <enterpriseAppObjectID> -AccessRights FullAccess</source>

== Troubleshooting ==
* If you receive a Command Error. 12 (BAD). when executing or testing the export profile the permission is either missing or may not yet have been distributed withing the Exchange Online Infrastructure. You can check the permission with
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Get-MailboxPermission -Identity "emailAddressOf@sending.user" -User <enterpriseAppObjectID></source>

[[de:Microsoft 365 Export]]
[[en:Microsoft 365 Export]]

Synchronizing User Accounts with Microsoft 365 - Modern Authentication

2026-03-19T13:21:40Z

Ltalaschus: /* User Database Synchronization */

{{Directory Services Preamble|Microsoft 365 tenant|Microsoft 365||}}
== Prerequisites, Recommendations and Limitations ==
* For best user experience, the certificate used by MailStore Server should be trusted by all clients and the used web browsers. Using a certificate that is signed by a trusted certificate authority or [[Using_Lets_Encrypt_Certificates|using Let's Encrypt certificates]] is highly recommended.
* If you have archived emails from an Exchange server and synchronized users from an Active Directory until now, follow the article [[Changing Archiving from Microsoft Exchange Server to Microsoft 365]]
* If users are supposed to log in to MailStore Server from outside the organization's network without a VPN using [[Accessing_the_Archive_with_the_MailStore_Client_software|MailStore Client]], [[Accessing_the_Archive_with_the_Microsoft_Outlook_integration|MailStore Outlook Add-in]] or the [[Accessing_the_Archive_with_MailStore_Web_Access|Web Access]], the URIs mentioned in this article must be resolvable via DNS on the Internet and port-forwardings to the MailStore Server computer must be set up on the firewall or router if necessary.
* When using Microsoft 365 to authenticate users at login, [[Accessing_the_Archive_via_Integrated_IMAP_Server|accessing the archive via IMAP]] is not possible for technical reasons.
* MailStore Server supports the synchronization of user accounts with the global Microsoft Cloud ''Microsoft 365'' and ''Office 365, operated by 21Vianet''. Other Environments like GCC, GCC High or DoD are not supported. In the following article, only the term Microsoft 365 is used for the sake of simplicity.

== Connecting MailStore Server and Microsoft 365 ==
In order to synchronize user information from Microsoft 365, MailStore Server has to be connected to your Microsoft 365 tenant and been granted the required permissions. Microsoft 365 relies on Microsoft Entra ID as directory service. Each Microsoft 365 tenant corresponds to an Microsoft Entra ID tenant that stores its user information.

=== Registering of MailStore Server as App in Microsoft Entra ID ===
Through registration, MailStore Server gets an identity in Microsoft Entra ID that makes it possible to authenticate to the tenant's services and use their resources.
* Sign in to the [https://portal.azure.com Microsoft Entra ID Portal] as a Global Administrator for your Microsoft 365 tenant. The Microsoft Entra ID Portal of ''Office 365, operated by 21Vianet'' [https://portal.azure.cn/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview can be accessed here].
* In the navigation menu (☰), select the option ''Microsoft Entra ID''.
* On the next page, select ''App registrations'' in the ''Manage'' section of the left navigation menu.
* Select ''New Registration''. The ''Register an application'' page appears.
* In the ''Name'' field, enter a meaningful display name, e.g. ''MailStore Server''. This name will be shown to users on logon later on, for example.
* Leave all other settings on this page to their defaults.
* Click on ''Register''. If the registration has been successful, you are shown the overview page of the newly registered app.
The ''Application (client) ID'' shown on this page identifies MailStore Server in your Microsoft Entra ID tenant and has to be copied into MailStore Server next, together with the ''Directory (tenant) ID''. Therefore, for the following steps, leave the overview page open in your web browser.

=== Creating Credentials in MailStore Server ===
Credentials for Microsoft 365 consist of the aforementioned IDs and a secret that MailStore Server uses to proof its identity to Microsoft Entra ID. Microsoft recommends using certificates as secrets to identify apps in Microsoft Entra ID. When creating credentials, such a certificate is generated automatically by MailStore Server but can also be recreated later on.
{{Directory Services Accessing Configuration|Microsoft 365 or Microsoft 365 operated by 21 Vianet|Microsoft 365 sync 01.png}}
* In the ''Connection'' section, click on the button (…) next to the ''Credentials'' drop-down list.
* In the ''Credential Manager'' that appears, click on ''Create…''
* In the ''Microsoft Entra ID App Credentials'' dialog, enter the following information in the ''Settings'' section:
** '''Name''' A meaningful display name for the credentials, e.g. the name of your Microsoft 365 tenant.
** '''Application (client) ID''' The value of the corresponding field that you can copy from the Microsoft Entra ID app overview page in your web browser.
** '''Directory (tenant) ID''' The value of the corresponding field that you can copy from the Microsoft Entra ID app overview page in your web browser.
[[File:Microsoft 365 cred 01.png|center|347px]]
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Download Certificate''. Save the certificate on your hard drive.
* Confirm your entries by clicking ''OK''.
* The newly created credentials are listed in the ''Credential Manager'' under the name you have entered with the type ''Microsoft 365''. Here you can also edit or delete existing credentials if necessary.
* Leave the ''Credential Manager'' by clicking ''Close''.
* The newly created credentials are selected in the corresponding drop-down list by default.

=== Publishing Credentials in Microsoft Entra ID ===
For Microsoft Entra ID to validate the identity of MailStore Server, the created certificate needs to be published in Microsoft Entra ID.
* Switch to the Microsoft Entra ID app overview page in your web browser.
* Select ''Certificates & secrets'' in the ''Manage'' section of the left navigation menu.
* Click on ''Upload certificate'' in the ''Certificates'' section. Select the certificate file that you have saved previously and upload it to Microsoft Entra ID by clicking ''Add''.
* If uploading has been successful, the certificate's thumbprint as well as its start and expiry dates appear in the certificates list. You can compare the thumbprint and expiry date with those listed in the MailStore Credential Manager to check that you've uploaded the correct certificate.

=== Configuring App Authentication in Microsoft Entra ID ===
For Microsoft Entra ID to return the result of a user's authentication request to MailStore Server, the endpoint where MailStore Server expects authentication responses, the so-called ''Redirect URI'', has to be conveyed to Microsoft Entra ID.
* In the Microsoft Entra ID Portal in the web browser, select ''Authentication'' in the ''Manage'' section of the left navigation menu.
* Click on the ''Add Redirect URI'' button on the ''Redirect URI configuration'' page.
* Select ''Web'' in the ''Web applications'' section of the platform selection page.
* In the field ''Redirect URI'', enter a URI in the format (without brackets)
*: <code>https://<fqdn>[:<port>]/oidc/signin</code>
*; with the following components<nowiki>:</nowiki>
*: '''https://''' Specifying the <code>https://</code> protocol is obligatory. To avoid certificate warnings during user logon, the web browsers on the client machines must trust the [[MailStore_Server_Service_Configuration#Certificate|certificate used by MailStore Server]].
*: '''FQDN''' The Fully Qualified Domain Name (FQDN) of your MailStore Server that consists of the machine name and the DNS domain, e.g. <code>mailstore.example.com</code>. This name must be resolvable by all clients from which users shall be able to log on to MailStore Server.
*: '''Port''' The TCP port of the MailStore Web Access (<code>8462</code> by default). This value must be equal to the port configured in the section ''Base Configuration > Network Settings > MailStore Web Access / Outlook Add-in (HTTPS)'' of the [[MailStore_Server_Service_Configuration#Services|MailStore Server Service Configuration]]. The TCP port has to be specified only if it is different from the default port of the HTTPS protocol (<code>443</code>).
*: '''/oidc/signin''' The endpoint where MailStore Server expects the authentication responses of Microsoft Entra ID. This path has to be specified exactly as stated here at the end of the redirect URI.
* Click on ''Configure'' to add your Redirect URI.
* In the '''Authentication''' section switch to the '''Settings''' panel. Then, in the '''Implicit grant and hybrid flows''' section perform the following action:
:'''Enable''' the '''ID tokens''' option.
[[File:Microsoft_365_sync_id_token.png|center]]
* Ensure that the '''ID tokens''' option is set in the '''Implicit grant and hybrid flows''' section.
* Click on ''Save'' to finish the configuration of the app authentication in Microsoft Entra ID.
<div class="resp-table">
{| class="wikitable" style="font-size: 85%;"
|+ Examples for valid redirect URIs
|-
! style="width:80px;" | Product
! style="width:80px;" | FQDN
! style="width:40px;" | Port
! Resulting Redirect URI
|-
| align="center"| MailStore Server
| align="center"| mailstore.example.com
| align="center"| 8462
| <code><nowiki>https://mailstore.example.com:8462/oidc/signin</nowiki></code> Redirect URI with Fully Qualified Domain Name and MailStore Web Access default port
|-
| align="center"| MailStore Server
| align="center"| mailstore.example.com
| align="center"| 443
| <code><nowiki>https://mailstore.example.com/oidc/signin</nowiki></code> The port can be ommited if the HTTPS default port 443 has been configured for MailStore Web Access or as source port of a port-forwarding on the firewall or router.
|-
| align="center"| MailStore SPE
| align="center"| archive.example.com
| align="center"| 443
| <code><nowiki>https://archive.example.com/<instanceid>/oidc/signin</nowiki></code> The ''instanceid'' of the instance is part of the Redirect URI.
|-
|}
</div>
:: '''Important Notice:''' Please note that the redirect URI is case-sensitive. Also review the requirements on resolving URIs in the [[#Prerequisites, Recommendations and Limitations|Prerequisites, Recommendations and Limitations]] section.

:: '''Important Notice:''' Please note that without setting the ''ID Token'' option, user authentication will not work.

=== Configuring the Redirect URI in MailStore Server ===
For MailStore Server to convey the redirect URI to requesting clients, it must be configured there, too.
* Switch to the ''Directory Services'' page in the MailStore Client.
* Enter the redirect URI in the corresponding field in the ''Authentication'' section. Just copy the value previously configured in Microsoft Entra ID from the web browser.
[[File:Microsoft 365 sync 02.png|center|450px]]

=== Configuring API Permissions in Microsoft Entra ID ===
* Switch again to Microsoft Entra ID in your web browser.
* Select ''API permissions'' in the ''Manage'' section of the left navigation menu.
* Click on the ''Add a permission'' button in the ''Configured permissions'' section.
* On the ''Request API permissions'' menu page, select the API ''Microsoft Graph'' in the ''Commonly used Microsoft APIs'' section.
* Select the option ''Application permissions''.
* Enable the ''Directory > Directory.Read.All'' permission in the ''Select permissions'' section.
* '''New in 26.1''': Also enable the ''Mail > Mail.ReadWrite'' permission in the ''Select permissions'' section.
* Click on ''Add permissions''.
* The permissions are updated and the ''Directory.Read.All'' and ''Mail.ReadWrite'' permissions appear in the API permissions list under ''Microsoft Graph''.
* Click on the ''Add a permission'' button in the ''Configured permissions'' section again.
* On the ''Request API permissions'' menu page, select ''APIs my organization uses''.
* Search for ''Office 365 Exchange Online'' and click on the corresponding entry.
* Select the option ''Application permissions''.
* Enable the ''full_access_as_app'' permission in the ''Select permissions'' section.
* '''New in 25.3''': Also enable the permission ''SMTP.SendAsApp'' in the ''SMTP'' section.
* Click on ''Add permissions''.
* The permissions are updated and the ''full_access_as_app'' and ''SMTP.SendAsApp'' permissions appear in the API permissions list under ''Exchange''.
* Now click on the ''Grant admin consent for <your tenant name>'' button in the ''Configured permissions'' section.
* Acknowledge the following notice with ''Yes''.
* The status of all granted permissions is updated to ''Granted for <your tenant name>''.
The configuration of MailStore Server's connection to Microsoft 365 within Microsoft Entra ID is now complete. You can sign out of your Microsoft Entra ID tenant and close the browser window. Switch to the ''Directory Services'' page in the MailStore Client again, all remaining configuration steps must be done there.

[[File:Microsoft 365 sync 03.png|center]]

=== User Database Synchronization ===
After configuring the connection settings as described above, you can specify filter criteria for the Microsoft 365 synchronization in this section.
*'''Synchronize licensed Microsoft Exchange Online users only''' Only Microsoft 365 user accounts with a Microsoft Exchange Online license assigned to them will be taken into account by the synchronization.
*'''Synchronize enabled users only''' Only Microsoft 365 user accounts that do not have their login to Microsoft 365 blocked will be taken into account by the synchronization.
*'''Sync only these groups''' Choose one or several Microsoft 365 security groups if you only want their members to be created as MailStore Server users. That way it's possible to exclude certain users from being synchronized to MailStore Server.
*'''Also synchronize all Microsoft 365 Groups as MailStore users''' All [https://learn.microsoft.com/en-us/microsoftteams/office-365-groups Microsoft 365 Groups] with configured email addresses will be synchronized as MailStore users. Since Microsoft 365 Group mailboxes cannot be accessed directly, those have to be excluded when [[Archiving_Emails_from_Microsoft_365_-_Modern_Authentication#Archiving_Multiple_Microsoft_365_Mailboxes_Centrally|archiving multiple Microsoft 365 mailboxes centrally]]. When [[Archiving_Emails_from_Microsoft_365_-_Modern_Authentication#Archiving_Incoming_and_Outgoing_Emails_Directly|archiving incoming and outgoing emails directly]], emails sent from and to these Groups will be archived. These users cannot login to the MailStore archive.

{{Directory Services Options|Microsoft 365 tenant}}
{{Directory Services Assign Default Privileges|Microsoft 365}}
{{Directory Services Run Synchronization|Microsoft 365 tenant}}
[[File:Office365_sync_02.png|450px|center]]

{{Directory Services Test Authentication}}

== Updating credentials ==
The certificate generated by MailStore for logging into Microsoft Entra ID is valid for 3750 days (825 days before version 25.3). In order for user synchronization and archiving to work afterwards, the certificate must be updated before its validity expires.

MailStore Server will show a notification on the dashboard in MailStore Client and in the [[Jobs#Templates|status report]] 28 days before credentials expire. You can also use the [[Administration_API_-_Function_Reference#GetCredentials|GetCredentials API command]] to retrieve the expiration date.

To update the credentials, proceed as follows:

=== Updating credentials in MailStore Server ===

* Log on to MailStore Client as a MailStore Server administrator.
* Click on ''Administrative Tools'' > ''Users and Archives'' > ''Directory Services''.
* In the ''Integration section'', make sure that the directory service type is set to ''Microsoft 365 (Modern Authentication)'' or ''Microsoft 365 operated by 21 Vianet (Modern Authentication)''.
[[File:Microsoft 365 sync 01.png|center|347px]]
* In the ''Connection'' section, click on the button (…) next to the ''Credentials'' drop-down list.
* In the ''Credential Manager'' that appears, click on the currently used credential object and click ''Edit…''
: [[File:Microsoft 365 cred 02.png|center|347px]]
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Create Certificate...''.
* Confirm the process.
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Download Certificate''. Save the certificate on your hard drive.
* Confirm your changes by clicking ''OK''.
* Leave the ''Credential Manager'' by clicking ''Apply''.
* The newly created credentials are selected in the corresponding drop-down list by default.
* If you are using Microsoft 365 in hybrid mode and synchronizing users from your Active Directory, set the directory service back to ''Active Directory''.

=== Updating credentials in Microsoft Entra ID ===

* Sign in to the [https://portal.azure.com Microsoft Entra ID Portal] as a Global Administrator for your Microsoft 365 tenant. The Microsoft Entra ID Portal of ''Office 365, operated by 21Vianet'' [https://portal.azure.cn/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview can be accessed here].
* In the navigation menu (☰), select the option ''Microsoft Entra ID''.
* On the next page, select ''App registrations'' in the ''Manage'' section of the left navigation menu.
* Select the application that is currently used by MailStore.
* Select ''Certificates & secrets'' in the ''Manage'' section of the left navigation menu.
* Click on ''Upload certificate'' in the ''Certificates'' section. Select the certificate file that you have saved previously and upload it to Microsoft Entra ID by clicking ''Add''.
* If uploading has been successful, the certificate's thumbprint as well as its start and expiry dates appear in the certificates list. You can compare the thumbprint and expiry date with those listed in the MailStore Credential Manager to check that you've uploaded the correct certificate.
* The previously used certificate can be removed from the list.

[[de:Synchronisieren_von_Benutzerkonten_mit_Microsoft_365_(Modern_Authentication)]]
[[en:Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)]]

Synchronizing User Accounts with Microsoft 365 - Modern Authentication

2026-03-19T13:16:37Z

Ltalaschus: /* User Database Synchronization */

{{Directory Services Preamble|Microsoft 365 tenant|Microsoft 365||}}
== Prerequisites, Recommendations and Limitations ==
* For best user experience, the certificate used by MailStore Server should be trusted by all clients and the used web browsers. Using a certificate that is signed by a trusted certificate authority or [[Using_Lets_Encrypt_Certificates|using Let's Encrypt certificates]] is highly recommended.
* If you have archived emails from an Exchange server and synchronized users from an Active Directory until now, follow the article [[Changing Archiving from Microsoft Exchange Server to Microsoft 365]]
* If users are supposed to log in to MailStore Server from outside the organization's network without a VPN using [[Accessing_the_Archive_with_the_MailStore_Client_software|MailStore Client]], [[Accessing_the_Archive_with_the_Microsoft_Outlook_integration|MailStore Outlook Add-in]] or the [[Accessing_the_Archive_with_MailStore_Web_Access|Web Access]], the URIs mentioned in this article must be resolvable via DNS on the Internet and port-forwardings to the MailStore Server computer must be set up on the firewall or router if necessary.
* When using Microsoft 365 to authenticate users at login, [[Accessing_the_Archive_via_Integrated_IMAP_Server|accessing the archive via IMAP]] is not possible for technical reasons.
* MailStore Server supports the synchronization of user accounts with the global Microsoft Cloud ''Microsoft 365'' and ''Office 365, operated by 21Vianet''. Other Environments like GCC, GCC High or DoD are not supported. In the following article, only the term Microsoft 365 is used for the sake of simplicity.

== Connecting MailStore Server and Microsoft 365 ==
In order to synchronize user information from Microsoft 365, MailStore Server has to be connected to your Microsoft 365 tenant and been granted the required permissions. Microsoft 365 relies on Microsoft Entra ID as directory service. Each Microsoft 365 tenant corresponds to an Microsoft Entra ID tenant that stores its user information.

=== Registering of MailStore Server as App in Microsoft Entra ID ===
Through registration, MailStore Server gets an identity in Microsoft Entra ID that makes it possible to authenticate to the tenant's services and use their resources.
* Sign in to the [https://portal.azure.com Microsoft Entra ID Portal] as a Global Administrator for your Microsoft 365 tenant. The Microsoft Entra ID Portal of ''Office 365, operated by 21Vianet'' [https://portal.azure.cn/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview can be accessed here].
* In the navigation menu (☰), select the option ''Microsoft Entra ID''.
* On the next page, select ''App registrations'' in the ''Manage'' section of the left navigation menu.
* Select ''New Registration''. The ''Register an application'' page appears.
* In the ''Name'' field, enter a meaningful display name, e.g. ''MailStore Server''. This name will be shown to users on logon later on, for example.
* Leave all other settings on this page to their defaults.
* Click on ''Register''. If the registration has been successful, you are shown the overview page of the newly registered app.
The ''Application (client) ID'' shown on this page identifies MailStore Server in your Microsoft Entra ID tenant and has to be copied into MailStore Server next, together with the ''Directory (tenant) ID''. Therefore, for the following steps, leave the overview page open in your web browser.

=== Creating Credentials in MailStore Server ===
Credentials for Microsoft 365 consist of the aforementioned IDs and a secret that MailStore Server uses to proof its identity to Microsoft Entra ID. Microsoft recommends using certificates as secrets to identify apps in Microsoft Entra ID. When creating credentials, such a certificate is generated automatically by MailStore Server but can also be recreated later on.
{{Directory Services Accessing Configuration|Microsoft 365 or Microsoft 365 operated by 21 Vianet|Microsoft 365 sync 01.png}}
* In the ''Connection'' section, click on the button (…) next to the ''Credentials'' drop-down list.
* In the ''Credential Manager'' that appears, click on ''Create…''
* In the ''Microsoft Entra ID App Credentials'' dialog, enter the following information in the ''Settings'' section:
** '''Name''' A meaningful display name for the credentials, e.g. the name of your Microsoft 365 tenant.
** '''Application (client) ID''' The value of the corresponding field that you can copy from the Microsoft Entra ID app overview page in your web browser.
** '''Directory (tenant) ID''' The value of the corresponding field that you can copy from the Microsoft Entra ID app overview page in your web browser.
[[File:Microsoft 365 cred 01.png|center|347px]]
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Download Certificate''. Save the certificate on your hard drive.
* Confirm your entries by clicking ''OK''.
* The newly created credentials are listed in the ''Credential Manager'' under the name you have entered with the type ''Microsoft 365''. Here you can also edit or delete existing credentials if necessary.
* Leave the ''Credential Manager'' by clicking ''Close''.
* The newly created credentials are selected in the corresponding drop-down list by default.

=== Publishing Credentials in Microsoft Entra ID ===
For Microsoft Entra ID to validate the identity of MailStore Server, the created certificate needs to be published in Microsoft Entra ID.
* Switch to the Microsoft Entra ID app overview page in your web browser.
* Select ''Certificates & secrets'' in the ''Manage'' section of the left navigation menu.
* Click on ''Upload certificate'' in the ''Certificates'' section. Select the certificate file that you have saved previously and upload it to Microsoft Entra ID by clicking ''Add''.
* If uploading has been successful, the certificate's thumbprint as well as its start and expiry dates appear in the certificates list. You can compare the thumbprint and expiry date with those listed in the MailStore Credential Manager to check that you've uploaded the correct certificate.

=== Configuring App Authentication in Microsoft Entra ID ===
For Microsoft Entra ID to return the result of a user's authentication request to MailStore Server, the endpoint where MailStore Server expects authentication responses, the so-called ''Redirect URI'', has to be conveyed to Microsoft Entra ID.
* In the Microsoft Entra ID Portal in the web browser, select ''Authentication'' in the ''Manage'' section of the left navigation menu.
* Click on the ''Add Redirect URI'' button on the ''Redirect URI configuration'' page.
* Select ''Web'' in the ''Web applications'' section of the platform selection page.
* In the field ''Redirect URI'', enter a URI in the format (without brackets)
*: <code>https://<fqdn>[:<port>]/oidc/signin</code>
*; with the following components<nowiki>:</nowiki>
*: '''https://''' Specifying the <code>https://</code> protocol is obligatory. To avoid certificate warnings during user logon, the web browsers on the client machines must trust the [[MailStore_Server_Service_Configuration#Certificate|certificate used by MailStore Server]].
*: '''FQDN''' The Fully Qualified Domain Name (FQDN) of your MailStore Server that consists of the machine name and the DNS domain, e.g. <code>mailstore.example.com</code>. This name must be resolvable by all clients from which users shall be able to log on to MailStore Server.
*: '''Port''' The TCP port of the MailStore Web Access (<code>8462</code> by default). This value must be equal to the port configured in the section ''Base Configuration > Network Settings > MailStore Web Access / Outlook Add-in (HTTPS)'' of the [[MailStore_Server_Service_Configuration#Services|MailStore Server Service Configuration]]. The TCP port has to be specified only if it is different from the default port of the HTTPS protocol (<code>443</code>).
*: '''/oidc/signin''' The endpoint where MailStore Server expects the authentication responses of Microsoft Entra ID. This path has to be specified exactly as stated here at the end of the redirect URI.
* Click on ''Configure'' to add your Redirect URI.
* In the '''Authentication''' section switch to the '''Settings''' panel. Then, in the '''Implicit grant and hybrid flows''' section perform the following action:
:'''Enable''' the '''ID tokens''' option.
[[File:Microsoft_365_sync_id_token.png|center]]
* Ensure that the '''ID tokens''' option is set in the '''Implicit grant and hybrid flows''' section.
* Click on ''Save'' to finish the configuration of the app authentication in Microsoft Entra ID.
<div class="resp-table">
{| class="wikitable" style="font-size: 85%;"
|+ Examples for valid redirect URIs
|-
! style="width:80px;" | Product
! style="width:80px;" | FQDN
! style="width:40px;" | Port
! Resulting Redirect URI
|-
| align="center"| MailStore Server
| align="center"| mailstore.example.com
| align="center"| 8462
| <code><nowiki>https://mailstore.example.com:8462/oidc/signin</nowiki></code> Redirect URI with Fully Qualified Domain Name and MailStore Web Access default port
|-
| align="center"| MailStore Server
| align="center"| mailstore.example.com
| align="center"| 443
| <code><nowiki>https://mailstore.example.com/oidc/signin</nowiki></code> The port can be ommited if the HTTPS default port 443 has been configured for MailStore Web Access or as source port of a port-forwarding on the firewall or router.
|-
| align="center"| MailStore SPE
| align="center"| archive.example.com
| align="center"| 443
| <code><nowiki>https://archive.example.com/<instanceid>/oidc/signin</nowiki></code> The ''instanceid'' of the instance is part of the Redirect URI.
|-
|}
</div>
:: '''Important Notice:''' Please note that the redirect URI is case-sensitive. Also review the requirements on resolving URIs in the [[#Prerequisites, Recommendations and Limitations|Prerequisites, Recommendations and Limitations]] section.

:: '''Important Notice:''' Please note that without setting the ''ID Token'' option, user authentication will not work.

=== Configuring the Redirect URI in MailStore Server ===
For MailStore Server to convey the redirect URI to requesting clients, it must be configured there, too.
* Switch to the ''Directory Services'' page in the MailStore Client.
* Enter the redirect URI in the corresponding field in the ''Authentication'' section. Just copy the value previously configured in Microsoft Entra ID from the web browser.
[[File:Microsoft 365 sync 02.png|center|450px]]

=== Configuring API Permissions in Microsoft Entra ID ===
* Switch again to Microsoft Entra ID in your web browser.
* Select ''API permissions'' in the ''Manage'' section of the left navigation menu.
* Click on the ''Add a permission'' button in the ''Configured permissions'' section.
* On the ''Request API permissions'' menu page, select the API ''Microsoft Graph'' in the ''Commonly used Microsoft APIs'' section.
* Select the option ''Application permissions''.
* Enable the ''Directory > Directory.Read.All'' permission in the ''Select permissions'' section.
* '''New in 26.1''': Also enable the ''Mail > Mail.ReadWrite'' permission in the ''Select permissions'' section.
* Click on ''Add permissions''.
* The permissions are updated and the ''Directory.Read.All'' and ''Mail.ReadWrite'' permissions appear in the API permissions list under ''Microsoft Graph''.
* Click on the ''Add a permission'' button in the ''Configured permissions'' section again.
* On the ''Request API permissions'' menu page, select ''APIs my organization uses''.
* Search for ''Office 365 Exchange Online'' and click on the corresponding entry.
* Select the option ''Application permissions''.
* Enable the ''full_access_as_app'' permission in the ''Select permissions'' section.
* '''New in 25.3''': Also enable the permission ''SMTP.SendAsApp'' in the ''SMTP'' section.
* Click on ''Add permissions''.
* The permissions are updated and the ''full_access_as_app'' and ''SMTP.SendAsApp'' permissions appear in the API permissions list under ''Exchange''.
* Now click on the ''Grant admin consent for <your tenant name>'' button in the ''Configured permissions'' section.
* Acknowledge the following notice with ''Yes''.
* The status of all granted permissions is updated to ''Granted for <your tenant name>''.
The configuration of MailStore Server's connection to Microsoft 365 within Microsoft Entra ID is now complete. You can sign out of your Microsoft Entra ID tenant and close the browser window. Switch to the ''Directory Services'' page in the MailStore Client again, all remaining configuration steps must be done there.

[[File:Microsoft 365 sync 03.png|center]]

=== User Database Synchronization ===
After configuring the connection settings as described above, you can specify filter criteria for the Microsoft 365 synchronization in this section.
*'''Synchronize licensed Microsoft Exchange Online users only''' Only Microsoft 365 user accounts with a Microsoft Exchange Online license assigned to them will be taken into account by the synchronization.
*'''Synchronize enabled users only''' Only Microsoft 365 user accounts that do not have their login to Microsoft 365 blocked will be taken into account by the synchronization.
*'''Sync only these groups''' Choose one or several Microsoft 365 security groups if you only want their members to be created as MailStore Server users. That way it's possible to exclude certain users from being synchronized to MailStore Server.
*'''Also synchronize all Microsoft 365 Groups as MailStore users''' All [https://learn.microsoft.com/en-us/microsoftteams/office-365-groups Microsoft 365 Groups] with configured email addresses will be synchronized as MailStore users. Since Microsoft 365 Group mailboxes cannot be accessed directly, those have to be excluded when [[Archiving_Emails_from_Microsoft_365_-_Modern_Authentication#Archiving_Multiple_Microsoft_365_Mailboxes_Centrally|archiving multiple Microsoft 365 mailboxes centrally]]. When [[Archiving_Emails_from_Microsoft_365_-_Modern_Authentication#Archiving_Incoming_and_Outgoing_Emails_Directly|archiving incoming and outgoing emails directly]], emails sent from and to these Groups will archived. These users cannot login to the MailStore archive.

{{Directory Services Options|Microsoft 365 tenant}}
{{Directory Services Assign Default Privileges|Microsoft 365}}
{{Directory Services Run Synchronization|Microsoft 365 tenant}}
[[File:Office365_sync_02.png|450px|center]]

{{Directory Services Test Authentication}}

== Updating credentials ==
The certificate generated by MailStore for logging into Microsoft Entra ID is valid for 3750 days (825 days before version 25.3). In order for user synchronization and archiving to work afterwards, the certificate must be updated before its validity expires.

MailStore Server will show a notification on the dashboard in MailStore Client and in the [[Jobs#Templates|status report]] 28 days before credentials expire. You can also use the [[Administration_API_-_Function_Reference#GetCredentials|GetCredentials API command]] to retrieve the expiration date.

To update the credentials, proceed as follows:

=== Updating credentials in MailStore Server ===

* Log on to MailStore Client as a MailStore Server administrator.
* Click on ''Administrative Tools'' > ''Users and Archives'' > ''Directory Services''.
* In the ''Integration section'', make sure that the directory service type is set to ''Microsoft 365 (Modern Authentication)'' or ''Microsoft 365 operated by 21 Vianet (Modern Authentication)''.
[[File:Microsoft 365 sync 01.png|center|347px]]
* In the ''Connection'' section, click on the button (…) next to the ''Credentials'' drop-down list.
* In the ''Credential Manager'' that appears, click on the currently used credential object and click ''Edit…''
: [[File:Microsoft 365 cred 02.png|center|347px]]
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Create Certificate...''.
* Confirm the process.
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Download Certificate''. Save the certificate on your hard drive.
* Confirm your changes by clicking ''OK''.
* Leave the ''Credential Manager'' by clicking ''Apply''.
* The newly created credentials are selected in the corresponding drop-down list by default.
* If you are using Microsoft 365 in hybrid mode and synchronizing users from your Active Directory, set the directory service back to ''Active Directory''.

=== Updating credentials in Microsoft Entra ID ===

* Sign in to the [https://portal.azure.com Microsoft Entra ID Portal] as a Global Administrator for your Microsoft 365 tenant. The Microsoft Entra ID Portal of ''Office 365, operated by 21Vianet'' [https://portal.azure.cn/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview can be accessed here].
* In the navigation menu (☰), select the option ''Microsoft Entra ID''.
* On the next page, select ''App registrations'' in the ''Manage'' section of the left navigation menu.
* Select the application that is currently used by MailStore.
* Select ''Certificates & secrets'' in the ''Manage'' section of the left navigation menu.
* Click on ''Upload certificate'' in the ''Certificates'' section. Select the certificate file that you have saved previously and upload it to Microsoft Entra ID by clicking ''Add''.
* If uploading has been successful, the certificate's thumbprint as well as its start and expiry dates appear in the certificates list. You can compare the thumbprint and expiry date with those listed in the MailStore Credential Manager to check that you've uploaded the correct certificate.
* The previously used certificate can be removed from the list.

[[de:Synchronisieren_von_Benutzerkonten_mit_Microsoft_365_(Modern_Authentication)]]
[[en:Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)]]

File:Microsoft 365 sync 02.png

2026-03-19T12:48:52Z

Ltalaschus: Ltalaschus uploaded a new version of File:Microsoft 365 sync 02.png

File:Microsoft 365 sync 01.png

2026-03-19T12:47:54Z

Ltalaschus: Ltalaschus uploaded a new version of File:Microsoft 365 sync 01.png

Synchronizing User Accounts with Microsoft 365 - Modern Authentication

2026-03-19T12:47:34Z

Ltalaschus: /* User Database Synchronization */

{{Directory Services Preamble|Microsoft 365 tenant|Microsoft 365||}}
== Prerequisites, Recommendations and Limitations ==
* For best user experience, the certificate used by MailStore Server should be trusted by all clients and the used web browsers. Using a certificate that is signed by a trusted certificate authority or [[Using_Lets_Encrypt_Certificates|using Let's Encrypt certificates]] is highly recommended.
* If you have archived emails from an Exchange server and synchronized users from an Active Directory until now, follow the article [[Changing Archiving from Microsoft Exchange Server to Microsoft 365]]
* If users are supposed to log in to MailStore Server from outside the organization's network without a VPN using [[Accessing_the_Archive_with_the_MailStore_Client_software|MailStore Client]], [[Accessing_the_Archive_with_the_Microsoft_Outlook_integration|MailStore Outlook Add-in]] or the [[Accessing_the_Archive_with_MailStore_Web_Access|Web Access]], the URIs mentioned in this article must be resolvable via DNS on the Internet and port-forwardings to the MailStore Server computer must be set up on the firewall or router if necessary.
* When using Microsoft 365 to authenticate users at login, [[Accessing_the_Archive_via_Integrated_IMAP_Server|accessing the archive via IMAP]] is not possible for technical reasons.
* MailStore Server supports the synchronization of user accounts with the global Microsoft Cloud ''Microsoft 365'' and ''Office 365, operated by 21Vianet''. Other Environments like GCC, GCC High or DoD are not supported. In the following article, only the term Microsoft 365 is used for the sake of simplicity.

== Connecting MailStore Server and Microsoft 365 ==
In order to synchronize user information from Microsoft 365, MailStore Server has to be connected to your Microsoft 365 tenant and been granted the required permissions. Microsoft 365 relies on Microsoft Entra ID as directory service. Each Microsoft 365 tenant corresponds to an Microsoft Entra ID tenant that stores its user information.

=== Registering of MailStore Server as App in Microsoft Entra ID ===
Through registration, MailStore Server gets an identity in Microsoft Entra ID that makes it possible to authenticate to the tenant's services and use their resources.
* Sign in to the [https://portal.azure.com Microsoft Entra ID Portal] as a Global Administrator for your Microsoft 365 tenant. The Microsoft Entra ID Portal of ''Office 365, operated by 21Vianet'' [https://portal.azure.cn/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview can be accessed here].
* In the navigation menu (☰), select the option ''Microsoft Entra ID''.
* On the next page, select ''App registrations'' in the ''Manage'' section of the left navigation menu.
* Select ''New Registration''. The ''Register an application'' page appears.
* In the ''Name'' field, enter a meaningful display name, e.g. ''MailStore Server''. This name will be shown to users on logon later on, for example.
* Leave all other settings on this page to their defaults.
* Click on ''Register''. If the registration has been successful, you are shown the overview page of the newly registered app.
The ''Application (client) ID'' shown on this page identifies MailStore Server in your Microsoft Entra ID tenant and has to be copied into MailStore Server next, together with the ''Directory (tenant) ID''. Therefore, for the following steps, leave the overview page open in your web browser.

=== Creating Credentials in MailStore Server ===
Credentials for Microsoft 365 consist of the aforementioned IDs and a secret that MailStore Server uses to proof its identity to Microsoft Entra ID. Microsoft recommends using certificates as secrets to identify apps in Microsoft Entra ID. When creating credentials, such a certificate is generated automatically by MailStore Server but can also be recreated later on.
{{Directory Services Accessing Configuration|Microsoft 365 or Microsoft 365 operated by 21 Vianet|Microsoft 365 sync 01.png}}
* In the ''Connection'' section, click on the button (…) next to the ''Credentials'' drop-down list.
* In the ''Credential Manager'' that appears, click on ''Create…''
* In the ''Microsoft Entra ID App Credentials'' dialog, enter the following information in the ''Settings'' section:
** '''Name''' A meaningful display name for the credentials, e.g. the name of your Microsoft 365 tenant.
** '''Application (client) ID''' The value of the corresponding field that you can copy from the Microsoft Entra ID app overview page in your web browser.
** '''Directory (tenant) ID''' The value of the corresponding field that you can copy from the Microsoft Entra ID app overview page in your web browser.
[[File:Microsoft 365 cred 01.png|center|347px]]
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Download Certificate''. Save the certificate on your hard drive.
* Confirm your entries by clicking ''OK''.
* The newly created credentials are listed in the ''Credential Manager'' under the name you have entered with the type ''Microsoft 365''. Here you can also edit or delete existing credentials if necessary.
* Leave the ''Credential Manager'' by clicking ''Close''.
* The newly created credentials are selected in the corresponding drop-down list by default.

=== Publishing Credentials in Microsoft Entra ID ===
For Microsoft Entra ID to validate the identity of MailStore Server, the created certificate needs to be published in Microsoft Entra ID.
* Switch to the Microsoft Entra ID app overview page in your web browser.
* Select ''Certificates & secrets'' in the ''Manage'' section of the left navigation menu.
* Click on ''Upload certificate'' in the ''Certificates'' section. Select the certificate file that you have saved previously and upload it to Microsoft Entra ID by clicking ''Add''.
* If uploading has been successful, the certificate's thumbprint as well as its start and expiry dates appear in the certificates list. You can compare the thumbprint and expiry date with those listed in the MailStore Credential Manager to check that you've uploaded the correct certificate.

=== Configuring App Authentication in Microsoft Entra ID ===
For Microsoft Entra ID to return the result of a user's authentication request to MailStore Server, the endpoint where MailStore Server expects authentication responses, the so-called ''Redirect URI'', has to be conveyed to Microsoft Entra ID.
* In the Microsoft Entra ID Portal in the web browser, select ''Authentication'' in the ''Manage'' section of the left navigation menu.
* Click on the ''Add Redirect URI'' button on the ''Redirect URI configuration'' page.
* Select ''Web'' in the ''Web applications'' section of the platform selection page.
* In the field ''Redirect URI'', enter a URI in the format (without brackets)
*: <code>https://<fqdn>[:<port>]/oidc/signin</code>
*; with the following components<nowiki>:</nowiki>
*: '''https://''' Specifying the <code>https://</code> protocol is obligatory. To avoid certificate warnings during user logon, the web browsers on the client machines must trust the [[MailStore_Server_Service_Configuration#Certificate|certificate used by MailStore Server]].
*: '''FQDN''' The Fully Qualified Domain Name (FQDN) of your MailStore Server that consists of the machine name and the DNS domain, e.g. <code>mailstore.example.com</code>. This name must be resolvable by all clients from which users shall be able to log on to MailStore Server.
*: '''Port''' The TCP port of the MailStore Web Access (<code>8462</code> by default). This value must be equal to the port configured in the section ''Base Configuration > Network Settings > MailStore Web Access / Outlook Add-in (HTTPS)'' of the [[MailStore_Server_Service_Configuration#Services|MailStore Server Service Configuration]]. The TCP port has to be specified only if it is different from the default port of the HTTPS protocol (<code>443</code>).
*: '''/oidc/signin''' The endpoint where MailStore Server expects the authentication responses of Microsoft Entra ID. This path has to be specified exactly as stated here at the end of the redirect URI.
* Click on ''Configure'' to add your Redirect URI.
* In the '''Authentication''' section switch to the '''Settings''' panel. Then, in the '''Implicit grant and hybrid flows''' section perform the following action:
:'''Enable''' the '''ID tokens''' option.
[[File:Microsoft_365_sync_id_token.png|center]]
* Ensure that the '''ID tokens''' option is set in the '''Implicit grant and hybrid flows''' section.
* Click on ''Save'' to finish the configuration of the app authentication in Microsoft Entra ID.
<div class="resp-table">
{| class="wikitable" style="font-size: 85%;"
|+ Examples for valid redirect URIs
|-
! style="width:80px;" | Product
! style="width:80px;" | FQDN
! style="width:40px;" | Port
! Resulting Redirect URI
|-
| align="center"| MailStore Server
| align="center"| mailstore.example.com
| align="center"| 8462
| <code><nowiki>https://mailstore.example.com:8462/oidc/signin</nowiki></code> Redirect URI with Fully Qualified Domain Name and MailStore Web Access default port
|-
| align="center"| MailStore Server
| align="center"| mailstore.example.com
| align="center"| 443
| <code><nowiki>https://mailstore.example.com/oidc/signin</nowiki></code> The port can be ommited if the HTTPS default port 443 has been configured for MailStore Web Access or as source port of a port-forwarding on the firewall or router.
|-
| align="center"| MailStore SPE
| align="center"| archive.example.com
| align="center"| 443
| <code><nowiki>https://archive.example.com/<instanceid>/oidc/signin</nowiki></code> The ''instanceid'' of the instance is part of the Redirect URI.
|-
|}
</div>
:: '''Important Notice:''' Please note that the redirect URI is case-sensitive. Also review the requirements on resolving URIs in the [[#Prerequisites, Recommendations and Limitations|Prerequisites, Recommendations and Limitations]] section.

:: '''Important Notice:''' Please note that without setting the ''ID Token'' option, user authentication will not work.

=== Configuring the Redirect URI in MailStore Server ===
For MailStore Server to convey the redirect URI to requesting clients, it must be configured there, too.
* Switch to the ''Directory Services'' page in the MailStore Client.
* Enter the redirect URI in the corresponding field in the ''Authentication'' section. Just copy the value previously configured in Microsoft Entra ID from the web browser.
[[File:Microsoft 365 sync 02.png|center|450px]]

=== Configuring API Permissions in Microsoft Entra ID ===
* Switch again to Microsoft Entra ID in your web browser.
* Select ''API permissions'' in the ''Manage'' section of the left navigation menu.
* Click on the ''Add a permission'' button in the ''Configured permissions'' section.
* On the ''Request API permissions'' menu page, select the API ''Microsoft Graph'' in the ''Commonly used Microsoft APIs'' section.
* Select the option ''Application permissions''.
* Enable the ''Directory > Directory.Read.All'' permission in the ''Select permissions'' section.
* '''New in 26.1''': Also enable the ''Mail > Mail.ReadWrite'' permission in the ''Select permissions'' section.
* Click on ''Add permissions''.
* The permissions are updated and the ''Directory.Read.All'' and ''Mail.ReadWrite'' permissions appear in the API permissions list under ''Microsoft Graph''.
* Click on the ''Add a permission'' button in the ''Configured permissions'' section again.
* On the ''Request API permissions'' menu page, select ''APIs my organization uses''.
* Search for ''Office 365 Exchange Online'' and click on the corresponding entry.
* Select the option ''Application permissions''.
* Enable the ''full_access_as_app'' permission in the ''Select permissions'' section.
* '''New in 25.3''': Also enable the permission ''SMTP.SendAsApp'' in the ''SMTP'' section.
* Click on ''Add permissions''.
* The permissions are updated and the ''full_access_as_app'' and ''SMTP.SendAsApp'' permissions appear in the API permissions list under ''Exchange''.
* Now click on the ''Grant admin consent for <your tenant name>'' button in the ''Configured permissions'' section.
* Acknowledge the following notice with ''Yes''.
* The status of all granted permissions is updated to ''Granted for <your tenant name>''.
The configuration of MailStore Server's connection to Microsoft 365 within Microsoft Entra ID is now complete. You can sign out of your Microsoft Entra ID tenant and close the browser window. Switch to the ''Directory Services'' page in the MailStore Client again, all remaining configuration steps must be done there.

[[File:Microsoft 365 sync 03.png|center]]

=== User Database Synchronization ===
After configuring the connection settings as described above, you can specify filter criteria for the Microsoft 365 synchronization in this section.
*'''Synchronize licensed Microsoft Exchange Online users only''' Only Microsoft 365 user accounts with a Microsoft Exchange Online license assigned to them will be taken into account by the synchronization.
*'''Synchronize enabled users only''' Only Microsoft 365 user accounts that do not have their login to Microsoft 365 blocked will be taken into account by the synchronization.
*'''Sync only these groups''' Choose one or several Microsoft 365 security groups if you only want their members to be created as MailStore Server users. That way it's possible to exclude certain users from being synchronized to MailStore Server.
*'''Also synchronize all Microsoft 365 Groups as MailStore users''' All [https://learn.microsoft.com/en-us/microsoftteams/office-365-groups Microsoft 365 Groups] with a configured email addresses will be synchronized as MailStore users. Since Microsoft 365 Group mailboxes cannot be accessed directly, those have to be excluded when [[Archiving_Emails_from_Microsoft_Exchange_SE#Archiving_Multiple_Exchange_Mailboxes_Centrally|archiving multiple Exchange mailboxes centrally]]. When [[Archiving_Emails_from_Microsoft_Exchange_SE#Archiving_Incoming_and_Outgoing_Emails_Directly|archiving incoming and outgoing emails directly]], emails sent from and to these Groups will archived.

{{Directory Services Options|Microsoft 365 tenant}}
{{Directory Services Assign Default Privileges|Microsoft 365}}
{{Directory Services Run Synchronization|Microsoft 365 tenant}}
[[File:Office365_sync_02.png|450px|center]]

{{Directory Services Test Authentication}}

== Updating credentials ==
The certificate generated by MailStore for logging into Microsoft Entra ID is valid for 3750 days (825 days before version 25.3). In order for user synchronization and archiving to work afterwards, the certificate must be updated before its validity expires.

MailStore Server will show a notification on the dashboard in MailStore Client and in the [[Jobs#Templates|status report]] 28 days before credentials expire. You can also use the [[Administration_API_-_Function_Reference#GetCredentials|GetCredentials API command]] to retrieve the expiration date.

To update the credentials, proceed as follows:

=== Updating credentials in MailStore Server ===

* Log on to MailStore Client as a MailStore Server administrator.
* Click on ''Administrative Tools'' > ''Users and Archives'' > ''Directory Services''.
* In the ''Integration section'', make sure that the directory service type is set to ''Microsoft 365 (Modern Authentication)'' or ''Microsoft 365 operated by 21 Vianet (Modern Authentication)''.
[[File:Microsoft 365 sync 01.png|center|347px]]
* In the ''Connection'' section, click on the button (…) next to the ''Credentials'' drop-down list.
* In the ''Credential Manager'' that appears, click on the currently used credential object and click ''Edit…''
: [[File:Microsoft 365 cred 02.png|center|347px]]
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Create Certificate...''.
* Confirm the process.
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Download Certificate''. Save the certificate on your hard drive.
* Confirm your changes by clicking ''OK''.
* Leave the ''Credential Manager'' by clicking ''Apply''.
* The newly created credentials are selected in the corresponding drop-down list by default.
* If you are using Microsoft 365 in hybrid mode and synchronizing users from your Active Directory, set the directory service back to ''Active Directory''.

=== Updating credentials in Microsoft Entra ID ===

* Sign in to the [https://portal.azure.com Microsoft Entra ID Portal] as a Global Administrator for your Microsoft 365 tenant. The Microsoft Entra ID Portal of ''Office 365, operated by 21Vianet'' [https://portal.azure.cn/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview can be accessed here].
* In the navigation menu (☰), select the option ''Microsoft Entra ID''.
* On the next page, select ''App registrations'' in the ''Manage'' section of the left navigation menu.
* Select the application that is currently used by MailStore.
* Select ''Certificates & secrets'' in the ''Manage'' section of the left navigation menu.
* Click on ''Upload certificate'' in the ''Certificates'' section. Select the certificate file that you have saved previously and upload it to Microsoft Entra ID by clicking ''Add''.
* If uploading has been successful, the certificate's thumbprint as well as its start and expiry dates appear in the certificates list. You can compare the thumbprint and expiry date with those listed in the MailStore Credential Manager to check that you've uploaded the correct certificate.
* The previously used certificate can be removed from the list.

[[de:Synchronisieren_von_Benutzerkonten_mit_Microsoft_365_(Modern_Authentication)]]
[[en:Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)]]

Archiving Emails from Microsoft Exchange

2026-03-19T12:40:08Z

Ltalaschus:

<noinclude>
Please select your version of Microsoft Exchange Server.
</noinclude>
{{Hosted_Exchange_Versions}}* [[Archiving_Emails_from_Microsoft_Exchange_2019|Microsoft Exchange 2019 (Legacy System)]]
* [[Archiving_Emails_from_Microsoft_Exchange_2016|Microsoft Exchange 2016 (Legacy System)]]
* [[Archiving_Emails_from_Microsoft_Exchange_2013|Microsoft Exchange 2013 (Legacy System)]]
* [[Archiving_Emails_from_Microsoft_Exchange_2010|Microsoft Exchange 2010 (Legacy System)]]
* [[Archiving_Emails_from_Microsoft_Exchange_2007|Microsoft Exchange 2007 (Legacy System)]]
<noinclude>
[[de:E-Mail-Archivierung von Microsoft Exchange]]
[[en:Archiving_Emails_from_Microsoft_Exchange]]
</noinclude>

Storage Locations

2026-03-18T10:34:35Z

Ltalaschus: /* Creating an External Archive Store */

A MailStore archive physically (i.e. on the storage) consists of individual archive stores, each with its own database, search indexes and data containers. To MailStore users these archive stores are fully transparent; they have access to all archived emails in all active archive stores and thus get a logical view on the archive according to their respective privileges.

Under ''Administrative Tools > Storage > Storage Locations'' you can configure the parameters of the archive stores' auto-create, manually create new archive stores and manage the archive's existing archive stores. You can also view the location of the master database here.

== Changing the Storage Location of the Master Database ==
The storage location of the master database can only be viewed here. In case the MailStore Client is started on the MailStore Server machine, clicking on ''Change...'' closes the MailStore Client and starts the [[MailStore Server Service Configuration]].

== Archive Store Basics ==
In MailStore, there are two types of archive stores: ''Internal Archive Stores'' and ''External Archive Stores''.

Internal archive stores are stored entirely in configurable file system directories and can be created, managed and backed up automatically by MailStore. For most environments using internal archive stores is recommended.

External archive stores offer storage in SQL databases, but have several limitations. Information about external archive stores is available in chapter [[Using External Archive Stores]].

Both internal and external archive stores always consist of the following three components:
{{Archive Stores Structure}}
MailStore archive stores as a whole as well as their individual components can be put on different physical storage locations, including network based storages. For additional information, please refer to the article [[Using Network Attached Storage (NAS)]].

'''Important notice: '''When choosing the physical storage system, please attend to the [[System Requirements]].

== Creating Archive Stores ==
In MailStore Server, internal archive stores are created automatically and additionally can be created manually. External archive stores can only be created manually.

=== Creating Internal Archive Stores Automatically ===
From time to time, MailStore Server automatically creates a new internal archive store for optimal system performance and stability. The maximum size and amount of emails are determined by MailStore Server internally.

If needed, you can limit the size that an archive store can reach at most before a new one is created to align with your backup routine. You can also configure the storage location where new archive stores will be created automatically.

'''Important notice: '''The maximum size should not be configured manually without good reason, so that MailStore Server can determine the optimal time automatically for creating a new archive store.

To change these settings, please proceed as follows:

* Below the list of archive stores, click on the ''Create automatically...'' button.
* [[File:tech_storageauto_01.png|right|350px]]The ''Auto-Create Archive Stores'' dialog opens.
* Customize the settings as preferred.
* Under ''Base directory'' enter the directory below which you want MailStore Server to create the new internal archive stores. The internal archive stores that are created automatically by MailStore Server, including any subfolders, follow the naming scheme ''year-month'', e.g. ''2021-10''.
* ''Optional: ''With the option ''Use different base directories for databases, content and search indexes'' you can configure separate directories for the individual components of an archive store. For example, you can put database and search index on a fast storage to accelerate folder operations and the MailStore search while leaving the email content files on a slower storage.
* Click on ''OK''. 

=== Creating an Internal Archive Store Manually ===
To create a new internal archive store manually, please proceed as follows:

* Below the list of archive stores, click on the ''Create...'' button.
* The ''Create New Archive Store'' wizard opens.
* Select the option ''Internal Archive Store'' and click on ''Next''.
* [[File:tech_storageloc_int_01.png|right|350px]]Enter a name for the new internal archive store in the ''Name'' field, e.g. ''2021-10''.
* If you don't want MailStore to archive new emails in the new archive store, deselect the option ''Archive new messages here''.
* MailStore Server derives a base directory for the new internal archive store from the name entered and the path of the master database. By default, MailStore Server stores all components of an archive store in a folder structure that is created automatically below the base directory. You can optionally either change the proposed path manually or select an existing directory; an existing directory must not contain any files or subfolders.
* ''Optional: ''With the option ''Use different base directories for databases, content and search indexes'' you can configure separate directories for the individual components of an archive store. For example, you can put database and search index on a fast storage to accelerate folder operations and the MailStore search while leaving the email content files on a slower storage.
* Click on ''Finish'' to create the internal archive store. 

=== Creating an External Archive Store ===

{{Template:SQLDeprecation}}

Managing external archive stores is described in chapter [[Using External Archive Stores]].

== Managing Archive Stores ==
[[File:tech_storageloc_01.png|center|550px]]
=== Setting the Status ===
Right-click on an archive store and select the status from the ''Set Status'' submenu. As an alternative, you can select an archive store and set the status via the drop-down list in the details pane on the right of the archive store list. You can set the following status:

* ''Archive here'' In MailStore Server, there can only be one archive store with this status. All newly archived emails are written into this archive store. The emails are available to all MailStore users and can be located by searching and through the folder structure. Emails in this archive store can be deleted or moved according to configured user privileges and compliance settings. '''Notice: '''If a new internal archive store has been created automatically, its status is initially set to ''Archive here''. If you set an external archive store's status to ''Archive here'', the automatic creation of internal archive stores will be suspended until you set an internal archive store to this status.
* ''Normal'' Emails in archive stores with status ''Normal'' are available to all MailStore users and can be located by searching and through the folder structure. Emails in this archive store can be deleted or moved according to configured user privileges and compliance settings.
* ''Write-Protected'' Irrespective of user privileges and compliance settings, emails in write-protected archive stores can only be accessed read-only. The emails are available to all MailStore users and can be located by searching and through the folder structure. However, emails in such archive stores cannot be deleted or moved. '''Notice: '''Please note that file system write access to the directory of the archive store is still required and that this status prevents automatic processing of retention policies.
* ''Disabled'' Disabling an archive store allows you to make changes to its configuration. This may be necessary after [[Moving the Archive]], for example. While an archive store is disabled, the emails contained therein are not available to the archive. '''Notice: '''Please note that this status prevents the execution of archiving profiles.

=== Editing ===
Through the context menu item ''Edit...'' you can change the name and the directories of an archive store with status ''Disabled''.

=== Renaming ===
Through the context menu item ''Rename...'' you can change the name of an archive store irrespective of its status.

=== Detaching ===
Through the context menu item ''Detach'' you can detach an archive store from the archive, for example if all email contained therein do no longer have to be archived. The detached archive store and the emails contained therein are no longer available to the archive.

=== Attaching ===
A detached archive store can be reattached to the archive using the ''Attach...'' button. If the archive store cannot be decrypted automatically, you will be asked for the respective recovery key. For example, this could be the case for archive stores that belonged to another MailStore installation or which have been moved from another machine. You can find more information on the recovery key in section [[MailStore_Server_Service_Configuration#Security_and_Encryption|Security and Encryption]] of chapter [[MailStore Server Service Configuration]].

=== Unlocking ===
If an archive store cannot be decrypted automatically, it will be listed as ''Locked'' in the list of archive stores. Through the context menu item ''Unlock'' or by changing the status you will be asked for the respective recovery key. You can find more information on the recovery key in section [[MailStore_Server_Service_Configuration#Security_and_Encryption|Security and Encryption]] of chapter [[MailStore Server Service Configuration]].

== Maintenance of Archive Stores ==
All available maintenance commands can be accessed through the context menu of the list of archive stores. Alternatively, you can select an archive store and click on the ''Maintenance'' drop-down list in the details pane. The following commands are available:

* ''Cleanup (Compact)'' Optimizes the data structures while compacting the data.
* ''Check Data Integrity'' Verifies the data integrity between "Folder Information and Meta Data" as well as "Email Headers and Contents".
* ''Maintain All FDB Files'' Maintains the master database and all databases of internal archive stores.
* ''Recalculate all statistics'' Recalculates the statistics (number of emails per archive store) for all archive stores.

Maintenance commands can also be scheduled for automatic execution via [[Jobs]].

[[de:Speicherorte]]
[[en:Storage Locations]]

Template:Archiving Exchange Throttling

2026-01-30T10:35:48Z

Ltalaschus:

Exchange {{{1|2013}}} supports throttling since the RTM version. With throttling you can control on the Exchange side the speed and the amount of emails individual users can download from the Exchange server. {{#switch: {{{1|2013}}}|2010 = Since Exchange 2010 SP1 this feature is enabled by default.|This feature is enabled by default.}}

=== Determining the Throttling Policy Applied to the MailStore Service Account ===

You can use the following Powershell script to check which throttling policy is applied to the <includeonly>[[#Step 1: Setting up a service account for accessing mailboxes|service account that MailStore uses for archiving]]</includeonly><noinclude>service account that MailStore uses for archiving</noinclude>:
{{#switch: {{{1|2013}}}|2010 =<source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">
Param([Parameter(Mandatory=$True)][string]$serviceAccount)
$policy = $null
$policyLink = (Get-Mailbox $serviceAccount).ThrottlingPolicy
if ($policyLink -eq $null)
{
$policy = Get-ThrottlingPolicy | where-object {$_.IsDefault -eq $true}
}
else
{
$policy = $policyLink | Get-ThrottlingPolicy
}

$result = $policy | format-list -property Name, IsDefault, EWS*
$result
</source>|2013|2016|2019|SE =<source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">
Param([Parameter(Mandatory=$True)][string]$serviceAccount)
$policy = (Get-ThrottlingPolicyAssociation -Identity $serviceAccount).ThrottlingPolicyId
$policy = switch($policy) {$null {Get-ThrottlingPolicy | Where ThrottlingPolicyScope -eq 'Global'} default {$policy | Get-ThrottlingPolicy}}
$policy | format-list -property Name, ThrottlingPolicyScope, EWS*
</source>}}
To use the script, please copy the entire content into a text editor and save the script as '''policycheck.ps1''', for example on the desktop of the Exchange server.

You can now run the script from the Exchange Management Shell with the UPN (User Principal Name) of the MailStore service account (e.g. ''mailstore@example.com'') as parameter. Since, in the context of MailStore Server, only the EWS values are of any interest, the following result may be displayed:
{{#switch: {{{1|2013}}}|2010 =<source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">
[PS] C:\Users\Administrator\Desktop>.\policycheck.ps1 mailstore@example.com

Name : DefaultThrottlingPolicy_8c5771...
IsDefault : True
EWSMaxConcurrency : 100
EWSPercentTimeInAD : 50
EWSPercentTimeInCAS : 90
EWSPercentTimeInMailboxRPC : 60
EWSMaxSubscriptions : 5000
EWSFastSearchTimeoutInSeconds : 60
EWSFindCountLimit : 1000
</source>
In this case, no separate policy exists for the MailStore service account. The value 'True' of the property <tt>IsDefault</tt> indicates that the default throttling policy of the system applies to the MailStore service account ''mailstore@example.com'' as well. Had the value been 'False', the individual policy <tt>Name</tt> would already have been applied to the MailStore service account.
|2013|2016|2019|SE =<source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">
[PS] C:\Users\Administrator\Desktop>.\policycheck.ps1 mailstore@example.com

Name : GlobalThrottlingPolicy_b4ef32cb-3677-44fd-be1a-ad784931f16f
ThrottlingPolicyScope : Global
EwsMaxConcurrency : 27
EwsMaxBurst : 300000
EwsRechargeRate : 900000
EwsCutoffBalance : 3000000
EwsMaxSubscriptions : 5000
</source>
In this case, no separate policy exists for the MailStore service account. The value 'Global' of the property <tt>ThrottlingPolicyScope</tt> indicates that the global throttling policy of the system applies to the MailStore service account ''mailstore@example.com'' as well. Had the value been 'Regular', the individual policy <tt>Name</tt> would already have been applied to the MailStore service account.}}

=== Creating and Assigning an Individual Throttling Policy ===
Because MailStore regularly establishes many connections to the Exchange server and may have to download large amounts of emails through its service account, the account should be exempt from the restrictions of the global throttling policy. You can achieve this by creating a dedicated throttling policy for the MailStore service account:
{{#switch: {{{1|2013}}}|2010 =<source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">
New-ThrottlingPolicy MailStoreServerPolicy
Get-ThrottlingPolicy MailStoreServerPolicy | Set-ThrottlingPolicy -EWSFindCountLimit 2500 -EWSPercentTimeInAD 70 -EWSPercentTimeInCAS 120 -EWSPercentTimeInMailboxRPC 80
Set-Mailbox 'mailstore@example.com' -ThrottlingPolicy MailStoreServerPolicy
</source>
In line 1, a new throttling policy with the desired values is created, in line 2, this individual throttling policy is assigned to the MailStore service account.
The result can be checked again with the script listed above:
<source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">
[PS] C:\Users\Administrator\Desktop>.\policycheck.ps1 mailstore@example.com

Name : MailStoreServerPolicy
IsDefault : False
EWSMaxConcurrency : 100
EWSPercentTimeInAD : 70
EWSPercentTimeInCAS : 120
EWSPercentTimeInMailboxRPC : 80
EWSMaxSubscriptions : 5000
EWSFastSearchTimeoutInSeconds : 60
EWSFindCountLimit : 2500
</source>
'''Important:''' Please note that a mailbox must be set up for the MailStore service account in order to be able to assign a dedicated throttling policy to it.
|2013|2016|2019|SE =<source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">
New-ThrottlingPolicy MailStoreServerPolicy -EWSMaxConcurrency Unlimited -EWSMaxSubscriptions Unlimited -EwsCutoffBalance Unlimited -EwsMaxBurst Unlimited -EwsRechargeRate Unlimited -IsServiceAccount -ThrottlingPolicyScope Regular

Set-ThrottlingPolicyAssociation -Identity 'mailstore@example.com' -ThrottlingPolicy MailStoreServerPolicy
</source>
In line 1, a new throttling policy with the desired values is created, in line 2, this individual throttling policy is assigned to the MailStore service account.
The result can be checked again with the script listed above:
<source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">
[PS] C:\Users\Administrator\Desktop>.\policycheck.ps1 mailstore@example.com

Name : MailStoreServerPolicy
ThrottlingPolicyScope : Regular
EwsMaxConcurrency : Unlimited
EwsMaxBurst : Unlimited
EwsRechargeRate : Unlimited
EwsCutoffBalance : Unlimited
EwsMaxSubscriptions : Unlimited
</source>}}
=== Removing and Deleting an Individual Throttling Policy ===
To delete an individual throttling policy from a mailbox or user account, execute the following command in the Exchange Management Shell:
{{#switch: {{{1|2013}}}|2010 =<source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">
Set-Mailbox 'mailstore@example.com' -ThrottlingPolicy $null
</source>
|2013|2016|2019|SE =<source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">
Set-ThrottlingPolicyAssociation -Identity 'mailstore@example.com' -ThrottlingPolicy $null
</source>}}
This removes the assignment of a throttling policy. To delete the throttling policy from the Exchange system, execute the following command in the Exchange Management Shell:
{{#switch: {{{1|2013}}}|2010 =<source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">
Remove-ThrottlingPolicy MailStoreServerPolicy
</source>
|2013|2016|2019|SE =<source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">
Remove-ThrottlingPolicy MailStoreServerPolicy
</source>}}
Confirm this by entering "Y". The policy is now deleted from the system.
<noinclude>
[[de:Vorlage:Archivierung Exchange Throttling]]
[[en:Template:Archiving Exchange Throttling]]
</noinclude>

Exporting Email

2026-01-29T12:42:58Z

Ltalaschus: /* Working with Exporting Profiles */

MailStore Server provides several options to export archived emails. Emails can be exported directly into server mailboxes or to the file system as individual email files (EML or MSG format), for example.

'''Please note:''' Backup strategies (a backup of the entire archive) are discussed separately in the article [[Backup and Restore]].

== Available Export Destinations ==

=== Email Server ===
*'''Microsoft 365 Mailbox''' - A folder named ''MailStore Export'' is created in the Microsoft 365 mailbox into which emails are copied. If the option ''Retain folder structure'' is checked, the archive's folder hierarchy will be created in the destination, otherwise all email will be stored in the same folder.
*'''Exchange Mailbox''' - A folder named ''MailStore Export'' is created in the Exchange mailbox into which emails are copied. If the option ''Retain folder structure'' is checked, the archive's folder hierarchy will be created in the destination, otherwise all email will be stored in the same folder.
*'''Google Workspace''' - A folder named ''MailStore Export'' is created in a Google Workspace mailbox into which emails are copied.
*'''Gmail''' - A folder named ''MailStore Export'' is created in a Gmail mailbox into which emails are copied.
*'''IMAP mailbox''' - A folder named ''MailStore Export'' is created in an IMAP mailbox into which emails are copied. If the option ''Retain folder structure'' is checked, the archive's folder hierarchy will be created in the destination, otherwise all email will be stored in the same folder.

=== Email Clients ===
* '''Microsoft Outlook''' - A folder named ''MailStore Export'' is created in Microsoft Outlook into which emails are copied. If the option ''Retain folder structure'' is checked, the archive's folder hierarchy will be created in the destination, otherwise all email will be stored in the same folder.
* '''Mozilla Thunderbird''' - A folder named ''MailStore Export'' is created in Mozilla Thunderbird into which emails are copied. If the option ''Retain folder structure'' is checked, the archive's folder hierarchy will be created in the destination, otherwise all email will be stored in the same folder.
* '''Mozilla SeaMonkey''' - A folder named ''MailStore Export'' is created in Mozilla SeaMonkey into which emails are copied. If the option ''Retain folder structure'' is checked, the archive's folder hierarchy will be created in the destination, otherwise all email will be stored in the same folder.

=== Email Files ===
*'''Directory (File System)''' - Either EML or MSG files are created (one per email). When enabling the option ''Update existing export'' only not already existing email files will be written into the target folders, or else all email files will be written again. The option ''Sign Export'' allows to ensure integrity of the exported data outside of the archive. Refer to [[Verifying a Signed Export]] for further details on how to verify integrity. If the option ''Retain folder structure'' is checked, the archive's folder hierarchy will be created in the destination, otherwise all email will be stored in the same folder.
* '''Outlook PST File''' - A folder named ''MailStore Export'' is created in a Microsoft Outlook PST file into which emails are copied. If the option ''Retain folder structure'' is checked, the archive's folder hierarchy will be created in the destination, otherwise all email will be stored in the same folder.

'''Please note:''' EML files can be opened independently from MailStore Server by double-clicking and moving to applications such as Mozilla Thunderbird via drag & drop. Outlook MSG files can be opened or archived directly with all versions of Microsoft Outlook.

== Starting an Export ==
Depending on the user's permissions, MailStore Server allows exporting multiple emails in one step. Exporting or opening individual emails is possible at all time. In case an admin user wants to export emails of other users, [[Compliance_General#Archive_Access|Archive Access]] has to be unblocked.

=== Using the folder tree ===
Right-click on an element in the folder tree (user archive, folder or saved search), then select ''Export to...'' from the context menu and select the export destination. A dialog appears in which additional settings may have to be specified.

=== Using the list of emails ===
Highlight the emails to be exported by holding down the control key (Ctrl) and clicking onto the emails. Pressing Ctrl and A selects all emails. Right-click on the highlighted emails, then select ''Export to...'' from the context menu and select the export destination. A dialog appears in which additional settings may have to be specified.

=== Using the page "Export Email" ===
On this page, exporting tasks can be created and executed as export profiles (just like archiving profiles). Export profiles hold information about which emails will be exported to which destination. Each profile (i.e. the exporting task) can be executed manually or regularly according to a schedule. To learn more, please read on in the next section.

== Working with Exporting Profiles ==
In MailStore Server, every exporting task is stored as an exporting profile. The exporting process is started by executing such a profile.

Such an exporting profile could contain the following information:

* WHAT: Archive of alexis.page@example.com
* TO: Exchange Server exchange.example.com

Like archiving profiles, existing export profiles can be executed, modified, deleted or even executed automatically. Further details can be found in the chapters [[Email_Archiving_with_MailStore_Basics#Working_with_Archiving_Profiles|Working with Archiving Profiles]] and [[Email_Archiving_with_MailStore_Basics#Automating_the_Archiving_Process|Automating the Archiving Process]]

'''Important notice:''' Be aware that an export does not verify if the messages already exist in the destination. Therefore, duplicates are created in the selected destination when re-executing an export profile multiple times. Thus it is not recommended to automate the execution of export profiles. Only exception is the ''Directory (File System)'' export profile, where MailStore Server is able to do a comparison based on the file names.

=== Creating an Export Profile ===
To create a new export profile, please proceed as follows:

* Start MailStore Client on the computer which is to execute the export. Log on as administrator if the emails of other users are to be exported as well. Only a MailStore Server administrator is allowed to export the emails of others.
* Click on ''Export Email''.

[[File:accs_export_01.png|center|450px]]

* From the lists in the upper ''Create Profile'' area, select the destination to which emails are to be exported.
* A wizard opens to assist in specifying the export settings.
* At the first step, specify which folder is to be exported (subfolders are always included). Depending on the export destination, the file format to be used (e.g. EML , MSG or PST) can be selected as well. Click on ''Next''. '''Please note:''' Below the list of folders, a saved search can also be selected. MailStore runs the search before executing the actual export procedure; all emails returned by the search will be exported.
* At the second step, specify the exact target location to which emails are to be exported. For example, if ''Exchange Mailbox'' was selected as export destination earlier, the access data for the target mailbox can be specified and verified by clicking on ''Test''. Then click on ''Next''.
* Depending on the export destination specified, additional settings can be selected at the next step. For example, if ''IMAP mailbox'' was selected as the destination, a timeout value can be set, if needed.
* At the last step, a name for the export profile can be specified. After clicking on ''Finish'', the profile will be listed under ''Saved Profiles'' and can be run immediately, if desired.

[[de:E-Mails_exportieren]]
[[en:Exporting Email]]

Synchronizing User Accounts with Microsoft 365 - Modern Authentication

2026-01-27T10:54:59Z

Ltalaschus: /* Configuring App Authentication in Microsoft Entra ID */

{{Directory Services Preamble|Microsoft 365 tenant|Microsoft 365||}}
== Prerequisites, Recommendations and Limitations ==
* For best user experience, the certificate used by MailStore Server should be trusted by all clients and the used web browsers. Using a certificate that is signed by a trusted certificate authority or [[Using_Lets_Encrypt_Certificates|using Let's Encrypt certificates]] is highly recommended.
* If you have archived emails from an Exchange server and synchronized users from an Active Directory until now, follow the article [[Changing Archiving from Microsoft Exchange Server to Microsoft 365]]
* If users are supposed to log in to MailStore Server from outside the organization's network without a VPN using [[Accessing_the_Archive_with_the_MailStore_Client_software|MailStore Client]], [[Accessing_the_Archive_with_the_Microsoft_Outlook_integration|MailStore Outlook Add-in]] or the [[Accessing_the_Archive_with_MailStore_Web_Access|Web Access]], the URIs mentioned in this article must be resolvable via DNS on the Internet and port-forwardings to the MailStore Server computer must be set up on the firewall or router if necessary.
* When using Microsoft 365 to authenticate users at login, [[Accessing_the_Archive_via_Integrated_IMAP_Server|accessing the archive via IMAP]] is not possible for technical reasons.
* MailStore Server supports the synchronization of user accounts with the global Microsoft Cloud ''Microsoft 365'' and ''Office 365, operated by 21Vianet''. Other Environments like GCC, GCC High or DoD are not supported. In the following article, only the term Microsoft 365 is used for the sake of simplicity.

== Connecting MailStore Server and Microsoft 365 ==
In order to synchronize user information from Microsoft 365, MailStore Server has to be connected to your Microsoft 365 tenant and been granted the required permissions. Microsoft 365 relies on Microsoft Entra ID as directory service. Each Microsoft 365 tenant corresponds to an Microsoft Entra ID tenant that stores its user information.

=== Registering of MailStore Server as App in Microsoft Entra ID ===
Through registration, MailStore Server gets an identity in Microsoft Entra ID that makes it possible to authenticate to the tenant's services and use their resources.
* Sign in to the [https://portal.azure.com Microsoft Entra ID Portal] as a Global Administrator for your Microsoft 365 tenant. The Microsoft Entra ID Portal of ''Office 365, operated by 21Vianet'' [https://portal.azure.cn/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview can be accessed here].
* In the navigation menu (☰), select the option ''Microsoft Entra ID''.
* On the next page, select ''App registrations'' in the ''Manage'' section of the left navigation menu.
* Select ''New Registration''. The ''Register an application'' page appears.
* In the ''Name'' field, enter a meaningful display name, e.g. ''MailStore Server''. This name will be shown to users on logon later on, for example.
* Leave all other settings on this page to their defaults.
* Click on ''Register''. If the registration has been successful, you are shown the overview page of the newly registered app.
The ''Application (client) ID'' shown on this page identifies MailStore Server in your Microsoft Entra ID tenant and has to be copied into MailStore Server next, together with the ''Directory (tenant) ID''. Therefore, for the following steps, leave the overview page open in your web browser.

=== Creating Credentials in MailStore Server ===
Credentials for Microsoft 365 consist of the aforementioned IDs and a secret that MailStore Server uses to proof its identity to Microsoft Entra ID. Microsoft recommends using certificates as secrets to identify apps in Microsoft Entra ID. When creating credentials, such a certificate is generated automatically by MailStore Server but can also be recreated later on.
{{Directory Services Accessing Configuration|Microsoft 365 or Microsoft 365 operated by 21 Vianet|Microsoft 365 sync 01.png}}
* In the ''Connection'' section, click on the button (…) next to the ''Credentials'' drop-down list.
* In the ''Credential Manager'' that appears, click on ''Create…''
* In the ''Microsoft Entra ID App Credentials'' dialog, enter the following information in the ''Settings'' section:
** '''Name''' A meaningful display name for the credentials, e.g. the name of your Microsoft 365 tenant.
** '''Application (client) ID''' The value of the corresponding field that you can copy from the Microsoft Entra ID app overview page in your web browser.
** '''Directory (tenant) ID''' The value of the corresponding field that you can copy from the Microsoft Entra ID app overview page in your web browser.
[[File:Microsoft 365 cred 01.png|center|347px]]
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Download Certificate''. Save the certificate on your hard drive.
* Confirm your entries by clicking ''OK''.
* The newly created credentials are listed in the ''Credential Manager'' under the name you have entered with the type ''Microsoft 365''. Here you can also edit or delete existing credentials if necessary.
* Leave the ''Credential Manager'' by clicking ''Close''.
* The newly created credentials are selected in the corresponding drop-down list by default.

=== Publishing Credentials in Microsoft Entra ID ===
For Microsoft Entra ID to validate the identity of MailStore Server, the created certificate needs to be published in Microsoft Entra ID.
* Switch to the Microsoft Entra ID app overview page in your web browser.
* Select ''Certificates & secrets'' in the ''Manage'' section of the left navigation menu.
* Click on ''Upload certificate'' in the ''Certificates'' section. Select the certificate file that you have saved previously and upload it to Microsoft Entra ID by clicking ''Add''.
* If uploading has been successful, the certificate's thumbprint as well as its start and expiry dates appear in the certificates list. You can compare the thumbprint and expiry date with those listed in the MailStore Credential Manager to check that you've uploaded the correct certificate.

=== Configuring App Authentication in Microsoft Entra ID ===
For Microsoft Entra ID to return the result of a user's authentication request to MailStore Server, the endpoint where MailStore Server expects authentication responses, the so-called ''Redirect URI'', has to be conveyed to Microsoft Entra ID.
* In the Microsoft Entra ID Portal in the web browser, select ''Authentication'' in the ''Manage'' section of the left navigation menu.
* Click on the ''Add Redirect URI'' button on the ''Redirect URI configuration'' page.
* Select ''Web'' in the ''Web applications'' section of the platform selection page.
* In the field ''Redirect URI'', enter a URI in the format (without brackets)
*: <code>https://<fqdn>[:<port>]/oidc/signin</code>
*; with the following components<nowiki>:</nowiki>
*: '''https://''' Specifying the <code>https://</code> protocol is obligatory. To avoid certificate warnings during user logon, the web browsers on the client machines must trust the [[MailStore_Server_Service_Configuration#Certificate|certificate used by MailStore Server]].
*: '''FQDN''' The Fully Qualified Domain Name (FQDN) of your MailStore Server that consists of the machine name and the DNS domain, e.g. <code>mailstore.example.com</code>. This name must be resolvable by all clients from which users shall be able to log on to MailStore Server.
*: '''Port''' The TCP port of the MailStore Web Access (<code>8462</code> by default). This value must be equal to the port configured in the section ''Base Configuration > Network Settings > MailStore Web Access / Outlook Add-in (HTTPS)'' of the [[MailStore_Server_Service_Configuration#Services|MailStore Server Service Configuration]]. The TCP port has to be specified only if it is different from the default port of the HTTPS protocol (<code>443</code>).
*: '''/oidc/signin''' The endpoint where MailStore Server expects the authentication responses of Microsoft Entra ID. This path has to be specified exactly as stated here at the end of the redirect URI.
* Click on ''Configure'' to add your Redirect URI.
* In the '''Authentication''' section switch to the '''Settings''' panel. Then, in the '''Implicit grant and hybrid flows''' section perform the following action:
:'''Enable''' the '''ID tokens''' option.
[[File:Microsoft_365_sync_id_token.png|center]]
* Ensure that the '''ID tokens''' option is set in the '''Implicit grant and hybrid flows''' section.
* Click on ''Save'' to finish the configuration of the app authentication in Microsoft Entra ID.
<div class="resp-table">
{| class="wikitable" style="font-size: 85%;"
|+ Examples for valid redirect URIs
|-
! style="width:80px;" | Product
! style="width:80px;" | FQDN
! style="width:40px;" | Port
! Resulting Redirect URI
|-
| align="center"| MailStore Server
| align="center"| mailstore.example.com
| align="center"| 8462
| <code><nowiki>https://mailstore.example.com:8462/oidc/signin</nowiki></code> Redirect URI with Fully Qualified Domain Name and MailStore Web Access default port
|-
| align="center"| MailStore Server
| align="center"| mailstore.example.com
| align="center"| 443
| <code><nowiki>https://mailstore.example.com/oidc/signin</nowiki></code> The port can be ommited if the HTTPS default port 443 has been configured for MailStore Web Access or as source port of a port-forwarding on the firewall or router.
|-
| align="center"| MailStore SPE
| align="center"| archive.example.com
| align="center"| 443
| <code><nowiki>https://archive.example.com/<instanceid>/oidc/signin</nowiki></code> The ''instanceid'' of the instance is part of the Redirect URI.
|-
|}
</div>
:: '''Important Notice:''' Please note that the redirect URI is case-sensitive. Also review the requirements on resolving URIs in the [[#Prerequisites, Recommendations and Limitations|Prerequisites, Recommendations and Limitations]] section.

:: '''Important Notice:''' Please note that without setting the ''ID Token'' option, user authentication will not work.

=== Configuring the Redirect URI in MailStore Server ===
For MailStore Server to convey the redirect URI to requesting clients, it must be configured there, too.
* Switch to the ''Directory Services'' page in the MailStore Client.
* Enter the redirect URI in the corresponding field in the ''Authentication'' section. Just copy the value previously configured in Microsoft Entra ID from the web browser.
[[File:Microsoft 365 sync 02.png|center|450px]]

=== Configuring API Permissions in Microsoft Entra ID ===
* Switch again to Microsoft Entra ID in your web browser.
* Select ''API permissions'' in the ''Manage'' section of the left navigation menu.
* Click on the ''Add a permission'' button in the ''Configured permissions'' section.
* On the ''Request API permissions'' menu page, select the API ''Microsoft Graph'' in the ''Commonly used Microsoft APIs'' section.
* Select the option ''Application permissions''.
* Enable the ''Directory > Directory.Read.All'' permission in the ''Select permissions'' section.
* '''New in 26.1''': Also enable the ''Mail > Mail.ReadWrite'' permission in the ''Select permissions'' section.
* Click on ''Add permissions''.
* The permissions are updated and the ''Directory.Read.All'' and ''Mail.ReadWrite'' permissions appear in the API permissions list under ''Microsoft Graph''.
* Click on the ''Add a permission'' button in the ''Configured permissions'' section again.
* On the ''Request API permissions'' menu page, select ''APIs my organization uses''.
* Search for ''Office 365 Exchange Online'' and click on the corresponding entry.
* Select the option ''Application permissions''.
* Enable the ''full_access_as_app'' permission in the ''Select permissions'' section.
* '''New in 25.3''': Also enable the permission ''SMTP.SendAsApp'' in the ''SMTP'' section.
* Click on ''Add permissions''.
* The permissions are updated and the ''full_access_as_app'' and ''SMTP.SendAsApp'' permissions appear in the API permissions list under ''Exchange''.
* Now click on the ''Grant admin consent for <your tenant name>'' button in the ''Configured permissions'' section.
* Acknowledge the following notice with ''Yes''.
* The status of all granted permissions is updated to ''Granted for <your tenant name>''.
The configuration of MailStore Server's connection to Microsoft 365 within Microsoft Entra ID is now complete. You can sign out of your Microsoft Entra ID tenant and close the browser window. Switch to the ''Directory Services'' page in the MailStore Client again, all remaining configuration steps must be done there.

[[File:Microsoft 365 sync 03.png|center]]

=== User Database Synchronization ===
After configuring the connection settings as described above, you can specify filter criteria for the Microsoft 365 synchronization in this section.
*'''Synchronize licensed Microsoft Exchange Online users only''' Only Microsoft 365 user accounts with a Microsoft Exchange Online license assigned to them will be taken into account by the synchronization.
*'''Synchronize enabled users only''' Only Microsoft 365 user accounts that do not have their login to Microsoft 365 blocked will be taken into account by the synchronization.
*'''Sync only these groups''' Choose one or several Microsoft 365 security groups if you only want their members to be created as MailStore Server users. That way it's possible to exclude certain users from being synchronized to MailStore Server.

{{Directory Services Options|Microsoft 365 tenant}}
{{Directory Services Assign Default Privileges|Microsoft 365}}
{{Directory Services Run Synchronization|Microsoft 365 tenant}}
[[File:Office365_sync_02.png|450px|center]]

{{Directory Services Test Authentication}}

== Updating credentials ==
The certificate generated by MailStore for logging into Microsoft Entra ID is valid for 3750 days (825 days before version 25.3). In order for user synchronization and archiving to work afterwards, the certificate must be updated before its validity expires.

MailStore Server will show a notification on the dashboard in MailStore Client and in the [[Jobs#Templates|status report]] 28 days before credentials expire. You can also use the [[Administration_API_-_Function_Reference#GetCredentials|GetCredentials API command]] to retrieve the expiration date.

To update the credentials, proceed as follows:

=== Updating credentials in MailStore Server ===

* Log on to MailStore Client as a MailStore Server administrator.
* Click on ''Administrative Tools'' > ''Users and Archives'' > ''Directory Services''.
* In the ''Integration section'', make sure that the directory service type is set to ''Microsoft 365 (Modern Authentication)'' or ''Microsoft 365 operated by 21 Vianet (Modern Authentication)''.
[[File:Microsoft 365 sync 01.png|center|347px]]
* In the ''Connection'' section, click on the button (…) next to the ''Credentials'' drop-down list.
* In the ''Credential Manager'' that appears, click on the currently used credential object and click ''Edit…''
: [[File:Microsoft 365 cred 02.png|center|347px]]
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Create Certificate...''.
* Confirm the process.
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Download Certificate''. Save the certificate on your hard drive.
* Confirm your changes by clicking ''OK''.
* Leave the ''Credential Manager'' by clicking ''Apply''.
* The newly created credentials are selected in the corresponding drop-down list by default.
* If you are using Microsoft 365 in hybrid mode and synchronizing users from your Active Directory, set the directory service back to ''Active Directory''.

=== Updating credentials in Microsoft Entra ID ===

* Sign in to the [https://portal.azure.com Microsoft Entra ID Portal] as a Global Administrator for your Microsoft 365 tenant. The Microsoft Entra ID Portal of ''Office 365, operated by 21Vianet'' [https://portal.azure.cn/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview can be accessed here].
* In the navigation menu (☰), select the option ''Microsoft Entra ID''.
* On the next page, select ''App registrations'' in the ''Manage'' section of the left navigation menu.
* Select the application that is currently used by MailStore.
* Select ''Certificates & secrets'' in the ''Manage'' section of the left navigation menu.
* Click on ''Upload certificate'' in the ''Certificates'' section. Select the certificate file that you have saved previously and upload it to Microsoft Entra ID by clicking ''Add''.
* If uploading has been successful, the certificate's thumbprint as well as its start and expiry dates appear in the certificates list. You can compare the thumbprint and expiry date with those listed in the MailStore Credential Manager to check that you've uploaded the correct certificate.
* The previously used certificate can be removed from the list.

[[de:Synchronisieren_von_Benutzerkonten_mit_Microsoft_365_(Modern_Authentication)]]
[[en:Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)]]

Archiving Emails from Microsoft 365 - Modern Authentication

2026-01-26T16:25:06Z

Ltalaschus: /* Archiving Multiple Microsoft 365 Archive Mailboxes Centrally */

{{Implementation Guide Preamble|Exchange Online / Microsoft 365|| }}
 
{{Multiline Notices|Heading=Important Notices|If you have archived emails from an Exchange server and synchronized users from an Active Directory until now, follow the article [[Changing Archiving from Microsoft Exchange Server to Microsoft 365]].|MailStore Server supports archiving emails from the global Microsoft Cloud ''Microsoft 365'' and ''Office 365, operated by 21Vianet''. Other Environments like GCC, GCC High or DoD are not supported.|For better readability, the terms ''Microsoft 365'' and ''Exchange Online'' are used interchangeably hereinafter instead of ''Exchange Online / Microsoft 365''.}}

== App Registration & User Synchronization ==
Before archiving Microsoft 365 mailboxes, registering MailStore Server in your Microsoft 365 tenant is required. It is also highly recommended to synchronize users in MailStore Server directly with that tenant to fetch all information that is relevant for archiving such as email addresses. The registration and synchronization procedures are described in the chapter [[Synchronizing User Accounts with Microsoft 365 (Modern Authentication)]] of the MailStore Server manual.

'''Please note:''' MailStore Server runs as a [[MailStore Server Service Configuration|Windows service]] and thus must use ''Application Permissions'' to access user mailboxes in Microsoft 365. By design, on the Microsoft identity platform, which is at the heart of Microsoft 365 authentication and authorization, this permission scope encloses the full level of privileges implied by a permission. As a consequence, once registered as described above, MailStore Server has access to all mailboxes in your Microsoft 365 tenant. Therefore, with regard to security, access to the Microsoft 365 archiving profiles in MailStore Server is limited to MailStore Server administrators.

=== Including Microsoft 365 Shared Mailboxes ===
In Microsoft 365, shared mailboxes are special mailboxes that multiple users have access to. Unlike a normal mailbox, a shared mailbox is not associated to a licensed Microsoft 365 user. For MailStore Server to create user entries for shared mailboxes, you must therefore deactivate the option ''Synchronize licensed Microsoft Exchange Online users only'' in the section [[Synchronizing User Accounts with Microsoft 365 (Modern Authentication)#User_Database_Synchronization|User Database Synchronization]]. 
After synchronization you can grant MailStore Server users access to the archive of the shared mailbox by [[Users,_Folders_and_Settings#Folder_Access_.28e.g._Access_to_the_Emails_of_Other_Users.29|assigning privileges]]. For archiving shared mailboxes, just proceed as for individual or multiple mailboxes as detailed below.

== Archiving Individual Microsoft 365 Mailboxes ==
{{Archiving Single Mailbox Preamble|Microsoft 365}}
For each mailbox, please proceed as follows:

* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft 365 mailbox 01.png|center|347px]]
* Select ''Single Mailbox'' and click on ''OK''.
*; [[File:Microsoft 365 mailbox 02.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* In the ''Mailbox'' field, enter the primary email address of the user whose mailbox you want to archive.
* Click on ''Test'' to verify that MailStore Server can access the mailbox.
* Click on ''Next''.
* If needed, adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]], the [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the mailbox. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections).
*; [[File:Microsoft_365_mailbox_03.png|center|347px]]
* Click on ''Next'' to continue.
* Select the archive of the user for whom the selected mailbox is to be archived. If the user does not exist yet, click on ''Create a New User…''.
*; [[File:Microsoft_365_mailbox_04.png|center|347px]]
* Click on ''Next''.
* In the last step, a name for the archiving profile can be specified. After clicking ''Finish'', the archiving profile will be listed under ''Saved Profiles'' and, if desired, can be run immediately or automatically.

More information on how to execute archiving profiles can be found under the topic [[Email Archiving with MailStore Basics]]

== Archiving Multiple Microsoft 365 Mailboxes Centrally ==
{{Archiving Multiple Mailboxes Preamble|Microsoft 365}}
Please proceed as follows:

* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft 365 mailboxes 01.png|center|347px]]
* Select ''Multiple Mailboxes'' and click ''OK''. 
*; {{Archiving_Multiple_or_Multidrop_Note|multiple mailboxes|[[#App_Registration_.26_User_Synchronization|directory synchronization]]}}
*; [[File:Microsoft 365 mailboxes 02.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* Click on ''Next'' to continue.
*; [[File:Microsoft 365 mailboxes 03.png|center|347px]]
* If needed, adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]], the [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the mailbox. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections). Please keep in mind that these settings apply to all mailboxes to be archived, as specified in the next step.
*; {{Archiving_Multiple_Mailboxes_Centrally_Options|Microsoft_365_mailboxes_04.png|Microsoft 365}}

== Archiving Incoming and Outgoing Emails Directly ==
{{Archiving Exchange Journal Mailbox Preamble|Exchange Online}}

=== Step 1: Setup and Configure MailStore Gateway ===
Please refer to the [https://help.mailstore.com/en/gateway/ MailStore Gateway Manual] for detailed instructions about:

* Installation and Setup of MailStore Gateway
* Logging on to MailStore Gateway's Management Console
* Creating MailStore Gateway mailboxes

After these steps, a mailbox with an individual email address (e.g. mbx-dead1234beef5678@gateway.example.com) should exist.

=== Step 2: Configure MailStore Server ===
{{Archiving MailStore Gateway Mailbox|''In- and Outbound E-Mail Automatically''|Microsoft 365 journal 01.png|Arch_MailStore_Gateway_Office365_02.png|''Microsoft 365''|TargetFolderHint=DontShow|POP3Hint=DontShow|DSLink=[[#App_Registration_.26_User_Synchronization|directory synchronization]]}}

=== Step 3: Creating a Journal Rule ===
The following steps describe how to set up journaling for your Microsoft 365 account.

Since you are planning to use an external mailbox (MailStore Gateway) as the recipient for Journal reports, we highly recommend to first create an external contact with this mail address in your Exchange mailbox administration to prevent any later errors or warnings about an unknown recipient in the process.

* Sign in to the [https://purview.microsoft.com/ Microsoft 365 Purview portal] as an Exchange or Global Administrator for your Microsoft 365 tenant.
* In the left navigation menu select ''Settings''.
* In the now shown ''Settings'' submenu select ''Data Lifecycle Management'' and then select ''Exchange (legacy)'' or use [https://purview.microsoft.com/settings/application-settings/datalifecyclemanagement this link].
* Enter a mailbox in the ''Send undeliverable journal reports to'' section. This mailbox receives None Delivery Reports (NDRs) for undeliverable journal reports in case the primary journal mailbox is unreachable.
** This mailbox should be a dedicated mailbox for this purpose, which cannot reside in any Microsoft 365 tenant.
** The same journal report non-delivery reports mailbox must not be used for multiple tenants.
** The receiving mail server must not alter the ''X-MS-Exchange-Message-Is-Ndr'' email header.
** For this purpose, you can set up a second gateway on another server with an additional mailbox, as described in [[Archiving_Emails_from_Microsoft_365_-_Modern_Authentication#Step_1:_Setup_and_Configure_MailStore_Gateway|Step 1]]. Alternatively you can use any external mailbox that matches the above criteria.
** MailStore is able to extract the journal reports contained in the NDRs, then archive them like normal journal reports and thus assign the emails they contain to users. You can therefore create a second archiving profile as described in [[Archiving_Emails_from_Microsoft_365_-_Modern_Authentication#Step_2:_Configure_MailStore_Server|Step 2]], which archives from the Microsoft 365 journal report non-delivery reports mailbox.
* In the leftmost navigation menu select ''Data Lifecycle Management'', then ''Exchange (legacy)'', and finally ''Journal rules'' and therefore leave the ''Settings'' section or use [https://purview.microsoft.com/datalifecyclemanagement/exchange/journalrules this link]. In case ''Data Lifecycle Management'' is not listed, click ''Solutions'' > ''Data Lifecycle Management''.
* Create a new journaling rule by clicking on ''+ (New rule)''.
*:[[File:Arch_office365_journal_01.png|center|550px]]
* Enter the email address of the previously created MailStore Gateway mailbox in the ''Send journal reports to:'' box.
* Enter a name for the journal rule, e.g. ''Journaling''.
* In the ''Journal messages sent or received from'' section, select whether the rule should apply to everyone or to specific users or groups.
* Under ''Type of message to journal'', choose whether to capture all messages, internal messages only, or external messages only.
* Click on ''Next'', then validate your settings, click ''Submit'' to activate the rule.

== Public Folders ==

'''Please note:''' Support for archiving of Public Folders for Microsoft 365 will reach its End of Life in October 2026. See [[EWS_Migration|here]] for more information.

{{Archiving Exchange Public Folders Preamble|Exchange Online|Microsoft 365}}
* Sign in to the [https://admin.exchange.microsoft.com/#/publicfolders Microsoft 365 Exchange admin center] as an Exchange or Global Administrator for your Microsoft 365 tenant.
* Navigate to ''Public folders'', in case it it not already opened.
* Click on ''Root permissions''.
*: [[File:Microsoft_365_pf_01.png|center|480px]]
* The side-panel ''Folder permissions'' opens. Click on ''+ Add permissions''.
* Use the text box beneath ''Select User'' to choose the Microsoft 365 user you want to grant permissions.
* Choose ''Custom'' as ''Permission level'' and grant ''Read items'' and ''Delete all'' permissions.
*: [[File:Microsoft_365_pf_02.png|center|480px]]
* Click on ''Save Changes''.

=== Step 3: Setting up the Archiving Process ===
* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft 365 pf 03.png|center|347px]]
* Select ''Public Folders'' and click on ''OK''. 
*; [[File:Microsoft 365 pf 04.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* In the ''Mailbox'' field, enter the primary email address of the user that has access to the public folders as described above.
* The value of the ''Target Folder'' box defines the top level folder below which the public folder hierarchy will be created in the target archive. Usually, you can leave this value to its default.
* Click on ''Test'' to verify that MailStore can access the public folders.
* Click on ''Next'' to continue.
*; [[File:Microsoft 365 pf 05.png|center|347px]]
* Adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]]. By default, all public folders that contain emails will be archived.
* If needed, adjust [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|the filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the public folders. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections).
* Click on ''Next'' to continue.
*; [[File:Microsoft 365 pf 06.png|center|347px]]
* In the next step, select the archive of the user you have prepared in step 1.
* In the last step, specify a name for the archiving profile. After clicking ''Finish'' the archiving profile will be listed under ''Saved Profiles'' and can be run immediately or automatically if desired.

== About Archiving Archive Mailboxes ==
{{Archive_Mailbox_Folder_Structure}}

== Archiving Individual Microsoft 365 Archive Mailboxes ==

'''Please note:''' Support for archiving Archive Mailboxes for Microsoft 365 will reach its End of Life in October 2026. See [[EWS_Migration|here]] for more information.

{{Archiving Single Archive Mailbox Preamble|Microsoft 365}}
For each mailbox, please proceed as follows:

* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft_365_archive_mailbox 01.png|center|347px]]
* Select ''Single Archive Mailbox'' and click on ''OK''.
*; [[File:Microsoft_365_archive_mailbox 02.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* In the ''Mailbox'' field, enter the primary email address of the user whose archive mailbox you want to archive.
* Click on ''Test'' to verify that MailStore Server can access the archive mailbox.
* Click on ''Next''.
* If needed, adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]], the [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the archive mailbox. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections).
*; [[File:Microsoft_365_archive_mailbox_03.png|center|347px]]
* Click on ''Next'' to continue.
* Select the archive of the user for whom the selected archive mailbox is to be archived. If the user does not exist yet, click on ''Create a New User…''.
*; [[File:Microsoft_365_archive_mailbox_04.png|center|347px]]
* Click on ''Next''.
* In the last step, a name for the archiving profile can be specified. After clicking ''Finish'', the archiving profile will be listed under ''Saved Profiles'' and, if desired, can be run immediately or automatically.

More information on how to execute archiving profiles can be found under the topic [[Email Archiving with MailStore Basics]]

== Archiving Multiple Microsoft 365 Archive Mailboxes Centrally ==

'''Please note:''' Support for archiving Archive Mailboxes for Microsoft 365 will reach its End of Life in October 2026. See [[EWS_Migration|here]] for more information.

{{Archiving Multiple Archive Mailboxes Preamble|Microsoft 365}}
Please proceed as follows:

* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft_365_archive_mailboxes_01.png|center|347px]]
* Select ''Multiple Archive Mailboxes'' and click ''OK''. 
*; {{Archiving_Multiple_or_Multidrop_Note|multiple archive mailboxes|[[#App_Registration_.26_User_Synchronization|directory synchronization]]}}
*; [[File:Microsoft_365_archive_mailboxes_02.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* Click on ''Next'' to continue.
*; [[File:Microsoft_365_archive_mailboxes_03.png|center|347px]]
* If needed, adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]], the [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the archive mailbox. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections). Please keep in mind that these settings apply to all mailboxes to be archived, as specified in the next step.
*; {{Archiving_Multiple_Mailboxes_Centrally_Options|Microsoft_365_archive_mailboxes_04.png|Microsoft 365}}

[[de:E-Mail-Archivierung_von_Microsoft_365_(Modern_Authentication)]]
[[en:Archiving_Emails_from_Microsoft_365_(Modern_Authentication)]]

Synchronizing User Accounts with Microsoft 365 - Modern Authentication

2026-01-21T14:22:24Z

Ltalaschus: /* Configuring API Permissions in Microsoft Entra ID */

{{Directory Services Preamble|Microsoft 365 tenant|Microsoft 365||}}
== Prerequisites, Recommendations and Limitations ==
* For best user experience, the certificate used by MailStore Server should be trusted by all clients and the used web browsers. Using a certificate that is signed by a trusted certificate authority or [[Using_Lets_Encrypt_Certificates|using Let's Encrypt certificates]] is highly recommended.
* If you have archived emails from an Exchange server and synchronized users from an Active Directory until now, follow the article [[Changing Archiving from Microsoft Exchange Server to Microsoft 365]]
* If users are supposed to log in to MailStore Server from outside the organization's network without a VPN using [[Accessing_the_Archive_with_the_MailStore_Client_software|MailStore Client]], [[Accessing_the_Archive_with_the_Microsoft_Outlook_integration|MailStore Outlook Add-in]] or the [[Accessing_the_Archive_with_MailStore_Web_Access|Web Access]], the URIs mentioned in this article must be resolvable via DNS on the Internet and port-forwardings to the MailStore Server computer must be set up on the firewall or router if necessary.
* When using Microsoft 365 to authenticate users at login, [[Accessing_the_Archive_via_Integrated_IMAP_Server|accessing the archive via IMAP]] is not possible for technical reasons.
* MailStore Server supports the synchronization of user accounts with the global Microsoft Cloud ''Microsoft 365'' and ''Office 365, operated by 21Vianet''. Other Environments like GCC, GCC High or DoD are not supported. In the following article, only the term Microsoft 365 is used for the sake of simplicity.

== Connecting MailStore Server and Microsoft 365 ==
In order to synchronize user information from Microsoft 365, MailStore Server has to be connected to your Microsoft 365 tenant and been granted the required permissions. Microsoft 365 relies on Microsoft Entra ID as directory service. Each Microsoft 365 tenant corresponds to an Microsoft Entra ID tenant that stores its user information.

=== Registering of MailStore Server as App in Microsoft Entra ID ===
Through registration, MailStore Server gets an identity in Microsoft Entra ID that makes it possible to authenticate to the tenant's services and use their resources.
* Sign in to the [https://portal.azure.com Microsoft Entra ID Portal] as a Global Administrator for your Microsoft 365 tenant. The Microsoft Entra ID Portal of ''Office 365, operated by 21Vianet'' [https://portal.azure.cn/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview can be accessed here].
* In the navigation menu (☰), select the option ''Microsoft Entra ID''.
* On the next page, select ''App registrations'' in the ''Manage'' section of the left navigation menu.
* Select ''New Registration''. The ''Register an application'' page appears.
* In the ''Name'' field, enter a meaningful display name, e.g. ''MailStore Server''. This name will be shown to users on logon later on, for example.
* Leave all other settings on this page to their defaults.
* Click on ''Register''. If the registration has been successful, you are shown the overview page of the newly registered app.
The ''Application (client) ID'' shown on this page identifies MailStore Server in your Microsoft Entra ID tenant and has to be copied into MailStore Server next, together with the ''Directory (tenant) ID''. Therefore, for the following steps, leave the overview page open in your web browser.

=== Creating Credentials in MailStore Server ===
Credentials for Microsoft 365 consist of the aforementioned IDs and a secret that MailStore Server uses to proof its identity to Microsoft Entra ID. Microsoft recommends using certificates as secrets to identify apps in Microsoft Entra ID. When creating credentials, such a certificate is generated automatically by MailStore Server but can also be recreated later on.
{{Directory Services Accessing Configuration|Microsoft 365 or Microsoft 365 operated by 21 Vianet|Microsoft 365 sync 01.png}}
* In the ''Connection'' section, click on the button (…) next to the ''Credentials'' drop-down list.
* In the ''Credential Manager'' that appears, click on ''Create…''
* In the ''Microsoft Entra ID App Credentials'' dialog, enter the following information in the ''Settings'' section:
** '''Name''' A meaningful display name for the credentials, e.g. the name of your Microsoft 365 tenant.
** '''Application (client) ID''' The value of the corresponding field that you can copy from the Microsoft Entra ID app overview page in your web browser.
** '''Directory (tenant) ID''' The value of the corresponding field that you can copy from the Microsoft Entra ID app overview page in your web browser.
[[File:Microsoft 365 cred 01.png|center|347px]]
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Download Certificate''. Save the certificate on your hard drive.
* Confirm your entries by clicking ''OK''.
* The newly created credentials are listed in the ''Credential Manager'' under the name you have entered with the type ''Microsoft 365''. Here you can also edit or delete existing credentials if necessary.
* Leave the ''Credential Manager'' by clicking ''Close''.
* The newly created credentials are selected in the corresponding drop-down list by default.

=== Publishing Credentials in Microsoft Entra ID ===
For Microsoft Entra ID to validate the identity of MailStore Server, the created certificate needs to be published in Microsoft Entra ID.
* Switch to the Microsoft Entra ID app overview page in your web browser.
* Select ''Certificates & secrets'' in the ''Manage'' section of the left navigation menu.
* Click on ''Upload certificate'' in the ''Certificates'' section. Select the certificate file that you have saved previously and upload it to Microsoft Entra ID by clicking ''Add''.
* If uploading has been successful, the certificate's thumbprint as well as its start and expiry dates appear in the certificates list. You can compare the thumbprint and expiry date with those listed in the MailStore Credential Manager to check that you've uploaded the correct certificate.

=== Configuring App Authentication in Microsoft Entra ID ===
For Microsoft Entra ID to return the result of a user's authentication request to MailStore Server, the endpoint where MailStore Server expects authentication responses, the so-called ''Redirect URI'', has to be conveyed to Microsoft Entra ID.
* In the Microsoft Entra ID Portal in the web browser, select ''Authentication'' in the ''Manage'' section of the left navigation menu.
* Click on the ''Add Redirect URI'' button on the ''Redirect URI configuration'' page.
* Select ''Web'' in the ''Web applications'' section of the platform selection page.
* In the '''Implicit grant and hybrid flows''' section perform the following action:
:'''Enable''' the '''ID tokens''' option.
[[File:Microsoft_365_sync_id_token.png|center]]
* In the field ''Redirect URI'', enter a URI in the format (without brackets)
*: <code>https://<fqdn>[:<port>]/oidc/signin</code>
*; with the following components<nowiki>:</nowiki>
*: '''https://''' Specifying the <code>https://</code> protocol is obligatory. To avoid certificate warnings during user logon, the web browsers on the client machines must trust the [[MailStore_Server_Service_Configuration#Certificate|certificate used by MailStore Server]].
*: '''FQDN''' The Fully Qualified Domain Name (FQDN) of your MailStore Server that consists of the machine name and the DNS domain, e.g. <code>mailstore.example.com</code>. This name must be resolvable by all clients from which users shall be able to log on to MailStore Server.
*: '''Port''' The TCP port of the MailStore Web Access (<code>8462</code> by default). This value must be equal to the port configured in the section ''Base Configuration > Network Settings > MailStore Web Access / Outlook Add-in (HTTPS)'' of the [[MailStore_Server_Service_Configuration#Services|MailStore Server Service Configuration]]. The TCP port has to be specified only if it is different from the default port of the HTTPS protocol (<code>443</code>).
*: '''/oidc/signin''' The endpoint where MailStore Server expects the authentication responses of Microsoft Entra ID. This path has to be specified exactly as stated here at the end of the redirect URI.
* Leave the field ''Logout URL'' blank.
* Ensure that the '''ID tokens''' option is set in the '''Implicit grant and hybrid flows''' section.
* Click on ''Configure'' to finish the configuration of the app authentication in Microsoft Entra ID.
<div class="resp-table">
{| class="wikitable" style="font-size: 85%;"
|+ Examples for valid redirect URIs
|-
! style="width:80px;" | Product
! style="width:80px;" | FQDN
! style="width:40px;" | Port
! Resulting Redirect URI
|-
| align="center"| MailStore Server
| align="center"| mailstore.example.com
| align="center"| 8462
| <code><nowiki>https://mailstore.example.com:8462/oidc/signin</nowiki></code> Redirect URI with Fully Qualified Domain Name and MailStore Web Access default port
|-
| align="center"| MailStore Server
| align="center"| mailstore.example.com
| align="center"| 443
| <code><nowiki>https://mailstore.example.com/oidc/signin</nowiki></code> The port can be ommited if the HTTPS default port 443 has been configured for MailStore Web Access or as source port of a port-forwarding on the firewall or router.
|-
| align="center"| MailStore SPE
| align="center"| archive.example.com
| align="center"| 443
| <code><nowiki>https://archive.example.com/<instanceid>/oidc/signin</nowiki></code> The ''instanceid'' of the instance is part of the Redirect URI.
|-
|}
</div>
:: '''Important Notice:''' Please note that the redirect URI is case-sensitive. Also review the requirements on resolving URIs in the [[#Prerequisites, Recommendations and Limitations|Prerequisites, Recommendations and Limitations]] section.

:: '''Important Notice:''' Please note that without setting the ''ID Token'' option, user authentication will not work.

=== Configuring the Redirect URI in MailStore Server ===
For MailStore Server to convey the redirect URI to requesting clients, it must be configured there, too.
* Switch to the ''Directory Services'' page in the MailStore Client.
* Enter the redirect URI in the corresponding field in the ''Authentication'' section. Just copy the value previously configured in Microsoft Entra ID from the web browser.
[[File:Microsoft 365 sync 02.png|center|450px]]

=== Configuring API Permissions in Microsoft Entra ID ===
* Switch again to Microsoft Entra ID in your web browser.
* Select ''API permissions'' in the ''Manage'' section of the left navigation menu.
* Click on the ''Add a permission'' button in the ''Configured permissions'' section.
* On the ''Request API permissions'' menu page, select the API ''Microsoft Graph'' in the ''Commonly used Microsoft APIs'' section.
* Select the option ''Application permissions''.
* Enable the ''Directory > Directory.Read.All'' permission in the ''Select permissions'' section.
* '''New in 26.1''': Also enable the ''Mail > Mail.ReadWrite'' permission in the ''Select permissions'' section.
* Click on ''Add permissions''.
* The permissions are updated and the ''Directory.Read.All'' and ''Mail.ReadWrite'' permissions appear in the API permissions list under ''Microsoft Graph''.
* Click on the ''Add a permission'' button in the ''Configured permissions'' section again.
* On the ''Request API permissions'' menu page, select ''APIs my organization uses''.
* Search for ''Office 365 Exchange Online'' and click on the corresponding entry.
* Select the option ''Application permissions''.
* Enable the ''full_access_as_app'' permission in the ''Select permissions'' section.
* '''New in 25.3''': Also enable the permission ''SMTP.SendAsApp'' in the ''SMTP'' section.
* Click on ''Add permissions''.
* The permissions are updated and the ''full_access_as_app'' and ''SMTP.SendAsApp'' permissions appear in the API permissions list under ''Exchange''.
* Now click on the ''Grant admin consent for <your tenant name>'' button in the ''Configured permissions'' section.
* Acknowledge the following notice with ''Yes''.
* The status of all granted permissions is updated to ''Granted for <your tenant name>''.
The configuration of MailStore Server's connection to Microsoft 365 within Microsoft Entra ID is now complete. You can sign out of your Microsoft Entra ID tenant and close the browser window. Switch to the ''Directory Services'' page in the MailStore Client again, all remaining configuration steps must be done there.

[[File:Microsoft 365 sync 03.png|center]]

=== User Database Synchronization ===
After configuring the connection settings as described above, you can specify filter criteria for the Microsoft 365 synchronization in this section.
*'''Synchronize licensed Microsoft Exchange Online users only''' Only Microsoft 365 user accounts with a Microsoft Exchange Online license assigned to them will be taken into account by the synchronization.
*'''Synchronize enabled users only''' Only Microsoft 365 user accounts that do not have their login to Microsoft 365 blocked will be taken into account by the synchronization.
*'''Sync only these groups''' Choose one or several Microsoft 365 security groups if you only want their members to be created as MailStore Server users. That way it's possible to exclude certain users from being synchronized to MailStore Server.

{{Directory Services Options|Microsoft 365 tenant}}
{{Directory Services Assign Default Privileges|Microsoft 365}}
{{Directory Services Run Synchronization|Microsoft 365 tenant}}
[[File:Office365_sync_02.png|450px|center]]

{{Directory Services Test Authentication}}

== Updating credentials ==
The certificate generated by MailStore for logging into Microsoft Entra ID is valid for 3750 days (825 days before version 25.3). In order for user synchronization and archiving to work afterwards, the certificate must be updated before its validity expires.

MailStore Server will show a notification on the dashboard in MailStore Client and in the [[Jobs#Templates|status report]] 28 days before credentials expire. You can also use the [[Administration_API_-_Function_Reference#GetCredentials|GetCredentials API command]] to retrieve the expiration date.

To update the credentials, proceed as follows:

=== Updating credentials in MailStore Server ===

* Log on to MailStore Client as a MailStore Server administrator.
* Click on ''Administrative Tools'' > ''Users and Archives'' > ''Directory Services''.
* In the ''Integration section'', make sure that the directory service type is set to ''Microsoft 365 (Modern Authentication)'' or ''Microsoft 365 operated by 21 Vianet (Modern Authentication)''.
[[File:Microsoft 365 sync 01.png|center|347px]]
* In the ''Connection'' section, click on the button (…) next to the ''Credentials'' drop-down list.
* In the ''Credential Manager'' that appears, click on the currently used credential object and click ''Edit…''
: [[File:Microsoft 365 cred 02.png|center|347px]]
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Create Certificate...''.
* Confirm the process.
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Download Certificate''. Save the certificate on your hard drive.
* Confirm your changes by clicking ''OK''.
* Leave the ''Credential Manager'' by clicking ''Apply''.
* The newly created credentials are selected in the corresponding drop-down list by default.
* If you are using Microsoft 365 in hybrid mode and synchronizing users from your Active Directory, set the directory service back to ''Active Directory''.

=== Updating credentials in Microsoft Entra ID ===

* Sign in to the [https://portal.azure.com Microsoft Entra ID Portal] as a Global Administrator for your Microsoft 365 tenant. The Microsoft Entra ID Portal of ''Office 365, operated by 21Vianet'' [https://portal.azure.cn/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview can be accessed here].
* In the navigation menu (☰), select the option ''Microsoft Entra ID''.
* On the next page, select ''App registrations'' in the ''Manage'' section of the left navigation menu.
* Select the application that is currently used by MailStore.
* Select ''Certificates & secrets'' in the ''Manage'' section of the left navigation menu.
* Click on ''Upload certificate'' in the ''Certificates'' section. Select the certificate file that you have saved previously and upload it to Microsoft Entra ID by clicking ''Add''.
* If uploading has been successful, the certificate's thumbprint as well as its start and expiry dates appear in the certificates list. You can compare the thumbprint and expiry date with those listed in the MailStore Credential Manager to check that you've uploaded the correct certificate.
* The previously used certificate can be removed from the list.

[[de:Synchronisieren_von_Benutzerkonten_mit_Microsoft_365_(Modern_Authentication)]]
[[en:Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)]]

Synchronizing User Accounts with Microsoft 365 - Modern Authentication

2026-01-20T15:09:44Z

Ltalaschus: /* Configuring API Permissions in Microsoft Entra ID */

{{Directory Services Preamble|Microsoft 365 tenant|Microsoft 365||}}
== Prerequisites, Recommendations and Limitations ==
* For best user experience, the certificate used by MailStore Server should be trusted by all clients and the used web browsers. Using a certificate that is signed by a trusted certificate authority or [[Using_Lets_Encrypt_Certificates|using Let's Encrypt certificates]] is highly recommended.
* If you have archived emails from an Exchange server and synchronized users from an Active Directory until now, follow the article [[Changing Archiving from Microsoft Exchange Server to Microsoft 365]]
* If users are supposed to log in to MailStore Server from outside the organization's network without a VPN using [[Accessing_the_Archive_with_the_MailStore_Client_software|MailStore Client]], [[Accessing_the_Archive_with_the_Microsoft_Outlook_integration|MailStore Outlook Add-in]] or the [[Accessing_the_Archive_with_MailStore_Web_Access|Web Access]], the URIs mentioned in this article must be resolvable via DNS on the Internet and port-forwardings to the MailStore Server computer must be set up on the firewall or router if necessary.
* When using Microsoft 365 to authenticate users at login, [[Accessing_the_Archive_via_Integrated_IMAP_Server|accessing the archive via IMAP]] is not possible for technical reasons.
* MailStore Server supports the synchronization of user accounts with the global Microsoft Cloud ''Microsoft 365'' and ''Office 365, operated by 21Vianet''. Other Environments like GCC, GCC High or DoD are not supported. In the following article, only the term Microsoft 365 is used for the sake of simplicity.

== Connecting MailStore Server and Microsoft 365 ==
In order to synchronize user information from Microsoft 365, MailStore Server has to be connected to your Microsoft 365 tenant and been granted the required permissions. Microsoft 365 relies on Microsoft Entra ID as directory service. Each Microsoft 365 tenant corresponds to an Microsoft Entra ID tenant that stores its user information.

=== Registering of MailStore Server as App in Microsoft Entra ID ===
Through registration, MailStore Server gets an identity in Microsoft Entra ID that makes it possible to authenticate to the tenant's services and use their resources.
* Sign in to the [https://portal.azure.com Microsoft Entra ID Portal] as a Global Administrator for your Microsoft 365 tenant. The Microsoft Entra ID Portal of ''Office 365, operated by 21Vianet'' [https://portal.azure.cn/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview can be accessed here].
* In the navigation menu (☰), select the option ''Microsoft Entra ID''.
* On the next page, select ''App registrations'' in the ''Manage'' section of the left navigation menu.
* Select ''New Registration''. The ''Register an application'' page appears.
* In the ''Name'' field, enter a meaningful display name, e.g. ''MailStore Server''. This name will be shown to users on logon later on, for example.
* Leave all other settings on this page to their defaults.
* Click on ''Register''. If the registration has been successful, you are shown the overview page of the newly registered app.
The ''Application (client) ID'' shown on this page identifies MailStore Server in your Microsoft Entra ID tenant and has to be copied into MailStore Server next, together with the ''Directory (tenant) ID''. Therefore, for the following steps, leave the overview page open in your web browser.

=== Creating Credentials in MailStore Server ===
Credentials for Microsoft 365 consist of the aforementioned IDs and a secret that MailStore Server uses to proof its identity to Microsoft Entra ID. Microsoft recommends using certificates as secrets to identify apps in Microsoft Entra ID. When creating credentials, such a certificate is generated automatically by MailStore Server but can also be recreated later on.
{{Directory Services Accessing Configuration|Microsoft 365 or Microsoft 365 operated by 21 Vianet|Microsoft 365 sync 01.png}}
* In the ''Connection'' section, click on the button (…) next to the ''Credentials'' drop-down list.
* In the ''Credential Manager'' that appears, click on ''Create…''
* In the ''Microsoft Entra ID App Credentials'' dialog, enter the following information in the ''Settings'' section:
** '''Name''' A meaningful display name for the credentials, e.g. the name of your Microsoft 365 tenant.
** '''Application (client) ID''' The value of the corresponding field that you can copy from the Microsoft Entra ID app overview page in your web browser.
** '''Directory (tenant) ID''' The value of the corresponding field that you can copy from the Microsoft Entra ID app overview page in your web browser.
[[File:Microsoft 365 cred 01.png|center|347px]]
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Download Certificate''. Save the certificate on your hard drive.
* Confirm your entries by clicking ''OK''.
* The newly created credentials are listed in the ''Credential Manager'' under the name you have entered with the type ''Microsoft 365''. Here you can also edit or delete existing credentials if necessary.
* Leave the ''Credential Manager'' by clicking ''Close''.
* The newly created credentials are selected in the corresponding drop-down list by default.

=== Publishing Credentials in Microsoft Entra ID ===
For Microsoft Entra ID to validate the identity of MailStore Server, the created certificate needs to be published in Microsoft Entra ID.
* Switch to the Microsoft Entra ID app overview page in your web browser.
* Select ''Certificates & secrets'' in the ''Manage'' section of the left navigation menu.
* Click on ''Upload certificate'' in the ''Certificates'' section. Select the certificate file that you have saved previously and upload it to Microsoft Entra ID by clicking ''Add''.
* If uploading has been successful, the certificate's thumbprint as well as its start and expiry dates appear in the certificates list. You can compare the thumbprint and expiry date with those listed in the MailStore Credential Manager to check that you've uploaded the correct certificate.

=== Configuring App Authentication in Microsoft Entra ID ===
For Microsoft Entra ID to return the result of a user's authentication request to MailStore Server, the endpoint where MailStore Server expects authentication responses, the so-called ''Redirect URI'', has to be conveyed to Microsoft Entra ID.
* In the Microsoft Entra ID Portal in the web browser, select ''Authentication'' in the ''Manage'' section of the left navigation menu.
* Click on the ''Add Redirect URI'' button on the ''Redirect URI configuration'' page.
* Select ''Web'' in the ''Web applications'' section of the platform selection page.
* In the '''Implicit grant and hybrid flows''' section perform the following action:
:'''Enable''' the '''ID tokens''' option.
[[File:Microsoft_365_sync_id_token.png|center]]
* In the field ''Redirect URI'', enter a URI in the format (without brackets)
*: <code>https://<fqdn>[:<port>]/oidc/signin</code>
*; with the following components<nowiki>:</nowiki>
*: '''https://''' Specifying the <code>https://</code> protocol is obligatory. To avoid certificate warnings during user logon, the web browsers on the client machines must trust the [[MailStore_Server_Service_Configuration#Certificate|certificate used by MailStore Server]].
*: '''FQDN''' The Fully Qualified Domain Name (FQDN) of your MailStore Server that consists of the machine name and the DNS domain, e.g. <code>mailstore.example.com</code>. This name must be resolvable by all clients from which users shall be able to log on to MailStore Server.
*: '''Port''' The TCP port of the MailStore Web Access (<code>8462</code> by default). This value must be equal to the port configured in the section ''Base Configuration > Network Settings > MailStore Web Access / Outlook Add-in (HTTPS)'' of the [[MailStore_Server_Service_Configuration#Services|MailStore Server Service Configuration]]. The TCP port has to be specified only if it is different from the default port of the HTTPS protocol (<code>443</code>).
*: '''/oidc/signin''' The endpoint where MailStore Server expects the authentication responses of Microsoft Entra ID. This path has to be specified exactly as stated here at the end of the redirect URI.
* Leave the field ''Logout URL'' blank.
* Ensure that the '''ID tokens''' option is set in the '''Implicit grant and hybrid flows''' section.
* Click on ''Configure'' to finish the configuration of the app authentication in Microsoft Entra ID.
<div class="resp-table">
{| class="wikitable" style="font-size: 85%;"
|+ Examples for valid redirect URIs
|-
! style="width:80px;" | Product
! style="width:80px;" | FQDN
! style="width:40px;" | Port
! Resulting Redirect URI
|-
| align="center"| MailStore Server
| align="center"| mailstore.example.com
| align="center"| 8462
| <code><nowiki>https://mailstore.example.com:8462/oidc/signin</nowiki></code> Redirect URI with Fully Qualified Domain Name and MailStore Web Access default port
|-
| align="center"| MailStore Server
| align="center"| mailstore.example.com
| align="center"| 443
| <code><nowiki>https://mailstore.example.com/oidc/signin</nowiki></code> The port can be ommited if the HTTPS default port 443 has been configured for MailStore Web Access or as source port of a port-forwarding on the firewall or router.
|-
| align="center"| MailStore SPE
| align="center"| archive.example.com
| align="center"| 443
| <code><nowiki>https://archive.example.com/<instanceid>/oidc/signin</nowiki></code> The ''instanceid'' of the instance is part of the Redirect URI.
|-
|}
</div>
:: '''Important Notice:''' Please note that the redirect URI is case-sensitive. Also review the requirements on resolving URIs in the [[#Prerequisites, Recommendations and Limitations|Prerequisites, Recommendations and Limitations]] section.

:: '''Important Notice:''' Please note that without setting the ''ID Token'' option, user authentication will not work.

=== Configuring the Redirect URI in MailStore Server ===
For MailStore Server to convey the redirect URI to requesting clients, it must be configured there, too.
* Switch to the ''Directory Services'' page in the MailStore Client.
* Enter the redirect URI in the corresponding field in the ''Authentication'' section. Just copy the value previously configured in Microsoft Entra ID from the web browser.
[[File:Microsoft 365 sync 02.png|center|450px]]

=== Configuring API Permissions in Microsoft Entra ID ===
* Switch again to Microsoft Entra ID in your web browser.
* Select ''API permissions'' in the ''Manage'' section of the left navigation menu.
* Click on the ''Add a permission'' button in the ''Configured permissions'' section.
* On the ''Request API permissions'' menu page, select the API ''Microsoft Graph'' in the ''Commonly used Microsoft APIs'' section.
* Select the option ''Application permissions''.
* Enable the ''Directory > Directory.Read.All'' permission in the ''Select permissions'' section.
* '''New in 26.1''': Also enable the ''Mail > Mail.ReadWrite'' permission in the ''Select permissions'' section.
* Click on ''Add permissions''.
* The permissions are updated and the ''Directory.Read.All'' and ''Mail.ReadWrite'' permissions appear in the API permissions list under ''Microsoft Graph''.
* Click on the ''Add a permission'' button in the ''Configured permissions'' section again.
* On the ''Request API permissions'' menu page, select ''APIs my organization uses''.
* Search for ''Office 365 Exchange Online'' and click on the corresponding entry.
* Select the option ''Application permissions''.
* Enable the ''full_access_as_app'' permission in the ''Select permissions'' section.
* Also enable the permission ''SMTP.SendAsApp'' in the ''SMTP'' section.
* Click on ''Add permissions''.
* The permissions are updated and the ''full_access_as_app'' and ''SMTP.SendAsApp'' permissions appear in the API permissions list under ''Exchange''.
* Now click on the ''Grant admin consent for <your tenant name>'' button in the ''Configured permissions'' section.
* Acknowledge the following notice with ''Yes''.
* The status of all granted permissions is updated to ''Granted for <your tenant name>''.
The configuration of MailStore Server's connection to Microsoft 365 within Microsoft Entra ID is now complete. You can sign out of your Microsoft Entra ID tenant and close the browser window. Switch to the ''Directory Services'' page in the MailStore Client again, all remaining configuration steps must be done there.

[[File:Microsoft 365 sync 03.png|center]]

=== User Database Synchronization ===
After configuring the connection settings as described above, you can specify filter criteria for the Microsoft 365 synchronization in this section.
*'''Synchronize licensed Microsoft Exchange Online users only''' Only Microsoft 365 user accounts with a Microsoft Exchange Online license assigned to them will be taken into account by the synchronization.
*'''Synchronize enabled users only''' Only Microsoft 365 user accounts that do not have their login to Microsoft 365 blocked will be taken into account by the synchronization.
*'''Sync only these groups''' Choose one or several Microsoft 365 security groups if you only want their members to be created as MailStore Server users. That way it's possible to exclude certain users from being synchronized to MailStore Server.

{{Directory Services Options|Microsoft 365 tenant}}
{{Directory Services Assign Default Privileges|Microsoft 365}}
{{Directory Services Run Synchronization|Microsoft 365 tenant}}
[[File:Office365_sync_02.png|450px|center]]

{{Directory Services Test Authentication}}

== Updating credentials ==
The certificate generated by MailStore for logging into Microsoft Entra ID is valid for 3750 days (825 days before version 25.3). In order for user synchronization and archiving to work afterwards, the certificate must be updated before its validity expires.

MailStore Server will show a notification on the dashboard in MailStore Client and in the [[Jobs#Templates|status report]] 28 days before credentials expire. You can also use the [[Administration_API_-_Function_Reference#GetCredentials|GetCredentials API command]] to retrieve the expiration date.

To update the credentials, proceed as follows:

=== Updating credentials in MailStore Server ===

* Log on to MailStore Client as a MailStore Server administrator.
* Click on ''Administrative Tools'' > ''Users and Archives'' > ''Directory Services''.
* In the ''Integration section'', make sure that the directory service type is set to ''Microsoft 365 (Modern Authentication)'' or ''Microsoft 365 operated by 21 Vianet (Modern Authentication)''.
[[File:Microsoft 365 sync 01.png|center|347px]]
* In the ''Connection'' section, click on the button (…) next to the ''Credentials'' drop-down list.
* In the ''Credential Manager'' that appears, click on the currently used credential object and click ''Edit…''
: [[File:Microsoft 365 cred 02.png|center|347px]]
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Create Certificate...''.
* Confirm the process.
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Download Certificate''. Save the certificate on your hard drive.
* Confirm your changes by clicking ''OK''.
* Leave the ''Credential Manager'' by clicking ''Apply''.
* The newly created credentials are selected in the corresponding drop-down list by default.
* If you are using Microsoft 365 in hybrid mode and synchronizing users from your Active Directory, set the directory service back to ''Active Directory''.

=== Updating credentials in Microsoft Entra ID ===

* Sign in to the [https://portal.azure.com Microsoft Entra ID Portal] as a Global Administrator for your Microsoft 365 tenant. The Microsoft Entra ID Portal of ''Office 365, operated by 21Vianet'' [https://portal.azure.cn/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview can be accessed here].
* In the navigation menu (☰), select the option ''Microsoft Entra ID''.
* On the next page, select ''App registrations'' in the ''Manage'' section of the left navigation menu.
* Select the application that is currently used by MailStore.
* Select ''Certificates & secrets'' in the ''Manage'' section of the left navigation menu.
* Click on ''Upload certificate'' in the ''Certificates'' section. Select the certificate file that you have saved previously and upload it to Microsoft Entra ID by clicking ''Add''.
* If uploading has been successful, the certificate's thumbprint as well as its start and expiry dates appear in the certificates list. You can compare the thumbprint and expiry date with those listed in the MailStore Credential Manager to check that you've uploaded the correct certificate.
* The previously used certificate can be removed from the list.

[[de:Synchronisieren_von_Benutzerkonten_mit_Microsoft_365_(Modern_Authentication)]]
[[en:Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)]]

EWS Migration

2026-01-20T14:27:46Z

Ltalaschus: /* What Will Change for MailStore Server and the MailStore SPE? */

== Microsoft Is Discontinuing Its Exchange Web Services (EWS) for Microsoft 365 ==
Microsoft [https://techcommunity.microsoft.com/blog/exchange/retirement-of-exchange-web-services-in-exchange-online/3924440 has announced] that it will no longer support Exchange Web Services (EWS) for Exchange Online as of October 1, 2026. This decision affects all companies that use EWS in combination with Exchange Online (Microsoft 365).

EWS is a technology that was developed specifically for accessing Exchange data. The API enables access to data from Microsoft Exchange Server and Exchange Online, including emails and mailboxes. EWS has been a central interface for third-party solutions such as archiving systems.

What Will Happen in October?
Microsoft plans to disable EWS for Exchange Online starting October 1. This decision will force manufacturers to switch to the Microsoft Graph API.

Please note: If you use Exchange Online Kiosk, Microsoft Office 365, and Office 365 F1/F3, you should make the change by June. Further information can be found [https://techcommunity.microsoft.com/blog/exchange/update-to-ews-access-for-kiosk--frontline-worker-licensed-users/4474299 here].

== What Will Change for MailStore Server and the MailStore SPE? ==
The shutdown of EWS initiated by Microsoft will require adjustments to MailStore Server and the MailStore SPE, depending on your archiving strategy.
This is because archiving methods within MailStore Server and MailStore SPE that were accessing EWS will no longer be available from October 1 and will then run into errors.

The following profiles are expected to be affected from October onwards, Graph API does not expose access to these and support is effectifely dropped:

* Importing Exchange Online archive mailboxes
* Importing Exchange Online public folders

Regular Exchange Online Mailboxes and Shared Mailboxes are available using Graph API. New [[Archiving_Emails_from_Microsoft_365_-_Modern_Authentication|mailbox archiving profiles]] in MailStore will use Graph API starting with version 26.1.
Please ensure you have registered the app in Entra ID [[Synchronizing_User_Accounts_with_Microsoft_365_-_Modern_Authentication#Configuring_API_Permissions_in_Microsoft_Entra_ID|according to our instructions]]; in particular, the Mail.ReadWrite permission is now required.
New export profiles will change with version 26.2. Existing EWS archiving and export profiles will work until October 2026. We will offer a migration path in the coming months.

The [[Email_Archiving_with_MailStore_Basics|summary panel]] of the archiving or export profile tells which protocol is used. Microsoft 365 Journal archiving profiles do not typically use EWS and are therefore not affected.

[[de:EWS Migration]]
[[en:EWS Migration]]

Update Notices for MailStore Server

2026-01-20T14:25:00Z

Ltalaschus: /* Upgrading to 26.1.0 */

== General Information ==

* '''Before you start the installation, please check if your current license really allows to upgrade the software.'''
* '''Before the installation, read the [https://go.mailstore.com?product=MailStore%20Server&target=changelog&lang=en changelog] for information about all changes in the respective versions.'''
* '''Make sure you have a recent backup of your archive. Learn more about backing up and restoring MailStore Server [[Backup and Restore|here]]'''.
* '''Make sure the server where MailStore Server is installed on meets the [[System_Requirements|system requirements]]'''.
* Close all open MailStore programs on the server, such as the MailStore Server Service Configuration, the MailStore Client, and Outlook. Open programs cannot be overwritten by the installation program, and this will result in an access error 5.
* The installation process will uninstall older versions of the software automatically. All archives and the configuration data will be kept. There is no need to manually uninstall old versions previously.
* Installations with version 23.4 or older must first be updated to version 24.4 and all archive stores must be updated to Firebird 4. You can then update to the latest version. Please also read the [[Update Notices for MailStore Server to version 25.1 or newer]].
* During the installation process the MailStore Server service is automatically stopped and restarted afterwards. Running archiving profiles will be cancelled and may show up as failed. Should stopping the service fail for any reason, please stop the service manually and run the installation again.
* Carefully check the auto-detected settings during the installation process.
* Updating the MailStore Client installations and/or the MailStore Outlook Add-In installations is only necessary if this is specifically stated in the version-specific notes.
*; Further information can be found in the articles [[MailStore Client Deployment]] and [[MailStore Outlook Add-in Deployment]]
* The following version specific upgrade notices are cumulative. Therefore, also read the notices regarding all version numbers between yours and the one you are going to install.
* For versions that are not explicitly listed here, the upgrade notices for preceding versions apply accordingly.

== Upgrading to 26.1.0 ==

* External Microsoft SQL and PostgreSQL-based archive stores are deprecated and support will be removed in a future MailStore version.
* New Microsoft 365 mailbox archiving profiles now use the Graph API. Please ensure you have registered the app in Entra ID according to our instructions; in particular, the Mail.ReadWrite permission is now required. This only applies to new profiles! See [[EWS_Migration|here]] for more information on this topic.

== Upgrading to 25.4.0 ==
* MailStore Client prefers Kerberos when Windows Authentication (Single-Sign-on) is configured via GPO.

== Upgrading to 25.3.1 ==
The known issues of version 25.3.0 have been fixed.

== Upgrading to 25.3.0 ==
* ''' Microsoft Windows Live Mail '''
*; Support for the Microsoft Windows Live Mail email client has been removed from MailStore in this version.
* ''' SmarterMail '''
*; Support for the SmarterMail email server has been removed from MailStore in this version.
* ''' Directory Service Synchronization '''
*; After updating, check your directory service settings for functionality. Support for older authentication methods has been removed from MailStore in this version (Microsoft 365 Basic authentication and Google Workspace IMAP authentication), and third-party components have been updated.
* ''' SMTP OAuth2 Authentication with Microsoft 365 '''
*; Please note the [[SMTP Settings]] article if you would like to use your existing app registration in Entra ID to transmit emails via Microsoft 365 server.
* ''' Gateway archiving '''
*; Gateway archiving profiles that are meant for Google, generic mail servers and email clients do not extract journal reports and NDRs anymore. When archiving Microsoft 365 journal emails from a MailStore Gateway mailbox ensure you are using the proper Gateway archiving profile before updating. You can tell this because you cannot configure the target path in the archive in the archiving profile and the emails are sorted into the ''Journal Incoming'' and ''Journal Outgoing'' folders.

=== Known Issues ===
* '''PostgreSQL databases cannot be loaded after an upgrade. Do not upgrade if you are using PostgreSQL based archive stores.''' This bug was fixed with version 25.3.1.
* In WebAccess, emails that contain only plain text are not displayed correctly. This bug was fixed with version 25.3.1.

== Upgrading to 25.2.0 ==
There are no notes for this version.

== Upgrading to 25.1.0 ==

* '''Only installations with versions 24.2.0 to 24.4.0 can be updated directly.'''
* '''Until all archive stores have been updated, you must not update to version 25.1.0.'''
* It is '''obligatory''' to also note the [[Update Notices for MailStore Server to version 25.1 or newer]].

== Upgrading to 24.4.0 ==
There are no notes for this version.

== Upgrading to 24.3.0 ==
* Saved searches containing search criteria that can be interpreted as [[Accessing_the_Archive_with_the_MailStore_Client_software#Searching_for_Alternatives|search for alternatives]] will return different search results than before the update.
* Retention policies do not support [[Accessing_the_Archive_with_the_MailStore_Client_software#Searching_for_Alternatives|searches for alternatives]]. In case existing retention policies contain search criteria that can be interpreted as searches for alternatives, those have to be changed for retention policies to being able to be processed again.

== Upgrading to 24.2.2 ==

There are no notes for this version.

== Upgrading to 24.2.1 ==
If you are upgrading from a MailStore version before 24.2.0, please also note the instructions for upgrading to version 24.2.0.

* '''Upgrading Archive Stores''' If you upgrade from MailStore 24.2.0, the archive stores need to be upgraded. To do this, proceed as follows:
** Log in as MailStore administrator (admin).
** Click on ''Administrative Tools'' > ''Storage'' and then ''Storage Locations''.
** Either click on the yellow info box to upgrade all archive stores at once or right-click on an archive store and select ''Perform Upgrade'' to upgrade a single archive store.
** Carefully read the notices and click on ''OK'' to start the upgrade process or click on ''Cancel''.
**: [[File:Fg_upgrade10.png|center]]
:Until all archive stores have been upgraded, retention policies are not available.

== Upgrading to 24.2.0 ==
* '''Upgrade of Master Database''' The master database is upgraded to Firebird 4 during the first start of the MailStore Server service. This process might extend the time required for the first start of the service by several minutes.
* '''Upgrading Archive Stores''' For the update to Firebird 4 the databases of the archive stores must be upgraded. Proceed as follows to upgrade:
** Log in as MailStore administrator (admin).
** Click on ''Administrative Tools'' > ''Storage'' and then ''Storage Locations''.
** Either click on the yellow info box to upgrade all archive stores at once or right-click on an archive store and select ''Perform Upgrade'' to upgrade a single archive store.
** Carefully read the notices and click on ''OK'' to start the upgrade process or click on ''Cancel''.
**: [[File:Fg_upgrade10.png|center]]
:Until all archive stores have been upgraded, retention policies are not available.
* '''System Requirements'''
*; Internet Explorer support has been removed from MailStore in this version. For a current list of supported browsers, please refer to [[System Requirements]].
* ''' Python API Wrapper '''
*; In order to be able to use the new API commands, an update of the [[Python_API_Wrapper_Tutorial|Python API wrapper library]] is required.

=== Known Issues ===
* As long as an internal, Firebird-based archive store has not been updated, no recovery records will be written for emails in this archive store. This bug was fixed with version 24.2.1.
* Users who have been synchronized from an Active Directory and who have MailStore multi-factor authentication (MFA) activated cannot log in using Windows authentication. To work around the issue, disable multi-factor authentication for those users in MailStore or let them use their username and password to log in. This bug was fixed with version 24.2.2.

== Upgrading to 23.4.0 ==
* '''System Requirements'''
*; Windows Server 2012 and Windows Server 2012 R2 support has been removed from MailStore in this version. For a current list of supported operating systems, please refer to [[System Requirements]].
* ''' Python API Wrapper '''
*; In order to be able to use the new API commands, an update of the [[Python_API_Wrapper_Tutorial|Python API wrapper library]] is required.

== Upgrading to 23.3.0 ==
* ''' Microsoft Exchange 2013 Support '''
*; Support for Microsoft Exchange 2013 has been removed from MailStore in this version.

== Upgrading to 23.2.0 ==
* ''' Outlook Add-in '''
*; Starting with version 23.2.0, MailStore Server supports multi-factor authentication for users with integrated authentication. To support multi-factor authentication an update of the Outlook Add-in is required.
*; The Outlook Add-In 23.2.0 is not backward compatible with older MailStore Server versions. When updating, MailStore Server should be updated first and then the Outlook Add-in.
* ''' Scheduled Tasks, Management API, IMAP Access ''' 
*; When multi-factor authentication is enabled for a user and that user wants to schedule client-side archiving profiles, access the Management API or access the IMAP server, an app password has to be used instead of the regular password.
* ''' Python API Wrapper '''
*; In order to be able to use the new API commands, an update of the [[Python_API_Wrapper_Tutorial|Python API wrapper library]] is required.

== Upgrading to 23.1.2 ==
* Important: Let's Encrypt has announced to change their production request flow permanently on April 24th 2023. After that date, previous versions of MailStore Server will not be able to successfully request certificates from Let's Encrypt.

== Upgrading to 23.1.0 ==
* '''System Requirements'''
*; Windows 7, Windows 8.1, Windows Server 2008 R2 and Windows Small Business Server 2011 support has been removed from MailStore in this version. For a current list of supported operating systems, please refer to [[System Requirements]].

== Upgrading to 22.4.0 ==
There are no notes for this version.

== Upgrading to 22.3.0 ==
* ''' Outlook Add-in '''
*; Starting with version 22.3.0, failed login attempts will slow down the login process. While this process is backwards compatible to older Outlook Add-ins, we strongly recommend updating the Outlook Add-in for the best user experience.

== Upgrading to 22.2.x ==
* '''System Requirements'''
*; Starting with version 22.2 MailStore Server, MailStore Client and MailStore Outlook Add-in require Microsoft .NET Framework version 4.8. Please refer to our [[System Requirements]]. If the framework is installed by the MailStore setup, the system might reboot without further notice.
* '''External Archive Stores'''
*; Starting with version 22.2, only versions 10 or newer are supported for PostgreSQL.

== Upgrading to 13.x ==
* '''Update of MailStore Client and Outlook Add-in''' Irrespective of MailStore Client's auto-update mechanism, a reinstallation of MailStore Client and the MailStore Outlook Add-in is required to make use of the following improvements:
** Unified validation of TLS certificates.
** Unified evaluation of group policies.
** Distinct error messages for certain certificate errors.
** Outlook Add-in: Due to the required changes of the login process to support modern authentication with Microsoft 365 and Google Workspace, the Outlook Add-in must be updated to version 13 to be able to connect to MailStore Server 13.x. Connecting to an older version of MailStore Server is no longer supported after the update.
* '''Unencrypted Connections'''
*; Support for unencrypted connections to MailStore Server has been fully removed. This affects MailStore Outlook Add-in, and the Legacy Web Access. After updating the Outlook Add-in, it automatically tries to connect to the default HTTPS port (8462) if either the default HTTP port (8461) or no port was set as part of the server name previously. In all other cases, the initial connections may fail and requires the server name to be adjusted by the user, or by an administrator via group policies.
* '''HTTP-to-HTTPS Redirect'''
*; The HTTP-to-HTTPS redirect option, which must be considered insecure without the use of properly configured [[wikipedia:HTTP_Strict_Transport_Security|HTTP Strict Transport Security (HSTS)]], has been removed. Users are required to use the correct HTTPS URL to access MailStore Web Access.
* '''Windows Authentication'''
*; The authentication method selection has been removed from the newly design login dialog. Therefore, traditional Windows Authentication available in on-prem Active Directory controlled environments, can only be enabled through group policies. Further information on group policies can be found in [[MailStore Client Deployment]] and [[MailStore Outlook Add-in Deployment]].
* '''Microsoft 365 Support'''
*; A new directory service synchronization profile [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)|Microsoft 365 (Modern Authentication)]] as well as new profiles for archiving and exporting emails from or to Microsoft 365 have been introduced. These support modern authentication (OAuth 2.0 & OpenID Connect) and customers of Microsoft 365 are advised to regularly check for Microsoft's announcement on the timeline for removing HTTP Basic Auth from Microsoft Exchange Web Services (EWS) and to plan the migration to the new profiles in advance. Once Microsoft disables support for HTTP Basic Auth in Exchange Web Services on Microsoft 365, the existing directory service synchronization profile ''Microsoft 365 (Basic Auth)'' (formerly named ''Office 365'') and the Microsoft Exchange archiving and export profiles will stop working.
* '''Google Workspace Support'''
*; The [[Google Workspace Integration|Google Workspace directory service synchronization profile]] has been extended with support for modern authentication (OAuth 2.0 & OpenID Connect). Customers of Google Workspace are advised to regularly check for Google's announcement on the timeline for removing support for less secure apps, and should plan the migration to the new setting in advance. Once Google disables support for Less Secure Apps in Google Workspace, the existing directory service synchronization profile ''Google Workspace'' will no longer allow users to login to MailStore as long as the authentication method is still set to ''IMAP''.
* '''IMAP Access to Archive'''
*; When using either the new ''Microsoft 365 (Modern Authentication)'' or ''Google Workspace'' directory service synchronization profile, user that have been added by these profiles, can not access their archive via the integrated IMAP server as MailStore Server is not able to verify those passwords itself.
* '''Startup Scripts'''
*; The [[MailStore Server Service Configuration]] now provides functionality to configure connections to remote SMB/CIFS network shares without having to store credential in a plain text batch file. Therefore, startup scripts are no longer recommended to be used for that purpose. Unless there actually is a startup script found in MailStore Server's program directory, the corresponding menu item ''Startup Script'' will not be shown in the MailStore Server Service Configuration.
* '''Mobile Web Access'''
*; The dedicated Mobile Web Access has been removed due to no longer supported third-party components (e.g. jQuery Mobile) and in favor of MailStore Web Access, which has been received major enhancements in terms of performance and usability.
* '''Legacy Web Access'''
*; As parts of Legacy Web Access are representing the server-side of the Outlook Add-in, the Legacy Web Access is still present, but no longer advertised on the login screen of the Web Access.
* '''Group Policies'''
*; The following group policy settings are no longer supported in MailStore 13:
** '''MailStore Client: Accept Thumbprint'''
**; If a server name has been defined by a group policy, the certificate used by MailStore Server must be trusted by the client computer and it must not be revoked or expired.
** '''MailStore Outlook Add-in: Accept Thumbprint'''
**; If a server name has been defined by a group policy, the certificate used by MailStore Server must be trusted by the client computer and it must not be revoked or expired.
** '''MailStore Outlook Add-in: Enable TLS/SSL encryption'''
**; As MailStore Server no longer supports unencrypted inbound connections and the default behavior of MailStore Outlook Add-in as been modified accordingly, this option is ignored.

== Upgrading to 12.1 ==
* '''System Requirements'''
*; Windows Vista, Windows Server 2008, and Windows Small Business Server 2008 support has been removed from MailStore in this version. For a current list of supported operating systems, please refer to [[System Requirements]].

== Upgrading to 12 ==
* '''Expired Certificates'''
*; Irrespective of whether the certificate's trust can be verified, no connection is established by MailStore Client to server's whose certificate has expired or was revoked. In such a case, the certificate must be replaced by means of the MailStore Server service configuration tool first.
* '''Using Certificates'''
*; If in the past, different certificates were used for the services provided by MailStore Server, the same certificate configuration as for new installations will be shown during the installation. The certificate configured in that step will afterwards be used for all provided services and can be change in the MailStore Server service configuration tool.

== Upgrading to 11 ==
* '''Upgrading Archive Stores'''
*; '''Depending on the archive size this can take an excessive amount of time. On average 50.000 messages are processed per minute during the upgrade.'''
*; Until the archive stores have been upgraded, not all functionality of the software is available. To facilitate
** retention policies,
** the search functionality,
** the improved recovery records,
*; the databases of the archive stores must be upgraded.
*;Proceed as follows to upgrade:
** Log in as MailStore administrator (admin).
** Click on ''Administrative Tools'' > ''Storage'' and then ''Storage Locations''.
** Either click on the yellow info box to upgrade all archive stores at once or right-click on an archive store and select ''Perform Upgrade'' to upgrade a single archive store.
** Carefully read the notices and click on ''OK'' to start the upgrade process or click on ''Cancel''.
**: [[File:Fg_upgrade10.png|center]]
* '''Retention Policies''' If not all attached archive stores are available (State: ''Archive here'', ''Normal''), or their status is ''Write-Protected'', no automatic processing of retention policies takes place. Therefore verify if an archive store is set to ''Disabled'' or ''Write-Protected'' after the upgrade and change it to one of the above states or detach it completely.
* '''Access via Integrated IMAP Server''' To access the archive via the integrated IMAP server, an encrypted connection is now mandatory. If necessary, adjust the configuration of your email clients accordingly and enable TLS or STARTTLS.
* '''Management API Commands Get-/SetComplianceConfiguration''' The property ''globalRetentionTimeYears'' has been removed from the commands. Own scripts using these commands have to be adjusted accordingly. To manage retention policies, two new commands are available: ''GetRetentionPolicies'' and ''SetRetentionPolicies''.

== Upgrading to 10.2 ==
* '''Web Access''' The new responsive Web Access is exclusively available via the HTTPS port. User who are still using the unencrypted HTTP port to access Web Access, will see a corresponding notice about this circumstance. Thus it is recommended to use a trustworthy certificate signed by an official or internal certificate authority. See [[Using Your Own SSL Certificate]] for details.
=== Known Issues ===
* The backend of the new responsive Web Access expects MailStore Server to be reachable on IP address 127.0.0.1 (localhost) and the default TCP port 8460. If you configured MailStore to listen on a specific IP address for MailStore Client connections in the [[MailStore Server Service Configuration]], please reset it to ''(All IP Addresses)'' and ''Port'' 8460. This problem was fixed with version 10.2.3.

== Upgrading to 10.1 ==
* '''Archiving Emails''' If not all attached archive stores are available (State: ''Archive here'', ''Normal'', or ''Write-Protected''), no archiving takes place. Running archiving profiles are terminated with an appropriate message. Under certain circumstances this prevents the creation of duplicate emails while archiving. Therefore verify if an archive store is set to ''disabled'' after the upgrade and change it to one of the above states or detach it completely.
* '''Status Reports''' If a longer period should be covered by status reports, it must be ensured that the profile and job results are kept for at least that period. The default value of previous installations is one week and should be adjusted to the new default value of 90 days.

== Upgrading to Version 10 ==
* '''Encryption Notices''' Due to enhanced encryption mechanisms, MailStore archives that have been upgraded to version 10 are tied to the Windows-Installation on which MailStore Server has been installed. Under certain conditions some actions (e.g. restoring the default admin, attaching foreign archive stores, etc.) in MailStore require the input of a recovery key. By default this is the product key of the installation.Please make sure to store the product key entered during installation in a safe location.In environments with higher security requirements it is recommended to change the default recovery key and, depending on the backup target, exclude the unencrypted search indexes from backups. Corresponding information can be found in the [[MailStore Server Service Configuration]] article.
* '''Upgrade of Master Database''' To facilitate encryption of the master database it is upgraded to Firebird 3 during the first start of the MailStore Server service and encrypted afterwards. This process might extend the time required for the first start of the service by several minutes.
* '''Upgrading Archive Stores''' To facilitate encryption the databases of the archive store must be upgraded. Proceed as follows to upgrade:
** Log in as MailStore administrator (admin).
** Click on ''Administrative Tools'' > ''Storage'' and then ''Storage Locations''.
** Either click on the yellow info box to upgrade all archive stores at once or right-click on an archive store and select ''Perform Upgrade'' to upgrade a single archive store.
** Carefully read the notices and click on ''OK'' to start the upgrade process or click on ''Cancel''.
**: [[File:Fg_upgrade10.png|center]]
* '''Archives of Other Users''' These are no longer visible for MailStore administrators if the ''Archive Access'' (formerly knows as ''E-mail Preview'') is blocked. Administrative functions such as deleting or renaming user archives are accessible through [[Archives|Administrative Tools > Users and Archives > Archives]].
* '''Export E-mails''' The previous change may also have an impact on export profiles owned by a MailStore administrator, in case the export scope contains archives of other users. As these are no longer visible to MailStore administrators if the ''Archive Access'' (formerly knows as ''E-mail Preview'') is blocked, they are not taken into account by export profiles.
* '''Auditing''' All activities that are exclusively executable by MailStore administrators are displayed as ''Enabled (locked)'' at ''Compliance'' > ''Auditing''. Irrespective of the ''Disabled'' status, all activities of MailStore administrators, excluding ''MessageRetrieveContent'', are written into the audit log.
* '''Default Password''' If you have not changed the default MailStore administrators (admin) password yet, you will be asked to set a new password during the first logon after the update. The same occurs when the password has been reset to ''admin'' after restoring the default admin.

== Upgrading to Version 9.7 ==
* '''Search Indexes''' Due to changes in the area of indexing email attachment contents, the search index settings should be opened and confirmed after the update, so that MailStore can identify potentially missing or unsupported IFilters.
* '''Archiving from Gmail''' This version contains a new Gmail profile, that provides additional functionality such as support for deleting emails from the Gmail mailbox and OAuth2 authentication. Please notice, that it does not support any other folders than "All Mail" and "Sent Items". This new behavior anticipates scenarios which have been recognized as confusing by users in the past and that where caused by the interaction of Gmail labels, IMAP folders and MailStore's single instance store. Existing Google Mail profiles can still be modified and executed, but no new ones can be created. It is recommended to replace old "Google Mail" profiles by this new Gmail profile.

=== Known Issues ===
* Indexing the content of Open Document Format email attachments requires a working installation of OpenOffice or LibreOffice, though Microsoft Office 2010 Filter Pack officially provides support for these file types. Additional information can be found in the [[Search Indexes]] article.

== Upgrading to Version 9.6 ==
* '''Update of MailStore Client and Outlook Add-in''' Independent of MailStore Client's auto-update mechanism, a reinstallation of MailStore Client and the MailStore Outlook Add-in is required to make use of the following improvements:
** Client: Pin to taskbar now possible on Windows 7 and newer.
** Support for different SSL certificate thumbprint formats in group policies.
** Group policies allow configuration of client and Outlook Add-in language.
* '''MailStore Proxy''' Starting with version 9.6, MailStore Proxy requires .NET Framework 4.5.1. Hence the [[MailStore_Proxy#System_Requirements|system requirements of MailStore proxy]] have also changed in regards to the operating system.

== Upgrading to Version 9.3 ==
* '''Supported SSL certificates''' Using SSL certificates which utilize MD5-hash based signature algorithms (e.g. ''md5rsa'') is technically no longer possible since version 9.3. For years (approx. 2010) MD5-hash based signature algorithms have no longer been used for signing certificates. However, should the error message ''Authentication failed because the remote party has closed the transport stream.'' occur after installing the upgrade, please follow the instructions in the corresponding [https://cs.mailstore.com/index.php?/Knowledgebase/Article/View/120/5/erro-message-authentication-failed-because-the-remote-party-has-closed-the-transport-stream Knowledgebase article].

== Upgrading to Version 9.x ==
* '''System Requirements''' Please ensure that your system configuration matches the updated system requirements. MailStore Server, MailStore Client and MailStore Outlook Add-in now require .NET Framework 4.5.1 and Internet Explorer 8 or higher. Thus Windows Vista SP2 or newer is required.
* '''Server-side Execution of E-mail-Server Profiles and Internal Backup''' Archiving from and exporting to email servers as well as the internal backup function is now carried out by the MailStore Server service itself. Thus it is necessary that the MailStore Server computer has the required permissions to access email servers and network shares where applicable (see [[Using Network Attached Storage (NAS)]]). In either case, verify carefully that all automated tasks are still working properly after updating.
* '''Scheduling of Profiles''' For executing archiving and export profiles of type ''E-mail Servers'', an internal scheduler is now used. This scheduler is used for all newly created profiles as soon as automatic execution is enabled in the profile settings. Existing profiles of type ''E-mail Servers'' are set to manual execution after upgrading to MailStore Server 9. Their execution remains triggered based in the corresponding by task in the Windows Task Scheduler. To completely turn these profiles into independent server-side profiles, remove the corresponding task from the Windows Task Scheduler first and then enable automatic execution in the profile setting in MailStore Server. Further information can be found in [[Email_Archiving_with_MailStore_Basics#Working_with_Archiving_Profiles|Working with Archiving Profiles]] and [[Email_Archiving_with_MailStore_Basics#Automating_the_Archiving_Process|Automating the Archiving Process]]
* '''Group Policies''' New ADM and ADMX templates are used for the configuration of MailStore Client and MailStore Outlook Add-in. Group Policies created with the new templates are not compatible with older versions of MailStore Client and MailStore Outlook Add-In, nor does MailStore Client 9 and MailStore Outlook Add-in 9 support Group Policies that have been created based on previous versions of the ADM and ADMX templates. Please replace any existing Group Policies when upgrading to MailStore Server 9. Further information can be found in [[MailStore Client Deployment]] and [[MailStore Outlook Add-in Deployment]].
* '''Automatic Creation of New Archive Stores''' A new default threshold of 5 million emails has been introduced for the automatic creation of new archive stores in MailStore Server 9. For existing installations it is recommended to adjust this value after upgrading to MailStore Server 9 as described in [[Storage Locations]].
* '''PDF Support of Full Text Search''' PDF support has been removed from MailStore Server's own indexer. Therefore it is required to either install a recent version of Adobe Reader or an appropriate IFilter driver (i.e. [http://www.adobe.com/support/downloads/detail.jsp?ftpID=5542 Adobe PDF iFilter] on the MailStore Server computer.
* '''MailStore Server Administration API''' The API has been completely rewritten. As it does not provide and kind of backward compatibility with previous versions, it is required to carefully verify and, if necessary, to modify scripts that make use of the Administration API.
* '''AVM KEN! Support Removed''' After the vendor's support for AVM KEN! has already stopped in September 2010, the support by MailStore ends with MailStore Server 9. Existing AVM KEN! profiles are automatically removed from MailStore - archived emails remain in the archive.

=== Known Issues ===
* '''Missing Email Headers when Printing from MailStore Web Access''' '''''(resolved in version 9.6)''''' Due to the technical implementation of the HTML view, emails printed from within MailStore Web Access do not contain information about sender, recipient and subject. Until a fix is available, the workaround is to open the emails in an email client such as Microsoft Outlook or Mozilla Thunderbird for printing.

== Upgrading to Version 8.x ==

* '''System Requirements''' Please ensure that your system configuration matches the updated system requirements. MailStore Client and MailStore Outlook Add-in now require .NET Framework 3.5 SP1 and Internet Explorer 8 or higher.

== Upgrading to Version 7.0 ==

* '''Management Shell / Batch Scripts''' The server-side part of the Management Shell command set, which included commands such as <code>user-add</code> or <code>filegroup-create</code>, has completely been replaced by the more powerful [[Administration_API_-_Using_the_API|MailStore Server Administration API]]. If you have written custom scripts (e.g. batch scripts) for user management or store management, please update them so that it uses the new command set. [[MailStore_Server_Management_Shell|More information about the MailStore Server Management Shell]]

== Upgrading to Version 6.0 ==

* '''Upgrading File Groups''' The file group format has changed to ensure high performance and stability in the future. To upgrade existing file groups to the new format, proceed as follows:
** Log in as MailStore administrator (admin).
** Click on ''Administrative Tools'' > ''Storage'' and then ''Storage Locations''.
** Either click on the yellow info box to upgrade all file groups at once or right-click on a file group and select ''Perform Upgrade'' to upgrade a single file group.
**: [[File:Fg_upgrade6.png]]
** Carefully read the notices and click on ''OK'' to start the upgrade process or click on ''Cancel''.
** While the upgrade process is running, you will see a window showing information about the upgrade progress. You can click on ''Cancel'' at any time to interrupt the upgrade process in order to continue it later.
* '''Automatic Creation of New File Groups''' If you are using a scheduled task to create new file groups regularly, we recommend to remove that scheduled task and proceed as described in chapter [[Storage_Locations#Creating_File_Groups_Automatically|Creating File Groups Automatically]] of the MailStore Server manual. Please notice the recommended limit of 500.000 messages per file group; that is the default value for all new installations of MailStore Server 6.
* '''Active Directory Integration''' After upgrading to MailStore Server 6 it is required to reconfigure the Active Directory integration with the new Directory Service interface. Please follow the instructions in chapter [[Active Directory Integration]] of the MailStore Server manual. '''Important notice:''' From MailStore Server 6 on, accessing the Active Directory is done under the security scope of the MailStore Server service (instead of MailStore Client). Therefor, please pay attention to ''Authentication'' under ''Specifying Connection Settings''.
* '''Generic LDAP Integration''' After upgrading to MailStore Server 6 it is required to reconfigure the generic LDAP integration with the new Directory Service interface. Please follow the steps in chapter [[Generic LDAP Integration]] of the MailStore Server manual.
* '''Firewall Settings''' If you have set up firewall rules manually to allow access to MailStore Server, MailStore Web Access, MailStore Outlook Add-in or the MailStore integrated IMAP server, we recommend to remove the firewall rules before installing MailStore Server 6. If desired, MailStore Server 6 can set up and update firewall rules on its own, after changes have been made in the [[MailStore Server Service Configuration]] (formerly known as MailStore Server Base Configuration).
* '''No More Separate Downloads''' There is only one MailStore Server setup file, that includes all appropriate setup files for MailStore Client, MailStore Outlook Add-in and MailStore Proxy. MailStore Server setup creates a link on your desktop that opens an Explorer window with the setup files. If the desktop link does not exist you can find the setup files in the ''Setup-<version>'' sub-folder of your MailStore Server installation directory.

== Upgrading to Version 5.0 ==

* '''MailStore Outlook Add-In''' MailStore Outlook Add-in requires access to MailStore Web Access. Should the situation arise that your firewall block the MailStore Web Access ports (default: 8461 for HTTP and 8462 for HTTPS), please reconfigure you firewall accordingly.

== Upgrading to Version 4.5 ==

* '''Database Backups''' Database backup tasks or profiles which were created with an earlier version of MailStore Server need to be re-created with this version. Use the new backup functionality in Administrative Tools which provides you with several new features.
* '''Search Indexes''' If you have created search indexes with a MailStore Server version equal or earlier than 3.0.2, you will be prompted to rebuild them after your first administrator logon to MailStore Server. Depending on the number of users and file groups, this process might take several minutes or hours. You can continue to use MailStore Server during this process, however the search functionality might be limited until the process is finished.

[[de:Hinweise_zum_Update_von_MailStore_Server]]
[[en:Update Notices for MailStore Server]]

Synchronizing User Accounts with Microsoft 365 - Modern Authentication

2026-01-19T13:36:21Z

Ltalaschus:

{{Directory Services Preamble|Microsoft 365 tenant|Microsoft 365||}}
== Prerequisites, Recommendations and Limitations ==
* For best user experience, the certificate used by MailStore Server should be trusted by all clients and the used web browsers. Using a certificate that is signed by a trusted certificate authority or [[Using_Lets_Encrypt_Certificates|using Let's Encrypt certificates]] is highly recommended.
* If you have archived emails from an Exchange server and synchronized users from an Active Directory until now, follow the article [[Changing Archiving from Microsoft Exchange Server to Microsoft 365]]
* If users are supposed to log in to MailStore Server from outside the organization's network without a VPN using [[Accessing_the_Archive_with_the_MailStore_Client_software|MailStore Client]], [[Accessing_the_Archive_with_the_Microsoft_Outlook_integration|MailStore Outlook Add-in]] or the [[Accessing_the_Archive_with_MailStore_Web_Access|Web Access]], the URIs mentioned in this article must be resolvable via DNS on the Internet and port-forwardings to the MailStore Server computer must be set up on the firewall or router if necessary.
* When using Microsoft 365 to authenticate users at login, [[Accessing_the_Archive_via_Integrated_IMAP_Server|accessing the archive via IMAP]] is not possible for technical reasons.
* MailStore Server supports the synchronization of user accounts with the global Microsoft Cloud ''Microsoft 365'' and ''Office 365, operated by 21Vianet''. Other Environments like GCC, GCC High or DoD are not supported. In the following article, only the term Microsoft 365 is used for the sake of simplicity.

== Connecting MailStore Server and Microsoft 365 ==
In order to synchronize user information from Microsoft 365, MailStore Server has to be connected to your Microsoft 365 tenant and been granted the required permissions. Microsoft 365 relies on Microsoft Entra ID as directory service. Each Microsoft 365 tenant corresponds to an Microsoft Entra ID tenant that stores its user information.

=== Registering of MailStore Server as App in Microsoft Entra ID ===
Through registration, MailStore Server gets an identity in Microsoft Entra ID that makes it possible to authenticate to the tenant's services and use their resources.
* Sign in to the [https://portal.azure.com Microsoft Entra ID Portal] as a Global Administrator for your Microsoft 365 tenant. The Microsoft Entra ID Portal of ''Office 365, operated by 21Vianet'' [https://portal.azure.cn/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview can be accessed here].
* In the navigation menu (☰), select the option ''Microsoft Entra ID''.
* On the next page, select ''App registrations'' in the ''Manage'' section of the left navigation menu.
* Select ''New Registration''. The ''Register an application'' page appears.
* In the ''Name'' field, enter a meaningful display name, e.g. ''MailStore Server''. This name will be shown to users on logon later on, for example.
* Leave all other settings on this page to their defaults.
* Click on ''Register''. If the registration has been successful, you are shown the overview page of the newly registered app.
The ''Application (client) ID'' shown on this page identifies MailStore Server in your Microsoft Entra ID tenant and has to be copied into MailStore Server next, together with the ''Directory (tenant) ID''. Therefore, for the following steps, leave the overview page open in your web browser.

=== Creating Credentials in MailStore Server ===
Credentials for Microsoft 365 consist of the aforementioned IDs and a secret that MailStore Server uses to proof its identity to Microsoft Entra ID. Microsoft recommends using certificates as secrets to identify apps in Microsoft Entra ID. When creating credentials, such a certificate is generated automatically by MailStore Server but can also be recreated later on.
{{Directory Services Accessing Configuration|Microsoft 365 or Microsoft 365 operated by 21 Vianet|Microsoft 365 sync 01.png}}
* In the ''Connection'' section, click on the button (…) next to the ''Credentials'' drop-down list.
* In the ''Credential Manager'' that appears, click on ''Create…''
* In the ''Microsoft Entra ID App Credentials'' dialog, enter the following information in the ''Settings'' section:
** '''Name''' A meaningful display name for the credentials, e.g. the name of your Microsoft 365 tenant.
** '''Application (client) ID''' The value of the corresponding field that you can copy from the Microsoft Entra ID app overview page in your web browser.
** '''Directory (tenant) ID''' The value of the corresponding field that you can copy from the Microsoft Entra ID app overview page in your web browser.
[[File:Microsoft 365 cred 01.png|center|347px]]
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Download Certificate''. Save the certificate on your hard drive.
* Confirm your entries by clicking ''OK''.
* The newly created credentials are listed in the ''Credential Manager'' under the name you have entered with the type ''Microsoft 365''. Here you can also edit or delete existing credentials if necessary.
* Leave the ''Credential Manager'' by clicking ''Close''.
* The newly created credentials are selected in the corresponding drop-down list by default.

=== Publishing Credentials in Microsoft Entra ID ===
For Microsoft Entra ID to validate the identity of MailStore Server, the created certificate needs to be published in Microsoft Entra ID.
* Switch to the Microsoft Entra ID app overview page in your web browser.
* Select ''Certificates & secrets'' in the ''Manage'' section of the left navigation menu.
* Click on ''Upload certificate'' in the ''Certificates'' section. Select the certificate file that you have saved previously and upload it to Microsoft Entra ID by clicking ''Add''.
* If uploading has been successful, the certificate's thumbprint as well as its start and expiry dates appear in the certificates list. You can compare the thumbprint and expiry date with those listed in the MailStore Credential Manager to check that you've uploaded the correct certificate.

=== Configuring App Authentication in Microsoft Entra ID ===
For Microsoft Entra ID to return the result of a user's authentication request to MailStore Server, the endpoint where MailStore Server expects authentication responses, the so-called ''Redirect URI'', has to be conveyed to Microsoft Entra ID.
* In the Microsoft Entra ID Portal in the web browser, select ''Authentication'' in the ''Manage'' section of the left navigation menu.
* Click on the ''Add Redirect URI'' button on the ''Redirect URI configuration'' page.
* Select ''Web'' in the ''Web applications'' section of the platform selection page.
* In the '''Implicit grant and hybrid flows''' section perform the following action:
:'''Enable''' the '''ID tokens''' option.
[[File:Microsoft_365_sync_id_token.png|center]]
* In the field ''Redirect URI'', enter a URI in the format (without brackets)
*: <code>https://<fqdn>[:<port>]/oidc/signin</code>
*; with the following components<nowiki>:</nowiki>
*: '''https://''' Specifying the <code>https://</code> protocol is obligatory. To avoid certificate warnings during user logon, the web browsers on the client machines must trust the [[MailStore_Server_Service_Configuration#Certificate|certificate used by MailStore Server]].
*: '''FQDN''' The Fully Qualified Domain Name (FQDN) of your MailStore Server that consists of the machine name and the DNS domain, e.g. <code>mailstore.example.com</code>. This name must be resolvable by all clients from which users shall be able to log on to MailStore Server.
*: '''Port''' The TCP port of the MailStore Web Access (<code>8462</code> by default). This value must be equal to the port configured in the section ''Base Configuration > Network Settings > MailStore Web Access / Outlook Add-in (HTTPS)'' of the [[MailStore_Server_Service_Configuration#Services|MailStore Server Service Configuration]]. The TCP port has to be specified only if it is different from the default port of the HTTPS protocol (<code>443</code>).
*: '''/oidc/signin''' The endpoint where MailStore Server expects the authentication responses of Microsoft Entra ID. This path has to be specified exactly as stated here at the end of the redirect URI.
* Leave the field ''Logout URL'' blank.
* Ensure that the '''ID tokens''' option is set in the '''Implicit grant and hybrid flows''' section.
* Click on ''Configure'' to finish the configuration of the app authentication in Microsoft Entra ID.
<div class="resp-table">
{| class="wikitable" style="font-size: 85%;"
|+ Examples for valid redirect URIs
|-
! style="width:80px;" | Product
! style="width:80px;" | FQDN
! style="width:40px;" | Port
! Resulting Redirect URI
|-
| align="center"| MailStore Server
| align="center"| mailstore.example.com
| align="center"| 8462
| <code><nowiki>https://mailstore.example.com:8462/oidc/signin</nowiki></code> Redirect URI with Fully Qualified Domain Name and MailStore Web Access default port
|-
| align="center"| MailStore Server
| align="center"| mailstore.example.com
| align="center"| 443
| <code><nowiki>https://mailstore.example.com/oidc/signin</nowiki></code> The port can be ommited if the HTTPS default port 443 has been configured for MailStore Web Access or as source port of a port-forwarding on the firewall or router.
|-
| align="center"| MailStore SPE
| align="center"| archive.example.com
| align="center"| 443
| <code><nowiki>https://archive.example.com/<instanceid>/oidc/signin</nowiki></code> The ''instanceid'' of the instance is part of the Redirect URI.
|-
|}
</div>
:: '''Important Notice:''' Please note that the redirect URI is case-sensitive. Also review the requirements on resolving URIs in the [[#Prerequisites, Recommendations and Limitations|Prerequisites, Recommendations and Limitations]] section.

:: '''Important Notice:''' Please note that without setting the ''ID Token'' option, user authentication will not work.

=== Configuring the Redirect URI in MailStore Server ===
For MailStore Server to convey the redirect URI to requesting clients, it must be configured there, too.
* Switch to the ''Directory Services'' page in the MailStore Client.
* Enter the redirect URI in the corresponding field in the ''Authentication'' section. Just copy the value previously configured in Microsoft Entra ID from the web browser.
[[File:Microsoft 365 sync 02.png|center|450px]]

=== Configuring API Permissions in Microsoft Entra ID ===
* Switch again to Microsoft Entra ID in your web browser.
* Select ''API permissions'' in the ''Manage'' section of the left navigation menu.
* Click on the ''Add a permission'' button in the ''Configured permissions'' section.
* On the ''Request API permissions'' menu page, select the API ''Microsoft Graph'' in the ''Commonly used Microsoft APIs'' section.
* Select the option ''Application permissions''.
* Enable the ''Directory > Directory.Read.All'' permission in the ''Select permissions'' section.
* Also enable the ''Mail > Mail.ReadWrite'' permission in the ''Select permissions'' section.
* Click on ''Add permissions''.
* The permissions are updated and the ''Directory.Read.All'' and ''Mail.ReadWrite'' permissions appear in the API permissions list under ''Microsoft Graph''.
* Click on the ''Add a permission'' button in the ''Configured permissions'' section again.
* On the ''Request API permissions'' menu page, select ''APIs my organization uses''.
* Search for ''Office 365 Exchange Online'' and click on the corresponding entry.
* Select the option ''Application permissions''.
* Enable the ''full_access_as_app'' permission in the ''Select permissions'' section.
* Also enable the permission ''SMTP.SendAsApp'' in the ''SMTP'' section.
* Click on ''Add permissions''.
* The permissions are updated and the ''full_access_as_app'' and ''SMTP.SendAsApp'' permissions appear in the API permissions list under ''Exchange''.
* Now click on the ''Grant admin consent for <your tenant name>'' button in the ''Configured permissions'' section.
* Acknowledge the following notice with ''Yes''.
* The status of all granted permissions is updated to ''Granted for <your tenant name>''.
The configuration of MailStore Server's connection to Microsoft 365 within Microsoft Entra ID is now complete. You can sign out of your Microsoft Entra ID tenant and close the browser window. Switch to the ''Directory Services'' page in the MailStore Client again, all remaining configuration steps must be done there.

[[File:Microsoft 365 sync 03.png|center]]

=== User Database Synchronization ===
After configuring the connection settings as described above, you can specify filter criteria for the Microsoft 365 synchronization in this section.
*'''Synchronize licensed Microsoft Exchange Online users only''' Only Microsoft 365 user accounts with a Microsoft Exchange Online license assigned to them will be taken into account by the synchronization.
*'''Synchronize enabled users only''' Only Microsoft 365 user accounts that do not have their login to Microsoft 365 blocked will be taken into account by the synchronization.
*'''Sync only these groups''' Choose one or several Microsoft 365 security groups if you only want their members to be created as MailStore Server users. That way it's possible to exclude certain users from being synchronized to MailStore Server.

{{Directory Services Options|Microsoft 365 tenant}}
{{Directory Services Assign Default Privileges|Microsoft 365}}
{{Directory Services Run Synchronization|Microsoft 365 tenant}}
[[File:Office365_sync_02.png|450px|center]]

{{Directory Services Test Authentication}}

== Updating credentials ==
The certificate generated by MailStore for logging into Microsoft Entra ID is valid for 3750 days (825 days before version 25.3). In order for user synchronization and archiving to work afterwards, the certificate must be updated before its validity expires.

MailStore Server will show a notification on the dashboard in MailStore Client and in the [[Jobs#Templates|status report]] 28 days before credentials expire. You can also use the [[Administration_API_-_Function_Reference#GetCredentials|GetCredentials API command]] to retrieve the expiration date.

To update the credentials, proceed as follows:

=== Updating credentials in MailStore Server ===

* Log on to MailStore Client as a MailStore Server administrator.
* Click on ''Administrative Tools'' > ''Users and Archives'' > ''Directory Services''.
* In the ''Integration section'', make sure that the directory service type is set to ''Microsoft 365 (Modern Authentication)'' or ''Microsoft 365 operated by 21 Vianet (Modern Authentication)''.
[[File:Microsoft 365 sync 01.png|center|347px]]
* In the ''Connection'' section, click on the button (…) next to the ''Credentials'' drop-down list.
* In the ''Credential Manager'' that appears, click on the currently used credential object and click ''Edit…''
: [[File:Microsoft 365 cred 02.png|center|347px]]
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Create Certificate...''.
* Confirm the process.
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Download Certificate''. Save the certificate on your hard drive.
* Confirm your changes by clicking ''OK''.
* Leave the ''Credential Manager'' by clicking ''Apply''.
* The newly created credentials are selected in the corresponding drop-down list by default.
* If you are using Microsoft 365 in hybrid mode and synchronizing users from your Active Directory, set the directory service back to ''Active Directory''.

=== Updating credentials in Microsoft Entra ID ===

* Sign in to the [https://portal.azure.com Microsoft Entra ID Portal] as a Global Administrator for your Microsoft 365 tenant. The Microsoft Entra ID Portal of ''Office 365, operated by 21Vianet'' [https://portal.azure.cn/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview can be accessed here].
* In the navigation menu (☰), select the option ''Microsoft Entra ID''.
* On the next page, select ''App registrations'' in the ''Manage'' section of the left navigation menu.
* Select the application that is currently used by MailStore.
* Select ''Certificates & secrets'' in the ''Manage'' section of the left navigation menu.
* Click on ''Upload certificate'' in the ''Certificates'' section. Select the certificate file that you have saved previously and upload it to Microsoft Entra ID by clicking ''Add''.
* If uploading has been successful, the certificate's thumbprint as well as its start and expiry dates appear in the certificates list. You can compare the thumbprint and expiry date with those listed in the MailStore Credential Manager to check that you've uploaded the correct certificate.
* The previously used certificate can be removed from the list.

[[de:Synchronisieren_von_Benutzerkonten_mit_Microsoft_365_(Modern_Authentication)]]
[[en:Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)]]

Archiving Emails from Microsoft 365 - Modern Authentication

2026-01-19T13:32:57Z

Ltalaschus:

{{Implementation Guide Preamble|Exchange Online / Microsoft 365|| }}
 
{{Multiline Notices|Heading=Important Notices|If you have archived emails from an Exchange server and synchronized users from an Active Directory until now, follow the article [[Changing Archiving from Microsoft Exchange Server to Microsoft 365]].|MailStore Server supports archiving emails from the global Microsoft Cloud ''Microsoft 365'' and ''Office 365, operated by 21Vianet''. Other Environments like GCC, GCC High or DoD are not supported.|For better readability, the terms ''Microsoft 365'' and ''Exchange Online'' are used interchangeably hereinafter instead of ''Exchange Online / Microsoft 365''.}}

== App Registration & User Synchronization ==
Before archiving Microsoft 365 mailboxes, registering MailStore Server in your Microsoft 365 tenant is required. It is also highly recommended to synchronize users in MailStore Server directly with that tenant to fetch all information that is relevant for archiving such as email addresses. The registration and synchronization procedures are described in the chapter [[Synchronizing User Accounts with Microsoft 365 (Modern Authentication)]] of the MailStore Server manual.

'''Please note:''' MailStore Server runs as a [[MailStore Server Service Configuration|Windows service]] and thus must use ''Application Permissions'' to access user mailboxes in Microsoft 365. By design, on the Microsoft identity platform, which is at the heart of Microsoft 365 authentication and authorization, this permission scope encloses the full level of privileges implied by a permission. As a consequence, once registered as described above, MailStore Server has access to all mailboxes in your Microsoft 365 tenant. Therefore, with regard to security, access to the Microsoft 365 archiving profiles in MailStore Server is limited to MailStore Server administrators.

=== Including Microsoft 365 Shared Mailboxes ===
In Microsoft 365, shared mailboxes are special mailboxes that multiple users have access to. Unlike a normal mailbox, a shared mailbox is not associated to a licensed Microsoft 365 user. For MailStore Server to create user entries for shared mailboxes, you must therefore deactivate the option ''Synchronize licensed Microsoft Exchange Online users only'' in the section [[Synchronizing User Accounts with Microsoft 365 (Modern Authentication)#User_Database_Synchronization|User Database Synchronization]]. 
After synchronization you can grant MailStore Server users access to the archive of the shared mailbox by [[Users,_Folders_and_Settings#Folder_Access_.28e.g._Access_to_the_Emails_of_Other_Users.29|assigning privileges]]. For archiving shared mailboxes, just proceed as for individual or multiple mailboxes as detailed below.

== Archiving Individual Microsoft 365 Mailboxes ==
{{Archiving Single Mailbox Preamble|Microsoft 365}}
For each mailbox, please proceed as follows:

* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft 365 mailbox 01.png|center|347px]]
* Select ''Single Mailbox'' and click on ''OK''.
*; [[File:Microsoft 365 mailbox 02.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* In the ''Mailbox'' field, enter the primary email address of the user whose mailbox you want to archive.
* Click on ''Test'' to verify that MailStore Server can access the mailbox.
* Click on ''Next''.
* If needed, adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]], the [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the mailbox. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections).
*; [[File:Microsoft_365_mailbox_03.png|center|347px]]
* Click on ''Next'' to continue.
* Select the archive of the user for whom the selected mailbox is to be archived. If the user does not exist yet, click on ''Create a New User…''.
*; [[File:Microsoft_365_mailbox_04.png|center|347px]]
* Click on ''Next''.
* In the last step, a name for the archiving profile can be specified. After clicking ''Finish'', the archiving profile will be listed under ''Saved Profiles'' and, if desired, can be run immediately or automatically.

More information on how to execute archiving profiles can be found under the topic [[Email Archiving with MailStore Basics]]

== Archiving Multiple Microsoft 365 Mailboxes Centrally ==
{{Archiving Multiple Mailboxes Preamble|Microsoft 365}}
Please proceed as follows:

* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft 365 mailboxes 01.png|center|347px]]
* Select ''Multiple Mailboxes'' and click ''OK''. 
*; {{Archiving_Multiple_or_Multidrop_Note|multiple mailboxes|[[#App_Registration_.26_User_Synchronization|directory synchronization]]}}
*; [[File:Microsoft 365 mailboxes 02.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* Click on ''Next'' to continue.
*; [[File:Microsoft 365 mailboxes 03.png|center|347px]]
* If needed, adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]], the [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the mailbox. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections). Please keep in mind that these settings apply to all mailboxes to be archived, as specified in the next step.
*; {{Archiving_Multiple_Mailboxes_Centrally_Options|Microsoft_365_mailboxes_04.png|Microsoft 365}}

== Archiving Incoming and Outgoing Emails Directly ==
{{Archiving Exchange Journal Mailbox Preamble|Exchange Online}}

=== Step 1: Setup and Configure MailStore Gateway ===
Please refer to the [https://help.mailstore.com/en/gateway/ MailStore Gateway Manual] for detailed instructions about:

* Installation and Setup of MailStore Gateway
* Logging on to MailStore Gateway's Management Console
* Creating MailStore Gateway mailboxes

After these steps, a mailbox with an individual email address (e.g. mbx-dead1234beef5678@gateway.example.com) should exist.

=== Step 2: Configure MailStore Server ===
{{Archiving MailStore Gateway Mailbox|''In- and Outbound E-Mail Automatically''|Microsoft 365 journal 01.png|Arch_MailStore_Gateway_Office365_02.png|''Microsoft 365''|TargetFolderHint=DontShow|POP3Hint=DontShow|DSLink=[[#App_Registration_.26_User_Synchronization|directory synchronization]]}}

=== Step 3: Creating a Journal Rule ===
The following steps describe how to set up journaling for your Microsoft 365 account.

Since you are planning to use an external mailbox (MailStore Gateway) as the recipient for Journal reports, we highly recommend to first create an external contact with this mail address in your Exchange mailbox administration to prevent any later errors or warnings about an unknown recipient in the process.

* Sign in to the [https://purview.microsoft.com/ Microsoft 365 Purview portal] as an Exchange or Global Administrator for your Microsoft 365 tenant.
* In the left navigation menu select ''Settings''.
* In the now shown ''Settings'' submenu select ''Data Lifecycle Management'' and then select ''Exchange (legacy)'' or use [https://purview.microsoft.com/settings/application-settings/datalifecyclemanagement this link].
* Enter a mailbox in the ''Send undeliverable journal reports to'' section. This mailbox receives None Delivery Reports (NDRs) for undeliverable journal reports in case the primary journal mailbox is unreachable.
** This mailbox should be a dedicated mailbox for this purpose, which cannot reside in any Microsoft 365 tenant.
** The same journal report non-delivery reports mailbox must not be used for multiple tenants.
** The receiving mail server must not alter the ''X-MS-Exchange-Message-Is-Ndr'' email header.
** For this purpose, you can set up a second gateway on another server with an additional mailbox, as described in [[Archiving_Emails_from_Microsoft_365_-_Modern_Authentication#Step_1:_Setup_and_Configure_MailStore_Gateway|Step 1]]. Alternatively you can use any external mailbox that matches the above criteria.
** MailStore is able to extract the journal reports contained in the NDRs, then archive them like normal journal reports and thus assign the emails they contain to users. You can therefore create a second archiving profile as described in [[Archiving_Emails_from_Microsoft_365_-_Modern_Authentication#Step_2:_Configure_MailStore_Server|Step 2]], which archives from the Microsoft 365 journal report non-delivery reports mailbox.
* In the leftmost navigation menu select ''Data Lifecycle Management'', then ''Exchange (legacy)'', and finally ''Journal rules'' and therefore leave the ''Settings'' section or use [https://purview.microsoft.com/datalifecyclemanagement/exchange/journalrules this link]. In case ''Data Lifecycle Management'' is not listed, click ''Solutions'' > ''Data Lifecycle Management''.
* Create a new journaling rule by clicking on ''+ (New rule)''.
*:[[File:Arch_office365_journal_01.png|center|550px]]
* Enter the email address of the previously created MailStore Gateway mailbox in the ''Send journal reports to:'' box.
* Enter a name for the journal rule, e.g. ''Journaling''.
* In the ''Journal messages sent or received from'' section, select whether the rule should apply to everyone or to specific users or groups.
* Under ''Type of message to journal'', choose whether to capture all messages, internal messages only, or external messages only.
* Click on ''Next'', then validate your settings, click ''Submit'' to activate the rule.

== Public Folders ==

'''Please note:''' Support for archiving of Public Folders for Microsoft 365 will reach its End of Life in October 2026. See [[EWS_Migration|here]] for more information.

{{Archiving Exchange Public Folders Preamble|Exchange Online|Microsoft 365}}
* Sign in to the [https://admin.exchange.microsoft.com/#/publicfolders Microsoft 365 Exchange admin center] as an Exchange or Global Administrator for your Microsoft 365 tenant.
* Navigate to ''Public folders'', in case it it not already opened.
* Click on ''Root permissions''.
*: [[File:Microsoft_365_pf_01.png|center|480px]]
* The side-panel ''Folder permissions'' opens. Click on ''+ Add permissions''.
* Use the text box beneath ''Select User'' to choose the Microsoft 365 user you want to grant permissions.
* Choose ''Custom'' as ''Permission level'' and grant ''Read items'' and ''Delete all'' permissions.
*: [[File:Microsoft_365_pf_02.png|center|480px]]
* Click on ''Save Changes''.

=== Step 3: Setting up the Archiving Process ===
* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft 365 pf 03.png|center|347px]]
* Select ''Public Folders'' and click on ''OK''. 
*; [[File:Microsoft 365 pf 04.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* In the ''Mailbox'' field, enter the primary email address of the user that has access to the public folders as described above.
* The value of the ''Target Folder'' box defines the top level folder below which the public folder hierarchy will be created in the target archive. Usually, you can leave this value to its default.
* Click on ''Test'' to verify that MailStore can access the public folders.
* Click on ''Next'' to continue.
*; [[File:Microsoft 365 pf 05.png|center|347px]]
* Adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]]. By default, all public folders that contain emails will be archived.
* If needed, adjust [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|the filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the public folders. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections).
* Click on ''Next'' to continue.
*; [[File:Microsoft 365 pf 06.png|center|347px]]
* In the next step, select the archive of the user you have prepared in step 1.
* In the last step, specify a name for the archiving profile. After clicking ''Finish'' the archiving profile will be listed under ''Saved Profiles'' and can be run immediately or automatically if desired.

== About Archiving Archive Mailboxes ==
{{Archive_Mailbox_Folder_Structure}}

== Archiving Individual Microsoft 365 Archive Mailboxes ==

'''Please note:''' Support for archiving Archive Mailboxes for Microsoft 365 will reach its End of Life in October 2026. See [[EWS_Migration|here]] for more information.

{{Archiving Single Archive Mailbox Preamble|Microsoft 365}}
For each mailbox, please proceed as follows:

* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft_365_archive_mailbox 01.png|center|347px]]
* Select ''Single Archive Mailbox'' and click on ''OK''.
*; [[File:Microsoft_365_archive_mailbox 02.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* In the ''Mailbox'' field, enter the primary email address of the user whose archive mailbox you want to archive.
* Click on ''Test'' to verify that MailStore Server can access the archive mailbox.
* Click on ''Next''.
* If needed, adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]], the [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the archive mailbox. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections).
*; [[File:Microsoft_365_archive_mailbox_03.png|center|347px]]
* Click on ''Next'' to continue.
* Select the archive of the user for whom the selected archive mailbox is to be archived. If the user does not exist yet, click on ''Create a New User…''.
*; [[File:Microsoft_365_archive_mailbox_04.png|center|347px]]
* Click on ''Next''.
* In the last step, a name for the archiving profile can be specified. After clicking ''Finish'', the archiving profile will be listed under ''Saved Profiles'' and, if desired, can be run immediately or automatically.

More information on how to execute archiving profiles can be found under the topic [[Email Archiving with MailStore Basics]]

== Archiving Multiple Microsoft 365 Archive Mailboxes Centrally ==
{{Archiving Multiple Archive Mailboxes Preamble|Microsoft 365}}
Please proceed as follows:

* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft_365_archive_mailboxes_01.png|center|347px]]
* Select ''Multiple Archive Mailboxes'' and click ''OK''. 
*; {{Archiving_Multiple_or_Multidrop_Note|multiple archive mailboxes|[[#App_Registration_.26_User_Synchronization|directory synchronization]]}}
*; [[File:Microsoft_365_archive_mailboxes_02.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* Click on ''Next'' to continue.
*; [[File:Microsoft_365_archive_mailboxes_03.png|center|347px]]
* If needed, adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]], the [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the archive mailbox. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections). Please keep in mind that these settings apply to all mailboxes to be archived, as specified in the next step.
*; {{Archiving_Multiple_Mailboxes_Centrally_Options|Microsoft_365_archive_mailboxes_04.png|Microsoft 365}}

[[de:E-Mail-Archivierung_von_Microsoft_365_(Modern_Authentication)]]
[[en:Archiving_Emails_from_Microsoft_365_(Modern_Authentication)]]

Administration API - Function Reference

2026-01-16T14:05:53Z

Ltalaschus: /* CreateStore */

__NOTOC__

== AttachStore ==
Attach existing archive store.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>name</tt>
| string
| Meaningful name of archive store.
|-
| <tt>type</tt>
| string
| Type of archive store.
|-
| <tt>databaseName</tt>
| string (optional)
| Name of database on Microsoft SQL Server or PostgreSQL server.
|-
| <tt>databasePath</tt>
| string (optional)
| Path to directory in which database folder information and email meta data are stored.
|-
| <tt>contentPath</tt>
| string (optional)
| Path to directory in which email headers and contents are stored.
|-
| <tt>indexPath</tt>
| string (optional)
| Path to directory in which full text search indexes are stored.
|-
| <tt>serverName</tt>
| string (optional)
| Name of Microsoft SQL Server or PostgreSQL server.
|-
| <tt>userName</tt>
| string (optional)
| User name for accessing Microsoft SQL Server or PostgreSQL server.
|-
| <tt>password</tt>
| string (optional)
| Password for accessing Microsoft SQL Server or PostgreSQL server.
|-
| <tt>requestedState</tt>
| string (optional)
| State of archive store after attaching.
|}

=== Argument Values ===

==== type ====
{| class="wikitable"
! width=270px | Name
! Description
|-
| <tt>FileSystemInternal</tt>
| Advanced file system-based archive store.
|-
| <tt>SQLServer</tt>
| Microsoft SQL Server-based archive store.
|-
| <tt>PostgreSQL</tt>
| PostgreSQL server-based archive store.
|}

==== requestedState ====
{| class="wikitable"
! width=270px | Name
! Description
|-
| <tt>current</tt>
| Same as Normal but new messages will be archived in the archive store that is set to Current.
|-
| <tt>normal</tt>
| The content of archives store is available to users and can be modified if the user has the appropriate permission.
|-
| <tt>writeProtected</tt>
| The content of write protected archive stores is available to users, but cannot be modified (e.g. delete or move messages, rename or move folders)
|-
| <tt>disabled</tt>
| Disabled archive stores are not in use but the instance still knows about their existence. Therefore the content is not available to users.
|}

== CancelJobAsync ==
Cancel a running job asynchronously.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| number
| The unique identifier of the job to be canceled.
|}

== ClearUserPrivilegesOnFolders ==
Removes all privileges of a user on all archive folders.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>userName</tt>
| string
| User name of MailStore user.
|}

== CompactMasterDatabase ==
Compact master database.

== CompactStore ==
Compact archive store.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| number
| Unique ID of archive store
|}

== CreateBackup ==
Create a backup of the entire archive.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>path</tt>
| string
| Path to directory into which the backup should be written.
|-
| <tt>excludeSearchIndexes</tt>
| bool (optional)
| Indicates whether the search index files should be excluded from the backup.
|}

== CreateJob ==
Create a new job to execute Management API commands.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>name</tt>
| string (optional)
| A meaningful name for the job. Example: ''Daily Backup''.
|-
| <tt>action</tt>
| string (optional)
| Management API command to execute.
|-
| <tt>owner</tt>
| string (optional)
| Username of the job owner; must be an administrator.
|-
| <tt>timeZoneId</tt>
| string (optional)
| The id of the time zone the date should be converted to, e.g. ''$Local'', which represents the time zone of the operating system.
|-
| <tt>date</tt>
| string (optional)
| Datetime string (YYYY-MM-DDThh:mm:ss) for running the job once.
|-
| <tt>interval</tt>
| number (optional)
| Interval for running job.
|-
| <tt>time</tt>
| string (optional)
| Time for running job. Without additional parameter, this means daily execution.
|-
| <tt>dayOfWeek</tt>
| string (optional)
| Day of week to run job. Parameter "time" also required.
|-
| <tt>dayOfMonth</tt>
| string (optional)
| Day of month to run job. Parameter "time" also required. dayOfWeek can optionally be used to define further.
|}

Use the API command [[Administration_API_-_Function_Reference#GetTimeZones|GetTimeZones]] to retrieve a list of all available time zones and their ids.

=== Argument Values ===

==== dayOfWeek ====
{| class="wikitable"
! width=270px | Name
! Description
|-
| <tt>Sunday</tt>
| Sunday
|-
| <tt>Monday</tt>
| Monday
|-
| <tt>Tuesday</tt>
| Tuesday
|-
| <tt>Wednesday</tt>
| Wednesday
|-
| <tt>Thursday</tt>
| Thursday
|-
| <tt>Friday</tt>
| Friday
|-
| <tt>Saturday</tt>
| Saturday
|}

==== dayOfMonth ====
{| class="wikitable"
! width=270px | Name
! Description
|-
| <tt>1 to 31</tt>
| Numeric representation of day of month.
|-
| <tt>Last</tt>
| Last day of month.
|}

==== interval ====
{| class="wikitable"
! width=270px | Name
! Description
|-
| <tt>5</tt>
| Every 5 minutes.
|-
| <tt>10</tt>
| Every 10 minutes.
|-
| <tt>15</tt>
| Every 15 minutes.
|-
| <tt>20</tt>
| Every 20 minutes.
|-
| <tt>30</tt>
| Every 30 minutes.
|-
| <tt>60</tt>
| Every hour.
|-
| <tt>120</tt>
| Every 2 hours.
|-
| <tt>180</tt>
| Every 3 hours.
|-
| <tt>240</tt>
| Every 4 hours.
|-
| <tt>360</tt>
| Every 6 hours.
|-
| <tt>720</tt>
| Every 12 hours.
|}

== CreateProfile ==
Create a new archiving or exporting profile.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>properties</tt>
| json
| Profile properties.
|-
| <tt>raw</tt>
| bool
| Currently only 'true' is supported.
|}

=== Argument Values ===

==== properties ====
To receive available profile properties create a profile of the desired type via MailStore Client and then use the GetProfiles method to receive supported values. The properties ''id'' and ''version'' must be omitted, the password field must be filled properly.

== CreateStore ==
Create and attach a new archive store.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>name</tt>
| string
| Meaningful name of archive store.
|-
| <tt>type</tt>
| string
| Type of archive store.
|-
| <tt>databaseName</tt>
| string (optional)
| Name of database on Microsoft SQL Server or PostgreSQL server.
|-
| <tt>databasePath</tt>
| string (optional)
| Path to directory in which database folder information and email meta data are stored.
|-
| <tt>contentPath</tt>
| string (optional)
| Path to directory in which email headers and contents are stored.
|-
| <tt>indexPath</tt>
| string (optional)
| Path to directory in which full text search indexes are stored.
|-
| <tt>serverName</tt>
| string (optional)
| Name of Microsoft SQL Server or PostgreSQL server.
|-
| <tt>userName</tt>
| string (optional)
| User name for accessing Microsoft SQL Server or PostgreSQL server.
|-
| <tt>password</tt>
| string (optional)
| Password for accessing Microsoft SQL Server or PostgreSQL server.
|-
| <tt>requestedState</tt>
| string (optional)
| State of archive store after attaching.
|}

=== Argument Values ===

==== type ====
{| class="wikitable"
! width=270px | Name
! Description
|-
| <tt>FileSystemInternal</tt>
| Standard archive store.
|-
| <tt>SQLServer</tt>
| Microsoft SQL Server-based archive store.
|-
| <tt>PostgreSQL</tt>
| PostgreSQL server-based archive store.
|}

==== requestedState ====
{| class="wikitable"
! width=270px | Name
! Description
|-
| <tt>current</tt>
| Same as Normal but new messages will be archived in the archive store that is set to Current.
|-
| <tt>normal</tt>
| The content of archives store is available to users and can be modified if the user has the appropriate permission.
|-
| <tt>writeProtected</tt>
| The content of write protected archive stores is available to users, but cannot be modified (e.g. delete or move messages, rename or move folders)
|-
| <tt>disabled</tt>
| Disabled archive stores are not in use but the instance still knows about their existence. Therefore the content is not available to users.
|}

== CreateUser ==
Create new MailStore user. Use [[Administration_API_-_Function_Reference#SetUserPrivilegesOnFolder|SetUserPrivilegesOnFolder]] to grant that user privileges on the user's own archive.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>userName</tt>
| string
| User name of new MailStore user.
|-
| <tt>privileges</tt>
| string
| Comma separated list of privileges.
|-
| <tt>fullName</tt>
| string (optional)
| Full name of user.
|-
| <tt>distinguishedName</tt>
| string (optional)
| LDAP DN string.
|-
| <tt>authentication</tt>
| string (optional)
| Authentication setting for user: 'integrated or 'directoryServices'.
|-
| <tt>password</tt>
| string (optional)
| Password of new user.
|-
| <tt>loginPrivileges</tt>
| string (optional)
| Comma separated list of log in privileges. If not given, all login privileges are assigned.
|}

=== Argument Values ===

==== privileges ====
{{Administration_API_User_Privileges}}

==== loginPrivileges ====
{{Administration_API_User_Login_Privileges}}

== DeleteAppPasswords ==
Deletes all app passwords of a user, hence all non-interactive logins will fail and have to be reconfigured by the user.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>userName</tt>
| string
| The user name of the user whose app passwords shall be deleted.
|}

== DeleteEmptyFolders ==
Remove folders from folder tree that do not contain emails.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>folder</tt>
| string (optional)
| Entry point in folder tree.
|}

== DeleteJob ==
Deletes a job.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| string
| The unique identifier of the job to be deleted.
|}

== DeleteMessage ==
Delete a single message

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| string
| Unique ID of message. Format: <store_id>:<message_num>
|-
| <tt>reason</tt>
| string
| The reason why that message has to be deleted which will be written into the audit log.
|}

== DeleteProfile ==
Delete an archiving or exporting profile.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| number
| Unique ID of profile.
|}

== DeleteUser ==
Delete a MailStore user.
Neither the user's archive nor the user's archive emails are deleted when deleting a user.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>userName</tt>
| string
| User name of MailStore user.
|}

== DetachStore ==
Detach an archive store.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| number
| Unique ID of archive store.
|}

== DisableMFA ==
Disables multi-factor authentication of a user.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>userName</tt>
| string
| The user name of the user for whom MFA shall be disabled.
|}

[[Administration_API_-_Function_Reference#InitializeMFA|InitializeMFA]] enables multi-factor authentication of a user.

== GetActiveSessions ==
Get list of current user sessions.

== GetChildFolders ==
Get child folders.
Depending on compliance settings this method may return only the first folder hierarchy level.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>folder</tt>
| string (optional)
| Parent folder whose child folders should be returned. If omitted, all archives and folder will be returned.
|-
| <tt>maxLevels</tt>
| number (optional)
| Depth of child folders.
|}

== GetComplianceConfiguration ==
Get current compliance configuration settings.

== CreateCredential ==
Create a new credential object that can be used by directory configuration settings or profiles.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>type</tt>
| string
| Credential type. Supported values are: 
* <tt>Office365_Modern</tt> – credential for authenticating against Entra ID (Office 365 modern authentication). 
* <tt>SignedEnvelope</tt> – credential used for an export to MailStore Cloud.
|-
| <tt>description</tt>
| string
| Human readable description of the credential.
|-
| <tt>tenantId</tt>
| string (optional)
| Tenant identifier used for Office365_Modern type credentials.
|-
| <tt>applicationId</tt>
| string (optional)
| Application/client identifier used for Office365_Modern type credentials.
|}

== DeleteCredential ==
Delete an existing credential object.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| int
| Unique ID of the credential to delete.
|}

== GetCredential ==
Get details of a single credential object.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| int
| Unique ID of the credential whose details should be returned.
|}

== GetCredentials ==
Get the list of all credential objects and their details.

== SetCredentialDescription ==
Set the description of an existing credential object.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| int
| Unique ID of the credential to modify.
|-
| <tt>description</tt>
| string
| New human readable description of the credential.
|}

== SetCredentialSettings ==
Change configuration settings of an existing credential object.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| int
| Unique ID of the credential to modify.
|-
| <tt>createNewCertificate</tt>
| bool (optional)
| Indicates whether a new certificate should be created for this credential (<tt>true</tt>) or the existing certificate settings should be kept (<tt>false</tt>).
|-
| <tt>tenantId</tt>
| string (optional)
| Tenant identifier used for Office365_Modern type credentials.
|-
| <tt>applicationId</tt>
| string (optional)
| Application/client identifier used for Office365_Modern type credentials.
|}

== GetDirectoryServicesConfiguration ==
Get current Directory Services configuration settings.

== GetFolderStatistics ==
Get folder statistics.

== GetJobResults ==
Retrieves list of finished job executions.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>fromIncluding</tt>
| string
| Beginning of time range to fetch.
|-
| <tt>toExcluding</tt>
| string
| End of time range to fetch.
|-
| <tt>timeZoneId</tt>
| string
| The id of the time zone the date should be converted to, e.g. $Local, which represents the time zone of the operating system.
|-
| <tt>jobId</tt>
| number (optional)
| The job id for which to retrieve results.
|}

Interactive Management Shell Example: ''GetJobResults --fromIncluding="2022-12-01T00:00:00" --toExcluding="2023-01-01T00:00:00" --timeZoneId="$Local" --jobId=1''

Use the API command [[Administration_API_-_Function_Reference#GetTimeZones|GetTimeZones]] to retrieve a list of all available time zones and their ids.

== GetJobs ==
Retrieve list of jobs.

== GetLicenseInformation ==
Retrieve license information.

Example license information object:

{
"productKey": "YOUR-MAIL-STORE-PRODUCT-KEY",
"productVersion": "13.1.0.12345",
"maxNamedUsers": 100,
"namedUsers": 95,
"unusedNamedUsers": 5,
"supportExpiryDate": "2023-12-31",
"supportLevel": "Premium Service",
"validFrom": null,
"validTo": null,
"licensedTo": "MailStore Software GmbH",
"machineName": "MAILSTORE"
}

The properties ''validFrom'' and ''validTo'' are only set when Trial or NFR product keys are used.

== GetMessages ==
Get list of messages from a folder.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>folder</tt>
| string (optional)
| Folder whose content to list.
|}

== GetProfiles ==
Get list of archiving and exporting profiles.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>raw</tt>
| bool
| Currently only 'true' is supported.
|}

== GetRetentionPolicies ==
Get the retention policies.

Example retention policies object:

[
{
"name": "Keep All Mails for 10 Years",
"order": 1,
"enabled": true,
"searchCriteria": {
"from": null,
"to": null,
"query": null,
"queryAttachmentContents": false,
"queryAttachments": false,
"queryMessageBody": false,
"querySubject": false,
"includedArchives": null,
"excludedArchives": [
"admin"
]
},
"period": 10,
"periodInterval": "year",
"referenceDateType": "ArchiveDate",
"delete": false
}
]

The ''referenceDateType'' can bei either ''ArchiveDate'' or ''MessageDate''.

== GetServerInfo ==
Get MailStore Server version and machine name.

== GetServiceConfiguration ==
Get MailStore Server service configuration. This includes the path to the Master Database, the location of the audit log, whether the different debug logs are enabled and the endpoint configuration.

== GetSmtpSettings ==
Get current SMTP configuration.

== GetStoreAutoCreateConfiguration ==
Get automatic archive store creation settings.

== GetStoreIndexes ==
Get list of full text indexes.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| number (optional)
| Unique ID of archive store.
|}

== GetStores ==
Get list of archive stores.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>includeSize</tt>
| bool (optional)
| Includes size of archive store. Default: ''true''. May be slow when running on slow hardware.
|}

== GetTimeZones ==
Get the list of available time zones and their IDs.

The ''id'' of the output can be used as ''timeZoneId'' in [[Administration_API_-_Function_Reference#CreateJob|CreateJob]], [[Administration_API_-_Function_Reference#GetJobResults|GetJobResults]], [[Administration_API_-_Function_Reference#SetJobSchedule|SetJobSchedule]] and [[Administration_API_-_Function_Reference#SendStatusReport|SendStatusReport]] and as ''timeZoneID'' (with a capital ''ID'') in [[Administration_API_-_Function_Reference#GetWorkerResults|GetWorkerResults]].

== GetUserInfo ==
Get detailed information about user.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>userName</tt>
| string
| User name of MailStore user
|}

== GetUsers ==
Get list of users.

== GetWorkerResults ==
Get results of profile executions.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>fromIncluding</tt>
| string
| Beginning of time range to fetch.
|-
| <tt>toExcluding</tt>
| string
| End of time range to fetch.
|-
| <tt>timeZoneID</tt>
| string
| The id of the time zone the date should be converted to, e.g. $Local, which represents the time zone of the operating system.
|-
| <tt>profileID</tt>
| number (optional)
| Filter results by given profile ID.
|-
| <tt>userName</tt>
| string (optional)
| If given, must be equal to the current username. Filters results by current user.
|}

Interactive Management Shell Example: ''GetWorkerResults --fromIncluding="2022-01-01T00:00:00" --toExcluding="2023-01-01T00:00:00" --timeZoneID="$Local" --profileID=1 --userName="admin"''

Use the API command [[Administration_API_-_Function_Reference#GetTimeZones|GetTimeZones]] to retrieve a list of all available time zones and their ids.

Be aware that ''timeZoneID'' has to be written with a capital ''ID'' where all other commands with a ''timeZoneId'' are expecting ''Id''.

== GetWorkerResultReport ==
Get the details of a profile execution result.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| number
| The ID of the result for which the details should be fetched.
|}

Use the [[Administration_API_-_Function_Reference#GetWorkerResults|GetWorkerResults]] command to get the IDs of results.

== InitializeMFA ==
Initializes multi-factor authentication of a user. During the next login with an MFA-capable client, the user has to scan a QR code with a TOTP compatible app and has to enter an MFA code to be able to login.
When ''InitializeMFA'' is called when MFA is already active for a user, a new secret is generated and the user has to scan the QR code again. This also invalidates all trusted device tokens of a user.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>userName</tt>
| string
| The user name of the user for whom MFA shall be initialized.
|}

[[Administration_API_-_Function_Reference#DisableMFA|DisableMFA]] disables multi-factor authentication of a user.

== MaintainFileSystemDatabases ==
Run database maintenance on all databases of file system based archive stores.

== MergeStore ==
Merge two archive stores.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| number
| Unique ID of destination archive store.
|-
| <tt>sourceId</tt>
| number
| Unique ID of source archive store.
|}

== MoveFolder ==
Move folder.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>fromFolder</tt>
| string
| Old folder name.
|-
| <tt>toFolder</tt>
| string
| New folder name.
|}

== ProcessRetentionPolicies ==
Processes the configured retention policies.

== RebuildSelectedStoreIndexes ==
Rebuild all full-text indexes selected for rebuild.

== RebuildStoreIndex ==
Rebuild search index for given archive folder.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| number
| Unique ID of archive store.
|-
| <tt>folder</tt>
| string
| Name of folder name.
|}

== RecoverStore ==
Recreates a broken Firebird database from recovery records. The archive store must have been upgraded to the latest version and the recovery records must not be corrupt. The archive store must be in the ''Disabled'' or ''Error'' state.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| number
| Unique ID of archive store.
|-
| <tt>encryptionKey</tt>
| string (optional)
| Encryption key of the archive store. Must be given, when the encryption key cannot be read from the key file of the archive store.
|-
| <tt>recoverDeletedMessages</tt>
| bool (optional)
| Defines whether to recover deleted messages.
|}

When the ''recoverDeletedMessages'' parameter is set to ''true'', only deleted messages that still have leftovers in the recovery records can be recovered. When an archive store has been compacted with [[#CompactStore|CompactStore]] or recovery record files have grown to their auto-compacting size of 32 MiB these leftovers could already be removed and deleted messages cannot be recovered.

== RecreateRecoveryRecords ==
Recreates broken Recovery Records of an archive store. Use [[#VerifyStore|VerifyStore]] or [[#VerifyStores|VerifyStores]] to verify the state of the Recovery Records. Cannot be used for external archive stores that store their content in the database.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| number
| Unique ID of archive store.
|}

== RefreshAllStoreStatistics ==
Refresh statistics of all archive stores.

== RenameJob ==
Rename job.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| number (optional)
| The unique identifier of the job to be renamed.
|-
| <tt>name</tt>
| string (optional)
| The new job name.
|}

== RenameStore ==
Rename archive store

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| number
| Unique ID of archive store.
|-
| <tt>name</tt>
| string
| New name of archive store.
|}

== RenameUser ==
Rename a MailStore user.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>oldUserName</tt>
| string
| Old user name.
|-
| <tt>newUserName</tt>
| string
| New user name.
|}

== RenewMasterKey ==
Renews the master key which is used to encrypt the encryption keys.

== RepairStoreDatabase ==
Tries to resolve certain issues with archive store databases (e.g. missing database indexes).

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| number
| Unique ID of archive store.
|}

== RetryOpenStores ==
Retry opening stores that failed previously.

== RunJobAsync ==
Run an existing job.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| number
| The identifier of the job to be run.
|}

== RunProfile ==
Run an existing archiving or exporting profile. Only profiles that are executed on server side can be started by this command. That are all profiles which are listed under ''E-Mail Servers'' in the MailStore Client. Client side profiles can be started by using the [[MailStore_Server_Management_Shell|MailStoreCmd]] and the commands ''import-execute'' and ''export-execute''.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| number
| Unique profile ID.
|}

== RunTemporaryProfile ==
Run a temporary/non-existent profile. Only profiles that are executed on server side can be started by this command. That are all profiles which are listed under ''E-Mail Servers'' in the MailStore Client.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>properties</tt>
| json
| Profile properties.
|-
| <tt>raw</tt>
| bool
| Currently only 'true' is supported.
|}

=== Argument Values ===

==== properties ====
To receive available profile properties create a profile of the desired type via MailStore Client and use the GetProfiles method to receive supported value.

== SelectAllStoreIndexesForRebuild ==
Select all full-text indexes for rebuild.

== SendStatusReport ==
Send a status report to the given recipients.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>timespan</tt>
| string
| Timespan that is covered by the status report.
|-
| <tt>timeZoneId</tt>
| string
| The id of the time zone the date should be converted to, e.g. $Local, which represents the time zone of the operating system.
|-
| <tt>recipients</tt>
| string
| Comma separated list of recipients that will receive the status report.
|}

Use the API command [[Administration_API_-_Function_Reference#GetTimeZones|GetTimeZones]] to retrieve a list of all available time zones and their ids.
=== Argument Values ===

==== Timespan ====
{| class="wikitable"
! width=270px | Name
! Description
|-
| <tt>today</tt>
| The day when the status report is sent.
|-
| <tt>yesterday</tt>
| The day before the status report is sent.
|-
| <tt>thisweek</tt>
| The week when the status report is sent.
|-
| <tt>lastweek</tt>
| The week before the status report is sent.
|-
| <tt>thismonth</tt>
| The month when the status report is sent.
|-
| <tt>lastmonth</tt>
| The month before the status report is sent.
|}

== SetComplianceConfiguration ==
Set compliance configuration settings.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>config</tt>
| json
| Compliance configuration.
|}

=== Argument Values ===

==== config ====
Use [[Administration_API_-_Function_Reference#GetComplianceConfiguration|GetComplianceConfiguration]] to receive supported values.

Example settings object:
<source lang="js" smart-tabs="true" toolbar="false" gutter="false">
{
"adminEmailPreviewEnabled": true,
"legalHoldEnabled": false,
"passwordPolicyEnabled": true,
"logSuccessfulUserActivities": [
"AdminRestored",
"ComplianceChangeSettings",
"FileGroupAttach",
"FileGroupCreate",
"FileGroupDetach",
"FileGroupRename",
"FileGroupSetProperties",
"FileGroupSetRequestedState",
"ProfileChangeUserName",
"UserAdd",
"UserDelete",
"UserRename",
"UserSetFolderAccess",
"UserSetMappings",
"UserUpdate"
]
}
</source>

== SetDirectoryServicesConfiguration ==
Set directory services configuration settings.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>config</tt>
| json
| Directory services configuration.
|}

=== Argument Values ===

==== config ====
Use GetDirectoryServicesConfiguration to receive supported value.

== SetJobEnabled ==
Set enabled status of a job.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| number (optional)
| The unique identifier of the job to be modified.
|-
| <tt>enabled</tt>
| bool (optional)
| Boolean value of '''enabled''' attribute.
|}

== SetJobSchedule ==
Modify the schedule of a job.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| number
| The unique identifier of the job to be modified.
|-
| <tt>timeZoneId</tt>
| string
| The id of the time zone the date should be converted to, e.g. $Local, which represents the time zone of the operating system.
|-
| <tt>date</tt>
| string (optional)
| Datetime string (YYYY-MM-DDThh:mm:ss) for running the job once.
|-
| <tt>interval</tt>
| number (optional)
| Interval for running job.
|-
| <tt>time</tt>
| string (optional)
| Time for running job. Without additional parameter, this means daily execution.
|-
| <tt>dayOfWeek</tt>
| string (optional)
| Day of week to run job. Parameter "time" also required.
|-
| <tt>dayOfMonth</tt>
| string (optional)
| Day of month to run job. Parameter "time" also required. dayOfWeek can optionally be used to define further.
|}

Use the API command [[Administration_API_-_Function_Reference#GetTimeZones|GetTimeZones]] to retrieve a list of all available time zones and their ids.
=== Argument Values ===

==== dayOfWeek ====
{| class="wikitable"
! width=270px | Name
! Description
|-
| <tt>Sunday</tt>
| Sunday
|-
| <tt>Monday</tt>
| Monday
|-
| <tt>Tuesday</tt>
| Tuesday
|-
| <tt>Wednesday</tt>
| Wednesday
|-
| <tt>Thursday</tt>
| Thursday
|-
| <tt>Friday</tt>
| Friday
|-
| <tt>Saturday</tt>
| Saturday
|}

==== dayOfMonth ====
{| class="wikitable"
! width=270px | Name
! Description
|-
| <tt>1 to 31</tt>
| Numeric representation of day of month.
|-
| <tt>Last</tt>
| Last day of month.
|}

==== interval ====
{| class="wikitable"
! width=270px | Name
! Description
|-
| <tt>5</tt>
| Every 5 minutes.
|-
| <tt>10</tt>
| Every 10 minutes.
|-
| <tt>15</tt>
| Every 15 minutes.
|-
| <tt>20</tt>
| Every 20 minutes.
|-
| <tt>30</tt>
| Every 30 minutes.
|-
| <tt>60</tt>
| Every hour.
|-
| <tt>120</tt>
| Every 2 hours.
|-
| <tt>180</tt>
| Every 3 hours.
|-
| <tt>260</tt>
| Every 4 hours.
|-
| <tt>360</tt>
| Every 6 hours.
|-
| <tt>720</tt>
| Every 12 hours.
|}

== SetProfileServerSideExecution ==
Disables or enables the automatic server-sided execution with its parameters.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| number
| The unique profile ID of the profile to be modified.
|-
| <tt>automatic</tt>
| bool
| Enables (true) or disables (false) the profile's server-side automation.
|-
| <tt>automaticPauseBetweenExecutions</tt>
| number (optional)
| Integer value (0 - 2147483647) of seconds to pause between re-executing an automatic profile.
|-
| <tt>automaticMaintenanceWindows</tt>
| string (optional)
| TimeSpan string (hh:mm-hh:mm, e.g. 22:00-04:00) for the time window where the execution should not be executed, e.g. to schedule maintenance tasks.
|}

Use the API command [[Administration_API_-_Function_Reference#GetProfiles|GetProfiles]] to retrieve a list of all profiles and their current "serverSideExecution" section details.

The command can be executed with either the argument ''automatic=false'' and no additional parameters to disable the automation, or with ''automatic=true'' and at least the ''automaticPauseBetweenExecutions'' value given. The ''automaticMaintenanceWindows'' parameter is optional. Setting an already automated profile to automatic again, will restart the profile.

== SetRetentionPolicies ==
Set retention policies.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>config</tt>
| json
| Retention policy configuration.
|}

To get example policies use the client to create retention policies manually. Then use the API command [[Administration_API_-_Function_Reference#GetRetentionPolicies|GetRetentionPolicies]] to retrieve the json values. 
Please be aware that the API is case-sensitive. Especially the archive inclusion/exclusion criteria must not contain upper case characters, as the user archives are always handled lower-case internally.
Due to a more complex distributed permission concept, retention policies can not be edited via the API for the MailStore Service Provider Edition.

== SetServiceCertificate ==
Set the X509 certificate that is used by MailStore Server for incoming connections.
The certificate must already reside in the computer's local certificate store.
The thumbprint of the currently used certificate can be retrieved with [[Administration_API_-_Function_Reference#GetServiceConfiguration|GetServiceConfiguration]].

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>thumbprint</tt>
| string
| Thumbprint of X509 certificate.
|}

== SetSmtpSettings ==
Set SMTP configuration.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>settings</tt>
| json
| SMTP configuration.
|}

=== Argument Values ===

==== settings====
Example settings object:
<source lang="js" smart-tabs="true" toolbar="false" gutter="false">
{
"hostname": "mail.example.com",
"port": 587,
"protocol": "SMTP-TLS",
"ignoreSslPolicyErrors": false,
"authenticationRequired": true,
"username": "sending.user@example.com",
"password": "userpassword",
"fromDisplayName": "Sending User",
"fromEmailAddress": "sending.user@example.com",
"recipientEmailAddresses": ["administrator@example.com", "user@example.com"]
}
</source>

== SetStoreAutoCreateConfiguration ==
Set configuration for automatic archive store creation.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>config</tt>
| json
| Archive store automatic creation configuration.
|}

=== Argument Values ===

==== config ====
<source lang="js" smart-tabs="true" toolbar="false" gutter="false">
{
"sizeThreshold" : int or null,
"databaseBaseDirectory" : string,
"contentBaseDirectory" : string,
"indexBaseDirectory" : string
}
</source>

== SetStoreProperties ==
Set properties of archive store.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| number
| Set properties of archive store.
|-
| <tt>type</tt>
| string (optional)
|
|-
| <tt>databaseName</tt>
| string (optional)
| Name of database on Microsoft SQL Server or PostgreSQL server.
|-
| <tt>databasePath</tt>
| string (optional)
| Path to directory in which database folder information and email meta data are stored.
|-
| <tt>contentPath</tt>
| string (optional)
| Path to directory in which email headers and contents are stored.
|-
| <tt>indexPath</tt>
| string (optional)
| Path to directory in which full text search indexes are stored.
|-
| <tt>serverName</tt>
| string (optional)
| Name of Microsoft SQL Server or PostgreSQL server.
|-
| <tt>userName</tt>
| string (optional)
| User name for accessing Microsoft SQL Server or PostgreSQL server.
|-
| <tt>password</tt>
| string (optional)
| Password for accessing Microsoft SQL Server or PostgreSQL server.
|}

=== Argument Values ===

==== type ====
{| class="wikitable"
! width=270px | Name
! Description
|-
| <tt>FileSystemInternal</tt>
| Advanced file system-based archive store.
|-
| <tt>SQLServer</tt>
| Microsoft SQL Server-based archive store.
|-
| <tt>PostgreSQL</tt>
| PostgreSQL server-based archive store.
|}

== SetStoreRequestedState ==
Set state of archive store.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| number
| Unique ID of archive store.
|-
| <tt>requestedState</tt>
| string (optional)
| State of archive store after attaching.
|}

=== Argument Values ===

==== requestedState ====
{| class="wikitable"
! width=270px | Name
! Description
|-
| <tt>current</tt>
| Same as Normal but new messages will be archived in the archive store that is set to Current.
|-
| <tt>normal</tt>
| The content of archives store is available to users and can be modified if the user has the appropriate permission.
|-
| <tt>writeProtected</tt>
| The content of write protected archive stores is available to users, but cannot be modified (e.g. delete or move messages, rename or move folders)
|-
| <tt>disabled</tt>
| Disabled archive stores are not in use but the instance still knows about their existence. Therefore the content is not available to users.
|}

== SetUserAuthentication ==
Set authentication settings of a MailStore user.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>userName</tt>
| string
| User name of MailStore user.
|-
| <tt>authentication</tt>
| string
| Authentication method. Either 'integrated' or 'directoryServices'.
|}

== SetUserDistinguishedName ==
Set the LDAP distinguished name of a MailStore user.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>userName</tt>
| string
| User name of MailStore user.
|-
| <tt>distinguishedName</tt>
| string (optional)
| LDAP DN string.
|}

== SetUserEmailAddresses ==
Set email addresses of MailStore user.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>userName</tt>
| string
| User name of MailStore user.
|-
| <tt>emailAddresses</tt>
| string (optional)
| List of email addresses.
|}

== SetUserFullName ==
Set full name of MailStore user.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>userName</tt>
| string
| User name of MailStore user.
|-
| <tt>fullName</tt>
| string (optional)
| Full name of MailStore user.
|}

== SetUserLoginPrivileges ==
Set login privileges of a MailStore user.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>userName</tt>
| string
| User name of MailStore user.
|-
| <tt>loginPrivileges</tt>
| string
| Comma separated list of login privileges.
|}

=== Argument Values ===

==== loginPrivileges ====
{{Administration_API_User_Login_Privileges}}

== SetUserPassword ==
Set password of MailStore user.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>userName</tt>
| string
| User name of MailStore user.
|-
| <tt>password</tt>
| string
| Password of MailStore user.
|}

== SetUserPop3UserNames ==
Set POP3 user name of MailStore user.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>userName</tt>
| string
| User name of MailStore user.
|-
| <tt>pop3UserNames</tt>
| string (optional)
| Comma separated list of POP3 user names.
|}

== SetUserPrivileges ==
Set privileges of MailStore user.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>userName</tt>
| string
| User name of MailStore user.
|-
| <tt>privileges</tt>
| string
| Comma separated list of privileges.
|}

=== Argument Values ===

==== privileges ====
{{Administration_API_User_Privileges}}

== SetUserPrivilegesOnAllFolders ==
Set privileges on all folders for MailStore user, except for the folders that are excluded

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>userName</tt>
| string
| User name of MailStore user.
|-
| <tt>privileges</tt>
| string
| Comma separated list of folder privileges.
|-
| <tt>excludeFolders</tt>
| string (optional)
| Comma separated list of folders to exclude.
|}

=== Argument Values ===

==== privileges ====
{| class="wikitable"
! width=270px | Name
! Description
|-
| <tt>read</tt>
| The user is granted read access to the specified folders.
|-
| <tt>write</tt>
| The user is granted write access to the specified folders. Messages can be moved within an archive.
|-
| <tt>delete</tt>
| The user is granted delete access to the specified folders.
|}

== SetUserPrivilegesOnFolder ==
Set privileges on folder for MailStore user.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>userName</tt>
| string
| User name of MailStore user.
|-
| <tt>folder</tt>
| string
| Folder name.
|-
| <tt>privileges</tt>
| string
| Comma separated list of folder privileges.
|}

=== Argument Values ===

==== privileges ====
{| class="wikitable"
! width=270px | Name
! Description
|-
| <tt>none</tt>
| The user is denied access to the specified folder. If specified, this value has to be the only value in the list. This effectively removes all privileges on the specified folder.
|-
| <tt>read</tt>
| The user is granted read access to the specified folder.
|-
| <tt>write</tt>
| The user is granted write access to the specified folder. Messages can be moved within an archive.
|-
| <tt>delete</tt>
| The user is granted delete access to the specified folder.
|}

== SyncUsersWithDirectoryServices ==
Sync users of MailStore instance with directory services.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>dryRun</tt>
| bool (optional)
| Simulate sync only.
|}

== TestSmtpSettings ==
Test current SMTP configuration.

== TransferStores ==
Copy the content of one or more archive store into another archive store.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>sourceStores</tt>
| string
| Comma-separated list of one or more source archive stores.
|-
| <tt>targetStore</tt>
| number (optional)
| The target store of the messages to be copied. If not given, the archive store in the "current" state will be used.
|-
| <tt>startIndex</tt>
| string (optional)
| A string in the format "archiveStoreId:messageId". The transfer process starts with the this message.
|}

== UnlockStore ==
Unlock a foreign archive store. In case an archive store from a foreign MailStore installation is attached, this method can be used to unlock that archive store.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| number
| Unique ID of archive store to unlock.
|-
| <tt>passphrase</tt>
| string
| Product key or recovery key of the foreign MailStore installation.
|}

== UpgradeStore ==
Upgrade an archive store from an older version to the current format.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| number
| Unique ID of archive store.
|}

== UpgradeStores ==
Upgrade all archive stores from an older version to the current format.

== VerifyStore ==
Verify archive stores consistency.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>id</tt>
| number
| The unique identifier of the archive store to be verified.
|-
| <tt>includeIndexes</tt>
| bool
| Defines whether to verify the search indexes as well. Default: true. May be slow when running on slow hardware.
|}

== VerifyStores ==
Verify consistency of all archive stores.

=== Arguments ===
{| class="wikitable"
! width=150px | Name
! width=120px | Type
! Description
|-
| <tt>includeIndexes</tt>
| bool
| Defines whether to verify the search indexes as well. Default: true. May be slow when running on slow hardware.
|}

[[de:Administration API - Function Reference]]
[[en:Administration API - Function Reference]]

Template:SQLDeprecation

2026-01-15T11:14:32Z

Ltalaschus:

Since MailStore Server 26.1 it is not possible to create new Microsoft SQL or PostgreSQL based archive stores anymore. Attaching existing archive stores is still possible. Support for Microsoft SQL and PostgreSQL based archive stores will be removed completely in a future version of MailStore Server.
Read [[Moving_the_Archive#Moving_the_Content_of_an_Archive_Store_to_a_different_Archive_Store|this article]] to learn how external archive storage can be replaced.

<noinclude>
[[de:Vorlage:SQLDeprecation]]
[[en:Template:SQLDeprecation]]
</noinclude>

Template:SQLDeprecation

2026-01-15T11:10:28Z

Ltalaschus:

Since MailStore Server 26.1 it is not possible to create new Microsoft SQL or PostgreSQL based archive stores anymore. Attaching existing archive stores is still possible. Support for Microsoft SQL and PostgreSQL based archive stores will be removed completely in a future version of MailStore Server.
Read [[Moving_the_Archive#Moving_the_Content_of_an_Archive_Store_to_a_different_Archive_Store|this article]] to learn how external archive storage can be replaced.

<noinclude>
[[de:Vorlage:SQLDeprecation]]
[[en:Template:SQLDeprecation]]
</noinclude>

HelpTopicIds

2026-01-15T10:56:00Z

Ltalaschus:

* accs_export - [[Exporting_Email]]
* accs_extsearch - [[Accessing_the_Archive_with_the_MailStore_Client_software#Advanced_Search]]
* accs_outlook - [[Accessing_the_Archive_with_the_Microsoft_Outlook_integration]]
* accs_outlookapp - [[Accessing_the_Archive_with_the_Microsoft_Outlook_App_integration]]
* accs_preview - [[Accessing_the_Archive_with_the_MailStore_Client_software#Email_Preview]]
* accs_web - [[Accessing_the_Archive_with_MailStore_Web_Access]]
* arch_delete - [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving]]
* arch_filesystem - [[Archiving_Emails_from_External_Systems_(File_Import)]]
* arch_filepst - [[Archiving_Outlook_PST_Files_Directly]]
* arch_gateway - [[Archiving_MailStore_Gateway_Mailbox]]
* arch_nospamproxy - [[Archiving_Emails_from_NoSpamProxy]]
* gateway_introduction - [[Archiving_MailStore_Gateway_Mailbox]]
* arch_googleapps_batch - [[Archiving_Emails_from_Google_Workspace#Archiving_Multiple_Mailboxes_Centrally]]
* arch_googleapps - [[Archiving_Emails_from_Google_Workspace]]
* arch_googleapps_multidrop - [[Archiving_Emails_from_Google_Workspace#Archiving_Incoming_and_Outgoing_Emails_Directly]]
* arch_googlemail_installed_app - [[Archiving_Emails_from_Gmail]]
* arch_outlookcom_modern_auth - [[Archiving_Emails_from_Outlook.com]]
* arch_icewarp - [[Archiving_Emails_from_IceWarp_Server]]
* arch_icewarp_mailbox - [[Archiving_Emails_from_IceWarp_Server#Archiving_Individual_Mailboxes]]
* arch_icewarp_mailboxes - [[Archiving_Emails_from_IceWarp_Server#Archiving_Multiple_Mailboxes_in_One_Step]]
* arch_icewarp_multidrop - [[Archiving_Emails_from_IceWarp_Server#Archiving_All_Incoming_and_Outgoing_Emails_Directly]]
* arch_imapbatch - [[Batch-archiving_IMAP_Mailboxes]]
* arch_inout - [[MailStore_Proxy]]
* arch_introduction - [[Archiving_Email]]
* arch_kerio - [[Archiving_Emails_from_Kerio_Connect]]
* arch_kerio_mailbox - [[Archiving_Emails_from_Kerio_Connect#Archiving_Individual_Mailboxes]]
* arch_kerio_mailboxes - [[Archiving_Emails_from_Kerio_Connect#Archiving_Multiple_Mailboxes_in_One_Step]]
* arch_kerio_multidrop - [[Archiving_Emails_from_Kerio_Connect#Archiving_Incoming_and_Outgoing_Emails_Directly]]
* arch_mailboxes - [[Archiving_Server_Mailboxes]]
* arch_mailclients - [[Archiving_Email_from_Outlook,_Thunderbird_and_others]]
* arch_mdaemon - [[Archiving_Emails_from_MDaemon]]
* arch_mdaemon_mailbox - [[Archiving_Emails_from_MDaemon#Archiving_Individual_Mailboxes]]
* arch_mdaemon_mailboxes - [[Archiving_Emails_from_MDaemon#Archiving_Multiple_Mailboxes_in_One_Step]]
* arch_mdaemon_multidrop - [[Archiving_Emails_from_MDaemon#Archiving_Incoming_and_Outgoing_Emails_Directly]]
* arch_multidrop - [[Archiving_IMAP_and_POP3_Multidrop_Mailboxes]]
* arch_profiles - [[Archiving_Email]]
* arch_schedule - [[Email_Archiving_with_MailStore_Basics#Automating_the_Archiving_Process]]
* arch_results - [[Email_Archiving_with_MailStore_Basics]]
* arch_selfolders - [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders]]
* bkup_integrated - [[Backup_and_Restore]]
* comp_auditing - [[Auditing]]
* comp_auditlog - [[Audit_Log]]
* comp_auditlogexport - [[Audit_Log]]
* comp_auditor - [[Compliance_General]]
* comp_forcechangepassword - [[Notes_on_Password_Complexity]]
* comp_general - [[Compliance_General]]
* comp_manage_passwords - [[Accessing_the_Archive_with_the_MailStore_Client_software#Managing_Passwords]]
* comp_password_complexity - [[Notes_on_Password_Complexity]]
* comp_retention - [[Retention_Policies]]
* comp_message_date - [[Message_Date_of_an_Email]]
* expo_googleapps - [[Exporting_Email]]
* gsta_login - [[Accessing_the_Archive_with_the_MailStore_Client_software#Starting_and_Login]]
* job_jobs - [[Jobs]]
* job_scheduling - [[Jobs]]
* job_results - [[Job_Results]]
* mads_sync - [[Administration]]
* tech_config - [[MailStore_Server_Service_Configuration]]
* tech_index - [[Search_Indexes]]
* tech_mscmd - [[MailStore_Server_Management_Shell]]
* tech_proxy - [[MailStore_Proxy]]
* tech_safemode - [[MailStore_Server_Service_Configuration]]
* tech_smtpsettings - [[SMTP_Settings]]
* tech_archives - [[Archives]]
* tech_storageloc - [[Storage_Locations]]
* tech_productupdates - [[Product_Updates]]
* tech_extstoremigration - [[Using External Archive Stores]]
* umgm_privileges - [[Users,_Folders_and_Settings#User_Management]]
* umgm_users - [[Users,_Folders_and_Settings#User_Management]]
* xchg_introduction - [[Archiving_Emails_from_Microsoft_Exchange]]
* xchg_jour_intro - [[Archiving_Emails_from_Microsoft_Exchange]]
* xchg_mailbox - [[Archiving_Emails_from_Microsoft_Exchange]]
* xchg_mailboxes - [[Archiving_Emails_from_Microsoft_Exchange]]
* xchg_archive_mailbox - [[Archiving_Emails_from_Microsoft_Exchange]]
* xchg_archive_mailboxes - [[Archiving_Emails_from_Microsoft_Exchange]]
* xchg_public - [[Archiving_Emails_from_Microsoft_Exchange]]
* impl_noownserver - [[Archiving_Emails_Without_Your_Own_Emailserver|(No own e-mail server)]]
* impl_exim - [[Archiving_Emails_from_an_Exim_Based_Email_Server|Exim]]
* impl_hmailserver - [[Archiving_Emails_from_hMailServer|hMailServer]]
* impl_intranator - [[Archiving_Emails_from_Intra2net_Systems|Intra2net Appliance Pro / Business Server]]
* impl_kerioconnect - [[Archiving_Emails_from_Kerio_Connect|Kerio Connect (Kerio MailServer)]]
* impl_kolab - [[Archiving_Emails_from_Kolab|Kolab]]
* impl_postfix - [[Archiving_Emails_from_a_Postfix_Based_Email_Server|Postfix]]
* impl_qmail - [[Archiving_Emails_from_a_Qmail_Based_Email_Server|Qmail]]
* impl_scalix - [[Archiving_Emails_from_Scalix|Scalix]]
* impl_sendmail - [[Archiving_Emails_from_a_Sendmail_Based_Email_Server|Sendmail]]
* impl_smartermail - [[Archiving_Emails_from_SmarterMail|SmarterMail]]
* impl_tobitdavid - [[Archiving_Emails_from_Tobit_David.fx|Tobit David.fx]]
* impl_zimbra - [[Archiving_Emails_from_Zimbra|Zimbra Collaboration Suite]]
* implexch_2003 - [[Archiving_Emails_from_Microsoft_Exchange_2003|Exchange 2003]]
* implexch_2007 - [[Archiving_Emails_from_Microsoft_Exchange_2007|Exchange 2007]]
* implexch_2010 - [[Archiving_Emails_from_Microsoft_Exchange_2010|Exchange 2010]]
* implexch_2013 - [[Archiving_Emails_from_Microsoft_Exchange_2013|Exchange 2013]]
* implexch_2016 - [[Archiving_Emails_from_Microsoft_Exchange_2016|Exchange 2016]]
* implexch_2019 - [[Archiving_Emails_from_Microsoft_Exchange_2019|Exchange 2019]]
* implexch_se - [[Archiving_Emails_from_Microsoft_Exchange_SE|Exchange SE]]
* implexch_o365 - [[Archiving_Emails_from_Microsoft_Office_365|Office 365]]
* welc_licensing - [[License_Management]]
* arch_microsoft365 - [[Archiving_Emails_from_Microsoft_365_(Modern_Authentication)]]
* arch_microsoft365_single - [[Archiving_Emails_from_Microsoft_365_(Modern_Authentication)#Archiving_Individual_Microsoft.C2.A0365_Mailboxes]]
* arch_microsoft365_multiple - [[Archiving_Emails_from_Microsoft_365_(Modern_Authentication)#Archiving_Multiple_Microsoft.C2.A0365_Mailboxes_Centrally]]
* arch_microsoft365_single_archive_mailbox - [[Archiving_Emails_from_Microsoft_365_(Modern_Authentication)#Archiving_Individual_Microsoft.C2.A0365_Archive_Mailboxes]]
* arch_microsoft365_multiple_archive_mailboxes - [[Archiving_Emails_from_Microsoft_365_(Modern_Authentication)#Archiving_Multiple_Microsoft.C2.A0365_Archive_Mailboxes_Centrally]]
* arch_microsoft365_public - [[Archiving_Emails_from_Microsoft_365_(Modern_Authentication)#Public_Folders]]
* expo_microsoft365 - [[Exporting_Email]]
* arch_m365_ews_migration - [[EWS_Migration]]
* cred_microsoft365 - [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server]]
* expo_mailstorecloudbulk - [[MailStore_Cloud_Help#Migration_from_MailStore_Server_to_MailStore_Cloud]]

[[de:HelpTopicIds]]
[[en:helpTopicIds]]

Synchronizing User Accounts with Microsoft 365 - Modern Authentication

2026-01-14T15:01:58Z

Ltalaschus:

{{Directory Services Preamble|Microsoft 365 tenant|Microsoft 365|{{#ev:youtube|https://youtu.be/OtJx2EKEW0Y|350|right|''Tech Tip: Preparation of the Microsoft 365 Tenant and User Synchronization''}}| Our Tech Tip video shows the essential configuration steps in this article.}}
 
== Prerequisites, Recommendations and Limitations ==
* For best user experience, the certificate used by MailStore Server should be trusted by all clients and the used web browsers. Using a certificate that is signed by a trusted certificate authority or [[Using_Lets_Encrypt_Certificates|using Let's Encrypt certificates]] is highly recommended.
* If you have archived emails from an Exchange server and synchronized users from an Active Directory until now, follow the article [[Changing Archiving from Microsoft Exchange Server to Microsoft 365]]
* If users are supposed to log in to MailStore Server from outside the organization's network without a VPN using [[Accessing_the_Archive_with_the_MailStore_Client_software|MailStore Client]], [[Accessing_the_Archive_with_the_Microsoft_Outlook_integration|MailStore Outlook Add-in]] or the [[Accessing_the_Archive_with_MailStore_Web_Access|Web Access]], the URIs mentioned in this article must be resolvable via DNS on the Internet and port-forwardings to the MailStore Server computer must be set up on the firewall or router if necessary.
* When using Microsoft 365 to authenticate users at login, [[Accessing_the_Archive_via_Integrated_IMAP_Server|accessing the archive via IMAP]] is not possible for technical reasons.
* MailStore Server supports the synchronization of user accounts with the global Microsoft Cloud ''Microsoft 365'' and ''Office 365, operated by 21Vianet''. Other Environments like GCC, GCC High or DoD are not supported. In the following article, only the term Microsoft 365 is used for the sake of simplicity.

== Connecting MailStore Server and Microsoft 365 ==
In order to synchronize user information from Microsoft 365, MailStore Server has to be connected to your Microsoft 365 tenant and been granted the required permissions. Microsoft 365 relies on Microsoft Entra ID as directory service. Each Microsoft 365 tenant corresponds to an Microsoft Entra ID tenant that stores its user information.

=== Registering of MailStore Server as App in Microsoft Entra ID ===
Through registration, MailStore Server gets an identity in Microsoft Entra ID that makes it possible to authenticate to the tenant's services and use their resources.
* Sign in to the [https://portal.azure.com Microsoft Entra ID Portal] as a Global Administrator for your Microsoft 365 tenant. The Microsoft Entra ID Portal of ''Office 365, operated by 21Vianet'' [https://portal.azure.cn/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview can be accessed here].
* In the navigation menu (☰), select the option ''Microsoft Entra ID''.
* On the next page, select ''App registrations'' in the ''Manage'' section of the left navigation menu.
* Select ''New Registration''. The ''Register an application'' page appears.
* In the ''Name'' field, enter a meaningful display name, e.g. ''MailStore Server''. This name will be shown to users on logon later on, for example.
* Leave all other settings on this page to their defaults.
* Click on ''Register''. If the registration has been successful, you are shown the overview page of the newly registered app.
The ''Application (client) ID'' shown on this page identifies MailStore Server in your Microsoft Entra ID tenant and has to be copied into MailStore Server next, together with the ''Directory (tenant) ID''. Therefore, for the following steps, leave the overview page open in your web browser.

=== Creating Credentials in MailStore Server ===
Credentials for Microsoft 365 consist of the aforementioned IDs and a secret that MailStore Server uses to proof its identity to Microsoft Entra ID. Microsoft recommends using certificates as secrets to identify apps in Microsoft Entra ID. When creating credentials, such a certificate is generated automatically by MailStore Server but can also be recreated later on.
{{Directory Services Accessing Configuration|Microsoft 365 or Microsoft 365 operated by 21 Vianet|Microsoft 365 sync 01.png}}
* In the ''Connection'' section, click on the button (…) next to the ''Credentials'' drop-down list.
* In the ''Credential Manager'' that appears, click on ''Create…''
* In the ''Microsoft Entra ID App Credentials'' dialog, enter the following information in the ''Settings'' section:
** '''Name''' A meaningful display name for the credentials, e.g. the name of your Microsoft 365 tenant.
** '''Application (client) ID''' The value of the corresponding field that you can copy from the Microsoft Entra ID app overview page in your web browser.
** '''Directory (tenant) ID''' The value of the corresponding field that you can copy from the Microsoft Entra ID app overview page in your web browser.
[[File:Microsoft 365 cred 01.png|center|347px]]
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Download Certificate''. Save the certificate on your hard drive.
* Confirm your entries by clicking ''OK''.
* The newly created credentials are listed in the ''Credential Manager'' under the name you have entered with the type ''Microsoft 365''. Here you can also edit or delete existing credentials if necessary.
* Leave the ''Credential Manager'' by clicking ''Close''.
* The newly created credentials are selected in the corresponding drop-down list by default.

=== Publishing Credentials in Microsoft Entra ID ===
For Microsoft Entra ID to validate the identity of MailStore Server, the created certificate needs to be published in Microsoft Entra ID.
* Switch to the Microsoft Entra ID app overview page in your web browser.
* Select ''Certificates & secrets'' in the ''Manage'' section of the left navigation menu.
* Click on ''Upload certificate'' in the ''Certificates'' section. Select the certificate file that you have saved previously and upload it to Microsoft Entra ID by clicking ''Add''.
* If uploading has been successful, the certificate's thumbprint as well as its start and expiry dates appear in the certificates list. You can compare the thumbprint and expiry date with those listed in the MailStore Credential Manager to check that you've uploaded the correct certificate.

=== Configuring App Authentication in Microsoft Entra ID ===
For Microsoft Entra ID to return the result of a user's authentication request to MailStore Server, the endpoint where MailStore Server expects authentication responses, the so-called ''Redirect URI'', has to be conveyed to Microsoft Entra ID.
* In the Microsoft Entra ID Portal in the web browser, select ''Authentication'' in the ''Manage'' section of the left navigation menu.
* Click on the ''Add Redirect URI'' button on the ''Redirect URI configuration'' page.
* Select ''Web'' in the ''Web applications'' section of the platform selection page.
* In the '''Implicit grant and hybrid flows''' section perform the following action:
:'''Enable''' the '''ID tokens''' option.
[[File:Microsoft_365_sync_id_token.png|center]]
* In the field ''Redirect URI'', enter a URI in the format (without brackets)
*: <code>https://<fqdn>[:<port>]/oidc/signin</code>
*; with the following components<nowiki>:</nowiki>
*: '''https://''' Specifying the <code>https://</code> protocol is obligatory. To avoid certificate warnings during user logon, the web browsers on the client machines must trust the [[MailStore_Server_Service_Configuration#Certificate|certificate used by MailStore Server]].
*: '''FQDN''' The Fully Qualified Domain Name (FQDN) of your MailStore Server that consists of the machine name and the DNS domain, e.g. <code>mailstore.example.com</code>. This name must be resolvable by all clients from which users shall be able to log on to MailStore Server.
*: '''Port''' The TCP port of the MailStore Web Access (<code>8462</code> by default). This value must be equal to the port configured in the section ''Base Configuration > Network Settings > MailStore Web Access / Outlook Add-in (HTTPS)'' of the [[MailStore_Server_Service_Configuration#Services|MailStore Server Service Configuration]]. The TCP port has to be specified only if it is different from the default port of the HTTPS protocol (<code>443</code>).
*: '''/oidc/signin''' The endpoint where MailStore Server expects the authentication responses of Microsoft Entra ID. This path has to be specified exactly as stated here at the end of the redirect URI.
* Leave the field ''Logout URL'' blank.
* Ensure that the '''ID tokens''' option is set in the '''Implicit grant and hybrid flows''' section.
* Click on ''Configure'' to finish the configuration of the app authentication in Microsoft Entra ID.
<div class="resp-table">
{| class="wikitable" style="font-size: 85%;"
|+ Examples for valid redirect URIs
|-
! style="width:80px;" | Product
! style="width:80px;" | FQDN
! style="width:40px;" | Port
! Resulting Redirect URI
|-
| align="center"| MailStore Server
| align="center"| mailstore.example.com
| align="center"| 8462
| <code><nowiki>https://mailstore.example.com:8462/oidc/signin</nowiki></code> Redirect URI with Fully Qualified Domain Name and MailStore Web Access default port
|-
| align="center"| MailStore Server
| align="center"| mailstore.example.com
| align="center"| 443
| <code><nowiki>https://mailstore.example.com/oidc/signin</nowiki></code> The port can be ommited if the HTTPS default port 443 has been configured for MailStore Web Access or as source port of a port-forwarding on the firewall or router.
|-
| align="center"| MailStore SPE
| align="center"| archive.example.com
| align="center"| 443
| <code><nowiki>https://archive.example.com/<instanceid>/oidc/signin</nowiki></code> The ''instanceid'' of the instance is part of the Redirect URI.
|-
|}
</div>
:: '''Important Notice:''' Please note that the redirect URI is case-sensitive. Also review the requirements on resolving URIs in the [[#Prerequisites, Recommendations and Limitations|Prerequisites, Recommendations and Limitations]] section.

:: '''Important Notice:''' Please note that without setting the ''ID Token'' option, user authentication will not work.

=== Configuring the Redirect URI in MailStore Server ===
For MailStore Server to convey the redirect URI to requesting clients, it must be configured there, too.
* Switch to the ''Directory Services'' page in the MailStore Client.
* Enter the redirect URI in the corresponding field in the ''Authentication'' section. Just copy the value previously configured in Microsoft Entra ID from the web browser.
[[File:Microsoft 365 sync 02.png|center|450px]]

=== Configuring API Permissions in Microsoft Entra ID ===
* Switch again to Microsoft Entra ID in your web browser.
* Select ''API permissions'' in the ''Manage'' section of the left navigation menu.
* Click on the ''Add a permission'' button in the ''Configured permissions'' section.
* On the ''Request API permissions'' menu page, select the API ''Microsoft Graph'' in the ''Commonly used Microsoft APIs'' section.
* Select the option ''Application permissions''.
* Enable the ''Directory > Directory.Read.All'' permission in the ''Select permissions'' section.
* Also enable the ''Mail > Mail.ReadWrite'' permission in the ''Select permissions'' section.
* Click on ''Add permissions''.
* The permissions are updated and the ''Directory.Read.All'' and ''Mail.ReadWrite'' permissions appear in the API permissions list under ''Microsoft Graph''.
* Click on the ''Add a permission'' button in the ''Configured permissions'' section again.
* On the ''Request API permissions'' menu page, select ''APIs my organization uses''.
* Search for ''Office 365 Exchange Online'' and click on the corresponding entry.
* Select the option ''Application permissions''.
* Enable the ''full_access_as_app'' permission in the ''Select permissions'' section.
* Also enable the permission ''SMTP.SendAsApp'' in the ''SMTP'' section.
* Click on ''Add permissions''.
* The permissions are updated and the ''full_access_as_app'' and ''SMTP.SendAsApp'' permissions appear in the API permissions list under ''Exchange''.
* Now click on the ''Grant admin consent for <your tenant name>'' button in the ''Configured permissions'' section.
* Acknowledge the following notice with ''Yes''.
* The status of all granted permissions is updated to ''Granted for <your tenant name>''.
The configuration of MailStore Server's connection to Microsoft 365 within Microsoft Entra ID is now complete. You can sign out of your Microsoft Entra ID tenant and close the browser window. Switch to the ''Directory Services'' page in the MailStore Client again, all remaining configuration steps must be done there.

[[File:Microsoft 365 sync 03.png|center]]

=== User Database Synchronization ===
After configuring the connection settings as described above, you can specify filter criteria for the Microsoft 365 synchronization in this section.
*'''Synchronize licensed Microsoft Exchange Online users only''' Only Microsoft 365 user accounts with a Microsoft Exchange Online license assigned to them will be taken into account by the synchronization.
*'''Synchronize enabled users only''' Only Microsoft 365 user accounts that do not have their login to Microsoft 365 blocked will be taken into account by the synchronization.
*'''Sync only these groups''' Choose one or several Microsoft 365 security groups if you only want their members to be created as MailStore Server users. That way it's possible to exclude certain users from being synchronized to MailStore Server.

{{Directory Services Options|Microsoft 365 tenant}}
{{Directory Services Assign Default Privileges|Microsoft 365}}
{{Directory Services Run Synchronization|Microsoft 365 tenant}}
[[File:Office365_sync_02.png|450px|center]]

{{Directory Services Test Authentication}}

== Updating credentials ==
The certificate generated by MailStore for logging into Microsoft Entra ID is valid for 3750 days (825 days before version 25.3). In order for user synchronization and archiving to work afterwards, the certificate must be updated before its validity expires.

MailStore Server will show a notification on the dashboard in MailStore Client and in the [[Jobs#Templates|status report]] 28 days before credentials expire. You can also use the [[Administration_API_-_Function_Reference#GetCredentials|GetCredentials API command]] to retrieve the expiration date.

To update the credentials, proceed as follows:

=== Updating credentials in MailStore Server ===

* Log on to MailStore Client as a MailStore Server administrator.
* Click on ''Administrative Tools'' > ''Users and Archives'' > ''Directory Services''.
* In the ''Integration section'', make sure that the directory service type is set to ''Microsoft 365 (Modern Authentication)'' or ''Microsoft 365 operated by 21 Vianet (Modern Authentication)''.
[[File:Microsoft 365 sync 01.png|center|347px]]
* In the ''Connection'' section, click on the button (…) next to the ''Credentials'' drop-down list.
* In the ''Credential Manager'' that appears, click on the currently used credential object and click ''Edit…''
: [[File:Microsoft 365 cred 02.png|center|347px]]
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Create Certificate...''.
* Confirm the process.
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Download Certificate''. Save the certificate on your hard drive.
* Confirm your changes by clicking ''OK''.
* Leave the ''Credential Manager'' by clicking ''Apply''.
* The newly created credentials are selected in the corresponding drop-down list by default.
* If you are using Microsoft 365 in hybrid mode and synchronizing users from your Active Directory, set the directory service back to ''Active Directory''.

=== Updating credentials in Microsoft Entra ID ===

* Sign in to the [https://portal.azure.com Microsoft Entra ID Portal] as a Global Administrator for your Microsoft 365 tenant. The Microsoft Entra ID Portal of ''Office 365, operated by 21Vianet'' [https://portal.azure.cn/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview can be accessed here].
* In the navigation menu (☰), select the option ''Microsoft Entra ID''.
* On the next page, select ''App registrations'' in the ''Manage'' section of the left navigation menu.
* Select the application that is currently used by MailStore.
* Select ''Certificates & secrets'' in the ''Manage'' section of the left navigation menu.
* Click on ''Upload certificate'' in the ''Certificates'' section. Select the certificate file that you have saved previously and upload it to Microsoft Entra ID by clicking ''Add''.
* If uploading has been successful, the certificate's thumbprint as well as its start and expiry dates appear in the certificates list. You can compare the thumbprint and expiry date with those listed in the MailStore Credential Manager to check that you've uploaded the correct certificate.
* The previously used certificate can be removed from the list.

[[de:Synchronisieren_von_Benutzerkonten_mit_Microsoft_365_(Modern_Authentication)]]
[[en:Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)]]

File:Microsoft 365 sync 03.png

2026-01-14T15:00:38Z

Ltalaschus:

Synchronizing User Accounts with Microsoft 365 - Modern Authentication

2026-01-14T14:46:41Z

Ltalaschus: /* Configuring API Permissions in Microsoft Entra ID */

{{Directory Services Preamble|Microsoft 365 tenant|Microsoft 365|{{#ev:youtube|https://youtu.be/OtJx2EKEW0Y|350|right|''Tech Tip: Preparation of the Microsoft 365 Tenant and User Synchronization''}}| Our Tech Tip video shows the essential configuration steps in this article.}}
 
== Prerequisites, Recommendations and Limitations ==
* For best user experience, the certificate used by MailStore Server should be trusted by all clients and the used web browsers. Using a certificate that is signed by a trusted certificate authority or [[Using_Lets_Encrypt_Certificates|using Let's Encrypt certificates]] is highly recommended.
* If you have archived emails from an Exchange server and synchronized users from an Active Directory until now, follow the article [[Changing Archiving from Microsoft Exchange Server to Microsoft 365]]
* If users are supposed to log in to MailStore Server from outside the organization's network without a VPN using [[Accessing_the_Archive_with_the_MailStore_Client_software|MailStore Client]], [[Accessing_the_Archive_with_the_Microsoft_Outlook_integration|MailStore Outlook Add-in]] or the [[Accessing_the_Archive_with_MailStore_Web_Access|Web Access]], the URIs mentioned in this article must be resolvable via DNS on the Internet and port-forwardings to the MailStore Server computer must be set up on the firewall or router if necessary.
* When using Microsoft 365 to authenticate users at login, [[Accessing_the_Archive_via_Integrated_IMAP_Server|accessing the archive via IMAP]] is not possible for technical reasons.
* MailStore Server supports the synchronization of user accounts with the global Microsoft Cloud ''Microsoft 365'' and ''Office 365, operated by 21Vianet''. Other Environments like GCC, GCC High or DoD are not supported. In the following article, only the term Microsoft 365 is used for the sake of simplicity.

== Connecting MailStore Server and Microsoft 365 ==
In order to synchronize user information from Microsoft 365, MailStore Server has to be connected to your Microsoft 365 tenant and been granted the required permissions. Microsoft 365 relies on Microsoft Entra ID as directory service. Each Microsoft 365 tenant corresponds to an Microsoft Entra ID tenant that stores its user information.

=== Registering of MailStore Server as App in Microsoft Entra ID ===
Through registration, MailStore Server gets an identity in Microsoft Entra ID that makes it possible to authenticate to the tenant's services and use their resources.
* Sign in to the [https://portal.azure.com Microsoft Entra ID Portal] as a Global Administrator for your Microsoft 365 tenant. The Microsoft Entra ID Portal of ''Office 365, operated by 21Vianet'' [https://portal.azure.cn/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview can be accessed here].
* In the navigation menu (☰), select the option ''Microsoft Entra ID''.
* On the next page, select ''App registrations'' in the ''Manage'' section of the left navigation menu.
* Select ''New Registration''. The ''Register an application'' page appears.
* In the ''Name'' field, enter a meaningful display name, e.g. ''MailStore Server''. This name will be shown to users on logon later on, for example.
* Leave all other settings on this page to their defaults.
* Click on ''Register''. If the registration has been successful, you are shown the overview page of the newly registered app.
The ''Application (client) ID'' shown on this page identifies MailStore Server in your Microsoft Entra ID tenant and has to be copied into MailStore Server next, together with the ''Directory (tenant) ID''. Therefore, for the following steps, leave the overview page open in your web browser.

=== Creating Credentials in MailStore Server ===
Credentials for Microsoft 365 consist of the aforementioned IDs and a secret that MailStore Server uses to proof its identity to Microsoft Entra ID. Microsoft recommends using certificates as secrets to identify apps in Microsoft Entra ID. When creating credentials, such a certificate is generated automatically by MailStore Server but can also be recreated later on.
{{Directory Services Accessing Configuration|Microsoft 365 or Microsoft 365 operated by 21 Vianet|Microsoft 365 sync 01.png}}
* In the ''Connection'' section, click on the button (…) next to the ''Credentials'' drop-down list.
* In the ''Credential Manager'' that appears, click on ''Create…''
* In the ''Microsoft Entra ID App Credentials'' dialog, enter the following information in the ''Settings'' section:
** '''Name''' A meaningful display name for the credentials, e.g. the name of your Microsoft 365 tenant.
** '''Application (client) ID''' The value of the corresponding field that you can copy from the Microsoft Entra ID app overview page in your web browser.
** '''Directory (tenant) ID''' The value of the corresponding field that you can copy from the Microsoft Entra ID app overview page in your web browser.
[[File:Microsoft 365 cred 01.png|center|347px]]
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Download Certificate''. Save the certificate on your hard drive.
* Confirm your entries by clicking ''OK''.
* The newly created credentials are listed in the ''Credential Manager'' under the name you have entered with the type ''Microsoft 365''. Here you can also edit or delete existing credentials if necessary.
* Leave the ''Credential Manager'' by clicking ''Close''.
* The newly created credentials are selected in the corresponding drop-down list by default.

=== Publishing Credentials in Microsoft Entra ID ===
For Microsoft Entra ID to validate the identity of MailStore Server, the created certificate needs to be published in Microsoft Entra ID.
* Switch to the Microsoft Entra ID app overview page in your web browser.
* Select ''Certificates & secrets'' in the ''Manage'' section of the left navigation menu.
* Click on ''Upload certificate'' in the ''Certificates'' section. Select the certificate file that you have saved previously and upload it to Microsoft Entra ID by clicking ''Add''.
* If uploading has been successful, the certificate's thumbprint as well as its start and expiry dates appear in the certificates list. You can compare the thumbprint and expiry date with those listed in the MailStore Credential Manager to check that you've uploaded the correct certificate.

=== Configuring App Authentication in Microsoft Entra ID ===
For Microsoft Entra ID to return the result of a user's authentication request to MailStore Server, the endpoint where MailStore Server expects authentication responses, the so-called ''Redirect URI'', has to be conveyed to Microsoft Entra ID.
* In the Microsoft Entra ID Portal in the web browser, select ''Authentication'' in the ''Manage'' section of the left navigation menu.
* Click on the ''Add Redirect URI'' button on the ''Redirect URI configuration'' page.
* Select ''Web'' in the ''Web applications'' section of the platform selection page.
* In the '''Implicit grant and hybrid flows''' section perform the following action:
:'''Enable''' the '''ID tokens''' option.
[[File:Microsoft_365_sync_id_token.png|center]]
* In the field ''Redirect URI'', enter a URI in the format (without brackets)
*: <code>https://<fqdn>[:<port>]/oidc/signin</code>
*; with the following components<nowiki>:</nowiki>
*: '''https://''' Specifying the <code>https://</code> protocol is obligatory. To avoid certificate warnings during user logon, the web browsers on the client machines must trust the [[MailStore_Server_Service_Configuration#Certificate|certificate used by MailStore Server]].
*: '''FQDN''' The Fully Qualified Domain Name (FQDN) of your MailStore Server that consists of the machine name and the DNS domain, e.g. <code>mailstore.example.com</code>. This name must be resolvable by all clients from which users shall be able to log on to MailStore Server.
*: '''Port''' The TCP port of the MailStore Web Access (<code>8462</code> by default). This value must be equal to the port configured in the section ''Base Configuration > Network Settings > MailStore Web Access / Outlook Add-in (HTTPS)'' of the [[MailStore_Server_Service_Configuration#Services|MailStore Server Service Configuration]]. The TCP port has to be specified only if it is different from the default port of the HTTPS protocol (<code>443</code>).
*: '''/oidc/signin''' The endpoint where MailStore Server expects the authentication responses of Microsoft Entra ID. This path has to be specified exactly as stated here at the end of the redirect URI.
* Leave the field ''Logout URL'' blank.
* Ensure that the '''ID tokens''' option is set in the '''Implicit grant and hybrid flows''' section.
* Click on ''Configure'' to finish the configuration of the app authentication in Microsoft Entra ID.
<div class="resp-table">
{| class="wikitable" style="font-size: 85%;"
|+ Examples for valid redirect URIs
|-
! style="width:80px;" | Product
! style="width:80px;" | FQDN
! style="width:40px;" | Port
! Resulting Redirect URI
|-
| align="center"| MailStore Server
| align="center"| mailstore.example.com
| align="center"| 8462
| <code><nowiki>https://mailstore.example.com:8462/oidc/signin</nowiki></code> Redirect URI with Fully Qualified Domain Name and MailStore Web Access default port
|-
| align="center"| MailStore Server
| align="center"| mailstore.example.com
| align="center"| 443
| <code><nowiki>https://mailstore.example.com/oidc/signin</nowiki></code> The port can be ommited if the HTTPS default port 443 has been configured for MailStore Web Access or as source port of a port-forwarding on the firewall or router.
|-
| align="center"| MailStore SPE
| align="center"| archive.example.com
| align="center"| 443
| <code><nowiki>https://archive.example.com/<instanceid>/oidc/signin</nowiki></code> The ''instanceid'' of the instance is part of the Redirect URI.
|-
|}
</div>
:: '''Important Notice:''' Please note that the redirect URI is case-sensitive. Also review the requirements on resolving URIs in the [[#Prerequisites, Recommendations and Limitations|Prerequisites, Recommendations and Limitations]] section.

:: '''Important Notice:''' Please note that without setting the ''ID Token'' option, user authentication will not work.

=== Configuring the Redirect URI in MailStore Server ===
For MailStore Server to convey the redirect URI to requesting clients, it must be configured there, too.
* Switch to the ''Directory Services'' page in the MailStore Client.
* Enter the redirect URI in the corresponding field in the ''Authentication'' section. Just copy the value previously configured in Microsoft Entra ID from the web browser.
[[File:Microsoft 365 sync 02.png|center|450px]]

=== Configuring API Permissions in Microsoft Entra ID ===
* Switch again to Microsoft Entra ID in your web browser.
* Select ''API permissions'' in the ''Manage'' section of the left navigation menu.
* Click on the ''Add a permission'' button in the ''Configured permissions'' section.
* On the ''Request API permissions'' menu page, select the API ''Microsoft Graph'' in the ''Commonly used Microsoft APIs'' section.
* Select the option ''Application permissions''.
* Enable the ''Directory > Directory.Read.All'' permission in the ''Select permissions'' section.
* Also enable the ''Mail > Mail.ReadWrite'' permission in the ''Select permissions'' section.
* Click on ''Add permissions''.
* The permissions are updated and the ''Directory.Read.All'' and ''Mail.ReadWrite'' permissions appear in the API permissions list under ''Microsoft Graph''.
* Click on the ''Add a permission'' button in the ''Configured permissions'' section again.
* On the ''Request API permissions'' menu page, select ''APIs my organization uses''.
* Search for ''Office 365 Exchange Online'' and click on the corresponding entry.
* Select the option ''Application permissions''.
* Enable the ''full_access_as_app'' permission in the ''Select permissions'' section.
* Also enable the permission ''SMTP.SendAsApp'' in the ''SMTP'' section.
* Click on ''Add permissions''.
* The permissions are updated and the ''full_access_as_app'' and ''SMTP.SendAsApp'' permissions appear in the API permissions list under ''Exchange''.
* Now click on the ''Grant admin consent for <your tenant name>'' button in the ''Configured permissions'' section.
* Acknowledge the following notice with ''Yes''.
* The status of all granted permissions is updated to ''Granted for <your tenant name>''.
The configuration of MailStore Server's connection to Microsoft 365 within Microsoft Entra ID is now complete. You can sign out of your Microsoft Entra ID tenant and close the browser window. Switch to the ''Directory Services'' page in the MailStore Client again, all remaining configuration steps must be done there.

=== User Database Synchronization ===
After configuring the connection settings as described above, you can specify filter criteria for the Microsoft 365 synchronization in this section.
*'''Synchronize licensed Microsoft Exchange Online users only''' Only Microsoft 365 user accounts with a Microsoft Exchange Online license assigned to them will be taken into account by the synchronization.
*'''Synchronize enabled users only''' Only Microsoft 365 user accounts that do not have their login to Microsoft 365 blocked will be taken into account by the synchronization.
*'''Sync only these groups''' Choose one or several Microsoft 365 security groups if you only want their members to be created as MailStore Server users. That way it's possible to exclude certain users from being synchronized to MailStore Server.

{{Directory Services Options|Microsoft 365 tenant}}
{{Directory Services Assign Default Privileges|Microsoft 365}}
{{Directory Services Run Synchronization|Microsoft 365 tenant}}
[[File:Office365_sync_02.png|450px|center]]

{{Directory Services Test Authentication}}

== Updating credentials ==
The certificate generated by MailStore for logging into Microsoft Entra ID is valid for 3750 days (825 days before version 25.3). In order for user synchronization and archiving to work afterwards, the certificate must be updated before its validity expires.

MailStore Server will show a notification on the dashboard in MailStore Client and in the [[Jobs#Templates|status report]] 28 days before credentials expire. You can also use the [[Administration_API_-_Function_Reference#GetCredentials|GetCredentials API command]] to retrieve the expiration date.

To update the credentials, proceed as follows:

=== Updating credentials in MailStore Server ===

* Log on to MailStore Client as a MailStore Server administrator.
* Click on ''Administrative Tools'' > ''Users and Archives'' > ''Directory Services''.
* In the ''Integration section'', make sure that the directory service type is set to ''Microsoft 365 (Modern Authentication)'' or ''Microsoft 365 operated by 21 Vianet (Modern Authentication)''.
[[File:Microsoft 365 sync 01.png|center|347px]]
* In the ''Connection'' section, click on the button (…) next to the ''Credentials'' drop-down list.
* In the ''Credential Manager'' that appears, click on the currently used credential object and click ''Edit…''
: [[File:Microsoft 365 cred 02.png|center|347px]]
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Create Certificate...''.
* Confirm the process.
* In the ''Authentication'' section, click on the drop-down button next to the ''Certificate'' text box und select ''Download Certificate''. Save the certificate on your hard drive.
* Confirm your changes by clicking ''OK''.
* Leave the ''Credential Manager'' by clicking ''Apply''.
* The newly created credentials are selected in the corresponding drop-down list by default.
* If you are using Microsoft 365 in hybrid mode and synchronizing users from your Active Directory, set the directory service back to ''Active Directory''.

=== Updating credentials in Microsoft Entra ID ===

* Sign in to the [https://portal.azure.com Microsoft Entra ID Portal] as a Global Administrator for your Microsoft 365 tenant. The Microsoft Entra ID Portal of ''Office 365, operated by 21Vianet'' [https://portal.azure.cn/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview can be accessed here].
* In the navigation menu (☰), select the option ''Microsoft Entra ID''.
* On the next page, select ''App registrations'' in the ''Manage'' section of the left navigation menu.
* Select the application that is currently used by MailStore.
* Select ''Certificates & secrets'' in the ''Manage'' section of the left navigation menu.
* Click on ''Upload certificate'' in the ''Certificates'' section. Select the certificate file that you have saved previously and upload it to Microsoft Entra ID by clicking ''Add''.
* If uploading has been successful, the certificate's thumbprint as well as its start and expiry dates appear in the certificates list. You can compare the thumbprint and expiry date with those listed in the MailStore Credential Manager to check that you've uploaded the correct certificate.
* The previously used certificate can be removed from the list.

[[de:Synchronisieren_von_Benutzerkonten_mit_Microsoft_365_(Modern_Authentication)]]
[[en:Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)]]

File:Python-api-wrapper.zip

2026-01-14T12:08:35Z

Ltalaschus: Ltalaschus uploaded a new version of File:Python-api-wrapper.zip

EWS Migration

2026-01-13T11:20:34Z

Ltalaschus: /* What Will Change for MailStore Server and the MailStore SPE? */

== Microsoft Is Discontinuing Its Exchange Web Services (EWS) for Microsoft 365 ==
Microsoft [https://techcommunity.microsoft.com/blog/exchange/retirement-of-exchange-web-services-in-exchange-online/3924440 has announced] that it will no longer support Exchange Web Services (EWS) for Exchange Online as of October 1, 2026. This decision affects all companies that use EWS in combination with Exchange Online (Microsoft 365).

EWS is a technology that was developed specifically for accessing Exchange data. The API enables access to data from Microsoft Exchange Server and Exchange Online, including emails and mailboxes. EWS has been a central interface for third-party solutions such as archiving systems.

What Will Happen in October?
Microsoft plans to disable EWS for Exchange Online starting October 1. This decision will force manufacturers to switch to the Microsoft Graph API.

Please note: If you use Exchange Online Kiosk, Microsoft Office 365, and Office 365 F1/F3, you should make the change by June. Further information can be found [https://techcommunity.microsoft.com/blog/exchange/update-to-ews-access-for-kiosk--frontline-worker-licensed-users/4474299 here].

== What Will Change for MailStore Server and the MailStore SPE? ==
The shutdown of EWS initiated by Microsoft will require adjustments to MailStore Server and the MailStore SPE, depending on your archiving strategy.
This is because archiving methods within MailStore Server and MailStore SPE that were accessing EWS will no longer be available from October 1 and will then run into errors.

The following profiles are expected to be affected from October onwards, Graph API does not expose access to these and support is effectifely dropped:

* Importing Exchange Online archive mailboxes
* Importing Exchange Online public folders

Regular Exchange Online Mailboxes and Shared Mailboxes are available using Graph API. New [[Archiving_Emails_from_Microsoft_365_-_Modern_Authentication|mailbox archiving profiles]] in MailStore will use Graph API starting with version 26.1. New export profiles will change with version 26.2. Existing EWS archiving and export profiles will work Until October 2026. We will offer a migration path in the coming months.

The [[Email_Archiving_with_MailStore_Basics|summary panel]] of the archiving or export profile tells which protocol is used. Microsoft 365 Journal archiving profiles do not typically use EWS and are therefore not affected.

[[de:EWS Migration]]
[[en:EWS Migration]]

EWS Migration

2026-01-13T11:14:38Z

Ltalaschus: /* What Will Change for MailStore Server and the MailStore SPE? */

== Microsoft Is Discontinuing Its Exchange Web Services (EWS) for Microsoft 365 ==
Microsoft [https://techcommunity.microsoft.com/blog/exchange/retirement-of-exchange-web-services-in-exchange-online/3924440 has announced] that it will no longer support Exchange Web Services (EWS) for Exchange Online as of October 1, 2026. This decision affects all companies that use EWS in combination with Exchange Online (Microsoft 365).

EWS is a technology that was developed specifically for accessing Exchange data. The API enables access to data from Microsoft Exchange Server and Exchange Online, including emails and mailboxes. EWS has been a central interface for third-party solutions such as archiving systems.

What Will Happen in October?
Microsoft plans to disable EWS for Exchange Online starting October 1. This decision will force manufacturers to switch to the Microsoft Graph API.

Please note: If you use Exchange Online Kiosk, Microsoft Office 365, and Office 365 F1/F3, you should make the change by June. Further information can be found [https://techcommunity.microsoft.com/blog/exchange/update-to-ews-access-for-kiosk--frontline-worker-licensed-users/4474299 here].

== What Will Change for MailStore Server and the MailStore SPE? ==
The shutdown of EWS initiated by Microsoft will require adjustments to MailStore Server and the MailStore SPE, depending on your archiving strategy.
This is because archiving methods within MailStore Server and MailStore SPE that were accessing EWS will no longer be available from October 1 and will then run into errors.

The following profiles are expected to be affected from October onwards, Graph API does not expose access to these and support is effectifely dropped:

* Importing Exchange Online archive mailboxes
* Importing Exchange Online public folders

Regular Exchange Online Mailboxes are available using Graph API. New [[Archiving_Emails_from_Microsoft_365_-_Modern_Authentication|mailbox archiving profiles]] in MailStore will use Graph API starting with version 26.1. New export profiles will change with version 26.2. Existing EWS archiving and export profiles will work Until October 2026. We will offer a migration path in the coming months.

The [[Email_Archiving_with_MailStore_Basics|summary panel]] of the archiving or export profile tells which protocol is used. Microsoft 365 Journal archiving profiles do not typically use EWS and are therefore not affected.

[[de:EWS Migration]]
[[en:EWS Migration]]

Archiving Emails from Microsoft 365 - Modern Authentication

2026-01-13T10:43:22Z

Ltalaschus: /* Archiving Individual Microsoft 365 Archive Mailboxes */

{{Implementation Guide Preamble|Exchange Online / Microsoft 365|{{#ev:youtube|https://youtu.be/X0Um0cDWGg0|350|right|''Tech Tip: Microsoft 365 Archiving Profiles''}}| Our Tech Tip video shows the essential configuration steps in this article.}}
 
{{Multiline Notices|Heading=Important Notices|If you have archived emails from an Exchange server and synchronized users from an Active Directory until now, follow the article [[Changing Archiving from Microsoft Exchange Server to Microsoft 365]].|MailStore Server supports archiving emails from the global Microsoft Cloud ''Microsoft 365'' and ''Office 365, operated by 21Vianet''. Other Environments like GCC, GCC High or DoD are not supported.|For better readability, the terms ''Microsoft 365'' and ''Exchange Online'' are used interchangeably hereinafter instead of ''Exchange Online / Microsoft 365''.}}

== App Registration & User Synchronization ==
Before archiving Microsoft 365 mailboxes, registering MailStore Server in your Microsoft 365 tenant is required. It is also highly recommended to synchronize users in MailStore Server directly with that tenant to fetch all information that is relevant for archiving such as email addresses. The registration and synchronization procedures are described in the chapter [[Synchronizing User Accounts with Microsoft 365 (Modern Authentication)]] of the MailStore Server manual.

'''Please note:''' MailStore Server runs as a [[MailStore Server Service Configuration|Windows service]] and thus must use ''Application Permissions'' to access user mailboxes in Microsoft 365. By design, on the Microsoft identity platform, which is at the heart of Microsoft 365 authentication and authorization, this permission scope encloses the full level of privileges implied by a permission. As a consequence, once registered as described above, MailStore Server has access to all mailboxes in your Microsoft 365 tenant. Therefore, with regard to security, access to the Microsoft 365 archiving profiles in MailStore Server is limited to MailStore Server administrators.

=== Including Microsoft 365 Shared Mailboxes ===
In Microsoft 365, shared mailboxes are special mailboxes that multiple users have access to. Unlike a normal mailbox, a shared mailbox is not associated to a licensed Microsoft 365 user. For MailStore Server to create user entries for shared mailboxes, you must therefore deactivate the option ''Synchronize licensed Microsoft Exchange Online users only'' in the section [[Synchronizing User Accounts with Microsoft 365 (Modern Authentication)#User_Database_Synchronization|User Database Synchronization]]. 
After synchronization you can grant MailStore Server users access to the archive of the shared mailbox by [[Users,_Folders_and_Settings#Folder_Access_.28e.g._Access_to_the_Emails_of_Other_Users.29|assigning privileges]]. For archiving shared mailboxes, just proceed as for individual or multiple mailboxes as detailed below.

== Archiving Individual Microsoft 365 Mailboxes ==
{{Archiving Single Mailbox Preamble|Microsoft 365}}
For each mailbox, please proceed as follows:

* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft 365 mailbox 01.png|center|347px]]
* Select ''Single Mailbox'' and click on ''OK''.
*; [[File:Microsoft 365 mailbox 02.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* In the ''Mailbox'' field, enter the primary email address of the user whose mailbox you want to archive.
* Click on ''Test'' to verify that MailStore Server can access the mailbox.
* Click on ''Next''.
* If needed, adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]], the [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the mailbox. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections).
*; [[File:Microsoft_365_mailbox_03.png|center|347px]]
* Click on ''Next'' to continue.
* Select the archive of the user for whom the selected mailbox is to be archived. If the user does not exist yet, click on ''Create a New User…''.
*; [[File:Microsoft_365_mailbox_04.png|center|347px]]
* Click on ''Next''.
* In the last step, a name for the archiving profile can be specified. After clicking ''Finish'', the archiving profile will be listed under ''Saved Profiles'' and, if desired, can be run immediately or automatically.

More information on how to execute archiving profiles can be found under the topic [[Email Archiving with MailStore Basics]]

== Archiving Multiple Microsoft 365 Mailboxes Centrally ==
{{Archiving Multiple Mailboxes Preamble|Microsoft 365}}
Please proceed as follows:

* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft 365 mailboxes 01.png|center|347px]]
* Select ''Multiple Mailboxes'' and click ''OK''. 
*; {{Archiving_Multiple_or_Multidrop_Note|multiple mailboxes|[[#App_Registration_.26_User_Synchronization|directory synchronization]]}}
*; [[File:Microsoft 365 mailboxes 02.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* Click on ''Next'' to continue.
*; [[File:Microsoft 365 mailboxes 03.png|center|347px]]
* If needed, adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]], the [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the mailbox. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections). Please keep in mind that these settings apply to all mailboxes to be archived, as specified in the next step.
*; {{Archiving_Multiple_Mailboxes_Centrally_Options|Microsoft_365_mailboxes_04.png|Microsoft 365}}

== Archiving Incoming and Outgoing Emails Directly ==
{{Archiving Exchange Journal Mailbox Preamble|Exchange Online}}

=== Step 1: Setup and Configure MailStore Gateway ===
Please refer to the [https://help.mailstore.com/en/gateway/ MailStore Gateway Manual] for detailed instructions about:

* Installation and Setup of MailStore Gateway
* Logging on to MailStore Gateway's Management Console
* Creating MailStore Gateway mailboxes

After these steps, a mailbox with an individual email address (e.g. mbx-dead1234beef5678@gateway.example.com) should exist.

=== Step 2: Configure MailStore Server ===
{{Archiving MailStore Gateway Mailbox|''In- and Outbound E-Mail Automatically''|Microsoft 365 journal 01.png|Arch_MailStore_Gateway_Office365_02.png|''Microsoft 365''|TargetFolderHint=DontShow|POP3Hint=DontShow|DSLink=[[#App_Registration_.26_User_Synchronization|directory synchronization]]}}

=== Step 3: Creating a Journal Rule ===
The following steps describe how to set up journaling for your Microsoft 365 account.

Since you are planning to use an external mailbox (MailStore Gateway) as the recipient for Journal reports, we highly recommend to first create an external contact with this mail address in your Exchange mailbox administration to prevent any later errors or warnings about an unknown recipient in the process.

* Sign in to the [https://purview.microsoft.com/ Microsoft 365 Purview portal] as an Exchange or Global Administrator for your Microsoft 365 tenant.
* In the left navigation menu select ''Settings''.
* In the now shown ''Settings'' submenu select ''Data Lifecycle Management'' and then select ''Exchange (legacy)'' or use [https://purview.microsoft.com/settings/application-settings/datalifecyclemanagement this link].
* Enter a mailbox in the ''Send undeliverable journal reports to'' section. This mailbox receives None Delivery Reports (NDRs) for undeliverable journal reports in case the primary journal mailbox is unreachable.
** This mailbox should be a dedicated mailbox for this purpose, which cannot reside in any Microsoft 365 tenant.
** The same journal report non-delivery reports mailbox must not be used for multiple tenants.
** The receiving mail server must not alter the ''X-MS-Exchange-Message-Is-Ndr'' email header.
** For this purpose, you can set up a second gateway on another server with an additional mailbox, as described in [[Archiving_Emails_from_Microsoft_365_-_Modern_Authentication#Step_1:_Setup_and_Configure_MailStore_Gateway|Step 1]]. Alternatively you can use any external mailbox that matches the above criteria.
** MailStore is able to extract the journal reports contained in the NDRs, then archive them like normal journal reports and thus assign the emails they contain to users. You can therefore create a second archiving profile as described in [[Archiving_Emails_from_Microsoft_365_-_Modern_Authentication#Step_2:_Configure_MailStore_Server|Step 2]], which archives from the Microsoft 365 journal report non-delivery reports mailbox.
* In the leftmost navigation menu select ''Data Lifecycle Management'', then ''Exchange (legacy)'', and finally ''Journal rules'' and therefore leave the ''Settings'' section or use [https://purview.microsoft.com/datalifecyclemanagement/exchange/journalrules this link]. In case ''Data Lifecycle Management'' is not listed, click ''Solutions'' > ''Data Lifecycle Management''.
* Create a new journaling rule by clicking on ''+ (New rule)''.
*:[[File:Arch_office365_journal_01.png|center|550px]]
* Enter the email address of the previously created MailStore Gateway mailbox in the ''Send journal reports to:'' box.
* Enter a name for the journal rule, e.g. ''Journaling''.
* In the ''Journal messages sent or received from'' section, select whether the rule should apply to everyone or to specific users or groups.
* Under ''Type of message to journal'', choose whether to capture all messages, internal messages only, or external messages only.
* Click on ''Next'', then validate your settings, click ''Submit'' to activate the rule.

== Public Folders ==

'''Please note:''' Support for archiving of Public Folders for Microsoft 365 will reach its End of Life in October 2026. See [[EWS_Migration|here]] for more information.

{{Archiving Exchange Public Folders Preamble|Exchange Online|Microsoft 365}}
* Sign in to the [https://admin.exchange.microsoft.com/#/publicfolders Microsoft 365 Exchange admin center] as an Exchange or Global Administrator for your Microsoft 365 tenant.
* Navigate to ''Public folders'', in case it it not already opened.
* Click on ''Root permissions''.
*: [[File:Microsoft_365_pf_01.png|center|480px]]
* The side-panel ''Folder permissions'' opens. Click on ''+ Add permissions''.
* Use the text box beneath ''Select User'' to choose the Microsoft 365 user you want to grant permissions.
* Choose ''Custom'' as ''Permission level'' and grant ''Read items'' and ''Delete all'' permissions.
*: [[File:Microsoft_365_pf_02.png|center|480px]]
* Click on ''Save Changes''.

=== Step 3: Setting up the Archiving Process ===
* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft 365 pf 03.png|center|347px]]
* Select ''Public Folders'' and click on ''OK''. 
*; [[File:Microsoft 365 pf 04.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* In the ''Mailbox'' field, enter the primary email address of the user that has access to the public folders as described above.
* The value of the ''Target Folder'' box defines the top level folder below which the public folder hierarchy will be created in the target archive. Usually, you can leave this value to its default.
* Click on ''Test'' to verify that MailStore can access the public folders.
* Click on ''Next'' to continue.
*; [[File:Microsoft 365 pf 05.png|center|347px]]
* Adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]]. By default, all public folders that contain emails will be archived.
* If needed, adjust [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|the filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the public folders. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections).
* Click on ''Next'' to continue.
*; [[File:Microsoft 365 pf 06.png|center|347px]]
* In the next step, select the archive of the user you have prepared in step 1.
* In the last step, specify a name for the archiving profile. After clicking ''Finish'' the archiving profile will be listed under ''Saved Profiles'' and can be run immediately or automatically if desired.

== About Archiving Archive Mailboxes ==
{{Archive_Mailbox_Folder_Structure}}

== Archiving Individual Microsoft 365 Archive Mailboxes ==

'''Please note:''' Support for archiving Archive Mailboxes for Microsoft 365 will reach its End of Life in October 2026. See [[EWS_Migration|here]] for more information.

{{Archiving Single Archive Mailbox Preamble|Microsoft 365}}
For each mailbox, please proceed as follows:

* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft_365_archive_mailbox 01.png|center|347px]]
* Select ''Single Archive Mailbox'' and click on ''OK''.
*; [[File:Microsoft_365_archive_mailbox 02.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* In the ''Mailbox'' field, enter the primary email address of the user whose archive mailbox you want to archive.
* Click on ''Test'' to verify that MailStore Server can access the archive mailbox.
* Click on ''Next''.
* If needed, adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]], the [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the archive mailbox. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections).
*; [[File:Microsoft_365_archive_mailbox_03.png|center|347px]]
* Click on ''Next'' to continue.
* Select the archive of the user for whom the selected archive mailbox is to be archived. If the user does not exist yet, click on ''Create a New User…''.
*; [[File:Microsoft_365_archive_mailbox_04.png|center|347px]]
* Click on ''Next''.
* In the last step, a name for the archiving profile can be specified. After clicking ''Finish'', the archiving profile will be listed under ''Saved Profiles'' and, if desired, can be run immediately or automatically.

More information on how to execute archiving profiles can be found under the topic [[Email Archiving with MailStore Basics]]

== Archiving Multiple Microsoft 365 Archive Mailboxes Centrally ==
{{Archiving Multiple Archive Mailboxes Preamble|Microsoft 365}}
Please proceed as follows:

* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft_365_archive_mailboxes_01.png|center|347px]]
* Select ''Multiple Archive Mailboxes'' and click ''OK''. 
*; {{Archiving_Multiple_or_Multidrop_Note|multiple archive mailboxes|[[#App_Registration_.26_User_Synchronization|directory synchronization]]}}
*; [[File:Microsoft_365_archive_mailboxes_02.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* Click on ''Next'' to continue.
*; [[File:Microsoft_365_archive_mailboxes_03.png|center|347px]]
* If needed, adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]], the [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the archive mailbox. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections). Please keep in mind that these settings apply to all mailboxes to be archived, as specified in the next step.
*; {{Archiving_Multiple_Mailboxes_Centrally_Options|Microsoft_365_archive_mailboxes_04.png|Microsoft 365}}

[[de:E-Mail-Archivierung_von_Microsoft_365_(Modern_Authentication)]]
[[en:Archiving_Emails_from_Microsoft_365_(Modern_Authentication)]]

Archiving Emails from Microsoft 365 - Modern Authentication

2026-01-13T10:42:46Z

Ltalaschus: /* Public Folders */

{{Implementation Guide Preamble|Exchange Online / Microsoft 365|{{#ev:youtube|https://youtu.be/X0Um0cDWGg0|350|right|''Tech Tip: Microsoft 365 Archiving Profiles''}}| Our Tech Tip video shows the essential configuration steps in this article.}}
 
{{Multiline Notices|Heading=Important Notices|If you have archived emails from an Exchange server and synchronized users from an Active Directory until now, follow the article [[Changing Archiving from Microsoft Exchange Server to Microsoft 365]].|MailStore Server supports archiving emails from the global Microsoft Cloud ''Microsoft 365'' and ''Office 365, operated by 21Vianet''. Other Environments like GCC, GCC High or DoD are not supported.|For better readability, the terms ''Microsoft 365'' and ''Exchange Online'' are used interchangeably hereinafter instead of ''Exchange Online / Microsoft 365''.}}

== App Registration & User Synchronization ==
Before archiving Microsoft 365 mailboxes, registering MailStore Server in your Microsoft 365 tenant is required. It is also highly recommended to synchronize users in MailStore Server directly with that tenant to fetch all information that is relevant for archiving such as email addresses. The registration and synchronization procedures are described in the chapter [[Synchronizing User Accounts with Microsoft 365 (Modern Authentication)]] of the MailStore Server manual.

'''Please note:''' MailStore Server runs as a [[MailStore Server Service Configuration|Windows service]] and thus must use ''Application Permissions'' to access user mailboxes in Microsoft 365. By design, on the Microsoft identity platform, which is at the heart of Microsoft 365 authentication and authorization, this permission scope encloses the full level of privileges implied by a permission. As a consequence, once registered as described above, MailStore Server has access to all mailboxes in your Microsoft 365 tenant. Therefore, with regard to security, access to the Microsoft 365 archiving profiles in MailStore Server is limited to MailStore Server administrators.

=== Including Microsoft 365 Shared Mailboxes ===
In Microsoft 365, shared mailboxes are special mailboxes that multiple users have access to. Unlike a normal mailbox, a shared mailbox is not associated to a licensed Microsoft 365 user. For MailStore Server to create user entries for shared mailboxes, you must therefore deactivate the option ''Synchronize licensed Microsoft Exchange Online users only'' in the section [[Synchronizing User Accounts with Microsoft 365 (Modern Authentication)#User_Database_Synchronization|User Database Synchronization]]. 
After synchronization you can grant MailStore Server users access to the archive of the shared mailbox by [[Users,_Folders_and_Settings#Folder_Access_.28e.g._Access_to_the_Emails_of_Other_Users.29|assigning privileges]]. For archiving shared mailboxes, just proceed as for individual or multiple mailboxes as detailed below.

== Archiving Individual Microsoft 365 Mailboxes ==
{{Archiving Single Mailbox Preamble|Microsoft 365}}
For each mailbox, please proceed as follows:

* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft 365 mailbox 01.png|center|347px]]
* Select ''Single Mailbox'' and click on ''OK''.
*; [[File:Microsoft 365 mailbox 02.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* In the ''Mailbox'' field, enter the primary email address of the user whose mailbox you want to archive.
* Click on ''Test'' to verify that MailStore Server can access the mailbox.
* Click on ''Next''.
* If needed, adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]], the [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the mailbox. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections).
*; [[File:Microsoft_365_mailbox_03.png|center|347px]]
* Click on ''Next'' to continue.
* Select the archive of the user for whom the selected mailbox is to be archived. If the user does not exist yet, click on ''Create a New User…''.
*; [[File:Microsoft_365_mailbox_04.png|center|347px]]
* Click on ''Next''.
* In the last step, a name for the archiving profile can be specified. After clicking ''Finish'', the archiving profile will be listed under ''Saved Profiles'' and, if desired, can be run immediately or automatically.

More information on how to execute archiving profiles can be found under the topic [[Email Archiving with MailStore Basics]]

== Archiving Multiple Microsoft 365 Mailboxes Centrally ==
{{Archiving Multiple Mailboxes Preamble|Microsoft 365}}
Please proceed as follows:

* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft 365 mailboxes 01.png|center|347px]]
* Select ''Multiple Mailboxes'' and click ''OK''. 
*; {{Archiving_Multiple_or_Multidrop_Note|multiple mailboxes|[[#App_Registration_.26_User_Synchronization|directory synchronization]]}}
*; [[File:Microsoft 365 mailboxes 02.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* Click on ''Next'' to continue.
*; [[File:Microsoft 365 mailboxes 03.png|center|347px]]
* If needed, adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]], the [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the mailbox. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections). Please keep in mind that these settings apply to all mailboxes to be archived, as specified in the next step.
*; {{Archiving_Multiple_Mailboxes_Centrally_Options|Microsoft_365_mailboxes_04.png|Microsoft 365}}

== Archiving Incoming and Outgoing Emails Directly ==
{{Archiving Exchange Journal Mailbox Preamble|Exchange Online}}

=== Step 1: Setup and Configure MailStore Gateway ===
Please refer to the [https://help.mailstore.com/en/gateway/ MailStore Gateway Manual] for detailed instructions about:

* Installation and Setup of MailStore Gateway
* Logging on to MailStore Gateway's Management Console
* Creating MailStore Gateway mailboxes

After these steps, a mailbox with an individual email address (e.g. mbx-dead1234beef5678@gateway.example.com) should exist.

=== Step 2: Configure MailStore Server ===
{{Archiving MailStore Gateway Mailbox|''In- and Outbound E-Mail Automatically''|Microsoft 365 journal 01.png|Arch_MailStore_Gateway_Office365_02.png|''Microsoft 365''|TargetFolderHint=DontShow|POP3Hint=DontShow|DSLink=[[#App_Registration_.26_User_Synchronization|directory synchronization]]}}

=== Step 3: Creating a Journal Rule ===
The following steps describe how to set up journaling for your Microsoft 365 account.

Since you are planning to use an external mailbox (MailStore Gateway) as the recipient for Journal reports, we highly recommend to first create an external contact with this mail address in your Exchange mailbox administration to prevent any later errors or warnings about an unknown recipient in the process.

* Sign in to the [https://purview.microsoft.com/ Microsoft 365 Purview portal] as an Exchange or Global Administrator for your Microsoft 365 tenant.
* In the left navigation menu select ''Settings''.
* In the now shown ''Settings'' submenu select ''Data Lifecycle Management'' and then select ''Exchange (legacy)'' or use [https://purview.microsoft.com/settings/application-settings/datalifecyclemanagement this link].
* Enter a mailbox in the ''Send undeliverable journal reports to'' section. This mailbox receives None Delivery Reports (NDRs) for undeliverable journal reports in case the primary journal mailbox is unreachable.
** This mailbox should be a dedicated mailbox for this purpose, which cannot reside in any Microsoft 365 tenant.
** The same journal report non-delivery reports mailbox must not be used for multiple tenants.
** The receiving mail server must not alter the ''X-MS-Exchange-Message-Is-Ndr'' email header.
** For this purpose, you can set up a second gateway on another server with an additional mailbox, as described in [[Archiving_Emails_from_Microsoft_365_-_Modern_Authentication#Step_1:_Setup_and_Configure_MailStore_Gateway|Step 1]]. Alternatively you can use any external mailbox that matches the above criteria.
** MailStore is able to extract the journal reports contained in the NDRs, then archive them like normal journal reports and thus assign the emails they contain to users. You can therefore create a second archiving profile as described in [[Archiving_Emails_from_Microsoft_365_-_Modern_Authentication#Step_2:_Configure_MailStore_Server|Step 2]], which archives from the Microsoft 365 journal report non-delivery reports mailbox.
* In the leftmost navigation menu select ''Data Lifecycle Management'', then ''Exchange (legacy)'', and finally ''Journal rules'' and therefore leave the ''Settings'' section or use [https://purview.microsoft.com/datalifecyclemanagement/exchange/journalrules this link]. In case ''Data Lifecycle Management'' is not listed, click ''Solutions'' > ''Data Lifecycle Management''.
* Create a new journaling rule by clicking on ''+ (New rule)''.
*:[[File:Arch_office365_journal_01.png|center|550px]]
* Enter the email address of the previously created MailStore Gateway mailbox in the ''Send journal reports to:'' box.
* Enter a name for the journal rule, e.g. ''Journaling''.
* In the ''Journal messages sent or received from'' section, select whether the rule should apply to everyone or to specific users or groups.
* Under ''Type of message to journal'', choose whether to capture all messages, internal messages only, or external messages only.
* Click on ''Next'', then validate your settings, click ''Submit'' to activate the rule.

== Public Folders ==

'''Please note:''' Support for archiving of Public Folders for Microsoft 365 will reach its End of Life in October 2026. See [[EWS_Migration|here]] for more information.

{{Archiving Exchange Public Folders Preamble|Exchange Online|Microsoft 365}}
* Sign in to the [https://admin.exchange.microsoft.com/#/publicfolders Microsoft 365 Exchange admin center] as an Exchange or Global Administrator for your Microsoft 365 tenant.
* Navigate to ''Public folders'', in case it it not already opened.
* Click on ''Root permissions''.
*: [[File:Microsoft_365_pf_01.png|center|480px]]
* The side-panel ''Folder permissions'' opens. Click on ''+ Add permissions''.
* Use the text box beneath ''Select User'' to choose the Microsoft 365 user you want to grant permissions.
* Choose ''Custom'' as ''Permission level'' and grant ''Read items'' and ''Delete all'' permissions.
*: [[File:Microsoft_365_pf_02.png|center|480px]]
* Click on ''Save Changes''.

=== Step 3: Setting up the Archiving Process ===
* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft 365 pf 03.png|center|347px]]
* Select ''Public Folders'' and click on ''OK''. 
*; [[File:Microsoft 365 pf 04.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* In the ''Mailbox'' field, enter the primary email address of the user that has access to the public folders as described above.
* The value of the ''Target Folder'' box defines the top level folder below which the public folder hierarchy will be created in the target archive. Usually, you can leave this value to its default.
* Click on ''Test'' to verify that MailStore can access the public folders.
* Click on ''Next'' to continue.
*; [[File:Microsoft 365 pf 05.png|center|347px]]
* Adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]]. By default, all public folders that contain emails will be archived.
* If needed, adjust [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|the filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the public folders. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections).
* Click on ''Next'' to continue.
*; [[File:Microsoft 365 pf 06.png|center|347px]]
* In the next step, select the archive of the user you have prepared in step 1.
* In the last step, specify a name for the archiving profile. After clicking ''Finish'' the archiving profile will be listed under ''Saved Profiles'' and can be run immediately or automatically if desired.

== About Archiving Archive Mailboxes ==
{{Archive_Mailbox_Folder_Structure}}

== Archiving Individual Microsoft 365 Archive Mailboxes ==

'''Please note:''' Archive Mailboxes support for Microsoft 365 will reach its End of Life in October 2026. See [[EWS_Migration|here]] for more information.

{{Archiving Single Archive Mailbox Preamble|Microsoft 365}}
For each mailbox, please proceed as follows:

* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft_365_archive_mailbox 01.png|center|347px]]
* Select ''Single Archive Mailbox'' and click on ''OK''.
*; [[File:Microsoft_365_archive_mailbox 02.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* In the ''Mailbox'' field, enter the primary email address of the user whose archive mailbox you want to archive.
* Click on ''Test'' to verify that MailStore Server can access the archive mailbox.
* Click on ''Next''.
* If needed, adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]], the [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the archive mailbox. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections).
*; [[File:Microsoft_365_archive_mailbox_03.png|center|347px]]
* Click on ''Next'' to continue.
* Select the archive of the user for whom the selected archive mailbox is to be archived. If the user does not exist yet, click on ''Create a New User…''.
*; [[File:Microsoft_365_archive_mailbox_04.png|center|347px]]
* Click on ''Next''.
* In the last step, a name for the archiving profile can be specified. After clicking ''Finish'', the archiving profile will be listed under ''Saved Profiles'' and, if desired, can be run immediately or automatically.

More information on how to execute archiving profiles can be found under the topic [[Email Archiving with MailStore Basics]]

== Archiving Multiple Microsoft 365 Archive Mailboxes Centrally ==
{{Archiving Multiple Archive Mailboxes Preamble|Microsoft 365}}
Please proceed as follows:

* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft_365_archive_mailboxes_01.png|center|347px]]
* Select ''Multiple Archive Mailboxes'' and click ''OK''. 
*; {{Archiving_Multiple_or_Multidrop_Note|multiple archive mailboxes|[[#App_Registration_.26_User_Synchronization|directory synchronization]]}}
*; [[File:Microsoft_365_archive_mailboxes_02.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* Click on ''Next'' to continue.
*; [[File:Microsoft_365_archive_mailboxes_03.png|center|347px]]
* If needed, adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]], the [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the archive mailbox. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections). Please keep in mind that these settings apply to all mailboxes to be archived, as specified in the next step.
*; {{Archiving_Multiple_Mailboxes_Centrally_Options|Microsoft_365_archive_mailboxes_04.png|Microsoft 365}}

[[de:E-Mail-Archivierung_von_Microsoft_365_(Modern_Authentication)]]
[[en:Archiving_Emails_from_Microsoft_365_(Modern_Authentication)]]

Archiving Emails from Microsoft 365 - Modern Authentication

2026-01-13T10:39:24Z

Ltalaschus: /* Archiving Individual Microsoft 365 Archive Mailboxes */

{{Implementation Guide Preamble|Exchange Online / Microsoft 365|{{#ev:youtube|https://youtu.be/X0Um0cDWGg0|350|right|''Tech Tip: Microsoft 365 Archiving Profiles''}}| Our Tech Tip video shows the essential configuration steps in this article.}}
 
{{Multiline Notices|Heading=Important Notices|If you have archived emails from an Exchange server and synchronized users from an Active Directory until now, follow the article [[Changing Archiving from Microsoft Exchange Server to Microsoft 365]].|MailStore Server supports archiving emails from the global Microsoft Cloud ''Microsoft 365'' and ''Office 365, operated by 21Vianet''. Other Environments like GCC, GCC High or DoD are not supported.|For better readability, the terms ''Microsoft 365'' and ''Exchange Online'' are used interchangeably hereinafter instead of ''Exchange Online / Microsoft 365''.}}

== App Registration & User Synchronization ==
Before archiving Microsoft 365 mailboxes, registering MailStore Server in your Microsoft 365 tenant is required. It is also highly recommended to synchronize users in MailStore Server directly with that tenant to fetch all information that is relevant for archiving such as email addresses. The registration and synchronization procedures are described in the chapter [[Synchronizing User Accounts with Microsoft 365 (Modern Authentication)]] of the MailStore Server manual.

'''Please note:''' MailStore Server runs as a [[MailStore Server Service Configuration|Windows service]] and thus must use ''Application Permissions'' to access user mailboxes in Microsoft 365. By design, on the Microsoft identity platform, which is at the heart of Microsoft 365 authentication and authorization, this permission scope encloses the full level of privileges implied by a permission. As a consequence, once registered as described above, MailStore Server has access to all mailboxes in your Microsoft 365 tenant. Therefore, with regard to security, access to the Microsoft 365 archiving profiles in MailStore Server is limited to MailStore Server administrators.

=== Including Microsoft 365 Shared Mailboxes ===
In Microsoft 365, shared mailboxes are special mailboxes that multiple users have access to. Unlike a normal mailbox, a shared mailbox is not associated to a licensed Microsoft 365 user. For MailStore Server to create user entries for shared mailboxes, you must therefore deactivate the option ''Synchronize licensed Microsoft Exchange Online users only'' in the section [[Synchronizing User Accounts with Microsoft 365 (Modern Authentication)#User_Database_Synchronization|User Database Synchronization]]. 
After synchronization you can grant MailStore Server users access to the archive of the shared mailbox by [[Users,_Folders_and_Settings#Folder_Access_.28e.g._Access_to_the_Emails_of_Other_Users.29|assigning privileges]]. For archiving shared mailboxes, just proceed as for individual or multiple mailboxes as detailed below.

== Archiving Individual Microsoft 365 Mailboxes ==
{{Archiving Single Mailbox Preamble|Microsoft 365}}
For each mailbox, please proceed as follows:

* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft 365 mailbox 01.png|center|347px]]
* Select ''Single Mailbox'' and click on ''OK''.
*; [[File:Microsoft 365 mailbox 02.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* In the ''Mailbox'' field, enter the primary email address of the user whose mailbox you want to archive.
* Click on ''Test'' to verify that MailStore Server can access the mailbox.
* Click on ''Next''.
* If needed, adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]], the [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the mailbox. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections).
*; [[File:Microsoft_365_mailbox_03.png|center|347px]]
* Click on ''Next'' to continue.
* Select the archive of the user for whom the selected mailbox is to be archived. If the user does not exist yet, click on ''Create a New User…''.
*; [[File:Microsoft_365_mailbox_04.png|center|347px]]
* Click on ''Next''.
* In the last step, a name for the archiving profile can be specified. After clicking ''Finish'', the archiving profile will be listed under ''Saved Profiles'' and, if desired, can be run immediately or automatically.

More information on how to execute archiving profiles can be found under the topic [[Email Archiving with MailStore Basics]]

== Archiving Multiple Microsoft 365 Mailboxes Centrally ==
{{Archiving Multiple Mailboxes Preamble|Microsoft 365}}
Please proceed as follows:

* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft 365 mailboxes 01.png|center|347px]]
* Select ''Multiple Mailboxes'' and click ''OK''. 
*; {{Archiving_Multiple_or_Multidrop_Note|multiple mailboxes|[[#App_Registration_.26_User_Synchronization|directory synchronization]]}}
*; [[File:Microsoft 365 mailboxes 02.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* Click on ''Next'' to continue.
*; [[File:Microsoft 365 mailboxes 03.png|center|347px]]
* If needed, adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]], the [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the mailbox. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections). Please keep in mind that these settings apply to all mailboxes to be archived, as specified in the next step.
*; {{Archiving_Multiple_Mailboxes_Centrally_Options|Microsoft_365_mailboxes_04.png|Microsoft 365}}

== Archiving Incoming and Outgoing Emails Directly ==
{{Archiving Exchange Journal Mailbox Preamble|Exchange Online}}

=== Step 1: Setup and Configure MailStore Gateway ===
Please refer to the [https://help.mailstore.com/en/gateway/ MailStore Gateway Manual] for detailed instructions about:

* Installation and Setup of MailStore Gateway
* Logging on to MailStore Gateway's Management Console
* Creating MailStore Gateway mailboxes

After these steps, a mailbox with an individual email address (e.g. mbx-dead1234beef5678@gateway.example.com) should exist.

=== Step 2: Configure MailStore Server ===
{{Archiving MailStore Gateway Mailbox|''In- and Outbound E-Mail Automatically''|Microsoft 365 journal 01.png|Arch_MailStore_Gateway_Office365_02.png|''Microsoft 365''|TargetFolderHint=DontShow|POP3Hint=DontShow|DSLink=[[#App_Registration_.26_User_Synchronization|directory synchronization]]}}

=== Step 3: Creating a Journal Rule ===
The following steps describe how to set up journaling for your Microsoft 365 account.

Since you are planning to use an external mailbox (MailStore Gateway) as the recipient for Journal reports, we highly recommend to first create an external contact with this mail address in your Exchange mailbox administration to prevent any later errors or warnings about an unknown recipient in the process.

* Sign in to the [https://purview.microsoft.com/ Microsoft 365 Purview portal] as an Exchange or Global Administrator for your Microsoft 365 tenant.
* In the left navigation menu select ''Settings''.
* In the now shown ''Settings'' submenu select ''Data Lifecycle Management'' and then select ''Exchange (legacy)'' or use [https://purview.microsoft.com/settings/application-settings/datalifecyclemanagement this link].
* Enter a mailbox in the ''Send undeliverable journal reports to'' section. This mailbox receives None Delivery Reports (NDRs) for undeliverable journal reports in case the primary journal mailbox is unreachable.
** This mailbox should be a dedicated mailbox for this purpose, which cannot reside in any Microsoft 365 tenant.
** The same journal report non-delivery reports mailbox must not be used for multiple tenants.
** The receiving mail server must not alter the ''X-MS-Exchange-Message-Is-Ndr'' email header.
** For this purpose, you can set up a second gateway on another server with an additional mailbox, as described in [[Archiving_Emails_from_Microsoft_365_-_Modern_Authentication#Step_1:_Setup_and_Configure_MailStore_Gateway|Step 1]]. Alternatively you can use any external mailbox that matches the above criteria.
** MailStore is able to extract the journal reports contained in the NDRs, then archive them like normal journal reports and thus assign the emails they contain to users. You can therefore create a second archiving profile as described in [[Archiving_Emails_from_Microsoft_365_-_Modern_Authentication#Step_2:_Configure_MailStore_Server|Step 2]], which archives from the Microsoft 365 journal report non-delivery reports mailbox.
* In the leftmost navigation menu select ''Data Lifecycle Management'', then ''Exchange (legacy)'', and finally ''Journal rules'' and therefore leave the ''Settings'' section or use [https://purview.microsoft.com/datalifecyclemanagement/exchange/journalrules this link]. In case ''Data Lifecycle Management'' is not listed, click ''Solutions'' > ''Data Lifecycle Management''.
* Create a new journaling rule by clicking on ''+ (New rule)''.
*:[[File:Arch_office365_journal_01.png|center|550px]]
* Enter the email address of the previously created MailStore Gateway mailbox in the ''Send journal reports to:'' box.
* Enter a name for the journal rule, e.g. ''Journaling''.
* In the ''Journal messages sent or received from'' section, select whether the rule should apply to everyone or to specific users or groups.
* Under ''Type of message to journal'', choose whether to capture all messages, internal messages only, or external messages only.
* Click on ''Next'', then validate your settings, click ''Submit'' to activate the rule.

== Public Folders ==

'''Please note:''' Puplic Folder support for Microsoft 365 will reach its End of Life in October 2026. See [[EWS_Migration|here]] for more information.

{{Archiving Exchange Public Folders Preamble|Exchange Online|Microsoft 365}}
* Sign in to the [https://admin.exchange.microsoft.com/#/publicfolders Microsoft 365 Exchange admin center] as an Exchange or Global Administrator for your Microsoft 365 tenant.
* Navigate to ''Public folders'', in case it it not already opened.
* Click on ''Root permissions''.
*: [[File:Microsoft_365_pf_01.png|center|480px]]
* The side-panel ''Folder permissions'' opens. Click on ''+ Add permissions''.
* Use the text box beneath ''Select User'' to choose the Microsoft 365 user you want to grant permissions.
* Choose ''Custom'' as ''Permission level'' and grant ''Read items'' and ''Delete all'' permissions.
*: [[File:Microsoft_365_pf_02.png|center|480px]]
* Click on ''Save Changes''.

=== Step 3: Setting up the Archiving Process ===
* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft 365 pf 03.png|center|347px]]
* Select ''Public Folders'' and click on ''OK''. 
*; [[File:Microsoft 365 pf 04.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* In the ''Mailbox'' field, enter the primary email address of the user that has access to the public folders as described above.
* The value of the ''Target Folder'' box defines the top level folder below which the public folder hierarchy will be created in the target archive. Usually, you can leave this value to its default.
* Click on ''Test'' to verify that MailStore can access the public folders.
* Click on ''Next'' to continue.
*; [[File:Microsoft 365 pf 05.png|center|347px]]
* Adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]]. By default, all public folders that contain emails will be archived.
* If needed, adjust [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|the filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the public folders. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections).
* Click on ''Next'' to continue.
*; [[File:Microsoft 365 pf 06.png|center|347px]]
* In the next step, select the archive of the user you have prepared in step 1.
* In the last step, specify a name for the archiving profile. After clicking ''Finish'' the archiving profile will be listed under ''Saved Profiles'' and can be run immediately or automatically if desired.

== About Archiving Archive Mailboxes ==
{{Archive_Mailbox_Folder_Structure}}

== Archiving Individual Microsoft 365 Archive Mailboxes ==

'''Please note:''' Archive Mailboxes support for Microsoft 365 will reach its End of Life in October 2026. See [[EWS_Migration|here]] for more information.

{{Archiving Single Archive Mailbox Preamble|Microsoft 365}}
For each mailbox, please proceed as follows:

* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft_365_archive_mailbox 01.png|center|347px]]
* Select ''Single Archive Mailbox'' and click on ''OK''.
*; [[File:Microsoft_365_archive_mailbox 02.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* In the ''Mailbox'' field, enter the primary email address of the user whose archive mailbox you want to archive.
* Click on ''Test'' to verify that MailStore Server can access the archive mailbox.
* Click on ''Next''.
* If needed, adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]], the [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the archive mailbox. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections).
*; [[File:Microsoft_365_archive_mailbox_03.png|center|347px]]
* Click on ''Next'' to continue.
* Select the archive of the user for whom the selected archive mailbox is to be archived. If the user does not exist yet, click on ''Create a New User…''.
*; [[File:Microsoft_365_archive_mailbox_04.png|center|347px]]
* Click on ''Next''.
* In the last step, a name for the archiving profile can be specified. After clicking ''Finish'', the archiving profile will be listed under ''Saved Profiles'' and, if desired, can be run immediately or automatically.

More information on how to execute archiving profiles can be found under the topic [[Email Archiving with MailStore Basics]]

== Archiving Multiple Microsoft 365 Archive Mailboxes Centrally ==
{{Archiving Multiple Archive Mailboxes Preamble|Microsoft 365}}
Please proceed as follows:

* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft_365_archive_mailboxes_01.png|center|347px]]
* Select ''Multiple Archive Mailboxes'' and click ''OK''. 
*; {{Archiving_Multiple_or_Multidrop_Note|multiple archive mailboxes|[[#App_Registration_.26_User_Synchronization|directory synchronization]]}}
*; [[File:Microsoft_365_archive_mailboxes_02.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* Click on ''Next'' to continue.
*; [[File:Microsoft_365_archive_mailboxes_03.png|center|347px]]
* If needed, adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]], the [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the archive mailbox. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections). Please keep in mind that these settings apply to all mailboxes to be archived, as specified in the next step.
*; {{Archiving_Multiple_Mailboxes_Centrally_Options|Microsoft_365_archive_mailboxes_04.png|Microsoft 365}}

[[de:E-Mail-Archivierung_von_Microsoft_365_(Modern_Authentication)]]
[[en:Archiving_Emails_from_Microsoft_365_(Modern_Authentication)]]

Archiving Emails from Microsoft 365 - Modern Authentication

2026-01-13T10:38:55Z

Ltalaschus: /* Public Folders */

{{Implementation Guide Preamble|Exchange Online / Microsoft 365|{{#ev:youtube|https://youtu.be/X0Um0cDWGg0|350|right|''Tech Tip: Microsoft 365 Archiving Profiles''}}| Our Tech Tip video shows the essential configuration steps in this article.}}
 
{{Multiline Notices|Heading=Important Notices|If you have archived emails from an Exchange server and synchronized users from an Active Directory until now, follow the article [[Changing Archiving from Microsoft Exchange Server to Microsoft 365]].|MailStore Server supports archiving emails from the global Microsoft Cloud ''Microsoft 365'' and ''Office 365, operated by 21Vianet''. Other Environments like GCC, GCC High or DoD are not supported.|For better readability, the terms ''Microsoft 365'' and ''Exchange Online'' are used interchangeably hereinafter instead of ''Exchange Online / Microsoft 365''.}}

== App Registration & User Synchronization ==
Before archiving Microsoft 365 mailboxes, registering MailStore Server in your Microsoft 365 tenant is required. It is also highly recommended to synchronize users in MailStore Server directly with that tenant to fetch all information that is relevant for archiving such as email addresses. The registration and synchronization procedures are described in the chapter [[Synchronizing User Accounts with Microsoft 365 (Modern Authentication)]] of the MailStore Server manual.

'''Please note:''' MailStore Server runs as a [[MailStore Server Service Configuration|Windows service]] and thus must use ''Application Permissions'' to access user mailboxes in Microsoft 365. By design, on the Microsoft identity platform, which is at the heart of Microsoft 365 authentication and authorization, this permission scope encloses the full level of privileges implied by a permission. As a consequence, once registered as described above, MailStore Server has access to all mailboxes in your Microsoft 365 tenant. Therefore, with regard to security, access to the Microsoft 365 archiving profiles in MailStore Server is limited to MailStore Server administrators.

=== Including Microsoft 365 Shared Mailboxes ===
In Microsoft 365, shared mailboxes are special mailboxes that multiple users have access to. Unlike a normal mailbox, a shared mailbox is not associated to a licensed Microsoft 365 user. For MailStore Server to create user entries for shared mailboxes, you must therefore deactivate the option ''Synchronize licensed Microsoft Exchange Online users only'' in the section [[Synchronizing User Accounts with Microsoft 365 (Modern Authentication)#User_Database_Synchronization|User Database Synchronization]]. 
After synchronization you can grant MailStore Server users access to the archive of the shared mailbox by [[Users,_Folders_and_Settings#Folder_Access_.28e.g._Access_to_the_Emails_of_Other_Users.29|assigning privileges]]. For archiving shared mailboxes, just proceed as for individual or multiple mailboxes as detailed below.

== Archiving Individual Microsoft 365 Mailboxes ==
{{Archiving Single Mailbox Preamble|Microsoft 365}}
For each mailbox, please proceed as follows:

* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft 365 mailbox 01.png|center|347px]]
* Select ''Single Mailbox'' and click on ''OK''.
*; [[File:Microsoft 365 mailbox 02.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* In the ''Mailbox'' field, enter the primary email address of the user whose mailbox you want to archive.
* Click on ''Test'' to verify that MailStore Server can access the mailbox.
* Click on ''Next''.
* If needed, adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]], the [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the mailbox. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections).
*; [[File:Microsoft_365_mailbox_03.png|center|347px]]
* Click on ''Next'' to continue.
* Select the archive of the user for whom the selected mailbox is to be archived. If the user does not exist yet, click on ''Create a New User…''.
*; [[File:Microsoft_365_mailbox_04.png|center|347px]]
* Click on ''Next''.
* In the last step, a name for the archiving profile can be specified. After clicking ''Finish'', the archiving profile will be listed under ''Saved Profiles'' and, if desired, can be run immediately or automatically.

More information on how to execute archiving profiles can be found under the topic [[Email Archiving with MailStore Basics]]

== Archiving Multiple Microsoft 365 Mailboxes Centrally ==
{{Archiving Multiple Mailboxes Preamble|Microsoft 365}}
Please proceed as follows:

* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft 365 mailboxes 01.png|center|347px]]
* Select ''Multiple Mailboxes'' and click ''OK''. 
*; {{Archiving_Multiple_or_Multidrop_Note|multiple mailboxes|[[#App_Registration_.26_User_Synchronization|directory synchronization]]}}
*; [[File:Microsoft 365 mailboxes 02.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* Click on ''Next'' to continue.
*; [[File:Microsoft 365 mailboxes 03.png|center|347px]]
* If needed, adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]], the [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the mailbox. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections). Please keep in mind that these settings apply to all mailboxes to be archived, as specified in the next step.
*; {{Archiving_Multiple_Mailboxes_Centrally_Options|Microsoft_365_mailboxes_04.png|Microsoft 365}}

== Archiving Incoming and Outgoing Emails Directly ==
{{Archiving Exchange Journal Mailbox Preamble|Exchange Online}}

=== Step 1: Setup and Configure MailStore Gateway ===
Please refer to the [https://help.mailstore.com/en/gateway/ MailStore Gateway Manual] for detailed instructions about:

* Installation and Setup of MailStore Gateway
* Logging on to MailStore Gateway's Management Console
* Creating MailStore Gateway mailboxes

After these steps, a mailbox with an individual email address (e.g. mbx-dead1234beef5678@gateway.example.com) should exist.

=== Step 2: Configure MailStore Server ===
{{Archiving MailStore Gateway Mailbox|''In- and Outbound E-Mail Automatically''|Microsoft 365 journal 01.png|Arch_MailStore_Gateway_Office365_02.png|''Microsoft 365''|TargetFolderHint=DontShow|POP3Hint=DontShow|DSLink=[[#App_Registration_.26_User_Synchronization|directory synchronization]]}}

=== Step 3: Creating a Journal Rule ===
The following steps describe how to set up journaling for your Microsoft 365 account.

Since you are planning to use an external mailbox (MailStore Gateway) as the recipient for Journal reports, we highly recommend to first create an external contact with this mail address in your Exchange mailbox administration to prevent any later errors or warnings about an unknown recipient in the process.

* Sign in to the [https://purview.microsoft.com/ Microsoft 365 Purview portal] as an Exchange or Global Administrator for your Microsoft 365 tenant.
* In the left navigation menu select ''Settings''.
* In the now shown ''Settings'' submenu select ''Data Lifecycle Management'' and then select ''Exchange (legacy)'' or use [https://purview.microsoft.com/settings/application-settings/datalifecyclemanagement this link].
* Enter a mailbox in the ''Send undeliverable journal reports to'' section. This mailbox receives None Delivery Reports (NDRs) for undeliverable journal reports in case the primary journal mailbox is unreachable.
** This mailbox should be a dedicated mailbox for this purpose, which cannot reside in any Microsoft 365 tenant.
** The same journal report non-delivery reports mailbox must not be used for multiple tenants.
** The receiving mail server must not alter the ''X-MS-Exchange-Message-Is-Ndr'' email header.
** For this purpose, you can set up a second gateway on another server with an additional mailbox, as described in [[Archiving_Emails_from_Microsoft_365_-_Modern_Authentication#Step_1:_Setup_and_Configure_MailStore_Gateway|Step 1]]. Alternatively you can use any external mailbox that matches the above criteria.
** MailStore is able to extract the journal reports contained in the NDRs, then archive them like normal journal reports and thus assign the emails they contain to users. You can therefore create a second archiving profile as described in [[Archiving_Emails_from_Microsoft_365_-_Modern_Authentication#Step_2:_Configure_MailStore_Server|Step 2]], which archives from the Microsoft 365 journal report non-delivery reports mailbox.
* In the leftmost navigation menu select ''Data Lifecycle Management'', then ''Exchange (legacy)'', and finally ''Journal rules'' and therefore leave the ''Settings'' section or use [https://purview.microsoft.com/datalifecyclemanagement/exchange/journalrules this link]. In case ''Data Lifecycle Management'' is not listed, click ''Solutions'' > ''Data Lifecycle Management''.
* Create a new journaling rule by clicking on ''+ (New rule)''.
*:[[File:Arch_office365_journal_01.png|center|550px]]
* Enter the email address of the previously created MailStore Gateway mailbox in the ''Send journal reports to:'' box.
* Enter a name for the journal rule, e.g. ''Journaling''.
* In the ''Journal messages sent or received from'' section, select whether the rule should apply to everyone or to specific users or groups.
* Under ''Type of message to journal'', choose whether to capture all messages, internal messages only, or external messages only.
* Click on ''Next'', then validate your settings, click ''Submit'' to activate the rule.

== Public Folders ==

'''Please note:''' Puplic Folder support for Microsoft 365 will reach its End of Life in October 2026. See [[EWS_Migration|here]] for more information.

{{Archiving Exchange Public Folders Preamble|Exchange Online|Microsoft 365}}
* Sign in to the [https://admin.exchange.microsoft.com/#/publicfolders Microsoft 365 Exchange admin center] as an Exchange or Global Administrator for your Microsoft 365 tenant.
* Navigate to ''Public folders'', in case it it not already opened.
* Click on ''Root permissions''.
*: [[File:Microsoft_365_pf_01.png|center|480px]]
* The side-panel ''Folder permissions'' opens. Click on ''+ Add permissions''.
* Use the text box beneath ''Select User'' to choose the Microsoft 365 user you want to grant permissions.
* Choose ''Custom'' as ''Permission level'' and grant ''Read items'' and ''Delete all'' permissions.
*: [[File:Microsoft_365_pf_02.png|center|480px]]
* Click on ''Save Changes''.

=== Step 3: Setting up the Archiving Process ===
* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft 365 pf 03.png|center|347px]]
* Select ''Public Folders'' and click on ''OK''. 
*; [[File:Microsoft 365 pf 04.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* In the ''Mailbox'' field, enter the primary email address of the user that has access to the public folders as described above.
* The value of the ''Target Folder'' box defines the top level folder below which the public folder hierarchy will be created in the target archive. Usually, you can leave this value to its default.
* Click on ''Test'' to verify that MailStore can access the public folders.
* Click on ''Next'' to continue.
*; [[File:Microsoft 365 pf 05.png|center|347px]]
* Adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]]. By default, all public folders that contain emails will be archived.
* If needed, adjust [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|the filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the public folders. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections).
* Click on ''Next'' to continue.
*; [[File:Microsoft 365 pf 06.png|center|347px]]
* In the next step, select the archive of the user you have prepared in step 1.
* In the last step, specify a name for the archiving profile. After clicking ''Finish'' the archiving profile will be listed under ''Saved Profiles'' and can be run immediately or automatically if desired.

== About Archiving Archive Mailboxes ==
{{Archive_Mailbox_Folder_Structure}}

== Archiving Individual Microsoft 365 Archive Mailboxes ==
{{Archiving Single Archive Mailbox Preamble|Microsoft 365}}
For each mailbox, please proceed as follows:

* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft_365_archive_mailbox 01.png|center|347px]]
* Select ''Single Archive Mailbox'' and click on ''OK''.
*; [[File:Microsoft_365_archive_mailbox 02.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* In the ''Mailbox'' field, enter the primary email address of the user whose archive mailbox you want to archive.
* Click on ''Test'' to verify that MailStore Server can access the archive mailbox.
* Click on ''Next''.
* If needed, adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]], the [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the archive mailbox. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections).
*; [[File:Microsoft_365_archive_mailbox_03.png|center|347px]]
* Click on ''Next'' to continue.
* Select the archive of the user for whom the selected archive mailbox is to be archived. If the user does not exist yet, click on ''Create a New User…''.
*; [[File:Microsoft_365_archive_mailbox_04.png|center|347px]]
* Click on ''Next''.
* In the last step, a name for the archiving profile can be specified. After clicking ''Finish'', the archiving profile will be listed under ''Saved Profiles'' and, if desired, can be run immediately or automatically.

More information on how to execute archiving profiles can be found under the topic [[Email Archiving with MailStore Basics]]

== Archiving Multiple Microsoft 365 Archive Mailboxes Centrally ==
{{Archiving Multiple Archive Mailboxes Preamble|Microsoft 365}}
Please proceed as follows:

* Log on to MailStore Client as MailStore Server administrator.
* Click on ''Archive Email''.
* From the ''Email Servers'' list in the ''Create Profile'' area of the ''Archive Email'' page, select ''Microsoft 365'' or ''Microsoft 365 (21Vianet)'' to create a new archiving profile.
* A wizard opens to assist in specifying the archiving settings. 
*; [[File:Microsoft_365_archive_mailboxes_01.png|center|347px]]
* Select ''Multiple Archive Mailboxes'' and click ''OK''. 
*; {{Archiving_Multiple_or_Multidrop_Note|multiple archive mailboxes|[[#App_Registration_.26_User_Synchronization|directory synchronization]]}}
*; [[File:Microsoft_365_archive_mailboxes_02.png|center|347px]]
* Select the Microsoft 365 credentials that you have created during the registration of MailStore Server with Microsoft 365 from the ''Credentials'' drop-down list. You can also use the button (…) to access the [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server|Credential Manager]].
* Click on ''Next'' to continue.
*; [[File:Microsoft_365_archive_mailboxes_03.png|center|347px]]
* If needed, adjust the settings for the [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders|List of Folders to be Archived]], the [[Email_Archiving_with_MailStore_Basics#Specifying_Filter_Criteria_for_Archiving|filter]] and the [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving|Deletion Rules]]. By default, no emails will be deleted from the archive mailbox. The ''Timeout'' value only has to be adjusted in specific cases (e.g. with very slow network connections). Please keep in mind that these settings apply to all mailboxes to be archived, as specified in the next step.
*; {{Archiving_Multiple_Mailboxes_Centrally_Options|Microsoft_365_archive_mailboxes_04.png|Microsoft 365}}

[[de:E-Mail-Archivierung_von_Microsoft_365_(Modern_Authentication)]]
[[en:Archiving_Emails_from_Microsoft_365_(Modern_Authentication)]]

Update Notices for MailStore Server

2026-01-12T15:03:52Z

Ltalaschus:

== General Information ==

* '''Before you start the installation, please check if your current license really allows to upgrade the software.'''
* '''Before the installation, read the [https://go.mailstore.com?product=MailStore%20Server&target=changelog&lang=en changelog] for information about all changes in the respective versions.'''
* '''Make sure you have a recent backup of your archive. Learn more about backing up and restoring MailStore Server [[Backup and Restore|here]]'''.
* '''Make sure the server where MailStore Server is installed on meets the [[System_Requirements|system requirements]]'''.
* Close all open MailStore programs on the server, such as the MailStore Server Service Configuration, the MailStore Client, and Outlook. Open programs cannot be overwritten by the installation program, and this will result in an access error 5.
* The installation process will uninstall older versions of the software automatically. All archives and the configuration data will be kept. There is no need to manually uninstall old versions previously.
* Installations with version 23.4 or older must first be updated to version 24.4 and all archive stores must be updated to Firebird 4. You can then update to the latest version. Please also read the [[Update Notices for MailStore Server to version 25.1 or newer]].
* During the installation process the MailStore Server service is automatically stopped and restarted afterwards. Running archiving profiles will be cancelled and may show up as failed. Should stopping the service fail for any reason, please stop the service manually and run the installation again.
* Carefully check the auto-detected settings during the installation process.
* Updating the MailStore Client installations and/or the MailStore Outlook Add-In installations is only necessary if this is specifically stated in the version-specific notes.
*; Further information can be found in the articles [[MailStore Client Deployment]] and [[MailStore Outlook Add-in Deployment]]
* The following version specific upgrade notices are cumulative. Therefore, also read the notices regarding all version numbers between yours and the one you are going to install.
* For versions that are not explicitly listed here, the upgrade notices for preceding versions apply accordingly.

== Upgrading to 26.1.0 ==

* External Microsoft SQL and PostgreSQL-based archive stores are deprecated and support will be removed in a future MailStore version.
* New Microsoft 365 mailbox archiving profiles now use the Graph API. Please ensure you have registered the app in Entra ID according to our instructions; in particular, the Mail.ReadWrite permission is now required.

== Upgrading to 25.4.0 ==
* MailStore Client prefers Kerberos when Windows Authentication (Single-Sign-on) is configured via GPO.

== Upgrading to 25.3.1 ==
The known issues of version 25.3.0 have been fixed.

== Upgrading to 25.3.0 ==
* ''' Microsoft Windows Live Mail '''
*; Support for the Microsoft Windows Live Mail email client has been removed from MailStore in this version.
* ''' SmarterMail '''
*; Support for the SmarterMail email server has been removed from MailStore in this version.
* ''' Directory Service Synchronization '''
*; After updating, check your directory service settings for functionality. Support for older authentication methods has been removed from MailStore in this version (Microsoft 365 Basic authentication and Google Workspace IMAP authentication), and third-party components have been updated.
* ''' SMTP OAuth2 Authentication with Microsoft 365 '''
*; Please note the [[SMTP Settings]] article if you would like to use your existing app registration in Entra ID to transmit emails via Microsoft 365 server.
* ''' Gateway archiving '''
*; Gateway archiving profiles that are meant for Google, generic mail servers and email clients do not extract journal reports and NDRs anymore. When archiving Microsoft 365 journal emails from a MailStore Gateway mailbox ensure you are using the proper Gateway archiving profile before updating. You can tell this because you cannot configure the target path in the archive in the archiving profile and the emails are sorted into the ''Journal Incoming'' and ''Journal Outgoing'' folders.

=== Known Issues ===
* '''PostgreSQL databases cannot be loaded after an upgrade. Do not upgrade if you are using PostgreSQL based archive stores.''' This bug was fixed with version 25.3.1.
* In WebAccess, emails that contain only plain text are not displayed correctly. This bug was fixed with version 25.3.1.

== Upgrading to 25.2.0 ==
There are no notes for this version.

== Upgrading to 25.1.0 ==

* '''Only installations with versions 24.2.0 to 24.4.0 can be updated directly.'''
* '''Until all archive stores have been updated, you must not update to version 25.1.0.'''
* It is '''obligatory''' to also note the [[Update Notices for MailStore Server to version 25.1 or newer]].

== Upgrading to 24.4.0 ==
There are no notes for this version.

== Upgrading to 24.3.0 ==
* Saved searches containing search criteria that can be interpreted as [[Accessing_the_Archive_with_the_MailStore_Client_software#Searching_for_Alternatives|search for alternatives]] will return different search results than before the update.
* Retention policies do not support [[Accessing_the_Archive_with_the_MailStore_Client_software#Searching_for_Alternatives|searches for alternatives]]. In case existing retention policies contain search criteria that can be interpreted as searches for alternatives, those have to be changed for retention policies to being able to be processed again.

== Upgrading to 24.2.2 ==

There are no notes for this version.

== Upgrading to 24.2.1 ==
If you are upgrading from a MailStore version before 24.2.0, please also note the instructions for upgrading to version 24.2.0.

* '''Upgrading Archive Stores''' If you upgrade from MailStore 24.2.0, the archive stores need to be upgraded. To do this, proceed as follows:
** Log in as MailStore administrator (admin).
** Click on ''Administrative Tools'' > ''Storage'' and then ''Storage Locations''.
** Either click on the yellow info box to upgrade all archive stores at once or right-click on an archive store and select ''Perform Upgrade'' to upgrade a single archive store.
** Carefully read the notices and click on ''OK'' to start the upgrade process or click on ''Cancel''.
**: [[File:Fg_upgrade10.png|center]]
:Until all archive stores have been upgraded, retention policies are not available.

== Upgrading to 24.2.0 ==
* '''Upgrade of Master Database''' The master database is upgraded to Firebird 4 during the first start of the MailStore Server service. This process might extend the time required for the first start of the service by several minutes.
* '''Upgrading Archive Stores''' For the update to Firebird 4 the databases of the archive stores must be upgraded. Proceed as follows to upgrade:
** Log in as MailStore administrator (admin).
** Click on ''Administrative Tools'' > ''Storage'' and then ''Storage Locations''.
** Either click on the yellow info box to upgrade all archive stores at once or right-click on an archive store and select ''Perform Upgrade'' to upgrade a single archive store.
** Carefully read the notices and click on ''OK'' to start the upgrade process or click on ''Cancel''.
**: [[File:Fg_upgrade10.png|center]]
:Until all archive stores have been upgraded, retention policies are not available.
* '''System Requirements'''
*; Internet Explorer support has been removed from MailStore in this version. For a current list of supported browsers, please refer to [[System Requirements]].
* ''' Python API Wrapper '''
*; In order to be able to use the new API commands, an update of the [[Python_API_Wrapper_Tutorial|Python API wrapper library]] is required.

=== Known Issues ===
* As long as an internal, Firebird-based archive store has not been updated, no recovery records will be written for emails in this archive store. This bug was fixed with version 24.2.1.
* Users who have been synchronized from an Active Directory and who have MailStore multi-factor authentication (MFA) activated cannot log in using Windows authentication. To work around the issue, disable multi-factor authentication for those users in MailStore or let them use their username and password to log in. This bug was fixed with version 24.2.2.

== Upgrading to 23.4.0 ==
* '''System Requirements'''
*; Windows Server 2012 and Windows Server 2012 R2 support has been removed from MailStore in this version. For a current list of supported operating systems, please refer to [[System Requirements]].
* ''' Python API Wrapper '''
*; In order to be able to use the new API commands, an update of the [[Python_API_Wrapper_Tutorial|Python API wrapper library]] is required.

== Upgrading to 23.3.0 ==
* ''' Microsoft Exchange 2013 Support '''
*; Support for Microsoft Exchange 2013 has been removed from MailStore in this version.

== Upgrading to 23.2.0 ==
* ''' Outlook Add-in '''
*; Starting with version 23.2.0, MailStore Server supports multi-factor authentication for users with integrated authentication. To support multi-factor authentication an update of the Outlook Add-in is required.
*; The Outlook Add-In 23.2.0 is not backward compatible with older MailStore Server versions. When updating, MailStore Server should be updated first and then the Outlook Add-in.
* ''' Scheduled Tasks, Management API, IMAP Access ''' 
*; When multi-factor authentication is enabled for a user and that user wants to schedule client-side archiving profiles, access the Management API or access the IMAP server, an app password has to be used instead of the regular password.
* ''' Python API Wrapper '''
*; In order to be able to use the new API commands, an update of the [[Python_API_Wrapper_Tutorial|Python API wrapper library]] is required.

== Upgrading to 23.1.2 ==
* Important: Let's Encrypt has announced to change their production request flow permanently on April 24th 2023. After that date, previous versions of MailStore Server will not be able to successfully request certificates from Let's Encrypt.

== Upgrading to 23.1.0 ==
* '''System Requirements'''
*; Windows 7, Windows 8.1, Windows Server 2008 R2 and Windows Small Business Server 2011 support has been removed from MailStore in this version. For a current list of supported operating systems, please refer to [[System Requirements]].

== Upgrading to 22.4.0 ==
There are no notes for this version.

== Upgrading to 22.3.0 ==
* ''' Outlook Add-in '''
*; Starting with version 22.3.0, failed login attempts will slow down the login process. While this process is backwards compatible to older Outlook Add-ins, we strongly recommend updating the Outlook Add-in for the best user experience.

== Upgrading to 22.2.x ==
* '''System Requirements'''
*; Starting with version 22.2 MailStore Server, MailStore Client and MailStore Outlook Add-in require Microsoft .NET Framework version 4.8. Please refer to our [[System Requirements]]. If the framework is installed by the MailStore setup, the system might reboot without further notice.
* '''External Archive Stores'''
*; Starting with version 22.2, only versions 10 or newer are supported for PostgreSQL.

== Upgrading to 13.x ==
* '''Update of MailStore Client and Outlook Add-in''' Irrespective of MailStore Client's auto-update mechanism, a reinstallation of MailStore Client and the MailStore Outlook Add-in is required to make use of the following improvements:
** Unified validation of TLS certificates.
** Unified evaluation of group policies.
** Distinct error messages for certain certificate errors.
** Outlook Add-in: Due to the required changes of the login process to support modern authentication with Microsoft 365 and Google Workspace, the Outlook Add-in must be updated to version 13 to be able to connect to MailStore Server 13.x. Connecting to an older version of MailStore Server is no longer supported after the update.
* '''Unencrypted Connections'''
*; Support for unencrypted connections to MailStore Server has been fully removed. This affects MailStore Outlook Add-in, and the Legacy Web Access. After updating the Outlook Add-in, it automatically tries to connect to the default HTTPS port (8462) if either the default HTTP port (8461) or no port was set as part of the server name previously. In all other cases, the initial connections may fail and requires the server name to be adjusted by the user, or by an administrator via group policies.
* '''HTTP-to-HTTPS Redirect'''
*; The HTTP-to-HTTPS redirect option, which must be considered insecure without the use of properly configured [[wikipedia:HTTP_Strict_Transport_Security|HTTP Strict Transport Security (HSTS)]], has been removed. Users are required to use the correct HTTPS URL to access MailStore Web Access.
* '''Windows Authentication'''
*; The authentication method selection has been removed from the newly design login dialog. Therefore, traditional Windows Authentication available in on-prem Active Directory controlled environments, can only be enabled through group policies. Further information on group policies can be found in [[MailStore Client Deployment]] and [[MailStore Outlook Add-in Deployment]].
* '''Microsoft 365 Support'''
*; A new directory service synchronization profile [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)|Microsoft 365 (Modern Authentication)]] as well as new profiles for archiving and exporting emails from or to Microsoft 365 have been introduced. These support modern authentication (OAuth 2.0 & OpenID Connect) and customers of Microsoft 365 are advised to regularly check for Microsoft's announcement on the timeline for removing HTTP Basic Auth from Microsoft Exchange Web Services (EWS) and to plan the migration to the new profiles in advance. Once Microsoft disables support for HTTP Basic Auth in Exchange Web Services on Microsoft 365, the existing directory service synchronization profile ''Microsoft 365 (Basic Auth)'' (formerly named ''Office 365'') and the Microsoft Exchange archiving and export profiles will stop working.
* '''Google Workspace Support'''
*; The [[Google Workspace Integration|Google Workspace directory service synchronization profile]] has been extended with support for modern authentication (OAuth 2.0 & OpenID Connect). Customers of Google Workspace are advised to regularly check for Google's announcement on the timeline for removing support for less secure apps, and should plan the migration to the new setting in advance. Once Google disables support for Less Secure Apps in Google Workspace, the existing directory service synchronization profile ''Google Workspace'' will no longer allow users to login to MailStore as long as the authentication method is still set to ''IMAP''.
* '''IMAP Access to Archive'''
*; When using either the new ''Microsoft 365 (Modern Authentication)'' or ''Google Workspace'' directory service synchronization profile, user that have been added by these profiles, can not access their archive via the integrated IMAP server as MailStore Server is not able to verify those passwords itself.
* '''Startup Scripts'''
*; The [[MailStore Server Service Configuration]] now provides functionality to configure connections to remote SMB/CIFS network shares without having to store credential in a plain text batch file. Therefore, startup scripts are no longer recommended to be used for that purpose. Unless there actually is a startup script found in MailStore Server's program directory, the corresponding menu item ''Startup Script'' will not be shown in the MailStore Server Service Configuration.
* '''Mobile Web Access'''
*; The dedicated Mobile Web Access has been removed due to no longer supported third-party components (e.g. jQuery Mobile) and in favor of MailStore Web Access, which has been received major enhancements in terms of performance and usability.
* '''Legacy Web Access'''
*; As parts of Legacy Web Access are representing the server-side of the Outlook Add-in, the Legacy Web Access is still present, but no longer advertised on the login screen of the Web Access.
* '''Group Policies'''
*; The following group policy settings are no longer supported in MailStore 13:
** '''MailStore Client: Accept Thumbprint'''
**; If a server name has been defined by a group policy, the certificate used by MailStore Server must be trusted by the client computer and it must not be revoked or expired.
** '''MailStore Outlook Add-in: Accept Thumbprint'''
**; If a server name has been defined by a group policy, the certificate used by MailStore Server must be trusted by the client computer and it must not be revoked or expired.
** '''MailStore Outlook Add-in: Enable TLS/SSL encryption'''
**; As MailStore Server no longer supports unencrypted inbound connections and the default behavior of MailStore Outlook Add-in as been modified accordingly, this option is ignored.

== Upgrading to 12.1 ==
* '''System Requirements'''
*; Windows Vista, Windows Server 2008, and Windows Small Business Server 2008 support has been removed from MailStore in this version. For a current list of supported operating systems, please refer to [[System Requirements]].

== Upgrading to 12 ==
* '''Expired Certificates'''
*; Irrespective of whether the certificate's trust can be verified, no connection is established by MailStore Client to server's whose certificate has expired or was revoked. In such a case, the certificate must be replaced by means of the MailStore Server service configuration tool first.
* '''Using Certificates'''
*; If in the past, different certificates were used for the services provided by MailStore Server, the same certificate configuration as for new installations will be shown during the installation. The certificate configured in that step will afterwards be used for all provided services and can be change in the MailStore Server service configuration tool.

== Upgrading to 11 ==
* '''Upgrading Archive Stores'''
*; '''Depending on the archive size this can take an excessive amount of time. On average 50.000 messages are processed per minute during the upgrade.'''
*; Until the archive stores have been upgraded, not all functionality of the software is available. To facilitate
** retention policies,
** the search functionality,
** the improved recovery records,
*; the databases of the archive stores must be upgraded.
*;Proceed as follows to upgrade:
** Log in as MailStore administrator (admin).
** Click on ''Administrative Tools'' > ''Storage'' and then ''Storage Locations''.
** Either click on the yellow info box to upgrade all archive stores at once or right-click on an archive store and select ''Perform Upgrade'' to upgrade a single archive store.
** Carefully read the notices and click on ''OK'' to start the upgrade process or click on ''Cancel''.
**: [[File:Fg_upgrade10.png|center]]
* '''Retention Policies''' If not all attached archive stores are available (State: ''Archive here'', ''Normal''), or their status is ''Write-Protected'', no automatic processing of retention policies takes place. Therefore verify if an archive store is set to ''Disabled'' or ''Write-Protected'' after the upgrade and change it to one of the above states or detach it completely.
* '''Access via Integrated IMAP Server''' To access the archive via the integrated IMAP server, an encrypted connection is now mandatory. If necessary, adjust the configuration of your email clients accordingly and enable TLS or STARTTLS.
* '''Management API Commands Get-/SetComplianceConfiguration''' The property ''globalRetentionTimeYears'' has been removed from the commands. Own scripts using these commands have to be adjusted accordingly. To manage retention policies, two new commands are available: ''GetRetentionPolicies'' and ''SetRetentionPolicies''.

== Upgrading to 10.2 ==
* '''Web Access''' The new responsive Web Access is exclusively available via the HTTPS port. User who are still using the unencrypted HTTP port to access Web Access, will see a corresponding notice about this circumstance. Thus it is recommended to use a trustworthy certificate signed by an official or internal certificate authority. See [[Using Your Own SSL Certificate]] for details.
=== Known Issues ===
* The backend of the new responsive Web Access expects MailStore Server to be reachable on IP address 127.0.0.1 (localhost) and the default TCP port 8460. If you configured MailStore to listen on a specific IP address for MailStore Client connections in the [[MailStore Server Service Configuration]], please reset it to ''(All IP Addresses)'' and ''Port'' 8460. This problem was fixed with version 10.2.3.

== Upgrading to 10.1 ==
* '''Archiving Emails''' If not all attached archive stores are available (State: ''Archive here'', ''Normal'', or ''Write-Protected''), no archiving takes place. Running archiving profiles are terminated with an appropriate message. Under certain circumstances this prevents the creation of duplicate emails while archiving. Therefore verify if an archive store is set to ''disabled'' after the upgrade and change it to one of the above states or detach it completely.
* '''Status Reports''' If a longer period should be covered by status reports, it must be ensured that the profile and job results are kept for at least that period. The default value of previous installations is one week and should be adjusted to the new default value of 90 days.

== Upgrading to Version 10 ==
* '''Encryption Notices''' Due to enhanced encryption mechanisms, MailStore archives that have been upgraded to version 10 are tied to the Windows-Installation on which MailStore Server has been installed. Under certain conditions some actions (e.g. restoring the default admin, attaching foreign archive stores, etc.) in MailStore require the input of a recovery key. By default this is the product key of the installation.Please make sure to store the product key entered during installation in a safe location.In environments with higher security requirements it is recommended to change the default recovery key and, depending on the backup target, exclude the unencrypted search indexes from backups. Corresponding information can be found in the [[MailStore Server Service Configuration]] article.
* '''Upgrade of Master Database''' To facilitate encryption of the master database it is upgraded to Firebird 3 during the first start of the MailStore Server service and encrypted afterwards. This process might extend the time required for the first start of the service by several minutes.
* '''Upgrading Archive Stores''' To facilitate encryption the databases of the archive store must be upgraded. Proceed as follows to upgrade:
** Log in as MailStore administrator (admin).
** Click on ''Administrative Tools'' > ''Storage'' and then ''Storage Locations''.
** Either click on the yellow info box to upgrade all archive stores at once or right-click on an archive store and select ''Perform Upgrade'' to upgrade a single archive store.
** Carefully read the notices and click on ''OK'' to start the upgrade process or click on ''Cancel''.
**: [[File:Fg_upgrade10.png|center]]
* '''Archives of Other Users''' These are no longer visible for MailStore administrators if the ''Archive Access'' (formerly knows as ''E-mail Preview'') is blocked. Administrative functions such as deleting or renaming user archives are accessible through [[Archives|Administrative Tools > Users and Archives > Archives]].
* '''Export E-mails''' The previous change may also have an impact on export profiles owned by a MailStore administrator, in case the export scope contains archives of other users. As these are no longer visible to MailStore administrators if the ''Archive Access'' (formerly knows as ''E-mail Preview'') is blocked, they are not taken into account by export profiles.
* '''Auditing''' All activities that are exclusively executable by MailStore administrators are displayed as ''Enabled (locked)'' at ''Compliance'' > ''Auditing''. Irrespective of the ''Disabled'' status, all activities of MailStore administrators, excluding ''MessageRetrieveContent'', are written into the audit log.
* '''Default Password''' If you have not changed the default MailStore administrators (admin) password yet, you will be asked to set a new password during the first logon after the update. The same occurs when the password has been reset to ''admin'' after restoring the default admin.

== Upgrading to Version 9.7 ==
* '''Search Indexes''' Due to changes in the area of indexing email attachment contents, the search index settings should be opened and confirmed after the update, so that MailStore can identify potentially missing or unsupported IFilters.
* '''Archiving from Gmail''' This version contains a new Gmail profile, that provides additional functionality such as support for deleting emails from the Gmail mailbox and OAuth2 authentication. Please notice, that it does not support any other folders than "All Mail" and "Sent Items". This new behavior anticipates scenarios which have been recognized as confusing by users in the past and that where caused by the interaction of Gmail labels, IMAP folders and MailStore's single instance store. Existing Google Mail profiles can still be modified and executed, but no new ones can be created. It is recommended to replace old "Google Mail" profiles by this new Gmail profile.

=== Known Issues ===
* Indexing the content of Open Document Format email attachments requires a working installation of OpenOffice or LibreOffice, though Microsoft Office 2010 Filter Pack officially provides support for these file types. Additional information can be found in the [[Search Indexes]] article.

== Upgrading to Version 9.6 ==
* '''Update of MailStore Client and Outlook Add-in''' Independent of MailStore Client's auto-update mechanism, a reinstallation of MailStore Client and the MailStore Outlook Add-in is required to make use of the following improvements:
** Client: Pin to taskbar now possible on Windows 7 and newer.
** Support for different SSL certificate thumbprint formats in group policies.
** Group policies allow configuration of client and Outlook Add-in language.
* '''MailStore Proxy''' Starting with version 9.6, MailStore Proxy requires .NET Framework 4.5.1. Hence the [[MailStore_Proxy#System_Requirements|system requirements of MailStore proxy]] have also changed in regards to the operating system.

== Upgrading to Version 9.3 ==
* '''Supported SSL certificates''' Using SSL certificates which utilize MD5-hash based signature algorithms (e.g. ''md5rsa'') is technically no longer possible since version 9.3. For years (approx. 2010) MD5-hash based signature algorithms have no longer been used for signing certificates. However, should the error message ''Authentication failed because the remote party has closed the transport stream.'' occur after installing the upgrade, please follow the instructions in the corresponding [https://cs.mailstore.com/index.php?/Knowledgebase/Article/View/120/5/erro-message-authentication-failed-because-the-remote-party-has-closed-the-transport-stream Knowledgebase article].

== Upgrading to Version 9.x ==
* '''System Requirements''' Please ensure that your system configuration matches the updated system requirements. MailStore Server, MailStore Client and MailStore Outlook Add-in now require .NET Framework 4.5.1 and Internet Explorer 8 or higher. Thus Windows Vista SP2 or newer is required.
* '''Server-side Execution of E-mail-Server Profiles and Internal Backup''' Archiving from and exporting to email servers as well as the internal backup function is now carried out by the MailStore Server service itself. Thus it is necessary that the MailStore Server computer has the required permissions to access email servers and network shares where applicable (see [[Using Network Attached Storage (NAS)]]). In either case, verify carefully that all automated tasks are still working properly after updating.
* '''Scheduling of Profiles''' For executing archiving and export profiles of type ''E-mail Servers'', an internal scheduler is now used. This scheduler is used for all newly created profiles as soon as automatic execution is enabled in the profile settings. Existing profiles of type ''E-mail Servers'' are set to manual execution after upgrading to MailStore Server 9. Their execution remains triggered based in the corresponding by task in the Windows Task Scheduler. To completely turn these profiles into independent server-side profiles, remove the corresponding task from the Windows Task Scheduler first and then enable automatic execution in the profile setting in MailStore Server. Further information can be found in [[Email_Archiving_with_MailStore_Basics#Working_with_Archiving_Profiles|Working with Archiving Profiles]] and [[Email_Archiving_with_MailStore_Basics#Automating_the_Archiving_Process|Automating the Archiving Process]]
* '''Group Policies''' New ADM and ADMX templates are used for the configuration of MailStore Client and MailStore Outlook Add-in. Group Policies created with the new templates are not compatible with older versions of MailStore Client and MailStore Outlook Add-In, nor does MailStore Client 9 and MailStore Outlook Add-in 9 support Group Policies that have been created based on previous versions of the ADM and ADMX templates. Please replace any existing Group Policies when upgrading to MailStore Server 9. Further information can be found in [[MailStore Client Deployment]] and [[MailStore Outlook Add-in Deployment]].
* '''Automatic Creation of New Archive Stores''' A new default threshold of 5 million emails has been introduced for the automatic creation of new archive stores in MailStore Server 9. For existing installations it is recommended to adjust this value after upgrading to MailStore Server 9 as described in [[Storage Locations]].
* '''PDF Support of Full Text Search''' PDF support has been removed from MailStore Server's own indexer. Therefore it is required to either install a recent version of Adobe Reader or an appropriate IFilter driver (i.e. [http://www.adobe.com/support/downloads/detail.jsp?ftpID=5542 Adobe PDF iFilter] on the MailStore Server computer.
* '''MailStore Server Administration API''' The API has been completely rewritten. As it does not provide and kind of backward compatibility with previous versions, it is required to carefully verify and, if necessary, to modify scripts that make use of the Administration API.
* '''AVM KEN! Support Removed''' After the vendor's support for AVM KEN! has already stopped in September 2010, the support by MailStore ends with MailStore Server 9. Existing AVM KEN! profiles are automatically removed from MailStore - archived emails remain in the archive.

=== Known Issues ===
* '''Missing Email Headers when Printing from MailStore Web Access''' '''''(resolved in version 9.6)''''' Due to the technical implementation of the HTML view, emails printed from within MailStore Web Access do not contain information about sender, recipient and subject. Until a fix is available, the workaround is to open the emails in an email client such as Microsoft Outlook or Mozilla Thunderbird for printing.

== Upgrading to Version 8.x ==

* '''System Requirements''' Please ensure that your system configuration matches the updated system requirements. MailStore Client and MailStore Outlook Add-in now require .NET Framework 3.5 SP1 and Internet Explorer 8 or higher.

== Upgrading to Version 7.0 ==

* '''Management Shell / Batch Scripts''' The server-side part of the Management Shell command set, which included commands such as <code>user-add</code> or <code>filegroup-create</code>, has completely been replaced by the more powerful [[Administration_API_-_Using_the_API|MailStore Server Administration API]]. If you have written custom scripts (e.g. batch scripts) for user management or store management, please update them so that it uses the new command set. [[MailStore_Server_Management_Shell|More information about the MailStore Server Management Shell]]

== Upgrading to Version 6.0 ==

* '''Upgrading File Groups''' The file group format has changed to ensure high performance and stability in the future. To upgrade existing file groups to the new format, proceed as follows:
** Log in as MailStore administrator (admin).
** Click on ''Administrative Tools'' > ''Storage'' and then ''Storage Locations''.
** Either click on the yellow info box to upgrade all file groups at once or right-click on a file group and select ''Perform Upgrade'' to upgrade a single file group.
**: [[File:Fg_upgrade6.png]]
** Carefully read the notices and click on ''OK'' to start the upgrade process or click on ''Cancel''.
** While the upgrade process is running, you will see a window showing information about the upgrade progress. You can click on ''Cancel'' at any time to interrupt the upgrade process in order to continue it later.
* '''Automatic Creation of New File Groups''' If you are using a scheduled task to create new file groups regularly, we recommend to remove that scheduled task and proceed as described in chapter [[Storage_Locations#Creating_File_Groups_Automatically|Creating File Groups Automatically]] of the MailStore Server manual. Please notice the recommended limit of 500.000 messages per file group; that is the default value for all new installations of MailStore Server 6.
* '''Active Directory Integration''' After upgrading to MailStore Server 6 it is required to reconfigure the Active Directory integration with the new Directory Service interface. Please follow the instructions in chapter [[Active Directory Integration]] of the MailStore Server manual. '''Important notice:''' From MailStore Server 6 on, accessing the Active Directory is done under the security scope of the MailStore Server service (instead of MailStore Client). Therefor, please pay attention to ''Authentication'' under ''Specifying Connection Settings''.
* '''Generic LDAP Integration''' After upgrading to MailStore Server 6 it is required to reconfigure the generic LDAP integration with the new Directory Service interface. Please follow the steps in chapter [[Generic LDAP Integration]] of the MailStore Server manual.
* '''Firewall Settings''' If you have set up firewall rules manually to allow access to MailStore Server, MailStore Web Access, MailStore Outlook Add-in or the MailStore integrated IMAP server, we recommend to remove the firewall rules before installing MailStore Server 6. If desired, MailStore Server 6 can set up and update firewall rules on its own, after changes have been made in the [[MailStore Server Service Configuration]] (formerly known as MailStore Server Base Configuration).
* '''No More Separate Downloads''' There is only one MailStore Server setup file, that includes all appropriate setup files for MailStore Client, MailStore Outlook Add-in and MailStore Proxy. MailStore Server setup creates a link on your desktop that opens an Explorer window with the setup files. If the desktop link does not exist you can find the setup files in the ''Setup-<version>'' sub-folder of your MailStore Server installation directory.

== Upgrading to Version 5.0 ==

* '''MailStore Outlook Add-In''' MailStore Outlook Add-in requires access to MailStore Web Access. Should the situation arise that your firewall block the MailStore Web Access ports (default: 8461 for HTTP and 8462 for HTTPS), please reconfigure you firewall accordingly.

== Upgrading to Version 4.5 ==

* '''Database Backups''' Database backup tasks or profiles which were created with an earlier version of MailStore Server need to be re-created with this version. Use the new backup functionality in Administrative Tools which provides you with several new features.
* '''Search Indexes''' If you have created search indexes with a MailStore Server version equal or earlier than 3.0.2, you will be prompted to rebuild them after your first administrator logon to MailStore Server. Depending on the number of users and file groups, this process might take several minutes or hours. You can continue to use MailStore Server during this process, however the search functionality might be limited until the process is finished.

[[de:Hinweise_zum_Update_von_MailStore_Server]]
[[en:Update Notices for MailStore Server]]

EWS Migration

2026-01-12T14:09:30Z

Ltalaschus:

== Microsoft Is Discontinuing Its Exchange Web Services (EWS) for Microsoft 365 ==
Microsoft [https://techcommunity.microsoft.com/blog/exchange/retirement-of-exchange-web-services-in-exchange-online/3924440 has announced] that it will no longer support Exchange Web Services (EWS) for Exchange Online as of October 1, 2026. This decision affects all companies that use EWS in combination with Exchange Online (Microsoft 365).

EWS is a technology that was developed specifically for accessing Exchange data. The API enables access to data from Microsoft Exchange Server and Exchange Online, including emails and mailboxes. EWS has been a central interface for third-party solutions such as archiving systems.

What Will Happen in October?
Microsoft plans to disable EWS for Exchange Online starting October 1. This decision will force manufacturers to switch to the Microsoft Graph API.

Please note: If you use Exchange Online Kiosk, Microsoft Office 365, and Office 365 F1/F3, you should make the change by June. Further information can be found [https://techcommunity.microsoft.com/blog/exchange/update-to-ews-access-for-kiosk--frontline-worker-licensed-users/4474299 here].

== What Will Change for MailStore Server and the MailStore SPE? ==
The shutdown of EWS initiated by Microsoft will require adjustments to MailStore Server and the MailStore SPE, depending on your archiving strategy.
This is because archiving methods within MailStore Server and MailStore SPE that were accessing EWS will no longer be available from October 1 and will then run into errors.

The following profiles are expected to be affected in detail from October onwards:

* Importing Exchange Online archive mailboxes
* Importing Exchange Online public folders

New [[Archiving_Emails_from_Microsoft_365_-_Modern_Authentication|mailbox archiving profiles]] will use Graph API starting with version 26.1.
The [[Email_Archiving_with_MailStore_Basics|summary panel]] of the archiving or export profile tells which protocol is used. Microsoft 365 Journal archiving profiles do not typically use EWS and are therefore not affected.

[[de:EWS Migration]]
[[en:EWS Migration]]

HelpTopicIds

2026-01-12T13:40:07Z

Ltalaschus:

* accs_export - [[Exporting_Email]]
* accs_extsearch - [[Accessing_the_Archive_with_the_MailStore_Client_software#Advanced_Search]]
* accs_outlook - [[Accessing_the_Archive_with_the_Microsoft_Outlook_integration]]
* accs_outlookapp - [[Accessing_the_Archive_with_the_Microsoft_Outlook_App_integration]]
* accs_preview - [[Accessing_the_Archive_with_the_MailStore_Client_software#Email_Preview]]
* accs_web - [[Accessing_the_Archive_with_MailStore_Web_Access]]
* arch_delete - [[Email_Archiving_with_MailStore_Basics#Deleting_Emails_after_Archiving]]
* arch_filesystem - [[Archiving_Emails_from_External_Systems_(File_Import)]]
* arch_filepst - [[Archiving_Outlook_PST_Files_Directly]]
* arch_gateway - [[Archiving_MailStore_Gateway_Mailbox]]
* arch_nospamproxy - [[Archiving_Emails_from_NoSpamProxy]]
* gateway_introduction - [[Archiving_MailStore_Gateway_Mailbox]]
* arch_googleapps_batch - [[Archiving_Emails_from_Google_Workspace#Archiving_Multiple_Mailboxes_Centrally]]
* arch_googleapps - [[Archiving_Emails_from_Google_Workspace]]
* arch_googleapps_multidrop - [[Archiving_Emails_from_Google_Workspace#Archiving_Incoming_and_Outgoing_Emails_Directly]]
* arch_googlemail_installed_app - [[Archiving_Emails_from_Gmail]]
* arch_outlookcom_modern_auth - [[Archiving_Emails_from_Outlook.com]]
* arch_icewarp - [[Archiving_Emails_from_IceWarp_Server]]
* arch_icewarp_mailbox - [[Archiving_Emails_from_IceWarp_Server#Archiving_Individual_Mailboxes]]
* arch_icewarp_mailboxes - [[Archiving_Emails_from_IceWarp_Server#Archiving_Multiple_Mailboxes_in_One_Step]]
* arch_icewarp_multidrop - [[Archiving_Emails_from_IceWarp_Server#Archiving_All_Incoming_and_Outgoing_Emails_Directly]]
* arch_imapbatch - [[Batch-archiving_IMAP_Mailboxes]]
* arch_inout - [[MailStore_Proxy]]
* arch_introduction - [[Archiving_Email]]
* arch_kerio - [[Archiving_Emails_from_Kerio_Connect]]
* arch_kerio_mailbox - [[Archiving_Emails_from_Kerio_Connect#Archiving_Individual_Mailboxes]]
* arch_kerio_mailboxes - [[Archiving_Emails_from_Kerio_Connect#Archiving_Multiple_Mailboxes_in_One_Step]]
* arch_kerio_multidrop - [[Archiving_Emails_from_Kerio_Connect#Archiving_Incoming_and_Outgoing_Emails_Directly]]
* arch_mailboxes - [[Archiving_Server_Mailboxes]]
* arch_mailclients - [[Archiving_Email_from_Outlook,_Thunderbird_and_others]]
* arch_mdaemon - [[Archiving_Emails_from_MDaemon]]
* arch_mdaemon_mailbox - [[Archiving_Emails_from_MDaemon#Archiving_Individual_Mailboxes]]
* arch_mdaemon_mailboxes - [[Archiving_Emails_from_MDaemon#Archiving_Multiple_Mailboxes_in_One_Step]]
* arch_mdaemon_multidrop - [[Archiving_Emails_from_MDaemon#Archiving_Incoming_and_Outgoing_Emails_Directly]]
* arch_multidrop - [[Archiving_IMAP_and_POP3_Multidrop_Mailboxes]]
* arch_profiles - [[Archiving_Email]]
* arch_schedule - [[Email_Archiving_with_MailStore_Basics#Automating_the_Archiving_Process]]
* arch_results - [[Email_Archiving_with_MailStore_Basics]]
* arch_selfolders - [[Email_Archiving_with_MailStore_Basics#Archiving_Specific_Folders]]
* bkup_integrated - [[Backup_and_Restore]]
* comp_auditing - [[Auditing]]
* comp_auditlog - [[Audit_Log]]
* comp_auditlogexport - [[Audit_Log]]
* comp_auditor - [[Compliance_General]]
* comp_forcechangepassword - [[Notes_on_Password_Complexity]]
* comp_general - [[Compliance_General]]
* comp_manage_passwords - [[Accessing_the_Archive_with_the_MailStore_Client_software#Managing_Passwords]]
* comp_password_complexity - [[Notes_on_Password_Complexity]]
* comp_retention - [[Retention_Policies]]
* comp_message_date - [[Message_Date_of_an_Email]]
* expo_googleapps - [[Exporting_Email]]
* gsta_login - [[Accessing_the_Archive_with_the_MailStore_Client_software#Starting_and_Login]]
* job_jobs - [[Jobs]]
* job_scheduling - [[Jobs]]
* job_results - [[Job_Results]]
* mads_sync - [[Administration]]
* tech_config - [[MailStore_Server_Service_Configuration]]
* tech_index - [[Search_Indexes]]
* tech_mscmd - [[MailStore_Server_Management_Shell]]
* tech_proxy - [[MailStore_Proxy]]
* tech_safemode - [[MailStore_Server_Service_Configuration]]
* tech_smtpsettings - [[SMTP_Settings]]
* tech_archives - [[Archives]]
* tech_storageloc - [[Storage_Locations]]
* tech_productupdates - [[Product_Updates]]
* umgm_privileges - [[Users,_Folders_and_Settings#User_Management]]
* umgm_users - [[Users,_Folders_and_Settings#User_Management]]
* xchg_introduction - [[Archiving_Emails_from_Microsoft_Exchange]]
* xchg_jour_intro - [[Archiving_Emails_from_Microsoft_Exchange]]
* xchg_mailbox - [[Archiving_Emails_from_Microsoft_Exchange]]
* xchg_mailboxes - [[Archiving_Emails_from_Microsoft_Exchange]]
* xchg_archive_mailbox - [[Archiving_Emails_from_Microsoft_Exchange]]
* xchg_archive_mailboxes - [[Archiving_Emails_from_Microsoft_Exchange]]
* xchg_public - [[Archiving_Emails_from_Microsoft_Exchange]]
* impl_noownserver - [[Archiving_Emails_Without_Your_Own_Emailserver|(No own e-mail server)]]
* impl_exim - [[Archiving_Emails_from_an_Exim_Based_Email_Server|Exim]]
* impl_hmailserver - [[Archiving_Emails_from_hMailServer|hMailServer]]
* impl_intranator - [[Archiving_Emails_from_Intra2net_Systems|Intra2net Appliance Pro / Business Server]]
* impl_kerioconnect - [[Archiving_Emails_from_Kerio_Connect|Kerio Connect (Kerio MailServer)]]
* impl_kolab - [[Archiving_Emails_from_Kolab|Kolab]]
* impl_postfix - [[Archiving_Emails_from_a_Postfix_Based_Email_Server|Postfix]]
* impl_qmail - [[Archiving_Emails_from_a_Qmail_Based_Email_Server|Qmail]]
* impl_scalix - [[Archiving_Emails_from_Scalix|Scalix]]
* impl_sendmail - [[Archiving_Emails_from_a_Sendmail_Based_Email_Server|Sendmail]]
* impl_smartermail - [[Archiving_Emails_from_SmarterMail|SmarterMail]]
* impl_tobitdavid - [[Archiving_Emails_from_Tobit_David.fx|Tobit David.fx]]
* impl_zimbra - [[Archiving_Emails_from_Zimbra|Zimbra Collaboration Suite]]
* implexch_2003 - [[Archiving_Emails_from_Microsoft_Exchange_2003|Exchange 2003]]
* implexch_2007 - [[Archiving_Emails_from_Microsoft_Exchange_2007|Exchange 2007]]
* implexch_2010 - [[Archiving_Emails_from_Microsoft_Exchange_2010|Exchange 2010]]
* implexch_2013 - [[Archiving_Emails_from_Microsoft_Exchange_2013|Exchange 2013]]
* implexch_2016 - [[Archiving_Emails_from_Microsoft_Exchange_2016|Exchange 2016]]
* implexch_2019 - [[Archiving_Emails_from_Microsoft_Exchange_2019|Exchange 2019]]
* implexch_se - [[Archiving_Emails_from_Microsoft_Exchange_SE|Exchange SE]]
* implexch_o365 - [[Archiving_Emails_from_Microsoft_Office_365|Office 365]]
* welc_licensing - [[License_Management]]
* arch_microsoft365 - [[Archiving_Emails_from_Microsoft_365_(Modern_Authentication)]]
* arch_microsoft365_single - [[Archiving_Emails_from_Microsoft_365_(Modern_Authentication)#Archiving_Individual_Microsoft.C2.A0365_Mailboxes]]
* arch_microsoft365_multiple - [[Archiving_Emails_from_Microsoft_365_(Modern_Authentication)#Archiving_Multiple_Microsoft.C2.A0365_Mailboxes_Centrally]]
* arch_microsoft365_single_archive_mailbox - [[Archiving_Emails_from_Microsoft_365_(Modern_Authentication)#Archiving_Individual_Microsoft.C2.A0365_Archive_Mailboxes]]
* arch_microsoft365_multiple_archive_mailboxes - [[Archiving_Emails_from_Microsoft_365_(Modern_Authentication)#Archiving_Multiple_Microsoft.C2.A0365_Archive_Mailboxes_Centrally]]
* arch_microsoft365_public - [[Archiving_Emails_from_Microsoft_365_(Modern_Authentication)#Public_Folders]]
* expo_microsoft365 - [[Exporting_Email]]
* arch_m365_ews_migration - [[EWS_Migration]]
* cred_microsoft365 - [[Synchronizing_User_Accounts_with_Microsoft_365_(Modern_Authentication)#Creating_Credentials_in_MailStore_Server]]
* expo_mailstorecloudbulk - [[MailStore_Cloud_Help#Migration_from_MailStore_Server_to_MailStore_Cloud]]

[[de:HelpTopicIds]]
[[en:helpTopicIds]]

EWS Migration

2026-01-12T13:31:46Z

Ltalaschus:

== Microsoft Is Discontinuing Its Exchange Web Services (EWS) for Microsoft 365 ==
Microsoft [https://techcommunity.microsoft.com/blog/exchange/retirement-of-exchange-web-services-in-exchange-online/3924440 has announced] that it will no longer support Exchange Web Services (EWS) for Exchange Online as of October 1, 2026. This decision affects all companies that use EWS in combination with Exchange Online (Microsoft 365).

EWS is a technology that was developed specifically for accessing Exchange data. The API enables access to data from Microsoft Exchange Server and Exchange Online, including emails and mailboxes. EWS has been a central interface for third-party solutions such as archiving systems.

What Will Happen in October?
Microsoft plans to disable EWS for Exchange Online starting October 1. This decision will force manufacturers to switch to the Microsoft Graph API.

Please note: If you use Exchange Online Kiosk, Microsoft Office 365, and Office 365 F1/F3, you should make the change by June. Further information can be found [https://techcommunity.microsoft.com/blog/exchange/update-to-ews-access-for-kiosk--frontline-worker-licensed-users/4474299 here].

== What Will Change for MailStore Server and the MailStore SPE? ==
The shutdown of EWS initiated by Microsoft will require adjustments to MailStore Server and the MailStore SPE, depending on your archiving strategy.
This is because archiving methods within MailStore Server and MailStore SPE that were accessing EWS will no longer be available from October 1 and will then run into errors.

The following profiles are expected to be affected in detail from October onwards:

* Importing Exchange Online mailboxes
* Importing Exchange Online archive mailboxes
* Importing Exchange Online public folders
* Exporting emails to Microsoft 365 (bulk export)

New [[Archiving_Emails_from_Microsoft_365_-_Modern_Authentication|mailbox archiving profiles]] will use Graph API starting with version 26.1.
The [[Email_Archiving_with_MailStore_Basics|summary panel]] of the archiving or export profile tells which protocol is used.

[[de:EWS Migration]]
[[en:EWS Migration]]