Difference between revisions of "Microsoft 365 Export"

(Created page with "To be able to export emails to a Microsoft 365 mailbox, MailStore Server requires specific permissions on the target mailbox for an export. The more common help for exporting...")
 
 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
To be able to export emails to a Microsoft 365 mailbox, MailStore Server requires specific permissions on the target mailbox for an export. The more common help for exporting can be found in the article [[Exporting Email]].
+
__NOTOC__
 
+
To be able to export emails to a Microsoft 365 mailbox, MailStore Server requires specific permissions on the target mailbox for an export. This article describes how to set up these permissions. General information about setting up the export process can be found in the article [[Exporting Email]].
'''Please note:''' Backup strategies (a backup of the entire archive) are discussed separately in the article [[Backup and Restore]].
+
== Steps for setting up needed permissions ==
 
+
=== Prerequisites in Azure Portal===
== Steps for setting up permissions ==
+
A registered App is needed with proper settings to be allowed to use IMAP
The PowerShell module ''ExchangeOnlineManagement'' is required to set the permission. The presence of the module can be checked with the following command.
+
* Go to [https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps| App Registrations] or navigate from the Azure Portal home to the <b>App registrations</b> service
 +
* Select your Application. If you're already using directory service synchronization or archiving from Microsoft 365, you already have such an app registration. If not creating such an app registration is described in [[Synchronizing_User_Accounts_with_Microsoft_365_-_Modern_Authentication|Synchronizing User Accounts with Microsoft 365]].  
 +
* Navigate to <b>Manage/API permissions</b> and make sure you have enabled or activated the <b>IMAP.AccessAsApp</b> permission when configuring the API permissions in the Office 365 Exchange Online area.
 +
=== Prerequisites for Powershell===
 +
The PowerShell module ''ExchangeOnlineManagement'' is required to set the permission.  
 +
* The presence of the module can be checked with the following command.
 
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Get-Module ExchangeOnlineManagement -ListAvailable</source>
 
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Get-Module ExchangeOnlineManagement -ListAvailable</source>
 
* If the output is empty, the module can be installed with the following command:
 
* If the output is empty, the module can be installed with the following command:
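Review bot: In the first added bullet under "Prerequisites in Azure Portal", the external link is written as "RegisteredApps| App Registrations]". MediaWiki external links separate the URL from the label with a space, so the "|" ends up attached to the URL; drop the pipe. In the same hunk, "If not creating such an app registration is described in" needs a comma after "If not", the sentence "A registered App is needed with proper settings to be allowed to use IMAP" is missing its full stop, and the heading "Prerequisites for Powershell" should use the "PowerShell" spelling used in the body text.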
Line 12: Line 17:
 
* Then the module can be loaded:
 
* Then the module can be loaded:
 
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Import-module ExchangeOnlineManagement</source>
 
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Import-module ExchangeOnlineManagement</source>
 +
=== Add permission on target mailbox ===
 
* Connect with your client, use a user who has ''Role Management'' permissions:
 
* Connect with your client, use a user who has ''Role Management'' permissions:
 
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Connect-ExchangeOnline -Organization <tenantID></source>
 
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Connect-ExchangeOnline -Organization <tenantID></source>
 +
* Creating an app registration also resulted in the creation of an Enterprise App with its ''own ObjectID'' in your tenant. The next step requires the Enterprise App's ObjectID (not from the original app registration) and ApplicationID. Both can be found in the Entra ID Portal at [https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview this page].
 +
* If you haven't before create a service principal for this Enterprise App:
 +
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">New-ServicePrincipal -AppId <appID> -ObjectId <enterpriseAppObjectID> -DisplayName "MailStore Service Principal"</source>
 +
* The service principal must now be granted full access on the target mailbox. This email address must later be specified as the export mailbox in the MailStore Export profile:
 +
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Add-MailboxPermission -Identity "[email protected]" -User <enterpriseAppObjectID> -AccessRights FullAccess</source>
  
* Creating the app registration also resulted in the creation of an Enterprise App with its ''own ObjectID'' in your tenant. The next step requires the Enterprise App's ObjectID (not from the original app registration) and ApplicationID. Both can be found in the Entra ID Portal at [https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview this page].
+
== Troubleshooting ==
* Now create a service principal for this Enterprise App:
+
* If you receive a <b>Command Error. 12 (BAD).</b> when executing or testing the export profile the permission is either missing or may not yet have been distributed withing the Exchange Online Infrastructure. You can check the permission with
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">New-ServicePrincipal -AppId <appID> -ObjectId <enterpriseAppObjectID> -DisplayName "MailStore Service Principal"</source>
+
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Get-MailboxPermission -Identity "[email protected]" -User <enterpriseAppObjectID></source>
* The service principal must now be granted permission to send emails on behalf of a user. This user's email address must later be specified as the sender in the MailStore SMTP settings:
 
*;<p class=msnote>'''Important Note:''' All emails restored using this mailbox will also be saved as a copy in the mailbox's ''Sent Items'' folder. Therefore, we recommend using a dedicated shared mailbox that only authorized employees have access to.</p>
 
  
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Add-MailboxPermission -Identity "[email protected]" -User <enterpriseAppObjectID> -AccessRights FullAccess</source>
+
[[de:Microsoft 365 Export]]
* Additionally, make sure that SMTP is allowed for this user:
+
[[en:Microsoft 365 Export]]
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Set-CASMailbox -Identity "[email protected]" -SmtpClientAuthenticationDisabled $false</source>
 
* Click the &hellip; in the ''Credentials'' section and select your ''Credentials''.
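Review bot: The added bullet "If you haven't before create a service principal for this Enterprise App:" gives the reader no way to tell whether a service principal already exists; name a check or state what happens when New-ServicePrincipal is run a second time, and reword the bullet to "If you have not done so before, create a service principal ...". In the new Troubleshooting bullet, "withing" should be "within", and the sentence should end with a colon before the Get-MailboxPermission command. Because the step now grants FullAccess on the target mailbox, make sure the recommendation from the "Important Note" in this hunk, to use a dedicated shared mailbox that only authorized employees can access, stays next to the FullAccess step.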
 

Latest revision as of 16:48, 23 March 2026

To be able to export emails to a Microsoft 365 mailbox, MailStore Server requires specific permissions on the target mailbox for an export. This article describes how to set up these permissions. General information about setting up the export process can be found in the article Exporting Email.

Steps for setting up needed permissions

Prerequisites in Azure Portal

A registered app with the proper settings is required in order to use IMAP.

  • Go to App Registrations or navigate from the Azure Portal home to the App registrations service.
  • Select your application. If you're already using directory service synchronization or archiving from Microsoft 365, you already have such an app registration. If not, creating such an app registration is described in Synchronizing User Accounts with Microsoft 365.
  • Navigate to Manage/API permissions and make sure you have enabled or activated the IMAP.AccessAsApp permission when configuring the API permissions in the Office 365 Exchange Online area.

Prerequisites for PowerShell

The PowerShell module ExchangeOnlineManagement is required to set the permission.

  • The presence of the module can be checked with the following command:
    Get-Module ExchangeOnlineManagement -ListAvailable
    
  • If the output is empty, the module can be installed with the following command:
    Install-Module -Name ExchangeOnlineManagement
    
  • If the output is not empty but the version is older than 3.8.0, the module can be updated with the following command:
    Update-Module -Name ExchangeOnlineManagement
    
  • Then the module can be loaded:
    Import-Module ExchangeOnlineManagement
    

Add permission on target mailbox

  • Connect with your client, using a user who has Role Management permissions:
    Connect-ExchangeOnline -Organization <tenantID>
    
  • Creating an app registration also resulted in the creation of an Enterprise App with its own ObjectID in your tenant. The next step requires the Enterprise App's ObjectID (not from the original app registration) and ApplicationID. Both can be found in the Entra ID Portal at this page.
  • If you have not done so before, create a service principal for this Enterprise App:
    New-ServicePrincipal -AppId <appID> -ObjectId <enterpriseAppObjectID> -DisplayName "MailStore Service Principal"
    
  • The service principal must now be granted full access on the target mailbox. The email address of this mailbox must later be specified as the export mailbox in the MailStore Export profile:
    Add-MailboxPermission -Identity "[email protected]" -User <enterpriseAppObjectID> -AccessRights FullAccess
    

Troubleshooting

  • If you receive a Command Error. 12 (BAD). when executing or testing the export profile, the permission is either missing or may not yet have been distributed within the Exchange Online infrastructure. You can check the permission with:
    Get-MailboxPermission -Identity "[email protected]" -User <enterpriseAppObjectID>
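
The steps above combined into one re-runnable script, as an added example that is not MailStore's own code. It goes slightly beyond the page by also listing every mailbox on which the service principal holds FullAccess, so the grant can be confirmed to cover the export mailbox only. The variable names, the helper Test-FullAccess and the example.com address are placeholders introduced here; Get-ServicePrincipal and Get-Mailbox are cmdlets of the same Exchange Online session that the page itself does not use.

```powershell
# Added example. All values below are placeholders; replace them before running.
$TenantId = '<tenantID>'
$AppId    = '<appID>'
$ObjectId = '<enterpriseAppObjectID>'      # ObjectID of the Enterprise App
$Mailbox  = 'export-target@example.com'    # constructed address

# Prerequisite: ExchangeOnlineManagement 3.8.0 or newer.
$module = Get-Module ExchangeOnlineManagement -ListAvailable |
    Sort-Object Version -Descending | Select-Object -First 1
if (-not $module) {
    Install-Module -Name ExchangeOnlineManagement
} elseif ($module.Version -lt [version]'3.8.0') {
    Update-Module -Name ExchangeOnlineManagement
}
Import-Module ExchangeOnlineManagement

# Sign in with an account that has Role Management permissions.
Connect-ExchangeOnline -Organization $TenantId

# Create the service principal only if Exchange Online does not know the app yet.
$sp = Get-ServicePrincipal | Where-Object { $_.AppId -eq $AppId }
if (-not $sp) {
    New-ServicePrincipal -AppId $AppId -ObjectId $ObjectId `
        -DisplayName 'MailStore Service Principal'
}

# Hypothetical helper: $true if the service principal has an allow entry
# with FullAccess on the given mailbox.
function Test-FullAccess($Identity) {
    $entries = Get-MailboxPermission -Identity $Identity -User $ObjectId `
        -ErrorAction SilentlyContinue
    [bool]($entries | Where-Object {
        ($_.AccessRights -match 'FullAccess') -and ("$($_.Deny)" -ne 'True')
    })
}

# Grant FullAccess on the export mailbox unless the entry already exists.
if (-not (Test-FullAccess $Mailbox)) {
    Add-MailboxPermission -Identity $Mailbox -User $ObjectId -AccessRights FullAccess
}

# Verify the grant and list every mailbox the service principal can open.
$granted = Get-Mailbox -ResultSize Unlimited |
    Where-Object { Test-FullAccess $_.PrimarySmtpAddress } |
    Select-Object -ExpandProperty PrimarySmtpAddress
"FullAccess on export mailbox: $(Test-FullAccess $Mailbox)"
"Mailboxes this service principal can open: $($granted -join ', ')"
```

The final listing queries each mailbox in turn and can take a long time in large tenants. Any address in it other than the export mailbox is a grant to review.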