Difference between revisions of "Microsoft 365 Export"

[unchecked revision][unchecked revision]
(Created page with "To be able to export emails to a Microsoft 365 mailbox, MailStore Server requires specific permissions on the target mailbox for an export. The more common help for exporting...")
 
Line 1: Line 1:
 
To be able to export emails to a Microsoft 365 mailbox, MailStore Server requires specific permissions on the target mailbox for an export. The more common help for exporting can be found in the article [[Exporting Email]].
 
To be able to export emails to a Microsoft 365 mailbox, MailStore Server requires specific permissions on the target mailbox for an export. The more common help for exporting can be found in the article [[Exporting Email]].
 
+
== Steps for setting up needed permissions ==
'''Please note:''' Backup strategies (a backup of the entire archive) are discussed separately in the article [[Backup and Restore]].
+
=== Prerequisites in Azure Portal===
 
+
A registered App is needed with proper settings to be allowed to use IMAP
== Steps for setting up permissions ==
+
* Go to [https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps| App Registrations] or navigate from the Azure Portal home to the <b>App registrations</b> service
 +
* Select your or create a Application. Creating the app registration is described in [[Synchronizing_User_Accounts_with_Microsoft_365_-_Modern_Authentication|this article]]. If you're already using directory service synchronization or archiving from Microsoft 365, you already have such an app registration.
 +
* Navigate to <b>Manage/API permissions</b> and make sure you have enabled or activated the <b>IMAP.AccessAsApp</b> permission when configuring the API permissions in the Office 365 Exchange Online area.
 +
=== Prerequisites for Powershell===
 
The PowerShell module ''ExchangeOnlineManagement'' is required to set the permission. The presence of the module can be checked with the following command.
 
The PowerShell module ''ExchangeOnlineManagement'' is required to set the permission. The presence of the module can be checked with the following command.
 
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Get-Module ExchangeOnlineManagement -ListAvailable</source>
 
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Get-Module ExchangeOnlineManagement -ListAvailable</source>
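Review bot: The external link in the first bullet under "Prerequisites in Azure Portal" has a `|` directly after the URL (`...RegisteredApps| App Registrations]`). MediaWiki external links separate target and label with a space, so the pipe becomes part of the link target and should be dropped. In the same added block, "Select your or create a Application" needs rewording (for example "Select your existing application or create a new one"), and the headings should read "PowerShell" with a space before the closing `===`.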
Line 12: Line 15:
 
* Then the module can be loaded:
 
* Then the module can be loaded:
 
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Import-module ExchangeOnlineManagement</source>
 
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Import-module ExchangeOnlineManagement</source>
 +
=== Connect to your tenant and add permission on target mailbox ===
 
* Connect with your client, use a user who has ''Role Management'' permissions:
 
* Connect with your client, use a user who has ''Role Management'' permissions:
 
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Connect-ExchangeOnline -Organization <tenantID></source>
 
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Connect-ExchangeOnline -Organization <tenantID></source>
 
+
* Creating an app registration also resulted in the creation of an Enterprise App with its ''own ObjectID'' in your tenant. The next step requires the Enterprise App's ObjectID (not from the original app registration) and ApplicationID. Both can be found in the Entra ID Portal at [https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview this page].
* Creating the app registration also resulted in the creation of an Enterprise App with its ''own ObjectID'' in your tenant. The next step requires the Enterprise App's ObjectID (not from the original app registration) and ApplicationID. Both can be found in the Entra ID Portal at [https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview this page].
+
* If you haven't before create a service principal for this Enterprise App:
* Now create a service principal for this Enterprise App:
 
 
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">New-ServicePrincipal -AppId <appID> -ObjectId <enterpriseAppObjectID> -DisplayName "MailStore Service Principal"</source>
 
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">New-ServicePrincipal -AppId <appID> -ObjectId <enterpriseAppObjectID> -DisplayName "MailStore Service Principal"</source>
* The service principal must now be granted permission to send emails on behalf of a user. This user's email address must later be specified as the sender in the MailStore SMTP settings:
+
* The service principal must now be granted full access on the target mailbox. This email address must later be specified as the export mailbox in the MailStore Export profile:
*;<p class=msnote>'''Important Note:''' All emails restored using this mailbox will also be saved as a copy in the mailbox's ''Sent Items'' folder. Therefore, we recommend using a dedicated shared mailbox that only authorized employees have access to.</p>
+
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Add-MailboxPermission -Identity "emailAddressOf@sending.user" -User <enterpriseAppObjectID> -AccessRights FullAccess</source>
  
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Add-MailboxPermission -Identity "emailAddressOf@sending.user" -User <enterpriseAppObjectID> -AccessRights FullAccess</source>
+
== Troubleshooting ==
* Additionally, make sure that SMTP is allowed for this user:
+
* If you receive a <b>Command Error. 12 (BAD).</b> when executing or testing the export profile the permission is either missing or may not yet have been distributed withing the Exchange Online Infrastructure. You can check the permission with
*; <source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Set-CASMailbox -Identity "[email protected]" -SmtpClientAuthenticationDisabled $false</source>
+
<source lang="powershell" smart-tabs="true" toolbar="false" gutter="false">Get-MailboxPermission -Identity "[email protected]" -User <enterpriseAppObjectID></source>
* Click the &hellip; in the ''Credentials'' section and select your ''Credentials''.
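Review bot: The Add-MailboxPermission line keeps the placeholder "emailAddressOf@sending.user" although the rewritten bullet now calls this address the target mailbox for the export profile. The placeholder should be renamed to match, and the same placeholder should be used in the Get-MailboxPermission check under Troubleshooting so readers can see both commands refer to one mailbox. Since the bullet grants FullAccess to the service principal, it would also help to say that the grant is per mailbox and should be limited to the export target. In the Troubleshooting bullet, "withing" should be "within", and the command is not wrapped in a `*;` item like the other commands on the page.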
 

Revision as of 10:15, 23 March 2026

To export emails to a Microsoft 365 mailbox, MailStore Server requires specific permissions on the target mailbox. General help for exporting can be found in the article Exporting Email.

Steps for setting up needed permissions

Prerequisites in Azure Portal

A registered app with the proper settings is required to allow the use of IMAP.

  • Go to App Registrations or navigate from the Azure Portal home to the App registrations service.
  • Select your existing application or create a new one. Creating the app registration is described in this article. If you're already using directory service synchronization or archiving from Microsoft 365, you already have such an app registration.
  • Navigate to Manage/API permissions and make sure you have enabled or activated the IMAP.AccessAsApp permission when configuring the API permissions in the Office 365 Exchange Online area.

Prerequisites for PowerShell

The PowerShell module ExchangeOnlineManagement is required to set the permission. The presence of the module can be checked with the following command.

  • Get-Module ExchangeOnlineManagement -ListAvailable
    
  • If the output is empty, the module can be installed with the following command:
    Install-Module -Name ExchangeOnlineManagement
    
  • If the output is not empty but the version is older than 3.8.0, the module can be updated with the following command:
    Update-Module -Name ExchangeOnlineManagement
    
  • Then the module can be loaded:
    Import-Module ExchangeOnlineManagement
    

Connect to your tenant and add permission on target mailbox

  • Connect to your tenant, using a user who has Role Management permissions:
    Connect-ExchangeOnline -Organization <tenantID>
    
  • Creating an app registration also resulted in the creation of an Enterprise App with its own ObjectID in your tenant. The next step requires the Enterprise App's ObjectID (not from the original app registration) and ApplicationID. Both can be found in the Entra ID Portal at this page.
  • If you have not done so before, create a service principal for this Enterprise App:
    New-ServicePrincipal -AppId <appID> -ObjectId <enterpriseAppObjectID> -DisplayName "MailStore Service Principal"
    
  • The service principal must now be granted full access on the target mailbox. This email address must later be specified as the export mailbox in the MailStore Export profile:
    Add-MailboxPermission -Identity "emailAddressOf@sending.user" -User <enterpriseAppObjectID> -AccessRights FullAccess
    

Troubleshooting

  • If you receive a Command Error. 12 (BAD). when executing or testing the export profile, the permission is either missing or may not yet have been distributed within the Exchange Online infrastructure. You can check the permission with:
    Get-MailboxPermission -Identity "[email protected]" -User <enterpriseAppObjectID>
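
A verification script for the steps above, added here as an example (it is not part of the MailStore documentation): it checks the module version, the service principal and the FullAccess grant, and lists any other mailboxes on which the same service principal holds FullAccess. It assumes an existing Connect-ExchangeOnline session; <targetMailboxAddress> is a placeholder for the primary SMTP address of the export mailbox.

```powershell
# Added example, not MailStore's own code. Run inside an existing
# Connect-ExchangeOnline session. Both values below are placeholders.
$EnterpriseAppObjectId = '<enterpriseAppObjectID>'
$TargetMailbox         = '<targetMailboxAddress>'   # assumed: primary SMTP address
$MinimumModuleVersion  = [version]'3.8.0'           # version named on this page

# 1. Is the ExchangeOnlineManagement module installed and recent enough?
$module = Get-Module ExchangeOnlineManagement -ListAvailable |
    Sort-Object Version -Descending | Select-Object -First 1
if (-not $module) { throw 'ExchangeOnlineManagement is not installed.' }
if ($module.Version -lt $MinimumModuleVersion) {
    throw "ExchangeOnlineManagement $($module.Version) is older than $MinimumModuleVersion."
}

# 2. Does Exchange Online know the service principal of the Enterprise App?
$sp = Get-ServicePrincipal -Identity $EnterpriseAppObjectId -ErrorAction SilentlyContinue
if (-not $sp) { throw "No service principal found for $EnterpriseAppObjectId." }

# Helper: $true if the service principal holds an allow entry for FullAccess.
function Test-FullAccess([string]$Mailbox) {
    $entry = Get-MailboxPermission -Identity $Mailbox -User $EnterpriseAppObjectId `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.Deny }
    [bool]$entry
}

# 3. Is the grant on the export mailbox in place? If not, the export
#    profile test is expected to fail as described under Troubleshooting.
$targetGranted = Test-FullAccess $TargetMailbox

# 4. Least-privilege check: every other mailbox the service principal can open.
#    This walks all mailboxes and can take a while in large tenants.
$otherMailboxes = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.PrimarySmtpAddress -ne $TargetMailbox } |
    Where-Object { Test-FullAccess $_.PrimarySmtpAddress } |
    ForEach-Object { $_.PrimarySmtpAddress }

[pscustomobject]@{
    ModuleVersion       = $module.Version
    ServicePrincipal    = $sp.DisplayName
    TargetMailbox       = $TargetMailbox
    FullAccessOnTarget  = $targetGranted
    OtherFullAccessBoxes = @($otherMailboxes)
}
```

If FullAccessOnTarget is True but the export test still fails, the grant may not have been distributed yet; an entry in OtherFullAccessBoxes means the app can read a mailbox that is not the export target.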