Microsoft 365 Export

To export emails to a Microsoft 365 mailbox, MailStore Server requires specific permissions on the target mailbox. This article describes how to set up these permissions. General information about setting up the export process can be found in the article Exporting Email.

Steps for setting up needed permissions

Prerequisites in Azure Portal

A registered app with the proper settings is required in order to use IMAP.

  • Go to App Registrations or navigate from the Azure Portal home to the App registrations service.
  • Select your application. If you're already using directory service synchronization or archiving from Microsoft 365, you already have such an app registration. If not, creating such an app registration is described in Synchronizing User Accounts with Microsoft 365.
  • Navigate to Manage/API permissions and make sure you have enabled or activated the IMAP.AccessAsApp permission when configuring the API permissions in the Office 365 Exchange Online area.

Prerequisites for PowerShell

The PowerShell module ExchangeOnlineManagement is required to set the permission.

  • The presence of the module can be checked with the following command:
    Get-Module ExchangeOnlineManagement -ListAvailable
    
  • If the output is empty, the module can be installed with the following command:
    Install-Module -Name ExchangeOnlineManagement
    
  • If the output is not empty but the version is older than 3.8.0, the module can be updated with the following command:
    Update-Module -Name ExchangeOnlineManagement
    
  • Then the module can be loaded:
    Import-Module ExchangeOnlineManagement
    

Add permission on target mailbox

  • Connect with your client, using a user who has Role Management permissions:
    Connect-ExchangeOnline -Organization <tenantID>
    
  • Creating the app registration also created an Enterprise App with its own ObjectID in your tenant. The next step requires the Enterprise App's ObjectID (not the ObjectID of the original app registration) and the ApplicationID. Both can be found in the Entra ID Portal at this page.
  • If you haven't done so before, create a service principal for this Enterprise App:
    New-ServicePrincipal -AppId <appID> -ObjectId <enterpriseAppObjectID> -DisplayName "MailStore Service Principal"
    
  • The service principal must now be granted full access to the target mailbox. The email address of this mailbox must later be specified as the export mailbox in the MailStore Export profile:
    Add-MailboxPermission -Identity "<targetMailboxAddress>" -User <enterpriseAppObjectID> -AccessRights FullAccess
    

Troubleshooting

  • If you receive a Command Error. 12 (BAD). when executing or testing the export profile, the permission is either missing or may not yet have been distributed within the Exchange Online infrastructure. You can check the permission with:
    Get-MailboxPermission -Identity "<targetMailboxAddress>" -User <enterpriseAppObjectID>
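
The steps above and the troubleshooting check can be combined into one script that is safe to run repeatedly. This is an added example, not part of the original article or of MailStore; the parameter names are assumptions and must be filled with your own tenant, app and mailbox values.

```powershell
# Added example: the parameter names below are assumptions, not MailStore settings.
param(
    [Parameter(Mandatory)] [string] $TenantId,              # value passed to -Organization
    [Parameter(Mandatory)] [string] $AppId,                 # ApplicationID of the app registration
    [Parameter(Mandatory)] [string] $EnterpriseAppObjectId, # ObjectID of the Enterprise App
    [Parameter(Mandatory)] [string] $TargetMailbox          # address of the export mailbox
)
$ErrorActionPreference = 'Stop'

# The article requires ExchangeOnlineManagement 3.8.0 or newer.
$module = Get-Module ExchangeOnlineManagement -ListAvailable |
    Sort-Object Version -Descending | Select-Object -First 1
if (-not $module -or $module.Version -lt [version]'3.8.0') {
    throw 'ExchangeOnlineManagement 3.8.0 or newer is required (Install-Module / Update-Module).'
}
Import-Module ExchangeOnlineManagement

Connect-ExchangeOnline -Organization $TenantId
try {
    # Create the service principal only if Exchange Online does not know the app yet.
    $sp = Get-ServicePrincipal | Where-Object { $_.AppId -eq $AppId }
    if (-not $sp) {
        New-ServicePrincipal -AppId $AppId -ObjectId $EnterpriseAppObjectId `
            -DisplayName 'MailStore Service Principal' | Out-Null
    }

    # Grant FullAccess only if no matching allow entry exists on the mailbox.
    $existing = Get-MailboxPermission -Identity $TargetMailbox -User $EnterpriseAppObjectId |
        Where-Object { ($_.AccessRights -match 'FullAccess') -and -not $_.Deny }
    if (-not $existing) {
        Add-MailboxPermission -Identity $TargetMailbox -User $EnterpriseAppObjectId `
            -AccessRights FullAccess | Out-Null
    }

    # Read the entry back; this is the same check used in the troubleshooting step.
    Get-MailboxPermission -Identity $TargetMailbox -User $EnterpriseAppObjectId |
        Format-Table Identity, User, AccessRights, IsInherited, Deny
}
finally {
    # Always close the session, even if one of the steps failed.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

If the final table is empty, the grant did not take effect; if it lists FullAccess but the export profile still fails, the permission may not yet have been distributed, as described in the troubleshooting step.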