Synchronizing User Accounts with Office 365
In addition to adding users manually as described in chapter User Management, MailStore Server can synchronize its internal user database with the Office 365 tenant of your company.
During synchronization user information such as user names and email addresses are read from the Office 365 tenant and recorded in MailStore Server's user database. No changes are made to the Office 365 tenant itself by MailStore Server. The scope of the synchronization can be limited through filters.
Preparing the Office 365 tenant
In order to synchronize user account information from Office 365, MailStore Server requires a service principal which has been granted permission to access the Office 365 tenant. The service principal represents MailStore Server in the Office 365 tenant and makes it possible to authenticate to the tenant's services and use their resources.
Installing the Azure Active Directory Module
Office 365 relies on Azure Active Directory as directory service. Each Office 365 tenant corresponds to an Azure AD tenant where its user information of is being stored. In order to create a service principal, the necessary PowerShell cmdlets have to be installed first as described in this article:
Creating a service principal
Once the PowerShell module has been installed, a service principal can be created in the Azure AD by following these steps:
- Open a PowerShell Session and enter the following command to connect to the Office 365 Azure AD tenant:
- A login dialog opens. Enter admin credentials of your Office 365 plan.
- Optional: To get a list of all service principals that currently exist in the AD tenant, enter
- Create a new service principal by entering
New-MsolServicePrincipal -DisplayName 'MailStoreSP' -ServicePrincipalNames 'MailStoreSP/<tenant domain>' -Type Password -Value '<Password>'
service principal objectis returned. Its ObjectId is needed for role assignment in the next step. The service principal's password is valid for one year from its creation date by default. Additional information can be found on MSDN.
- Note: In rare cases creating the service principal fails. Replace the slash with a hyphen in the ServicePrincipalNames argument in that case.
- For the service principal to be able to read information from the Azure AD tenant, assign the Directory Readers role by entering
Add-MsolRoleMember -RoleName "Directory Readers" -RoleMemberType ServicePrincipal -RoleMemberObjectId "<Service Principal's ObjectId>"
Accessing Directoy Service Integration
- Log on to MailStore Client as a MailStore Server administrator.
- Click on Administrative Tools > Users and Archives > Directory Services.
- The directory service type depends on the Azure Cloud of your Office 365 Azure AD tenant:
- Globale Azure Cloud
- If your Office 365 Azure AD tenant resides in the global Azure Cloud, chose the directory service type Office 365.
- Azure Germany Cloud
- If your Office 365 Azure AD tenant resides in the Azure Germany Cloud, chose the directory service type Office 365 Germany.
- Azure China Cloud
- If your Office 365 Azure AD tenant resides in the Azure China Cloud, chose the directory service type Office 365 operated by 21 Vianet.
Connecting to Office 365
For synchronization MailStore Server requires information on how to connect to Office 365.
- Service Principal
The service principal name of the service principal (e.g. MailStoreSP/<tenant domain>).
The password of the service principal.
- Domain Name
An email domain in the Office 365 tenant.
User Database Synchronization
After configuring the connection settings as described above, you can specify filter criteria for the Office 365 synchronization in this section.
- Synchronize licensed Microsoft Exchange Online users only
Only Office 365 user accounts with a Microsoft Exchange Online license assigned to them will be taken into account by the synchronization.
- Synchronize enabled users only
Only Office 365 user accounts that do not have their login to Office 365 blocked will be taken into account by the synchronization.
- Sync only these groups
Choose one or several Office 365 groups if you only want their members to be created as MailStore Server users. That way it's possible to exclude certain users from being synchronized to MailStore Server.
- User Name Format
Choose which naming scheme MailStore user names should follow:
- User Principal Name (UPN)
The full Office 365 login name e.g. [email protected]
- User Principal Name (UPN) Local Part
The Office 365 login name without domain, e.g. jane.doe
- User Principal Name (UPN)
- Automatically delete users in MailStore Server
Here you can choose whether users that have been deleted in the Office 365 tenant will also be deleted in the MailStore Server user database by the synchronization. Users will also be deleted if they fall out of scope of the configured settings.
Only MailStore Server users that have their authentication method set to Directory Services will be deleted.
If the archive folder of such a user already contains archived emails, only the user entry but not its archive folder will be deleted in MailStore Server.
Assigning Default Privileges
By default, users that have been synchronized to MailStore Server from Office 365 have the privilege to log on to MailStore Server as well as read access to their own user archive.
You can configure those default privileges before synchronization, for example, to assign the privilege Archive E-mail to all new users. To do this, click on Default Privileges...
More information on managing user privileges and their effects is available in the chapter Users, Folders and Settings which also has details on editing existing privileges.
Running Directory Services Synchronization
Click on Test Settings to check synchronization configuration and the results returned by the Office 365 tenant without any changes to the MailStore Server user database being actually committed.
To finally run the synchronization, click on Synchronize now. The results are shown with any changes committed to the MailStore Server user database.