Synchronizing User Accounts with Microsoft 365 - Modern Authentication

Revision as of 15:30, 15 June 2020 by Bmeyn

In addition to adding users manually as described in chapter User Management, MailStore Server can synchronize its internal user database with the Microsoft 365 tenant of your organization.

During synchronization, user information such as user names and email addresses is copied from the Microsoft 365 tenant into MailStore Server's user database. This allows users to log on to MailStore Server with their Microsoft 365 credentials and, for example, lets emails be assigned to the corresponding user archives automatically. MailStore Server makes no changes to the Microsoft 365 tenant itself. The scope of the synchronization can be limited through filters.


Prerequisites, Recommendations and Limitations

  • For the best user experience, the certificate used by MailStore Server should be trusted by all clients and the web browsers in use. Using a certificate signed by a trusted certificate authority, or a Let's Encrypt certificate, is highly recommended.
  • If users are supposed to log in to MailStore Server from outside the organization's network without a VPN, using MailStore Client, the MailStore Outlook Add-in or the Web Access, the URIs mentioned in this article must be resolvable via DNS on the Internet, and port forwarding to the MailStore Server computer must be set up on the firewall or router if necessary.
  • When using Microsoft 365 to authenticate users at login, accessing the archive via IMAP is not possible for technical reasons.

Connecting MailStore Server and Microsoft 365

In order to synchronize user information from Microsoft 365, MailStore Server must be connected to your Microsoft 365 tenant and granted the required permissions. Microsoft 365 relies on Azure Active Directory as its directory service: each Microsoft 365 tenant corresponds to an Azure AD tenant that stores its user information.

Registering MailStore Server as an App in Azure AD

Through registration, MailStore Server gets an identity in Azure AD that allows it to authenticate to the tenant's services and use their resources.

  • Sign in to the Azure Portal as a Global Administrator for your Microsoft 365 tenant.
  • In the navigation menu (☰), select the option Azure Active Directory.
  • On the next page, select App registrations in the Manage section of the left navigation menu.
  • Select New Registration. The Register an application page appears.
  • In the Name field, enter a meaningful display name, e.g. MailStore Server. This name will be shown to users on logon later on, for example.
  • Leave all other settings on this page at their defaults.
  • Click on Register. If the registration has been successful, you are shown the overview page of the newly registered app.

The Application (client) ID shown on this page identifies MailStore Server in your Azure AD tenant and has to be copied into MailStore Server next, together with the Directory (tenant) ID. Therefore, for the following steps, leave the overview page open in your web browser.

Creating Credentials in MailStore Server

Credentials for Microsoft 365 consist of the aforementioned IDs and a secret that MailStore Server uses to prove its identity to Azure AD. Microsoft recommends using certificates as secrets to identify apps in Azure AD. When creating credentials, such a certificate is generated automatically by MailStore Server; it can also be recreated later on.

  • Log on to MailStore Client as a MailStore Server administrator.
  • Click on Administrative Tools > Users and Archives > Directory Services.
  • In the Integration section, change the directory service type to Microsoft 365 (Modern Authentication).
  • In the Connection section, click on the button (…) next to the Credentials drop-down list.
  • In the Credential Manager that appears, click on Create…
  • In the Azure AD App Credentials dialog, enter the following information in the Settings section:
    • Name
      A meaningful display name for the credentials, e.g. the name of your Microsoft 365 tenant.
    • Application (client) ID
      The value of the corresponding field that you can copy from the Azure AD app overview page in your web browser.
    • Directory (tenant) ID
      The value of the corresponding field that you can copy from the Azure AD app overview page in your web browser.
  • In the Authentication section, click on the drop-down button next to the Certificate text box and select Download Certificate. Save the certificate on your hard drive.
  • Confirm your entries by clicking OK.
  • The newly created credentials are listed in the Credential Manager under the name you entered, with the type Microsoft 365. Here you can also edit or delete existing credentials if necessary.
  • Leave the Credential Manager by clicking Close.
  • The newly created credentials are selected in the corresponding drop-down list by default.

Publishing the Credentials in Azure AD

For Azure AD to validate the identity of MailStore Server, the created certificate needs to be published in Azure AD.

  • Switch to the Azure AD app overview page in your web browser.
  • Select Certificates & secrets in the Manage section of the left navigation menu.
  • Click on Upload certificate in the Certificates section. Select the certificate file that you have saved previously and upload it to Azure AD by clicking Add.
  • If uploading has been successful, the certificate's thumbprint as well as its start and expiry dates appear in the certificates list. You can compare the thumbprint and expiry date with those listed in the MailStore Credential Manager to check that you've uploaded the correct certificate.
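The thumbprint comparison in the last step can also be done offline against the certificate file you downloaded from the Credential Manager, which is useful when several certificates have been uploaded to the app over time. The following script is an added example, not part of the MailStore documentation or product: it computes the thumbprint the way Azure AD displays it (SHA-1 over the DER encoding of the certificate, upper-case hex), accepts both a PEM-armored and a raw DER file, and compares it with the value shown in the portal while tolerating colon separators and lower-case hex that other tools print. It also shows the same digest in the base64url form that the Microsoft identity platform expects in the `x5t` header of a certificate-based client assertion, which is why the published certificate must match the one MailStore Server signs with. The sample bytes at the top are constructed stand-ins, not a real certificate; `check_file` and the command-line usage at the bottom are this example's own names.

```python
import base64
import hashlib
import re
import sys

# Constructed sample: NOT a real certificate, just bytes standing in for the
# DER encoding that a downloaded .cer file would contain.
SAMPLE_DER = bytes(range(64)) * 4
_b64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
    + "\n-----END CERTIFICATE-----\n"
)


def der_from_file_bytes(data: bytes) -> bytes:
    """Return the DER bytes whether the file is PEM-armored or raw DER."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        match = re.search(
            rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S
        )
        if not match:
            raise ValueError("malformed PEM: missing END CERTIFICATE line")
        return base64.b64decode(b"".join(match.group(1).split()))
    return data


def thumbprint(data: bytes) -> str:
    """Azure AD's certificate thumbprint: SHA-1 of the DER encoding, upper-case hex."""
    return hashlib.sha1(der_from_file_bytes(data)).hexdigest().upper()


def x5t(data: bytes) -> str:
    """The same digest as it appears in the 'x5t' JWT header: base64url, no padding."""
    digest = hashlib.sha1(der_from_file_bytes(data)).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def normalize(value: str) -> str:
    """Strip separators (e.g. 'AB:CD:...') and case so displays from different tools compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def thumbprints_match(shown_in_portal: str, computed: str) -> bool:
    """True only if both are complete 40-hex-digit SHA-1 thumbprints and identical."""
    a, b = normalize(shown_in_portal), normalize(computed)
    return len(a) == 40 and a == b


def check_file(path: str, portal_thumbprint: str) -> bool:
    """Read a downloaded certificate file and compare it with the portal's thumbprint."""
    with open(path, "rb") as handle:
        return thumbprints_match(portal_thumbprint, thumbprint(handle.read()))


if __name__ == "__main__":
    # Usage (hypothetical file name): python check_cert.py MailStore.cer <thumbprint from Azure>
    if len(sys.argv) != 3:
        sys.exit("usage: check_cert.py <certificate file> <thumbprint shown in Azure AD>")
    ok = check_file(sys.argv[1], sys.argv[2])
    print("thumbprint matches" if ok else "thumbprint does NOT match")
    sys.exit(0 if ok else 1)
```

The length check in `thumbprints_match` is deliberate: a truncated copy-and-paste of the thumbprint would otherwise still fail, but silently, and a prefix match must never count as a match.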