Microsoft 365 (i.e. Office 365)
MailArchiva provides advanced e-Discovery capabilities to Microsoft 365. Full email journaling, calendar, contact, and folder synchronization are available.
MailArchiva Cloud setup - Easy setup instructions for the MailArchiva Cloud
MailArchiva On-Premise setup - Microsoft 365 integration for MailArchiva On-Premise
MailArchiva Cloud setup
Visit https://office365.archiva.com (USA) or https://office365.mailarchiva.eu (EU) and sign up for the MailArchiva Cloud.
After sign-up, create a journal rule as described below.
A. Create a journal rule
Configure Microsoft 365 to forward journal traffic to the MailArchiva Cloud SMTP server.
From within the Exchange Admin Center:
- Visit Microsoft Purview
- In Settings → Data Lifecycle Management → Exchange (legacy), replace the 'Send undeliverable journal reports to' field with your monitored admin mailbox. This controls where Non-Delivery Reports (NDRs) go if journaling fails.
- Under Solutions → Data Lifecycle Management → Exchange (legacy) → Journal Rules, click New Rule.
- In the Send Journal Reports To field,
If registered on the USA (archiva.com) site: [value of journal recipient field in MailArchiva Web Console → System Status]@archive.archiva.com (for example: journal-000000T0R2KQuOyRvlZ18qxiAekc6RRHkQb4i0GjkJ3t4Ns150SfrknkuLMbGAr@archive.archiva.com)
If registered on the EU (mailarchiva.eu) site: [value of journal recipient field in MailArchiva Web Console→System Status]@archive.mailarchiva.eu (for example: journal-000000T0R2KQuOyRvlZ18qxiAekc6RRHkQb4i0GjkJ3t4Ns150SfrknkuLMbGAr@archive.mailarchiva.eu) - In the 'Journal rule name' field, enter 'archiva'
- In 'Journal messages sent or received from…' field, select 'Everyone'
- In 'Type of message to journal' select 'All messages'
- Click 'Save'.
B. Create a dedicated send connector
To ensure that your mail security solution doesn't inadvertently block journal emails sent to MailArchiva, it is recommended to create a dedicated send connector as per the instructions below.
- Visit the modern Exchange Admin Center (EAC) using a web browser.
- In Mail flow → Connectors, click '+' to add a connector.
- In 'Connection from', select Microsoft 365. In 'Connection to', select 'Partner organization'. Click 'Next'.
- In 'Name', enter MailArchiva. Ensure ‘Turn It On’ remains checked.
- Select 'Only when messages are sent to these domains'. Enter 'archive.archiva.com', then click '+'. Enter 'archive.mailarchiva.eu', then click '+'. Click 'Next'.
- Select 'Use the MX record associated with the partner's domain' and click 'Next'. This allows Microsoft to determine the delivery server using DNS.
- Select 'Always use Transport Layer Security (TLS) to secure the connection'.
- Select 'Issued by a trusted certificate authority (CA)'. Click 'Next'.
- For the validation email, enter an address such as 'archive@archive.archiva.com' (for the USA site) or 'archive@archive.mailarchiva.eu' (for the EU site), click '+', then click 'Validate'.
- Log in to the MailArchiva search interface. Verify that the test email has arrived. Click 'Next'.
- Click 'Create Connector'.
- Click 'Done'.
MailArchiva On-Premise setup
Configure Exchange Online to forward journal traffic to MailArchiva directly on port 25. Requires port 25 to be port-forwarded on your firewall.
A. Install a digital certificate
Microsoft 365 journaling requires a secure SMTP connection using TLS. If using Azure authentication, the MailArchiva console must also be secured with HTTPS. In both cases, install a TLS certificate whose Common Name (CN) matches the console’s access URL (e.g., https://mailarchiva.company.com). Refer to Secure Access for detailed instructions on how to install a digital certificate.
B. Port forward
Set up a firewall rule to forward incoming SMTP traffic on port 25 from a public IP to port 25 on the MailArchiva server inside your network.
C. Create DNS A record (optional)
Defining a DNS A record is optional. It allows Microsoft 365 to verify the MailArchiva server’s identity by matching the hostname to the TLS certificate during the handshake. Without a DNS record, journal traffic can still be routed to a raw IP address using a Send Connector (see Step F). Encryption will still occur, but Microsoft 365 will skip hostname validation, reducing identity assurance.
If you choose to proceed, create a DNS A record (e.g. mailarchiva.company.com) in the organization’s external DNS settings (for example, using Azure DNS, AWS Route 53, or another provider), pointing it to the public IP address configured in Step B. For example, set the domain name to mailarchiva.company.com if MailArchiva will be accessed at https://mailarchiva.company.com.
D. Create an SMTP listener
- In the MailArchiva Console, click Configuration → Listeners.
- Select SMTP Listener in the dropdown and click 'New Listener'.
- Check 'Enabled'
- Set the SMTP port to '25'
- Ensure the Bind IP address is set to 0.0.0.0 (all interfaces)
- Set certificate authentication to MailArchiva certificate store. Click 'Save'.
E. Create a journal rule
Configure Microsoft 365 to forward journaling traffic to MailArchiva On Premise.
In the Exchange Admin Center:
- Visit Microsoft Purview
- In Settings → Data Lifecycle Management → Exchange (legacy) (if available), replace the 'Send undeliverable journal reports to' field with your monitored admin mailbox. This controls where NDRs go if journaling fails.
- Under Solutions → Data Lifecycle Management → Exchange (legacy) → 'Journal Rules', click 'New Rule'.
- In the Send Journal Reports To field, enter archive@mailarchiva.company.com (replace with your server's FQDN; where mailarchiva.company.com is the Fully Qualified Domain Name (FQDN) of the MailArchiva server [not an email address] created in Step 2 above.)
- In the 'Journal rule name' field, enter 'archiva'
- In 'Journal messages sent or received from…' field, select 'Everyone'
- In 'Type of message to journal' select 'All messages'
- Click 'Save'.
F. Create a dedicated send connector
To ensure that your mail security solution doesn't inadvertently block journal emails sent to MailArchiva, it is recommended to create a dedicated send connector as per the instructions below.
- Visit the modern Exchange Admin Center (EAC) using a web browser.
- Go to Mail flow → Connectors, click '+' to add a connector.
- In 'Connection from', select Office 365. In 'Connection to', select 'Partner organization'. Click 'Next'.
- In 'Name', enter MailArchiva. Ensure ‘Turn It On’ remains checked.
- Select 'Only when messages are sent to these domains'. Enter your MailArchiva server's FQDN (e.g. mailarchiva.company.com -- must be resolvable from outside your network), then click '+'. Enter. Click 'Next'.
- Choose 'Route email through these smart hosts':
- If a DNS A record was created in Step C above, enter the MailArchiva server’s FQDN (e.g. mailarchiva.company.com).
- Otherwise, enter the server’s external IP address.
- Select 'Always use Transport Layer Security (TLS) to secure the connection'.
- Select 'Issued by a trusted certificate authority (CA)'. Click 'Next'.
- For the validation email, enter an address such as 'archive@[MailArchiva server's FQDN]' (for example, archive@mailarchiva.company.com), and click 'Validate'.
- Log in to the MailArchiva search interface. Verify that the test email has arrived. Click 'Next'.
- Click 'Create Connector'.
- Click 'Done'.
After completing steps E and F above, MailArchiva should start receiving journal traffic. Send an internal test message, and examine the charts in Status → Charts to see incoming traffic appearing.
G. Create MailArchiva application (optional)
This optional step involves creating and configuring a MailArchiva application in Azure. This application is needed to set up Azure authentication as it authorizes MailArchiva to access Azure's API.
- Access the Azure Portal. In the search box, type 'App Registrations'.
-
Click '+ New registration'.
-
Enter the name of the application (e.g. MailArchiva)
- Select 'Accounts in this organizational directory only' (… Single tenant)
-
In the Redirect URL section, select 'Web' as Application Type.
-
Type the equivalent of 'http://localhost:8090/authorize.do' in the Reply URI (e.g. replace localhost with the desired FQDN. e.g. https://mailarchiva.company.com/authorize.do)
-
Click Register
-
Select the newly created app
-
Click Manage → API Permissions.
-
Click 'Add Permission', and select Microsoft Graph. Click 'Delegated permissions'.
-
Check the following delegated permissions: Directory.Read.All, email, Mail.Send, Mail.Send.Shared, openid, profile, offline_access, User.Read and User.Read.All. Click 'Add permissions' to add them.
-
Click 'Add Permission', and select Microsoft Graph, then 'Application permissions'.
-
Check the following application permissions: Calendars.Read, Channel.ReadBasic.All, ChannelMessage.Read.All, Chat.Read.All, ChatMessage.Read.All, Contacts.Read, Directory.Read.All, Domain.Read.All, Group.Read.All, Mail.Read, Notes.Read.All and User.Read.All. Click 'Add permissions' to add them.
-
Click 'Add Permission', select 'APIs my organization uses', type 'office 365' in the search, and select 'Office 365 Exchange Online'. Select 'Application' permission. Add the permission IMAP.AccessAsApp.
- Click the 'Grant Admin consent', then click 'Yes'.
- Click the 'Enterprise applications' hyperlink at the bottom. Click 'Grant Admin Consent'. You will be prompted for permission to consent. Click Accept.
G. Set up Microsoft 365 connection (optional)
From within the Azure Portal:
- Log in to Azure Portal.
- Click Azure Active Directory, then 'App Registrations'.
- Select the MailArchiva application created in Step A above. Do not close the Azure page yet.
From within the MailArchiva Console:
- Click Configuration → Connections
- Select 'Microsoft 365', then click 'New Connection'.
- In the 'Tenant ID' field, copy and paste the Directory (tenant) ID displayed in the Application Overview in Azure.
- In 'Client ID', copy and paste the Application (client) ID displayed in the Application Overview in Azure. Click 'Save'.
- Click 'New Server Cert'.
- In storage alias, enter 'ms365'.
- In Common Name, enter 'mailarchiva.company.com'.
- In Org Unit, Org, City, State and Country enter your company details.
- Click 'New Server Cert' to create an X.509 certificate.
- The X.509 certificate will be downloaded to your computer’s Downloads folder.
- In 'Private Key', select the storage alias specified in step 10 above.
- In the 'Mail from' field, enter the email address of the admin user.
- If folder synchronization is desirable, refer to the Folder synchronization steps described further below.
- Click 'Save'.
From the newly created MailArchiva application in the Azure Portal:
- Click Manage → Certificates & secrets on the left menu.
- Click Upload certificates in the Certificates tab.
- Select the Certificate downloaded earlier, and enter MailArchiva as the description of the certificate. Click 'Add'.
From within the MailArchiva Console:
H. Set up Azure authentication (optional)
This optional step configures MailArchiva to authenticate Microsoft 365 users residing in Azure. Once set up correctly, it is possible for users to log in to MailArchiva using their Azure credentials.
From within the MailArchiva Console:
- Select Configuration → Login, Select Console Method 'Azure'
- In the 'Tenant ID' field, copy and paste the Directory (tenant) ID displayed in the Application Overview in Azure application created in Step A above.
- In 'Client ID', copy and paste the Application (client) ID displayed in the application Overview in the Azure application created in Step A above.
- In the 'Private Key' field, select the 'ms365' certificate created in Step G above.
- In the 'Issuer URL' field, enter 'https://login.microsoftonline.com/[tenant ID]/v2.0' (replacing tenant ID)
- In the 'Authentication Callback URL', enter 'http://localhost:8090/authorize.do' (this URL must be equivalent to the 'Reply URL' added in Step F7 above).
- Leave the ‘Auto Discovery’ checkbox selected.
- Click 'Save'.
- Click 'Request Admin Consent' (this process starts the Microsoft 365 consent process).
- You will be redirected to the Microsoft 365 login page.
- Log in using Microsoft 365 admin credentials
- Accept permissions
- Access http://localhost:8090/signonform.do to access MailArchiva login
- Log back in to MailArchiva as the admin user
- Click Configuration → Logins
- Next, assign Microsoft 365 Admin to the MailArchiva Admin Role
- Click 'New Role Assignment'.
- Select Administrator in Role.
- Click 'Lookup' next to the 'Attribute Field'.
- In the lookup dialog, enter the email address of the Microsoft 365 Administrator. Click Lookup
- A list of Azure attributes will be shown. Select memberOf 'Company Administrator'
- Click 'Save'.
- To test the login, logout, and hit 'http://localhost:8090'
- You should be directed to the Windows Azure Login page.
- If you are unable to login, enter 'http://localhost:8090/signonform.do' to login using a superuser admin account.
I. Synchronize folder structures (optional)
MailArchiva has the ability to synchronize folder structures with Microsoft 365. Microsoft 365 transmits folder synchronization data to a web hook URL (.e.g. https://mailarchiva.company.com/o365) accessible from outside your network.
In Configuration → Connections → Microsoft 365 connection...
- Specify the webhook URL as the equivalent of https://mailarchiva.company.com/o365 (replace FQDN with your local domain while preserving the o365 prefix). This is the public URL Microsoft will call to send folder updates.
- Leave the server port as 8888 since MailArchiva will automatically proxy HTTPS requests targeting the webhook URL to port 8888 on localhost.
- Check the 'synchronize' checkbox. Save the config. After saving, Microsoft 365 will attempt to send synchronization traffic to the webhook address on port 443.
Ensure that Microsoft 365 is able to access the webhook URL (specified above) via HTTPS from outside your network. This can be achieved as follows..
- If necessary, create an A Record using your DNS provider's editor, with the name 'mailarchiva' pointing to an IP address assigned to the edge of your network.
- From an external network, open 'https://mailarchiva.company.com/o365' from outside your network to verify that the A record is defined correctly and the port forward rule is working as expected. If the port forwarding is set up right, the browser should output the response: Failure: 405 Method Not Allowed
- If successful, in the Status → Charts section, you should begin to see sync bars. In the Search interface, user folder structures should begin to appear.
- If no bars appear, double-check the configuration, uncheck the enable button, click 'Save', then recheck the enable button, click 'Save' again. Recheck the charts.
Putting it all together
Always ensure that MailArchiva is being accessed using the same domain as specified in the Authentication Callback URL (defined in MailArchiva) / Reply URL (defined in Azure).
From MailArchiva Console:
- Click Status → Charts to verify whether archiving traffic is being received and archived. If not, refer to Archiving Stopped for possible solutions.
- By default, MailArchiva will only archive new messages from the point at which archiving is enabled.
- To import historical mail, from Configuration→Volumes, click 'Import', select the desired Exchange Client Connection, and click 'Import'.
IMAP journaling (deprecated)
There are two different approaches to archiving emails from MS Exchange:
Option 1) IMAP journaling - Create a journal mailbox in Exchange Online, and then poll the journal mailbox continuously using IMAP. The advantage is there is no need to open a port on the firewall. The disadvantage is that polling is less efficient.
Option 2) SMTP journaling - Configure Exchange Online to forward journaling traffic to MailArchiva directly on port 25. Requires port 25 forwarded on the firewall.
Choose between either of these approaches. The SMTP approach is most recommended as it is less resource intensive, but does require that an incoming port is forwarded on the company firewall. The advantage of the IMAP journal method is that there is no need to open an outside port on the company firewall. The disadvantage is that a journal mailbox must be created and assigned.
Option 1) IMAP journaling
J1. Create IMAP journaling rule
- Visit Microsoft Admin Center
- In Active users on the left menu, click Add a user.
- In First name, Display name and username fields, enter 'journal'.
- Uncheck 'Require this user to change their password when they first login'.
- Click 'Next' to complete the journal mailbox creation.
- Click on the newly created journal rule to open its properties. In the General tab, click 'Manage email apps settings' and ensure that IMAP access is enabled.
- Visit Microsoft Purview in a web browser
- Select 'Data lifecycle management' from the left menu, then 'Exchange (legacy)'.
- Select Journal Rules from the sub-menu at the top right.
- Create the New Rule
- In 'Send journal reports to', select journal mailbox. In the name field, enter journal.
- In 'if the message is sent to or received from...' select Apply to all messages.
- In 'journal the following messages', select all messages. Click Create.
D1. Grant journal mailbox access permission
- Log in to the Azure Portal. Open Enterprise Applications (not App registration!).
- Select the MailArchiva application created earlier. Leave the page open as a reference.
- Open Windows Powershell on any computer running Windows 11.
- Type the command 'Import-Module ExchangeOnlineManagement'
- Connect to Exchange Online, by typing the equivalent of:
Connect-ExchangeOnline -UserPrincipalName admin@company.com (i.e. replaced with Microsoft 365 admin UPN) - Type the command below to create a service principal:
New-ServicePrincipal -AppId <APPLICATION_ID> -ServiceId <OBJECT_ID> (both values taken from Azure Enterprise Application → Properties) - Type 'Get-ServicePrincipal | fl'. Take note of the Service ID listed in the output.
- Input the command below to create a mailbox:
Add-MailboxPermission -Identity "journal@company.com" -User <SERVICE_ID> -AccessRights FullAccess
J2 Create IMAP connection
- Log in to MailArchiva, click Configuration → Client Connections→Select IMAP Connection → Click New Connection.
- Enter outlook.office365.com in the server address field.
- Select Auth Method as OAUTH2.
- In Username, enter the journal account email (e.g. journal@company.com)
- In Token, select Microsoft 365.
- Save the connection. Click Test Connection to verify that the authentication parameters are correct.
- If the test is successful, check 'Enabled' and click 'Save'.
If the IMAP test fails, please retrace the steps above or follow these troubleshooting steps.
Found this information useful? Visit mailarchiva.com to learn more about MailArchiva.