Microsoft 365  (i.e. Office 365)
 

MailArchiva brings advanced e-Discovery capabilities to Microsoft Office 365. Full email journaling, calendar, contact, and folder synchronization are available.

 

MailArchiva Cloud setup - Easy setup instructions for the MailArchiva Cloud
MailArchiva On-Premise setup - Office 365 integration for MailArchiva On-Premise (advanced)

 

 

MailArchiva Cloud setup

 

Visit https://office365.archiva.com (USA) or https://office365.mailarchiva.eu (EU) and signup to the MailArchiva Cloud.

 

After sign-up, create a journal rule as described below.

 

Create a journal rule

 

This step involves configuring Office 365 to forward journaling traffic to the MailArchiva Cloud SMTP server.
 

From within the Exchange Admin Center:
 

  1. Visit Microsoft Purview
  2. In the Admin section on the left, click Exchange
  3. Select Data lifecycle management from the left menu, then Exchange.
  4. Select Journal Rules from the sub-menu at the top right.
  5. If you haven't already, choose a local mailbox where undeliverable journal reports are to be sent.
  6. Press "+" to create a new journal rule.
  7. In Send Journal Reports To field, enter:
     if registered on USA (archiva.com) site:  [value of journal recipient field in MailArchiva Web Console->System Status]@archive.archiva.com (for example: journal-000000T0R2KQuOyRvlZ18qxiAekc6RRHkQb4i0GjkJ3t4Ns150SfrknkuLMbGAr@archive.archiva.com)
     if registered on EU (mailarchiva.eu) site:  [value of journal recipient field in MailArchiva Web Console->System Status]@archive.mailarchiva.eu (for example: journal-000000T0R2KQuOyRvlZ18qxiAekc6RRHkQb4i0GjkJ3t4Ns150SfrknkuLMbGAr@archive.mailarchiva.eu)
  8. In Name field, enter "archiva"
  9. In the "If the message is sent to or received from.." field, select "Apply to All Messages"
  10. In "Journal the following messages.." select "All messages"
  11. Click Save.


Create a dedicated send connector

 


To ensure that your mail security solution doesn't inadvertently block journal emails sent to MailArchiva, it is prudent to create a dedicated send connector as per the instructions below.

 

  1. Visit https://admin.exchange.microsoft.com using a web browser. Login to Microsoft 365 (as necessary).
  2. Click Mail flow on the left menu, then Connectors in the sub-menu.
  3. Click + to add a connector.
  4. In 'Connection from', select Office 365. In 'Connection to', select 'Partner organization'. Click Next.
  5. In Name, enter MailArchiva. Leave Turn It On checked
  6. Select 'Only when messages are sent to these domains'. Enter archive.archiva.com, then click +. Enter archive.mailarchiva.eu, then click +. Click Next.
  7. Select 'Use the MX record associated with partner's domain', click Next.
  8. Select 'Always use Transport Layer Security (TLS) to secure the connection'.
  9. Select 'Issued by a trusted certificate authority (CA)', Click Next
  10.  In validation email, enter either archive@archive.archiva.com (for USA site) or archive@archive.mailarchiva.eu (for EU site), click +, then click Validate button.
  11. Login to MailArchiva's search interface and verify that the test email has arrived. Click Next.
  12. Click Create connector.
  13. Click Done.

 

After the above steps are completed, MailArchiva should begin receiving journaling traffic. Click Search to see the email appearing in the search results.

 

MailArchiva Cloud offers a 30-day free trial, after which, if you wish to continue your use of the service, it is necessary to purchase a subscription.

 

 

MailArchiva On-Premise setup
 

Configure Exchange Online to forward journaling traffic to MailArchiva directly on port 25. Requires port 25 is port-forwarded on the firewall.

 

Step A. Install a digital certificate

 

Office 365 journaling may not work over an insecure connection; the use of SMTP/TLS may be required.

 

Furthermore, if using Azure authentication (not journaling), the console may need to be secured using HTTP/S. In this case, follow the Secure Access steps to install a certificate and enable HTTP/S.

 

Step B. Port forward

 

Create a rule on the organization's firewall to forward incoming SMTP traffic from port 25 on any available public IP address owned by the organization to port 25 on the local IP address of the MailArchiva server running within the organization's network. 

 

Note: Any dedicated or shared external IP address can be used as long as port 25 is not already being used.

 

Step C. Create DNS record
 

Edit the organization's DNS settings. Create an A record for MailArchiva on your company domain, so that, for example, mailarchiva.company.com points to the external IP address referenced in Step B above.

 

Step D. Create an SMTP listener
 

  1. In the MailArchiva Console, Click Configuration->Listeners
  2. Select SMTP Listener in the dropdown and then click the New Listener button.
  3. Check "Enabled"
  4. Set the SMTP port as 25
  5. Ensure Bind IP address is for all interfaces
  6. Set certificate authentication to MailArchiva certificate store. Click Save
     

Step E. Create a journal rule
 

This step involves configuring Office 365 to forward journaling traffic to MailArchiva On Premise.

 

From within the Exchange Admin Center:

 

  1. Visit Office 365 Portal and click Admin.
  2. In the Admin section on the left, click Exchange
  3. Select Compliance Management from the left menu.
  4. Select Journal Rules from the sub-menu at the top right.
  5. If you haven't already, choose a local mailbox where undeliverable journal reports are to be sent.
  6. Press "+" to create a new journal rule.
  7. In "Send Journal Reports To" field, enter archive@mailarchiva.company.com (where mailarchiva.company.com is the fully qualified domain name of the MailArchiva server [not an email address] created in Step 2 above.)
  8. In "Name" field, enter "archiva".
  9. In "If the message is sent to or received from.." field, select "Apply to All Messages"
  10. In "Journal the following messages.." select "All messages". Click Save

At this stage, MailArchiva should receive journaling traffic.  Send an internal test message, and examine the charts in Status->Charts to see incoming traffic appearing.

 

To prevent the SMTP listener created in Step D. Create An SMTP Listener above from being abused by spam bots, it is a good idea to configure the listener such that it will only respond to recipients addressed in Step 7 above. In the Listener config above, click Advanced. In RCPT TO Filter Address, enter the email address specified in step 7 above (e.g.  archive@mailarchiva.company.com).

 

Step F. Create MailArchiva application (optional)

 

 

This optional step involves creating and configuring a MailArchiva application in Azure. This application is needed to setup Azure authentication as it authorizes MailArchiva to access Azure's API.

 

  1. Log in to your Office 365 Admin Center as an administrator.
  2. Access the Azure Portal, then Azure Active Directory.

  3. Click App Registrations, then "+" to create a New Application registration

  4. Enter the name of the application (e.g. MailArchiva)

  5. Select Accounts in this organizational directory only (.. Single tenant)

  6. Select Web as application type

  7. Type the equivalent of "http://localhost:8090/authorize.do" in the Reply URI (e.g. Replace localhost with the desired FQDN. e.g. https://mailarchiva.company.com/authorize.do)

Note: The Microsoft Azure Portal will not accept if the above URL is pasted from the clipboard. It is necessary to manually type the URL.

  1. Click Register

  2. Select the newly created app

  3. Click Manage→Api Permissions on the left-menu

  4. Click Add Permission button, and select Microsoft Graph, then Delegated permissions.

  5. Check the following delegated permissions: Directory.Read.All, email, Mail.Send, Mail.Send.Shared, openid, profile, offline_access, User.Read and User.Read.All then click Add permissions button to add them.

  6. Click Add Permission button, and select Microsoft Graph, then Application permissions.

  7. Check the following application permissions: Calendars.Read, Channel.ReadBasic.All, ChannelMessage.Read.All, Chat.Read.All, ChatMessage.Read.All, Contacts.Read, Directory.Read.All, Domain.Read.All, Group.Read.All, Mail.Read, Notes.Read.All and User.Read.All then click Add permissions button to add them.

  8. Click Add Permission button, select "APIs my organization uses", type "office 365" in the search, select "Office 365 Exchange Online". Select Application permission. Add the permission IMAP.AccessAsApp.

  9. Click "Grant Admin consent" button, then click Yes button.
  10. Click "Enterprise applications" hyperlink at the bottom. Click "Grant Admin Consent" button. You will be prompted for permission to consent. Click Accept.
Note: The Reply URL must match exactly the Authentication Callback URL defined in Step 7 below. For more information on Reply URL definition, refer to Azure Troubleshooting.


 

Step G. Setup Office 365 connection (optional)

 

This optional step involves setting up an Office 365 Connection in MailArchiva, such that it can synchronize folder structures and import data.

 

From within the Azure Portal:

 

  1. Login to Azure Portal.
  2. Click Azure Active Directory, then App Registrations
  3. Select the MailArchiva application created in Step A above. Don't close the Azure page yet.

From within the MailArchiva Console:
 

  1. Click Configuration→Connections
  2. Select Office 365, then click New Connection
  3. In the Tenant ID field, copy and paste the Directory (tenant) ID displayed in the Application Overview in Azure.
  4. In Client ID, copy and paste the Application (client) ID displayed in the Application Overview in Azure. Click Save
  5. Click the New Server Cert button
  6. In storage alias, enter "office365".
  7. In Common Name, enter "office365.mailarchiva.com"
  8. In Org Unit, Org, City, State and Country enter your company details.
  9. Click the New Server Cert button to create an X.509 certificate.
  10. The X.509 certificate will be downloaded to your local machine.
  11. In Private Key, select the storage alias specified in step 10 above.
  12. In the "Mail from" field, enter the email address of the admin user.
  13. If folder synchronization is desirable, refer to the Folder synchronization steps described further below.
  14. Click Save to save the configuration.

 

From the newly created MailArchiva application in the Azure Portal:

 

  1. Click Manage→Certificates & secrets on the left menu.
  2. Click Upload certificates in the Certificates tab.
  3. Select the Certificate downloaded earlier, and enter MailArchiva as the description for the certificate. Click the Add button.

 

From within the MailArchiva Console:

    On the Office 365 connection, click Test Connection to verify that MailArchiva is able to sync with O365. If the test is successful, enable the connection and click Save.
Note: Any time the MailArchiva Application permissions are modified in Azure, the consent process must be re-initiated by clicking either on "Request Admin Consent" in Configuration->Logins or "Get Admin Consent" in Configuration->Connection-Exchange Connection.

 

 

Step H. Setup Azure authentication (optional)

 

This optional step configures MailArchiva to authenticate Office 365 users residing in Azure. Once setup correctly, it is possible for users to login to MailArchiva using their Azure credentials. 


From within the MailArchiva Console:

 

  1. Select Configuration->Login, Select Console Method "Azure"
  2. In the Tenant ID field, copy and paste the Directory (tenant) ID displayed in the Application Overview in Azure application created in Step A above.
  3. In Client ID, copy and paste the Application (client) ID displayed in the application Overview in Azure application created in Step A above.
  4. In the Private Key field, select the certificate created in Step G above.
  5. In the Issuer URL field, enter "https://login.microsoftonline.com/[tenant ID]/v2.0" (replacing tenant ID)
  6. In Authentication Callback URL, enter "http://localhost:8090/authorize.do" (this URL must be equivalent to Reply URL added in Step F7 above)
  7. Leave Auto Discovery checked.
  8. Click Save
  9. Click "Request Admin Consent" button (this process starts the Office 365 consent process)
  10. You will be redirected to Office 365 login
  11. Login using Office 365, login using Office 365 admin credentials
  12. Accept permissions
  13. Access http://localhost:8090/signonform.do to access MailArchiva login
  14. Log back into MailArchiva as the admin user
  15. Click Configuration→Logins
  16. Next, assign Office 365 Admin to the MailArchiva Admin Role
  17. Click the New Role Assignment button.
  18. Select Administrator in Role
  19. Click the Lookup button next to the Attribute Field
  20. In the lookup dialog, enter the email address of the Office 365 Administrator. Click Lookup
  21. A list of Azure attributes will be shown. Select memberOf "Company Administrator"
  22. Click Save
  23. To test the login, logout, and hit "http://localhost:8090"
  24. You should be directed to the Windows Azure Login page.
  25. If you are unable to login, enter "http://localhost:8090/signonform.do" to login using a superuser admin account.

 

Upgrade Note: The only authorization URL is no longer valid.  The Issuer URL field should be set to "https://login.microsoftonline.com/[tenant ID]/v2.0" with auto discovery enabled.

 

Note: For the authentication process to work, the MailArchiva web console must be accessed from a web browser using the same domain as specified in the Authentication Callback / Reply URL. In the example above, the MailArchiva console would be accessed using the URL: "http://localhost:8090".

 

Note: If locked out of the console, access the fallback login page at "http:localhost:8090/signonform.do" to login as admin.

 

Note: See Azure Authentication Troubleshooting if you have difficulties getting Azure authentication to work.

 

Step I. Synchronize folder structures (optional)

 

Note: This feature requires MailArchiva 8.10.0 or higher. 

MailArchiva has the ability to synchronize folder structures with Office 365. Microsoft Office 365 transmits folder synchronization data to a web hook URL (.e.g. https://mailarchiva.company.com/o365) accessible from outside your network. 
 
Before proceeding with configuration, ensure that MailArchiva's web console is secured using TLS.
 
Note: Microsoft Office 365 doesn't yet appear to support elliptic curve certificates. Thus, ensure the certificate securing the web console is RSA-based.
 
To enable folder synchronization, setup an Office 365 Connection such that MailArchiva is able to establish a connection to the Office 365 Graph API.
 

In Configuration→Connections→Office 365 connection...
 

  1. Specify the webhook URL as the equivalent of https://mailarchiva.company.com/o365 (replace FQDN with your local domain while preserving the o365 prefix).
  2. Leave the server port as 8888 since MailArchiva will automatically proxy HTTPS requests targeting the webhook URL to port 8888 on localhost.
  3. Check the "synchronize" checkbox. Save the config. Henceforth, Office 365 will attempt to send synchronization traffic to the webhook address on port 443.
     

 Ensure that Office 365 is able to access the webhook URL (specified above) via HTTPS from outside your network. This can be achieved as follows..

 

  1. If necessary, create an A Record using your DNS provider's editor, with the name "mailarchiva" pointing to an IP address assigned to the edge of your network.
  2. Use a browser to access https://mailarchiva.company.com/o365 from outside your network to verify that the A record is defined correctly and the port forward rule is working as expected. If the port forwarding is setup right, the browser should output the response: Failure: 405 Method Not Allowed
  3. If everything is defined correctly in the Status→Charts section, you should begin to see sync bars. In the Search interface, user folder structures should begin to appear.
  4. If no bars appear, double-check the configuration, uncheck the enable button, click Save, then recheck the enable button, click Save again. Recheck the charts.


Putting it all together

 

Always ensure that MailArchiva is being accessed using the same domain as specified in the Authentication Callback URL (defined in MailArchiva) / Reply URL (defined in Azure).

 

From MailArchiva Console:

 

  1. Click Status→Charts to verify whether archiving traffic is being received and archived. If not, refer to Archiving Stopped for possible solutions.
  2. By default, MailArchiva will only archive new messages from the point at which archiving is enabled.
  3. To import historical mail, from Configuration→Volumes, then click Import, select the desired Exchange Client Connection, and click Import.

 

 

 

 

 

 

 

 

IMAP journaling (deprecated)

 

Deprecation Note: Using IMAP to retrieve journaling data from Office 365 is no longer feasible, since Microsoft now prevents new journal rules from forwarding traffic to local mailbox hosted in Office 365.

 

There are two different approaches to archiving emails from MS Exchange:

 

Option 1) IMAP journaling - Create a journal mailbox in Exchange Online, and then poll the journal mailbox continuously using IMAP. The advantage is there is no need to open a port on the firewall. The disadvantage is that polling is less efficient.
Option 2) SMTP journaling - Configure Exchange Online to forward journaling traffic to MailArchiva directly on port 25. Requires port 25 is port-forwarded on the firewall.

 

Choose between either of these approaches. The SMTP approach comes most recommended as it is less resource intensive, but does require that an incoming port is forwarded on the company firewall. The advantage of the IMAP journaling method is that there is no need to open an outside port on the company firewall. The disadvantage is that a journal mailbox must be created and assigned.

 

Option 1) IMAP journaling

 

IMAP Note: Journaling using the IMAP protocol with OAUTH authentication requires a minimum of steps A, B, C1, D1 and E1 to be completed. 

 

Step J1. Create IMAP journaling rule

 

  1. Visit Microsoft Admin Center
  2. In Active users on the left menu, click Add a user. 
  3. In First name, Display name and username fields, enter "journal".
  4. Uncheck "Require this user to change their password when they first login"
  5. Click Next to complete the journal mailbox creation.
  6. Click on the newly created journal rule to open its properties. In the General tab, click "Manage email apps settings" and ensure that IMAP access is enabled.
  7. Visit Microsoft Purview in a web browser
  8. Select Data lifecycle management from the left menu, then Exchange (legacy)
  9. Select Journal Rules from the sub-menu at the top right.
  10. Create the New Rule
  11. In "Send journal reports to", select journal mailbox. In the name field, enter journal.
  12. In "if the message is sent to or received from..." select Apply to all messages.
  13. In "journal the following messages" select all messages. Click Create.
     

Step D1. Grant journal mailbox access permission

 

Avoid the gotcha:  Please do not make the common mistake of copying the Object ID in the first step below from the app's Azure registration page as defined in Step A above. The Object ID must be taken from the Enterprise Applications section in the Azure portal. (it is different from App Registration page in Azure!)

 

  1. Login to the Azure Portal. Open Enterprise Applications (not App registration!). 
  2. Select the MailArchiva application created earlier. Leave the page open as a reference.
  3. Open Windows Powershell on any computer running Windows 11.
  4. Type the command "Import-Module ExchangeOnlineManagement"
  5. Connect to Exchange Online, by typing the equivalent of:
    Connect-ExchangeOnline -UserPrincipalName admin@company.com ( i.e. replaced with user principal name of Office 365 admin user )imap connection
  6. Type the command below to create a service principal:
    New-ServicePrincipal -AppId <APPLICATION_ID> -ServiceId <OBJECT_ID> ( both values taken from Azure Enterprise Application → Properties )
  7. Type "Get-ServicePrincipal | fl". Take note of the Service ID listed in the output.
  8. Input the command below to create a mailbox:
    Add-MailboxPermission -Identity "journal@company.com" -User <SERVICE_ID> -AccessRights FullAccess


Step J1. Create IMAP connection

 

  1. Login to MailArchiva, click Configuration→Client Connections→Select IMAP Connection→Click New Connection.
  2. Enter outlook.office365.com in the server address field.
  3. Select Auth Method as OAUTH2.
  4. In Username, enter the journal account email (e.g. journal@company.com)
  5. In Token, select Office 365.
  6. Save the connection. Click Test Connection to verify. 
  7. If all is well, check Enabled and click Save.

 

If the IMAP test connect fails, please retrace the steps above or follow these troubleshooting steps.

Was this helpful?
© 2005 - 2025 ProProfs

Found this information useful? Visit mailarchiva.com to learn more about MailArchiva.
light-box Image