Mailprotector supports Directory Sync with Office 365 (O365) tenant domains to manage users in the Console. The main benefit to the synchronization feature is knowing that the Office 365 mailboxes are present in the Console and ready to protect the inbox. The synchronization will also remove users from the Console if the mailbox is removed from O365.
Office 365 (O365), Exchange Online, Directory Sync
The Office 365 tenant domain must be configured and contain at least one mailbox user. Enabling Directory Synchronization requires an administrator account for the O365 domain. A 'normal' mailbox user will not have the permission to communicate with the O365 API for synchronization.
NOTE: Configuring the Office 365 Directory Synchronization must be done from https://console.emailservice.io. If you have a co-branded URL or see https://console.mailprotector.com as part of the URL in the browser, you will receive an error when attempting to connect to O365. Microsoft allows one domain to be assigned to an API. The Directory Sync API domain for Mailprotector is emailservice.io. Using the specific URL is only required during the configuration of Directory Sync. Once configured, you may access the Console using your preferred URL.
Configuring Directory Sync
Preparing the Domain in the Mailprotector Console
- Log in to the Console using https://console.emailservice.io/signin
- Navigate to the user groups for the domain you are configuring for Directory Sync by clicking the 'User Groups' link in the right-hand navigation as shown in Figure 1.
- The user groups for the domain will be listed as shown in Figure 2. If this is a new domain in the Mailprotector Console, only the default user group called 'Main' will be present.
BEST PRACTICE: Directory synchronization is best applied to a user group. If Directory Sync is used at the domain level in the Console, new users may appear in a user group you do not expect. Directory Sync can read other user groups but will only add or remove accounts from the user group it is configured for which provides more predictable results.
Click on the user group you intend to configure with Directory Sync. We will use the 'Main' user group in this example.
- Viewing the Main user group, click the 'Settings' link in the right-hand navigation as shown in Figure 3.
- Looking at the 'General' tab for the user group's settings, click on the 'Directory Sync' tab as shown in Figure 4.
- If this is a new domain in the Console, the Directory Sync settings will be blank, and the server type will be 'Exchange.' If this is an existing domain that had directory synchronization configured in the past, you may see some settings.
In either case, select 'Office 365' from the Server Type drop-down list. The setting fields will change, and a 'Connect to Office 365' button will appear to the right of the Server Type setting.
- Click the 'Connect to Office 365' button, and you will be asked to log in to the Office 365 tenant domain you are configuring. Be sure to use an administrator account for the domain you are configuring. The Office 365 log in dialog will look similar to Figure 5.
- After successfully logging into Office 365, you will be presented with a permission request to allow Mailprotector to read user profiles, directory data, and other requirements for Directory Sync to function correctly. Be sure the account you signed in as has admin permissions. Verify this by looking for the '(admin)' to the right of the signed in user as shown in Figure 6. Click the 'Accept' button to continue.
- You will return to the Directory Sync settings in the Console. A successful connection will result in a Tenant ID displayed in the field, just below the Server Type, as shown in Figure 7.
ERROR NOTE: If you received an error attempting to connect to Office 365, first check the URL in your browser when looking at the Console. If it does not begin with https://console.emailservice.io then the connection process will fail. If the URL is correct, check the O365 account you are using by logging into the Office 365 Portal.
- You are now ready to enable and sync Office 365 users to the Console. Click the checkboxes to enable 'User sync' and 'Filter by domain.' Your settings should look similar to Figure 8. Click the 'Save' button at the bottom of the Directory Sync settings to complete the configuration.
- It may take a few minutes for directory synchronization to complete. Once finished, go to the user list for the user group you configured with Directory Sync and verify the accounts listed are as expected.
NOTE: Directory Sync will not pull in addresses or users with the *.onmicrosoft.com address. Directory Sync is requesting addresses that match the domain in the Mailprotector Console and users' email accounts will need to be fully configured in Office 365 before Directory Sync can obtain the data.
IMPORTANT: A limitation of the information provided from Office 365 prevents Directory Sync from discerning between a resource and a shared mailbox.
The Directory Sync tool will create a user for each shared mailbox, room or equipment resource mailbox, and any unlicensed addresses in the Mailprotector Console. However, the User Type of these users will be 'Unlicensed User' and will not be billed.
Assuming the best practice in Step 3 was followed, another option is to create a new User Group with the same services and move the shared mailboxes to this new User Group. You may change the User Type in the settings of a user to 'Shared' for shared mailboxes, or 'Equipment' if the mailbox is a room or equipment resource mailbox. Directory Sync will only make changes to the User Group on which it is enabled and not change the User Type in the new User Group.
If you have more questions regarding Office 365 Directory Sync, experience problems, or an interest in other best practices, please visit the Support Portal to open a ticket.