Configure User Sync with O365


Mailprotector supports User Sync with Office 365 (O365) tenant domains to manage users in the Console. The main benefit to the synchronization feature is knowing that the Office 365 mailboxes are present in the Console and ready to protect the inbox. The synchronization will also remove users from the Console if the mailbox is removed from O365.

Applies to:

Office 365 (O365), Exchange Online, User Sync, User Source


The Office 365 tenant domain must be configured and contain at least one mailbox user. Enabling Directory Synchronization requires a global administrator account for the O365 domain. A 'normal' mailbox user will not have permission to communicate with the Microsoft Graph API for synchronization.

NOTE: Configuring Office 365 User Synchronization must be done from If you have a co-branded URL, see, or see as part of the URL in the browser, you will receive an error when attempting to connect to O365. Microsoft allows one domain to be assigned to an API. The User Sync API domain for Mailprotector is Using the specific URL is only required during the configuration of User Sync. Once configured, you may access the Console using your preferred URL.

DYNAMIC DISTRIBUTION LISTS: If the domain in use has Dynamic Distribution Lists, you must configure a workaround for the email address(es) to sync to the Mailprotector Console. Microsoft does not push the Dynamic Distribution List address to the Graph API for Mailprotector to add as a valid address. Please read Microsoft 365 Dynamic Group handling with User Sync for complete details.

Configuring User Sync

Preparing the Domain in the Mailprotector Console

  1. Log in to the Console using 
  2. Navigate to the domain you wish to add User Sync to
  3. Select the User Sync tab located

Fig. 1



     4. Scroll down to the second section labeled User Sources and select "Add"

Fig. 2


BEST PRACTICE: Do not enable the User Sync until you have confirmed the source is editing users correctly with a manual preview.

     5. Select the Add option and click Choose under the Office 365 logo.

Fig. 3


     6. Under the Source tab, click the 'Connect Office 365' button, and you will be asked to log in to the Office 365 tenant domain you are configuring. Be sure to use a global administrator account for the domain you are configuring. The Office 365 login dialog will look similar to Figure 5.

Fig. 4


Fig. 5

     7. After successfully logging into Office 365, you will be presented with a permission request to allow Mailprotector to read user profiles, directory data, and other requirements for User Sync to function correctly. Be sure the account you signed in as has admin permissions. Verify this by looking for the '(admin)' to the right of the signed-in user, as shown in Figure 6. Click the 'Accept' button to continue.

Fig. 6

     8. You will return to the User Sync sources in the Console. A successful connection will result in a "Connected to Office 365," appearing in the Sources tab, as shown in Figure 7.

ERROR NOTE: If you received an error attempting to connect to Office 365, first check the URL in your browser when looking at the Console. If it does not begin with, then the connection process will fail. If the URL is correct, check the O365 account you are using by logging into the Office 365 Portalicon-ext-url.png.

Fig. 7


      9. You can now select the blue back arrow to navigate back to the User Sync Tab. Once you are in this section, you can select "Preview," as displayed in figure 8. This is to ensure that the sync is pulling users properly. It should display a list of users that will be added to the Console.

Fig. 8


     10. You are now ready to enable and sync Office 365 users to the Console. Click the slider at the top of the page to turn on 'Enable Automatic User sync.' 

Fig. 9

     11. It may take some time for user synchronization to complete automatically,  so if you would like to run the sync now, instead of waiting for the next interval, you can select "Sync & Save" in the "Manual Sync" section. 

Fig. 10



NOTE: User Sync will not pull in addresses or users with the * address. User Sync is requesting addresses that match the domain in the Mailprotector Console, and users' email accounts will need to be fully configured in Office 365 before Directory Sync can obtain the data.

IMPORTANT: A limitation of the information provided from Office 365 prevents User Sync from discerning between a resource and a shared mailbox.

The User Sync tool will create a user for each shared mailbox, room, or equipment resource mailbox, and any unlicensed addresses in the Mailprotector Console. These users will be marked accordingly and are non-billable users. 

(Optional) Adding Filters and Destination groups

User Sync will direct addresses to the "Main" Group by default.  If you want to direct certain users to different groups, you may change which users are targeted in the "Filters" section of the User Source created in step 5. You can then change which group those users are placed into by changing the "Destination" group.

Fig. 11


IMPORTANT:  The filter section fields may auto-populate with available Graph API fields as you being typing. Some of the available API fields are:

  • memberOf
  • accountEnabled
  • assignedLicenses
  • companyName
  • displayName
  • givenName
  • mail
  • mailEnabled
  • userType
  • surname
  • proxyAddress
  • userPrincipalName
  • id
  • jobTitle

Additional Help

If you have any additional questions regarding Office 365 User Sync, experience problems, or an interest in other best practices, please visit the Help Centericon-ext-url.png to open a ticket.

Have more questions? Submit a request