Microsoft 365

This guide walks you through connecting a Microsoft 365 tenant to MyEmailVault using the Microsoft Graph API. This allows MyEmailVault to archive emails for all users in your organization.

The setup consists of four parts:

  1. Register an application in Microsoft Entra ID.
  2. Grant the required API permissions.
  3. Create a client secret.
  4. Connect the application in MyEmailVault.

Part 1: Register an App in Microsoft Entra ID

  1. Go to the Microsoft Entra admin center.
  2. Navigate to Identity > Applications > App registrations.
  3. Click New registration.
  4. Enter a name (e.g., "MyEmailVault").
  5. Under Supported account types, select Accounts in this organizational directory only (single tenant).
  6. Leave Redirect URI blank.
  7. Click Register.

After registration, note the following values from the Overview page -- you will need them later:

  • Application (client) ID
  • Directory (tenant) ID

Part 2: Grant API Permissions

  1. In your app registration, navigate to API permissions.
  2. Click Add a permission.
  3. Select Microsoft Graph.
  4. Select Application permissions (not delegated).
  5. Add the following permissions:

     Permission    | Purpose
     Mail.Read     | Read email messages from all mailboxes in the tenant.
     User.Read.All | List all users in the tenant to discover mailboxes.

  6. Click Add permissions.
  7. Click Grant admin consent for [your organization] and confirm. This step requires Global Administrator or Privileged Role Administrator rights.

After granting consent, the status for both permissions should show a green checkmark with "Granted for [your organization]".


Part 3: Create a Client Secret

  1. In your app registration, navigate to Certificates & secrets.
  2. Click New client secret.
  3. Enter a description (e.g., "MyEmailVault") and select an expiration period.
  4. Click Add.
  5. Copy the Value of the secret immediately. It will not be shown again after you leave this page.

Note: When the client secret expires, MyEmailVault will no longer be able to sync emails. Set a reminder to rotate the secret before it expires and update the credentials in MyEmailVault.


Part 4: Connect in MyEmailVault

4.1 Create an Ingestion Source

  1. In MyEmailVault, navigate to Ingestions and click Create New.
  2. Select Microsoft 365 as the provider.
  3. Enter a descriptive Name for this source (e.g., "Company Microsoft 365").

4.2 Enter the Credentials

Fill in the following fields using the values from the previous steps:

  Field         | Value
  Tenant ID     | The Directory (tenant) ID from Part 1.
  Client ID     | The Application (client) ID from Part 1.
  Client Secret | The secret value from Part 3.

4.3 Save

Click Save to create the ingestion source.


What Happens Next

After saving, MyEmailVault will:

  1. Authenticate with the Microsoft Graph API using the provided credentials.
  2. List all licensed users in your Microsoft 365 tenant.
  3. Begin importing emails from each user's mailbox.

The source status will show Importing during the initial bulk import. Once complete, it will transition to Active and MyEmailVault will continuously sync new emails as they arrive.

You can monitor import progress on the Ingestions page. Individual user mailboxes within the source will each show their own sync status.
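
To check the app registration independently of MyEmailVault, the following added example (not MyEmailVault's own code) requests an app-only token with the client credentials flow and compares its roles claim with the two permissions from Part 2, flagging any that are missing or broader than this guide requires. The function names are hypothetical, the sample token is constructed, and the payload is decoded for inspection only, without signature verification.

```python
import base64, json, urllib.parse, urllib.request

EXPECTED_ROLES = {"Mail.Read", "User.Read.All"}  # the two permissions granted in Part 2

def fetch_app_token(tenant_id, client_id, client_secret):
    """Client-credentials request to the Entra ID v2.0 token endpoint (needs network)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=30) as resp:
        return json.load(resp)["access_token"]

def token_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_roles(claims, tenant_id):
    """Compare the token's app roles and tenant against what the guide sets up."""
    roles = set(claims.get("roles", []))
    return {
        "tenant_ok": claims.get("tid") == tenant_id,
        "missing": sorted(EXPECTED_ROLES - roles),  # admin consent not granted yet
        "excess": sorted(roles - EXPECTED_ROLES),   # broader than the guide requires
    }

def constructed_token(claims):
    """Build an unsigned sample token so the check can be tried offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    # Constructed sample: placeholder tenant ID, one expected role missing, one extra.
    sample = constructed_token({"tid": "TENANT-ID-PLACEHOLDER",
                                "roles": ["Mail.Read", "Mail.ReadWrite"]})
    print(audit_roles(token_claims(sample), "TENANT-ID-PLACEHOLDER"))
    # Against a real tenant: token_claims(fetch_app_token(tenant, client, secret))
```

A non-empty "missing" list usually means admin consent from Part 2 has not been granted; a non-empty "excess" list means the registration carries more Graph application permissions than the two listed in this guide.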