07b. Synctool Exchange sources
Exchange sources are commonly used to create Zivver functional accounts based on Exchange shared mailboxes.
Synchronization is one-way: from Exchange to Zivver, not the other way around. Filters determine which shared mailboxes are synchronized from Exchange to Zivver. Filters can currently only be email addresses.
It is not possible to create Zivver user accounts for Exchange user mailboxes. Please see configure LDAP sources to learn how to synchronize Exchange user accounts to Zivver.
- Enter a Source name.
For example “Microsoft Exchange Online” or “Microsoft Exchange on-premise 2019”.
- Enter a Source description.
For example, the name of the administrator who configured this Exchange source.
These settings allow the Synctool to connect to your Exchange server.
Choose the Exchange type you want to use as a source to synchronize functional accounts to Zivver.
- Only use Office 365 - MFA for manual synchronizations
It is not possible to use Office 365 - MFA for automatic synchronizations, because completing Multi-Factor Authentication requires a manual action from the administrator.
Set up a connection to Exchange Online manually
Select Exchange Online with MFA login.
Admin user name
Fill in the username for the account that can be used to log into Exchange Online. The account must meet the criteria in the Synctool prerequisites. The username for Exchange Online is always an email address.
Set up a connection to Exchange Online automatically with certificate
Make sure app-only authentication for unattended scripts is already configured before attempting to connect the Zivver Synctool to Exchange Online.
Select Exchange Online with Certificate login.
Fill in the location, including the file name, of the .pfx file created at step 3: Generate a self-signed certificate. For example
Pay attention to the run path in PowerShell
The directory from which you run the PowerShell cmdlet needed to create a certificate is also where the .pfx file will be stored. For example, if you run the cmdlet from C:\Windows\System32, then the file location will be
Fill in the password that you used to secure the .pfx file at step 3: Generate a self-signed certificate. Make sure the password is at least 12 characters long and store the password somewhere safe.
Fill in the application ID of the App registration created at step 1: Application registration in Azure AD.
- Go to portal.azure.com.
- Select Azure Active Directory.
- Select the tab App registrations.
- Select the App registration created for the Synctool from the list.
- Copy the Application (client) ID.
Exchange Organization name
Fill in the Microsoft domain of your Azure AD tenant. It usually looks like
- Go to portal.azure.com.
- Select Azure Active Directory.
- Select the tab Overview.
- Look for the primary .onmicrosoft.com domain on the tenant information tile.
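Before entering the certificate login values in the Synctool, they can be checked locally. The script below is an added example, not part of the Zivver documentation or the Synctool; the file name, application ID and organization name are placeholders to replace with your own values.

```powershell
# Added example: pre-flight check for "Exchange Online with Certificate login".
# The three values below are placeholders (assumptions); replace them with your own.
$PfxPath      = '.\synctool-example.pfx'                 # hypothetical file name
$AppId        = '00000000-0000-0000-0000-000000000000'   # placeholder Application (client) ID
$Organization = 'example.onmicrosoft.com'                # placeholder tenant domain

# A relative path resolves against the directory PowerShell runs in, which is
# where the certificate was exported. The Synctool needs the full location.
$FullPath = (Resolve-Path -LiteralPath $PfxPath -ErrorAction Stop).ProviderPath

$Password = Read-Host -Prompt 'Password of the .pfx file' -AsSecureString
if ($Password.Length -lt 12) { throw 'The .pfx password is shorter than 12 characters.' }

$guid = [guid]::Empty
if (-not [guid]::TryParse($AppId, [ref]$guid)) { throw 'The application ID is not a GUID.' }
if ($Organization -notlike '*.onmicrosoft.com') {
    Write-Warning "'$Organization' is not an .onmicrosoft.com domain."
}

# Opening the file fails on a wrong password, so this validates both path and password.
$Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($FullPath, $Password)
try {
    if (-not $Cert.HasPrivateKey) { throw 'The .pfx file contains no private key.' }
    if ($Cert.NotAfter -le (Get-Date)) { throw "The certificate expired on $($Cert.NotAfter)." }
    [pscustomobject]@{
        FileLocation = $FullPath
        Thumbprint   = $Cert.Thumbprint
        ValidUntil   = $Cert.NotAfter
        DaysLeft     = [int]($Cert.NotAfter - (Get-Date)).TotalDays
    } | Format-List
}
finally { $Cert.Dispose() }

# The .pfx file plus its password is a credential for the app registration:
# review which accounts can read the file.
(Get-Acl -LiteralPath $FullPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

With the ExchangeOnlineManagement module installed, the same values can be tested end to end with Connect-ExchangeOnline and its -CertificateFilePath, -CertificatePassword, -AppId and -Organization parameters.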
Set up a connection to Exchange on-premise
Select Exchange on premise.
Fill in the Exchange address. The Synctool will use this address to set up a remote connection.
What should the Exchange address look like?
The address should look like ServerFQDN, with the fully qualified domain name of your Exchange server.
For example exchange01.example.com.
Select Yes. Using Kerberos is the default way to authenticate for Exchange on-premise.
Admin user Name
Fill in the username for the account that can be used to log into Exchange. The account must meet the criteria in the Synctool prerequisites. The username is often preceded by the domain.
Enter the password for the Exchange on-premise account.
Use Get-EXOMailbox command
To speed up the Synctool while it fetches data from Exchange, we recommend selecting the option Use Get-EXOMailbox command. If you are using Exchange properties that are not in the minimum set retrieved by this command, you can specify additional Properties or Property Sets. Read more about this in the Microsoft documentation.
Select extra PowerShell commands to get more member/delegation data
You can select extra PowerShell commands to get more members or delegations for your mailboxes.
- Use Get-ADGroupMember if you delegate access to mailboxes in Exchange Server via Active Directory Security Groups.
- Use Get-ADPermissionSendAs to retrieve Active Directory access control lists (ACLs) in Exchange Server. This is a legacy feature and usage is not recommended.
- Use Get-DistributionGroupMember (recommended) if you delegate access to mailboxes in Exchange Server/Online via mail-enabled security groups or distribution groups.
- Use Get-Recipient if mail-enabled objects from Exchange Server/Online that should be present based on the filtering options are missing in the synchronization. This is a legacy feature and usage is not recommended.
User Field Mapping (Exchange) allows you to synchronize different types of Exchange mailboxes to Zivver as user accounts. By default only the UserMailbox type is enabled, as this usually reflects the users that need to login to Zivver to send or receive sensitive data.
If you are using Microsoft ADFS as Identity Provider, you need to select the option to Base64 encode the ZivverAccountKey value. ADFS will provide Zivver with the Base64 encoded version of this value when the user logs in with Single Sign-On.
The following fields are mapped to the values that are standard in Exchange sources:
Mapped to the property AccountDisabled.
Mapped to the property EmailAddresses(smtp).
Mapped to the mailbox permissions (retrieved with the Get-MailboxPermissions command).
Group Field Mapping (Exchange) allows you to synchronize different types of Exchange mailboxes to Zivver as functional accounts.
By default only SharedMailbox type is enabled. Other mailbox types are often not used to send or receive sensitive data, and therefore a Zivver functional account is not required.
Tick the box Replace nested shared mailboxes and nested security groups with their members when your organization assigns mailbox permissions to nested security groups (groups in groups) or nested shared mailboxes.
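What replacing nested groups and nested shared mailboxes with their members means for the resulting access list can be worked through on sample data. The script below is an added example, not the Synctool's own logic; the mailbox, group and user names are constructed, and the function names are hypothetical.

```powershell
# Added example with constructed data: no Exchange connection is needed.
# Keys are shared mailboxes or groups; values are the objects holding access or membership.
$Members = @{
    'finance@example.com'  = @('sg-finance', 'alice@example.com')    # shared mailbox
    'sg-finance'           = @('sg-controllers', 'bob@example.com')  # security group
    'sg-controllers'       = @('carol@example.com', 'sg-finance')    # nested group, with a loop
    'invoices@example.com' = @('finance@example.com')                # nested shared mailbox
}

function Expand-Delegates {
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [hashtable] $Map,
        [System.Collections.Generic.HashSet[string]] $Seen
    )
    if ($null -eq $Seen) {
        $Seen = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    }
    # Add() returns $false for a container that was already visited: stop on loops.
    if (-not $Seen.Add($Name)) { return }
    foreach ($entry in $Map[$Name]) {
        if ($Map.ContainsKey($entry)) {
            Expand-Delegates -Name $entry -Map $Map -Seen $Seen   # group or shared mailbox
        } else {
            $entry                                                 # individual user
        }
    }
}

function Get-EffectiveDelegates {
    param([string] $Mailbox, [hashtable] $Map)
    @(Expand-Delegates -Name $Mailbox -Map $Map | Sort-Object -Unique)
}

# List who ends up with access to each functional account after expansion.
foreach ($mailbox in 'finance@example.com', 'invoices@example.com') {
    [pscustomobject]@{
        Mailbox   = $mailbox
        Delegates = (Get-EffectiveDelegates -Mailbox $mailbox -Map $Members) -join ', '
    }
}
```

Reviewing the expanded list before enabling the option shows every user who gains access to a functional account through group membership alone.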
Organizational Units Mapping maps functional accounts from your Exchange source to an organizational unit (OU) in Zivver.
If your organization does not use organizational units in Zivver, leave the default None or Excel selected.
If your organization uses organizational units in Zivver, you should have access to the Organization Units tab in Zivver. If you don’t have access, either your organization doesn’t use organizational units in Zivver, or you don’t have administrator rights.
If your organization uses organizational units in Zivver, then select an option based on your configuration of OUs in the Zivver admin panel.
You can check the Organizational Unit Identifier by browsing to the Organization Units tab in Zivver, clicking one of the OUs present and editing the Organizational Unit. You will see the identifier in a popup under Organization Unit Identifier.
Object Filter (Exchange) allows you to filter on email addresses.
Add all email addresses to be filtered on in a list, with each email address on a separate row. Add this list to the Filter Text to filter all email addresses in the list.
- Check Enable Exchange Source filtering.
- Enter the filter value(s) at Filter Text.
If you want to enter more than one filter value, add each value on a separate line.
- Choose between a positive filter (include) or negative filter (exclude).
You can’t include and exclude in the same filter.
View the results at Data Preview.
Use Source Merge Settings to choose what Synctool should do if distinct sources (e.g. an Exchange source and Excel source) contain identical entries.
If this is the first source in the Source Overview then no merge settings are available.
Objects found in the currently selected source overwrite duplicate objects from previous sources.
Objects found in the currently selected source are overwritten by duplicate objects from previous sources.
Prompt the admin to resolve duplicates before synchronizing.
Source Data Preview (Exchange) allows you to preview all functional accounts found in your Exchange source.
Click Load the data now to get a preview of all functional accounts found in your Exchange source.