Sent Items Update
As signatures/disclaimers are added to sent mail directly on Exchange Server, they are not visible in the mailboxes' Sent Items folders. To allow users to view signatures in their email clients, we have equipped CodeTwo Exchange Rules with the Sent Items Update (SIU) feature that enables updating sent emails, processed by the program, with signatures.
By default, the Sent Items Update service is disabled after a fresh installation and needs to be configured to start updating sent emails.
The Sent Items Update feature works as a separate Windows service that is installed together with the program. It accesses user mailboxes and updates them according to your rules (for example, adds signatures). The update process usually takes a few seconds.
The Sent Items Update service accesses mailboxes of original senders to update emails they sent. Therefore, if a message is sent by a distribution group or any other object that does not have a mailbox, it cannot be updated.
The Sent Items Update service runs under the Local System account and works independently of other CodeTwo services, using the Windows Communication Foundation (WCF) to communicate with them. It can be used in an on-premises Exchange environment as well as in a hybrid environment (on-premises Exchange Server integrated with Exchange Online). The service accesses and updates user mailboxes via Exchange Web Services (EWS). In order for the software to authenticate with EWS, certain requirements need to be fulfilled.
The SIU service requires the use of user account credentials to access on-premises Exchange server mailboxes. The organization's admins can:
- provide any existing, active user account credentials (e.g. if they have a dedicated service account to be used with third-party software or they want to use the administrator's credentials for that purpose); or
- create a new account for the service; or
- allow the software to create a new, dedicated user account automatically.
The account to be used by the Sent Items Update service:
- must have a valid User Principal Name (UPN) assigned,
- must be a member of the Domain Users group,
- must be granted impersonation rights (see our Knowledge Base article on how to set impersonation rights manually),
- should be in a working condition (it cannot be disabled, needs to have a valid password, etc.).
If you choose the Sent Items Update configuration wizard to create a dedicated service account automatically, this account will fulfill all the above requirements. If you select an existing user account manually, the software will verify it and, if necessary, add the required impersonation rights to that account.
To configure the Sent Items Update service correctly, you need to be logged in to the system with an account that is a member of the Domain Admins group. This is required because the software that runs under your account will attempt to assign impersonation rights or create a new user, depending what option you choose. For either of these two actions, the Domain Admin permissions are required.
To use the SIU service in a hybrid environment, you need to fulfill the requirements for on-premises Exchange servers (listed above). In addition, the service connects to your Microsoft 365 (Office 365) tenant using a secure OAuth 2.0 authorization protocol. To allow the service to access Exchange Online mailboxes, you need to register the CodeTwo application in Azure Active Directory of the tenant configured for your hybrid Exchange deployment. The application needs to be assigned the full_access_as_app permissions so that in can use EWS with full access to all Exchange Online mailboxes.
The application can be registered:
- automatically, when configuring the SIU service for a hybrid environment;
- manually in Azure AD, by following the instructions provided in this article.
If you choose the SIU service to register our application automatically, you will be asked to log in to your tenant using global admin account credentials via a dedicated Microsoft 365 sign-in page.
To open the Sent Items Update configuration wizard, click Settings on the program's toolbar, go to the Sent Items Update tab and click Configure (Fig. 1.). If the SIU service has not been configured yet, you can also access the wizard by clicking the Click to change link in the upper-right corner of the Administration Panel (Fig. 1.).
If you want to reconfigure the SIU service (e.g. change the environment in which the service runs from on-premises Exchange to hybrid), click the Change button next to Account (see Fig. 16. below).
Once the Sent Items Update service configuration wizard opens, you are asked to choose the type of your environment (Fig. 2.).
The next steps of the wizard will differ slightly, depending on your choice. Some of the steps below will only be available when configuring the SIU service for use in a hybrid environment:
- On-premises server connection
- On-premises admin account
- Microsoft 365 cloud (hybrid environment only)
- ADD application registration (hybrid environment only)
- ADD application details (hybrid environment only, if you select manual Azure AD app registration option)
Define the method of connecting to your on-premises server. The Autodiscover Exchange Server option (Fig. 3.) will allow the SIU service to locate the server automatically, based on the admin account credentials provided in the next step of the wizard.
If, for example, you want to connect to a server from a different domain, you can only do this by selecting the Configure connection manually option (Fig. 4.) and providing the server's FQDN name (e.g. servername.my-domain.com) or IP address. The EWS URL field is filled automatically, but you can edit it as well, if necessary.
If you prefer the manual configuration, you can use the localhost (127.0.0.1) endpoint in your EWS URL, provided that the Exchange server where the software is installed is a Client Access Server (CAS). In this case, the EWS URL is:
If you still don't know what is your EWS URL, see this article.
In this step, you need to provide credentials of the account that will be used by the Sent Items Update service to authenticate with Exchange Web Services and update emails in the Sent Items folder.
Use the Choose an existing account option (Fig. 5.) to enter the credentials of an admin account that meets the requirements described in the above section.
You can type the account's UPN manually or select it via the Browse button. If you click the Browse button, you can pull the UPN from your Active Directory (Fig. 6.). By clicking Locations, you can pick the domain from which the administrator's UPN will be taken. This option is not available with untrusted domains, so if you want to select a UPN from an untrusted domain, you have to type it manually.
Make sure that the selected account has its UPN configured (learn more). Otherwise, the setup process will be unsuccessful.
You can also select the Let the program create a new account automatically option (Fig. 7.). This will create a dedicated account that will be used by the service to update the processed emails.
If you select the option to create an account automatically, the created account will have the following UPN: CodeTwoSiuAgent@[your domain] (as shown in Fig. 7.).
Select Microsoft 365 (Office 365) cloud where your Exchange Online organization is hosted: Microsoft 365 global (which is also known simply as Microsoft 365) or Microsoft 365 Germany (Fig. 8.). Keep in mind that these are two independent clouds, and it is not possible to use Microsoft 365 credentials to log in to Microsoft 365 Germany (and the other way around). If your Microsoft 365 email address ends with .de, for example firstname.lastname@example.org, your tenant is hosted in the Microsoft 365 Germany cloud.
To allow the SIU service to connect securely to your Exchange Online organization in order to access and update user mailboxes, you need to register CodeTwo Exchange Rules in your Azure Active Directory. The registration can be performed automatically by the SIU configuration wizard or you can do it manually in your AAD.
Select Automatic registration and click Log in as Microsoft 365 admin (Fig. 9.). This will open the Microsoft 365 sign-in page. Provide the credentials of a global admin account and accept the necessary permissions. This will allow the application to update emails in the Sent Items folder with signatures.
The application will be registered as CodeTwo Exchange Rules in your Azure AD. A unique certificate will be generated and applied to this application.
Follow these steps to register the CodeTwo Exchange Rules application manually in your Azure Active Directory. Once done, select the Manual registration option in the AAD application registration step of the SIU service configuration wizard (Fig. 10.) and proceed to the next step.
After you have registered the CodeTwo application in your Azure Active Directory, you need to provide the registration details in the AAD application details step (Fig. 11.).
All the necessary information can be found in the Azure Active Directory admin center of your tenant:
- Client ID – this the ID assigned to the application after it has been registered in Azure AD. Go to Azure Active Directory > App registrations and click the name of the application. The ID will be shown on the Overview page, under Application (client) ID (Fig. 12.).
- Tenant ID – this is the unique ID of your Microsoft 365 tenant. You can find it on the same Overview page as shown in Fig. 12., under Directory (tenant) ID.
- Client secret or Certificate thumbprint – you only need to provide one of these credentials. Both are found in the Azure Active Directory admin center, on the Certificates & secrets page of the registered application (Fig. 13.). Find out more about how to use a client secret or certificate thumbprint.
To use the client secret (app password) credential in the SIU service configuration wizard, select the Client secret option and enter (or paste) the value in the right field. Be sure to copy the client secret value once you generate it. You will not be able to see (or copy) this credential once you leave the Certificates & secrets page in your Azure AD admin center.
If you assigned a certificate to the CodeTwo application in your Azure AD, you can use the thumbprint of that certificate in the SIU service configuration wizard (as shown in Fig. 11. above) to authenticate the application. To be able to do so, this certificate needs to be signed with a 2048 bits key and added to the personal certificate store of the currently logged in user. The wizard will also import the certificate to the personal store of the account under which the CodeTwo Exchange Rules Sent Items Update service runs.
You can use the Import button to open the Import certificate window (Fig. 14.). Here, click Browse, select your certificate, provide the password and click OK. This will install the certificate in the correct stores.
In case you ever need to reconfigure the SIU service from another instance of the Administration Panel installed on a different machine, you need to import the same certificate to the personal certificate store of the currently logged in user on that machine as well.
In the last step, the wizard creates a dedicated service account (if you selected this option in the On-premises admin account step), assigns the impersonation rights to the selected account and tests if this works. If you configured the SIU service in a hybrid environment, the wizard will also register the CodeTwo Exchange Rules application in your Azure AD (if you selected the Automatic registration option) and verify the connection to this application as well as to the Exchange Web Services. Click Configure to begin this process. If the configuration is successful, the wizard shows green-colored check marks next to the actions performed (Fig. 15.).
Once the configuration is done, confirm it by clicking Finish. Note that the service might not work right away – it can take a few minutes before it is deployed in your environment.
Once the Sent Items Update service is configured in an Administration Panel, there is no need to set it up on any other instance of the program in your organization – the configuration is propagated automatically. You only need to restart the other Administration Panels to see the changes.
In case you encountered any errors during the configuration process, refer to the Troubleshooting section below.
After the successful configuration of the Sent Items Update service, new settings become available in the Program settings window (Fig. 16.).
The following entries provide general information about the SIU service:
- Status – shows if the service is turned on/off. Use the button on the right side of the window to enable/disable the feature at any time.
- Account – shows the account under which the service currently works. You can change that account as well as reconfigure the SIU service via the Change button.
- Environment – informs whether the SIU service is configured for an on-premises environment only or for a hybrid environment (on-premises Exchange and Exchange Online).
The other options are related to the way messages in the Sent Items folder are updated:
- Senders scope
- Create copy of the original message when updating Sent Items
- If message splitting is activated, apply changes to all split messages and save them in Sent Items
This option allows you to define the users whose sent messages (emails in the Sent Items folder) are updated by the SIU service. Click the Change button (Fig. 17.) to open the Scope of updated mailboxes window. Next, use the drop-down menu to choose all users (the Update all mailboxes option, which is selected by default) or to include/exclude individual users or groups. To do so, select Update mailboxes from the list below only/Update all mailboxes except the ones from the list below and use the Add button to specify these users/groups.
This option is disabled by default. If you turn it on, there will be two messages in the Sent Items folder for each email sent – one that was not processed by the service and the second one that was processed (and, e.g., updated with a signature).
If a message is addressed to multiple recipients who match different rules, CodeTwo Exchange Rules can split this message into several copies on the server to apply individual rules to corresponding recipients. If you enable this option, as shown in Fig. 18., the software will show all copies of this message (with different rules applied) in the Sent Items folder of the mailbox from which was sent. If this option is not available (grayed out), this means that the message splitting feature is not enabled in your organization. You can turn it on in the program's settings – see this article to learn more.
The Sent Items Update service configuration errors
Failed to create the Sent Items Update account on on-premises servers
This error (Fig. 19.) might be associated with the service's inability to locate your server. Go back in the configuration wizard to the On-premises server connection step and make sure to enter correct data.
This warning refers to the program’s inability to grant impersonation rights automatically. In such a situation (Fig. 20.), you are instructed to assign impersonation rights manually. Keep in mind that if other actions performed during the configuration step are completed successfully, the SIU service will still be shown as configured.
This warning is shown if the impersonation rights were granted, but the wizard failed to test them automatically. In such a case, you can test them manually by clicking on the Details link on the right (Fig. 21., point 1). In the Details window, press click here. Type in the UPN of a user account (or select one from your AD) and the program will test if the previously configured SIU account has impersonation rights on this user account.
This error (Fig. 22.) occurs if the account provided in the AAD application registration step of is not a global admin of your Microsoft 365 tenant. Log in to your tenant using global admin credentials.
Also make sure that you have a working internet connection. If necessary, perform the registration manually.
If you get this error (Fig. 23.), make sure to click the Details button to find out more about the possible causes.
If you registered the CodeTwo application manually, also make sure that:
- all details provided in the AAD application registration step are correct,
- the certificate or client secret applied to the CodeTwo application still exist in your Azure AD,
- the certificate used with the CodeTwo application has a key size of at least 2048 bits.
The most common reasons for this error (Fig. 24.) to occur are:
- the CodeTwo Exchange Rules application registered in Azure AD is missing the full_access_as_app permission (click here to learn how to assign it),
- the SMTP email address of the account used to register the application in Azure AD is different than its UPN (User Principal Name),
- the application has just been registered, but not all changes have been propagated in your Azure AD. Wait awhile and try configuring the connection again.
If you use Microsoft Outlook, occasionally emails in your Sent Items folder might not be refreshed/displayed correctly. This is usually caused by Outlook's default behavior in the Cached Exchange mode and is not related to the SIU service. See this article to learn how to solve this problem.
Message splitting – this article describes how to configure the program to update emails including signatures/disclaimers in the Sent items folder of a particular mailbox if a given message was sent to various recipients encompassed by different rules.