Sent Items Update

Since signatures/disclaimers are added directly on the Exchange server after an email is sent, they are not visible to the senders. To let end users see their signatures in the Sent Items folder of their email clients, CodeTwo Exchange Rules Pro is equipped with the Sent Items Update (SIU) feature. The SIU service updates the sent emails after they have been processed by the program.

By default, the Sent Items Update service is disabled after a fresh installation and needs to be configured to start updating sent emails.

Overview

The Sent Items Update feature works as a separate Windows service that is installed together with the program. It accesses user mailboxes and updates them according to your rules (for example, adds signatures). The update process usually takes a few seconds.

Important

The Sent Items Update service accesses mailboxes of original senders to update emails they sent. Therefore, if a message is sent by a distribution group or any other object that does not have a mailbox, it cannot be updated.

Requirements for using the SIU service

The Sent Items Update service runs under the Local System account and works independently of other CodeTwo services, using the Windows Communication Foundation (WCF) to communicate with them. It can be used in an on-premises Exchange environment as well as in a hybrid environment (on-premises Exchange Server integrated with Exchange Online). The service accesses and updates user mailboxes via Exchange Web Services (EWS). In order for the software to authenticate with EWS, certain requirements need to be fulfilled.

Using the SIU service in an on-premises Exchange server

The SIU service requires the use of user account credentials to access on-premises Exchange server mailboxes. The organization's admins can: 

  • provide any existing, active user account credentials (e.g. if they have a dedicated service account to be used with third-party software or they want to use the administrator's credentials for that purpose); or
  • create a new account for the service; or
  • allow the software to create a new, dedicated user account automatically.

The account to be used by the Sent Items Update service:

  • must have a valid User Principal Name (UPN) assigned,
  • must be a member of the Domain Users group,
  • must be granted impersonation rights (see our Knowledge Base article on how to set impersonation rights manually),
  • should be in a working condition (it cannot be disabled, needs to have a valid password, etc.).

If you choose the Sent Items Update configuration wizard to create a dedicated service account automatically, this account will fulfill all the above requirements. If you select an existing user account manually, the software will verify it and, if necessary, add the required impersonation rights to that account.

Important

To configure the Sent Items Update service correctly, you need to be logged in to the system with an account that is a member of the Domain Admins group. This is required because the software that runs under your account will attempt to assign impersonation rights or create a new user, depending what option you choose. For either of these two actions, the Domain Admin permissions are required.

Using the SIU service in a hybrid environment

To use the SIU service in a hybrid environment, you need to fulfill the requirements for on-premises Exchange servers (listed above). In addition, the service connects to your Microsoft 365 (Office 365) tenant using a secure OAuth 2.0 authorization protocol. To allow the service to access Exchange Online mailboxes, you need to register the CodeTwo application in Azure Active Directory of the tenant configured for your hybrid Exchange deployment. The application needs to be assigned the full_access_as_app permissions so that in can use EWS with full access to all Exchange Online mailboxes.  

The application can be registered:

  • automatically, when configuring the SIU service for a hybrid environment;
  • manually in Azure AD, by following the instructions provided in this article.

If you choose the SIU service to register our application automatically, you will be asked to log in to your tenant using global admin account credentials via a dedicated Microsoft 365 sign-in page.

Configuration of the SIU service

To open the Sent Items Update configuration wizard, click Settings on the program's toolbar, go to the Sent Items Update tab and click Configure (Fig. 1.). If the SIU service has not been configured yet, you can also access the wizard by clicking the Click to change link in the upper-right corner of the Administration Panel (Fig. 1.).

Opening the Sent Items Update configuration wizard
Fig. 1. Opening the Sent Items Update configuration wizard.

If you want to reconfigure the SIU service (e.g. change the environment in which the service runs from on-premises Exchange to hybrid), click the Change button next to Account (see Fig. 16. below).

Environment

Once the Sent Items Update service configuration wizard opens, you are asked to choose the type of your environment (Fig. 2.).

The Sent Items Update configuration wizard: environment type selection
Fig. 2. The Sent Items Update configuration wizard: environment type selection.

The next steps of the wizard will differ slightly, depending on your choice. Some of the steps below will only be available when configuring the SIU service for use in a hybrid environment:

On-premises server connection

Define the method of connecting to your on-premises server. The Autodiscover Exchange Server option (Fig. 3.) will allow the SIU service to locate the server automatically, based on the admin account credentials provided in the next step of the wizard.

The Sent Items Update configuration wizard: connecting to an on-premises Exchange Server via the Autodiscover mechanism
Fig. 3.  The Sent Items Update configuration wizard: connecting to an on-premises Exchange Server via the Autodiscover mechanism.

If, for example, you want to connect to a server from a different domain, you can only do this by selecting the Configure connection manually option (Fig. 4.) and providing the server's FQDN name (e.g. servername.my-domain.com) or IP address. The EWS URL field is filled automatically, but you can edit it as well, if necessary.

The Sent Items Update configuration wizard: establishing a manual connection to an on-premises server
Fig. 4. The Sent Items Update configuration wizard: establishing a manual connection to an on-premises server.

Tip

If you prefer the manual configuration, you can use the localhost (127.0.0.1) endpoint in your EWS URL, provided that the Exchange server where the software is installed is a Client Access Server (CAS). In this case, the EWS URL is:

https://127.0.0.1/EWS/Exchange.asmx

If you still don't know what is your EWS URL, see this article.

On-premises admin account

In this step, you need to provide credentials of the account that will be used by the Sent Items Update service to authenticate with Exchange Web Services and update emails in the Sent Items folder.

Use the Choose an existing account option (Fig. 5.) to enter the credentials of an admin account that meets the requirements described in the above section.

The Sent Items Update configuration wizard: on-premises account manual setup
Fig. 5. The Sent Items Update configuration wizard: on-premises account manual setup.

You can type the account's UPN manually or select it via the Browse button. If you click the Browse button, you can pull the UPN from your Active Directory (Fig. 6.). By clicking Locations, you can pick the domain from which the administrator's UPN will be taken. This option is not available with untrusted domains, so if you want to select a UPN from an untrusted domain, you have to type it manually.

Choosing a domain to be searched for the administrator's UPN
Fig. 6. Choosing a domain to be searched for the administrator's UPN.

Important

Make sure that the selected account has its UPN configured (learn more). Otherwise, the setup process will be unsuccessful.

You can also select the Let the program create a new account automatically option (Fig. 7.). This will create a dedicated account that will be used by the service to update the processed emails.

The Sent Items Update configuration wizard: automatic creation of a dedicated service account
Fig. 7. The Sent Items Update configuration wizard: automatic creation of a dedicated service account.

If you select the option to create an account automatically, the created account will have the following UPN: CodeTwoSiuAgent@[your domain] (as shown in Fig. 7.).

Microsoft 365 cloud (hybrid environment only)

Select Microsoft 365 (Office 365) cloud where your Exchange Online organization is hosted: Microsoft 365 global (which is also known simply as Microsoft 365) or Microsoft 365 Germany (Fig. 8.). Keep in mind that these are two independent clouds, and it is not possible to use Microsoft 365 credentials to log in to Microsoft 365 Germany (and the other way around). If your Microsoft 365 email address ends with .de, for example admin@my-company.onmicrosoft.de, your tenant is hosted in the Microsoft 365 Germany cloud.

The Sent Items Update configuration wizard: selecting the Microsoft 365 cloud.
Fig. 8. The Sent Items Update configuration wizard: selecting the Microsoft 365 cloud.

ADD application registration (hybrid environment only)

To allow the SIU service to connect securely to your Exchange Online organization in order to access and update user mailboxes, you need to register CodeTwo Exchange Rules Pro in your Azure Active Directory. The registration can be performed automatically by the SIU configuration wizard or you can do it manually in your AAD.

Automatic registration

Select Automatic registration and click Log in as Microsoft 365 admin (Fig. 9.). This will open the Microsoft 365 sign-in page. Provide the credentials of a global admin account and accept the necessary permissions. This will allow the application to update emails in the Sent Items folder with signatures.

The Sent Items Update configuration wizard: automatic application registration.
Fig. 9. The Sent Items Update configuration wizard: automatic application registration.

The application will be registered as CodeTwo Exchange Rules in your Azure AD. A unique certificate will be generated and applied to this application.

Manual registration

Follow these steps to register the CodeTwo Exchange Rules application manually in your Azure Active Directory. Once done, select the Manual registration option in the AAD application registration step of the SIU service configuration wizard (Fig. 10.) and proceed to the next step.

The Sent Items Update configuration wizard: proceeding with the manual application registration option
Fig. 10. The Sent Items Update configuration wizard: proceeding with the manual application registration option.

ADD application details (hybrid environment only)

After you have registered the CodeTwo application in your Azure Active Directory, you need to provide the registration details in the AAD application details step (Fig. 11.).

The Sent Items Update configuration wizard: providing the application registration details
Fig. 11. The Sent Items Update configuration wizard: providing the application registration details.

All the necessary information can be found in the Azure Active Directory admin center of your tenant:

  • Client ID – this the ID assigned to the application after it has been registered in Azure AD. Go to Azure Active Directory > App registrations and click the name of the application. The ID will be shown on the Overview page, under Application (client) ID (Fig. 12.).
  • Tenant ID – this is the unique ID of your Microsoft 365 tenant. You can find it on the same Overview page as shown in Fig. 12., under Directory (tenant) ID.
  • Client secret or Certificate thumbprint – you only need to provide one of these credentials. Both are found in the Azure Active Directory admin center, on the Certificates & secrets page of the registered application (Fig. 13.). Find out more about how to use a client secret or certificate thumbprint.

ER Pro - SIU - Azure app IDs
Fig. 12. Location of the client and tenant IDs in the Azure AD admin center.

Location of the certificate thumbprint (A) and client secret (B) credentials in the Azure AD admin center
Fig. 13. Location of the certificate thumbprint (A) and client secret (B) credentials in the Azure AD admin center.

Using a client secret

To use the client secret (app password) credential in the SIU service configuration wizard, select the Client secret option and enter (or paste) the value in the right field. Be sure to copy the client secret value once you generate it. You will not be able to see (or copy) this credential once you leave the Certificates & secrets page in your Azure AD admin center.

Using a certificate thumbprint

If you assigned a certificate to the CodeTwo application in your Azure AD, you can use the thumbprint of that certificate in the SIU service configuration wizard (as shown in Fig. 11. above) to authenticate the application. To be able to do so, this certificate needs to be signed with a 2048 bits key and added to the personal certificate store of the currently logged in user. The wizard will also import the certificate to the personal store of the account under which the CodeTwo Exchange Rules Sent Items Update service runs.

You can use the Import button to open the Import certificate window (Fig. 14.). Here, click Browse, select your certificate, provide the password and click OK. This will install the certificate in the correct stores.

The Sent Items Update configuration wizard: importing a certificate
Fig. 14. The Sent Items Update configuration wizard: importing a certificate.

Warning

In case you ever need to reconfigure the SIU service from another instance of the Administration Panel installed on a different machine, you need to import the same certificate to the personal certificate store of the currently logged in user on that machine as well.

Configuration

In the last step, the wizard creates a dedicated service account (if you selected this option in the On-premises admin account step), assigns the impersonation rights to the selected account and tests if this works. If you configured the SIU service in a hybrid environment, the wizard will also register the CodeTwo Exchange Rules application in your Azure AD (if you selected the Automatic registration option) and verify the connection to this application as well as to the Exchange Web Services. Click Configure to begin this process. If the configuration is successful, the wizard shows green-colored check marks next to the actions performed (Fig. 15.).

Successful configuration of the SIU service. The displayed actions might differ depending on your setup
Fig. 15. Successful configuration of the SIU service. The displayed actions might differ depending on your setup.

Once the configuration is done, confirm it by clicking Finish. Note that the service might not work right away – it can take a few minutes before it is deployed in your environment.  

Important

Once the Sent Items Update service is configured in an Administration Panel, there is no need to set it up on any other instance of the program in your organization – the configuration is propagated automatically. You only need to restart the other Administration Panels to see the changes.

In case you encountered any errors during the configuration process, refer to the Troubleshooting section below.

SIU settings

After the successful configuration of the Sent Items Update service, new settings become available in the Program settings window (Fig. 16.).

The Sent Items Update options
Fig. 16. The Sent Items Update options.

The following entries provide general information about the SIU service:

  • Status – shows if the service is turned on/off. Use the button on the right side of the window to enable/disable the feature at any time.
  • Account – shows the account under which the service currently works. You can change that account as well as reconfigure the SIU service via the Change button.
  • Environment – informs whether the SIU service is configured for an on-premises environment only or for a hybrid environment (on-premises Exchange and Exchange Online). 

The other options are related to the way messages in the Sent Items folder are updated:

Senders scope

This option allows you to define the users whose sent messages (emails in the Sent Items folder) are updated by the SIU service. Click the Change button (Fig. 17.) to open the Scope of updated mailboxes window. Next, use the drop-down menu to choose all users (the Update all mailboxes option, which is selected by default) or to include/exclude individual users or groups. To do so, select Update mailboxes from the list below only/Update all mailboxes except the ones from the list below and use the Add button to specify these users/groups.

Changing the scope of mailboxes to be updated by SIU
Fig. 17. Changing the scope of mailboxes to be updated by SIU.

Create copy of the original message when updating Sent Items

This option is disabled by default. If you turn it on, there will be two messages in the Sent Items folder for each email sent – one that was not processed by the service and the second one that was processed (and, e.g., updated with a signature).

If message splitting is activated, apply changes to all split messages and save them in Sent Items

If a message is addressed to multiple recipients who match different rules, CodeTwo Exchange Rules Pro can split this message into several copies on the server to apply individual rules to corresponding recipients. If you enable this option, as shown in Fig. 18., the software will show all copies of this message (with different rules applied) in the Sent Items folder of the mailbox from which was sent. If this option is not available (grayed out), this means that the message splitting feature is not enabled in your organization. You can turn it on in the program's settings – see this article to learn more.

Enable this option to show all split messages in the Sent Items folder
Fig. 18. Enable this option to show all split messages in the Sent Items folder.

Troubleshooting

The Sent Items Update service configuration errors 

It may sometimes happen that the configuration ends up with errors. In such a case, the wizard displays which steps have failed.

Failed to create the Sent Items Update account on on-premises servers

This error (Fig. 19.) might be associated with the service's inability to locate your server. Go back in the configuration wizard to the On-premises server connection step and make sure to enter correct data. 

A failed configuration of the Sent Items Update service
Fig. 19. A failed configuration of the Sent Items Update service.

Failed to grant the impersonation rights on on-premises servers

This warning refers to the program’s inability to grant impersonation rights automatically. In such a situation (Fig. 20.), you are instructed to assign impersonation rights manually. Keep in mind that if other actions performed during the configuration step are completed successfully, the SIU service will still be shown as configured. 

Failure to grant impersonation rights automatically
Fig. 20. Failure to grant impersonation rights automatically.

Impersonation rights are not working correctly on on-premises servers

This warning is shown if the impersonation rights were granted, but the wizard failed to test them automatically. In such a case, you can test them manually by clicking on the Details link on the right (Fig. 21., point 1). In the Details window, press click here. Type in the UPN of a user account (or select one from your AD) and the program will test if the previously configured SIU account has impersonation rights on this user account.

Testing the selected admin account's impersonation rights on other user mailboxes
Fig. 21. Testing the selected admin account's impersonation rights on other user mailboxes.

Failed to register the application in Azure AD

This error (Fig. 22.) occurs if the account provided in the AAD application registration step of is not a global admin of your Microsoft 365 tenant. Log in to your tenant using global admin credentials.

Also make sure that you have a working internet connection. If necessary, perform the registration manually

The program failed to automatically register the CodeTwo application in Azure AD.
Fig. 22. The program failed to automatically register the CodeTwo application in Azure AD.

Failed to authenticate the application

If you get this error (Fig. 23.), make sure to click the Details button to find out more about the possible causes. 

If you registered the CodeTwo application manually, also make sure that:

  • all details provided in the AAD application registration step are correct,
  • the certificate or client secret applied to the CodeTwo application still exist in your Azure AD,
  • the certificate used with the CodeTwo application has a key size of at least 2048 bits.

The SIU service failed to connect to and authenticate the CodeTwo application registered in Azure AD.
Fig. 23. The SIU service failed to connect to and authenticate the CodeTwo application registered in Azure AD.

Failed to connect to Exchange Web Services

The most common reasons for this error (Fig. 24.) to occur are:

  • the CodeTwo Exchange Rules application registered in Azure AD is missing the full_access_as_app permission (click here to learn how to assign it),
  • the SMTP email address of the account used to register the application in Azure AD is different than its UPN (User Principal Name),
  • the application has just been registered, but not all changes have been propagated in your Azure AD. Wait awhile and try configuring the connection again.

ER Pro - SIU - error - connect to EWS
Fig. 24. The SIU service failed to connect to Exchange Web Services.

Sent Items not updated in Outlook

If you use Microsoft Outlook, occasionally emails in your Sent Items folder might not be refreshed/displayed correctly. This is usually caused by Outlook's default behavior in the Cached Exchange mode and is not related to the SIU service. See this article to learn how to solve this problem.

See next

Quick guide to creating email rules

See also

Message splitting – this article describes how to configure the program to update emails including signatures/disclaimers in the Sent items folder of a particular mailbox if a given message was sent to various recipients encompassed by different rules.

Was this information useful?