mailvault365

Documentation

Setup, permissions,
and how it works.

Everything you need to wire mailvault365 into your Microsoft 365 organization. Most setups are live in under five minutes.

Get started · 1

Quick start

From zero to archive in three clicks. The whole flow takes about two minutes if you have Microsoft 365 admin rights.

  1. 1

    Sign in with Microsoft 365

    ~20 seconds

    Click Continue with Microsoft 365 on the login page, using a Microsoft 365 admin account. The first user signing in for your organization becomes the account owner automatically.

  2. 2

    Grant admin consent

    ~30 seconds

    On the onboarding screen, click Grant admin consent. Microsoft prompts you to authorize the two read-only Graph permissions. Only a Microsoft 365 admin can approve.

  3. 3

    Wait for first sync

    ~5 minutes

    Mailboxes are discovered within seconds. Initial backfill runs in the background — depending on history size, the first messages appear within minutes and the rest within hours.

Get started · 2

M365 plan compatibility

mailvault365 works with any Microsoft 365 plan that includes Exchange Online — which is essentially all business plans.

Business Basic / Standard / Premium
Microsoft 365 E1 / E3 / E5
Microsoft 365 Apps for Business — no Exchange Online
Exchange Online Plan 1 / Plan 2
Office 365 E1 / E3 / E5
Personal / Family (consumer) — no Exchange Online

Shared, room, and equipment mailboxes are archived alongside user mailboxes. There is no separate license needed on Microsoft's side — just the mailbox itself.

Get started · 3

Microsoft 365 permissions

mailvault365 uses two Application permissions on Microsoft Graph. Both are read-only — no mailbox is ever modified.

Permission Why we need it
User.Read.All List the mailboxes that exist in your organization.
Mail.Read Read messages from those mailboxes (read-only access).

Get started · 4

First login & onboarding

After your admin grants consent, the onboarding wizard runs through four phases — each is automatic once started.

01

Admin consent

One-time approval of the two read-only Graph permissions, by a Microsoft 365 admin.

02

Mailbox discovery

mailvault365 lists every active mailbox in your organization — users, shared, room, equipment.

03

Initial backfill

Every historical message is fetched and archived. Larger histories run in the background for hours.

04

Live archiving

A 5-minute scheduled sync keeps every mailbox current. No manual exports, no gaps.

Configuration

Email notifications

When a mailbox sync fails three times in a row, the account owner receives an email with the error and a link to retry. Transient failures auto-retry in the queue and are silent.

Notifications are sent from mail@mailvault365.com — nothing for you to configure.

Configuration

Users & roles

There are three role tiers. Each user gets exactly one role at a time.

Owner

The single billing contact. Manages the subscription, invoices and account deletion. Receives all sync-failure alerts. Exactly one per account — transferable.

Admin

Manages mailboxes, users, role assignments and reads the audit log. Cannot access billing — that's owner-only. Multiple admins per account allowed.

Member

Sees their own mailbox by default (matched by email). Cross-mailbox access requires an explicit grant from an admin or owner.

The first user signing in for your organization becomes owner automatically. Subsequent users default to member. Admins manage other users under Administration → Users; only the owner can transfer ownership.

Configuration

Mailbox management

Under Administration → Mailboxes, you can:

  • See live sync state per mailbox: up to date, syncing X/Y, failed, removed.
  • Re-discover mailboxes from Microsoft 365 after adding users in Azure.
  • Manage who has access to each mailbox via search-driven user grants.
  • Permanently delete a mailbox from the archive when it's no longer needed (irreversible — drops billing for that mailbox).

Mailbox archiving runs continuously. There is no per-mailbox pause — when a Microsoft 365 user is deactivated or removed, sync stops automatically and the mailbox is flagged Removed while the archive stays read-only accessible.

Using the archive

Searching

Every search runs against subject, sender name, sender email, and body preview — full-text, instant, debounced as you type. Filters stack: combine any of them in one query.

Per mailbox

Open a mailbox from the Archive page. The filter bar sits at the top of the message list — every keystroke updates the matches.

Across mailboxes

Click Search messages on the Archive page. Results come from every mailbox you currently have access to — your own, plus any explicit grants.

Filter dimensions

Stack any combination in one query. Active filters appear as removable chips above the results.

Filter What it matches
Free-text Subject, sender name, sender email, body preview.
Sender Match by display name or address — partial matches work. Example: @kontrakt-ag.com.
Recipient Match across the To and Cc headers — by name or address.
Attachment Three states: Any, With attachment, Without attachment.
Date range Quick presets — Today, Last 7 days, Last 30 days, This month, This year — or pick a custom from/to.

Saved searches

A saved search captures the current filter combination under a name. Click it once to bring all those filters back — handy for queries you run every week ("this quarter's invoices", "contracts from legal", "attachments over 10 MB").

  • Save current — names the active filter combination. Saved searches are per-user, not shared with anyone else.
  • Click any saved search to apply it instantly. The chip turns blue while active.
  • Delete a saved search from the strip when you no longer need it.

Working with results

  • Cross-mailbox results show the source mailbox next to each match — so you always see where the hit came from.
  • Search terms are highlighted in the body preview, so you can scan results without opening every match.
  • Clicking a result opens the message detail page. Opening a message in a mailbox you don't own is recorded in the audit log.

Using the archive

Downloads & EML files

Every archived message is stored as a standard .eml file (RFC822 format) — open it anywhere, anytime, even decades from now. On the message detail page, click Download .eml to get the original — opens in Outlook, Thunderbird, Apple Mail, or any standards-compliant client.

When the same email reaches multiple mailboxes (e.g. company-wide announcements), mailvault365 stores it only once — no duplication, no wasted storage.

Using the archive

Attachments

When you open a message that has attachments, each one appears as a clickable card with filename, MIME type, and size. Click to download the individual attachment without downloading the entire EML.

Billing

Pricing & invoices

Per mailbox

$4 / month

Every mailbox in your organization

Storage included

20 GB / mailbox

Pooled across all your archives

Setup fee

$0

No onboarding charges

Invoices are issued monthly and paid via card or SEPA direct debit. Local sales tax / VAT / GST is calculated and added automatically based on your billing country — B2B customers with a valid VAT-ID see reverse-charge applied where applicable.

When a mailbox appears or disappears in Microsoft 365 mid-cycle, your subscription updates automatically. New mailboxes are billed pro-rata immediately; reductions credit on the next renewal.

Mailboxes that have been removed in Microsoft 365 (the user was deactivated) continue to be billed because their archive remains stored and searchable. To stop billing for a removed mailbox, use Delete from archive on Administration → Mailboxes — that step is irreversible.

Billing

Cancellation & data export

Cancel any time from the billing portal. Your subscription ends at the close of the current billing period — you keep full access until then.

Your archived emails are stored as standard .eml files (RFC 822) from day one — never a proprietary format. Individual .eml downloads are available from every message detail page. If you need a complete archive export before cancellation, contact support and we'll arrange it.

After cancellation, your data is retained for 30 days as a grace period — re-subscribing within that window restores everything instantly. After 30 days, all archived content is permanently deleted from our systems and backups.

Compliance

Retention & deleted users

When a user is deactivated or removed in Azure, their mailbox is not deleted from mailvault365. The archive must outlive the original mailbox — that's the entire point of compliance archiving. The mailbox shows a Removed badge but stays read-only accessible.

If the user is later re-activated in Azure, the mailbox is automatically restored on the next sync, and historical email becomes searchable again.

Compliance

Audit log

Cross-mailbox activity and administrative changes are recorded with user, timestamp, and target. Admins and owners review the log under Administration → Activity.

What gets logged

Cross-mailbox view

Opening a mailbox you don't own (admin or granted access).

Message read

Opening an individual message in a mailbox you don't own.

EML download

Downloading the original .eml file.

Attachment download

Downloading an individual attachment from a message.

Access grant or revoke

Admin grants or revokes a user's access to a mailbox.

Role change

Promotion to admin, demotion to member, or ownership transfer.

Reading your own mailbox is not logged — that's expected, day-to-day behavior, not a compliance event. The log focuses on the cross-mailbox access an auditor or internal review actually cares about.

Compliance

Data residency & storage

Your archive is stored on European infrastructure and is yours alone — other customers can never see it, search it, or end up in it. All connections to Microsoft 365 and to mailvault365 are encrypted. Detailed hosting information is available on request.

Email content is stored as the original RFC 822 .eml file — exactly as Microsoft 365 delivered it, with no re-encoding. Once archived, individual messages cannot be deleted by users or admins. The only exception is your account owner permanently removing an entire mailbox archive after the employee has been removed from Microsoft 365 — a deliberate cleanup step that frees up the mailbox from your billing.

Help

FAQ

Does mailvault365 ever modify mailboxes?
No. The Graph permissions we use are read-only. We never write, delete, mark as read, or move messages.
How often does sync run?
Every 5 minutes per mailbox. Initial sync (first time you connect) pulls every existing message — depending on volume this can take minutes to hours.
What happens to deleted users?
Their mailbox stays in mailvault365 with a "Removed" badge. The archive must outlive the source mailbox — that's the point of compliance.
Can I stop billing for a mailbox?
Yes — permanently delete it from the archive on Administration → Mailboxes. This erases the data and removes the mailbox from billing on the next renewal. The action is irreversible.
Where is data stored?
Your archive is stored on European infrastructure and is yours alone — other customers can never see it, search it, or end up in it. All connections are encrypted. Detailed hosting information is available on request.
Can external auditors get access?
Admins or owners can grant per-mailbox access to any user in your organization. External-auditor access (someone outside your Microsoft 365 organization) is on the roadmap.

Still stuck?

If something in the docs doesn't fit your setup, drop us a line — we read every message.

Contact us