# Microsoft 365 Integration

The PortSIP PBX integrates with **Microsoft 365** to provide seamless identity, contact, and email integration. The integration includes the following features:

* **User synchronization** from Microsoft 365 or Microsoft Entra ID (including on-premises Active Directory synchronized to the cloud using Azure AD Connect)
* **Single Sign-On (SSO)**, allowing users to sign in to the PortSIP PBX Web Portal and PortSIP ONE app using their Microsoft account
* **Personal contact synchronization**, syncing Microsoft 365 users’ personal contacts to PortSIP PBX user contacts
* **Shared mailbox contact synchronization**, syncing shared mailbox contacts to PortSIP PBX company contacts
* **Email notifications sent via Microsoft 365**, using OAuth authentication

***

### Prerequisites

Before enabling Microsoft 365 integration, ensure the following requirements are met:

* PortSIP PBX is running on a **static public IP address**
* PortSIP PBX is accessed via a **fully qualified domain name (FQDN)** with a valid SSL certificate
  * The SSL certificate must be issued by a trusted Certificate Authority (for example: DigiCert, Thawte, GoDaddy). Please refer to the guide [Certificates for TLS/HTTPS/WebRTC](/portsip-communications-solution/tutorials/certificates-for-tls-https-webrtc.md).
* The PBX tenant enabling Microsoft 365 integration has Microsoft 365 accounts with an **Exchange subscription**, such as:
  * Microsoft 365 Business Basic, Standard, or Premium
  * Microsoft 365 F3, E3, or E5

***

### Configuring Microsoft 365 Access

#### Configure the Application ID for the Tenant

To enable synchronization between PortSIP PBX and your Microsoft 365 or Azure environment, follow these steps:

1. Sign in to your Microsoft Azure or Microsoft 365 account.
2. Navigate to **Microsoft Entra ID**.
3. Select **App registrations** from the left-hand menu.
4. Click **New registration** to create a new application.
5. Enter an application name, for example: **PBX Server-side**.
6. For **Supported account types**, select **Accounts in this organizational directory only (Single tenant)**.
7. Sign in to the PortSIP PBX Web Portal:
   * Log in as the **Tenant Administrator**, or
   * Switch to the tenant scope if logged in as a **System Administrator**
8. Navigate to **Advanced > Microsoft 365 Integration** and copy the **Redirect URI**.
   * If PortSIP SBC is configured, two Redirect URIs will be displayed; copy both.

You will paste the Redirect URI (or URIs) into the application configuration in Microsoft Entra ID in the next steps.

<figure><img src="/files/qCCYZOCvK3ClBHTGA6f5" alt=""><figcaption></figcaption></figure>

9. Paste the **Redirect URI** into Microsoft 365 and save the changes.\
   If two Redirect URIs are required, add the first URI now. You will add the second URI in a later step.

<figure><img src="/files/EIIF92gvlkLicSFjcWDh" alt=""><figcaption></figcaption></figure>

10. Copy the **Application (client) ID** and **Directory (tenant) ID** from Microsoft 365.

<figure><img src="/files/TFoggTXgV5h8C1ZoydJT" alt=""><figcaption></figcaption></figure>

11. Be sure to save the **Directory (tenant) ID** for later use. At this stage, you only need to copy and paste the **Application (client) ID** into the PortSIP PBX, as shown in the screenshot below.

<figure><img src="/files/8zVjStbNgwJrlPFJeM8m" alt=""><figcaption></figcaption></figure>

12. If you have installed and configured the PortSIP SBC with the PBX, two **Redirect URIs** will be displayed in the PBX Web Portal. The first Redirect URI was added in the previous **step 9**.

To add the second Redirect URI, follow these steps:

1. Navigate to **App registrations** in your Azure or Microsoft 365 account.
2. Select the application you created earlier.
3. Open the **Authentication** menu and click **Add URI**.
4. Paste the second Redirect URI and save the changes.

> **Important:** \
> If the PBX web domain or SBC web domain changes in the future, you must update the corresponding Redirect URIs in Microsoft 365 to ensure the integration continues to work properly.

<figure><img src="/files/QR1Jpm0FdhrMCOoGqU9K" alt=""><figcaption></figcaption></figure>

***

### Generate Key Pair

Generate the certificate public key for Microsoft 365 as follows:

1. Sign in to the PortSIP PBX Web Portal.
2. Navigate to **Advanced > Microsoft 365 Integration**.
3. Click **Generate New Key Pair** and download the **public\_key.pem** file.

<figure><img src="/files/NKwR91t431YPa9fHQSVC" alt=""><figcaption></figcaption></figure>

Next, upload the public key to Microsoft 365:

1. Sign in to Microsoft 365.
2. In the application configuration, click **Upload certificates**.
3. Upload the **public\_key.pem** file and save the changes.

> **Note**\
> By default, the generated certificate is valid for one year. To maintain uninterrupted Microsoft 365 integration, you must regenerate the key pair and repeat the upload process before the current certificate expires each year.

<figure><img src="/files/jZZLwPKgff927WPHcXib" alt=""><figcaption></figcaption></figure>
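The yearly expiry described in the note above can be monitored from a scheduled job so the renewal is not missed. The following is an added example, not PortSIP's own tooling; it assumes the downloaded `public_key.pem` is a PEM-encoded X.509 certificate and that `openssl` is installed, and the function name `check_m365_cert` and the 30-day default are illustrative.

```shell
#!/bin/sh
# check_m365_cert FILE [WARN_DAYS]   (hypothetical helper, not part of PortSIP PBX)
# Exit status:
#   0  certificate stays valid for more than WARN_DAYS days
#   1  certificate expires within WARN_DAYS days (or has already expired)
#   2  FILE is not a readable PEM X.509 certificate
check_m365_cert() {
    cert_file=$1
    warn_days=${2:-30}

    # Refuse anything that does not parse as a certificate, so a wrong or
    # truncated download is reported instead of silently passing.
    if ! openssl x509 -in "$cert_file" -noout >/dev/null 2>&1; then
        echo "ERROR: $cert_file is not a readable PEM X.509 certificate" >&2
        return 2
    fi

    # notAfter date and SHA-1 fingerprint (colons stripped) for the report line.
    not_after=$(openssl x509 -in "$cert_file" -noout -enddate | cut -d= -f2)
    thumbprint=$(openssl x509 -in "$cert_file" -noout -fingerprint -sha1 \
        | cut -d= -f2 | tr -d ':')

    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if openssl x509 -in "$cert_file" -noout \
        -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo "OK: expires $not_after (thumbprint $thumbprint)"
        return 0
    fi

    echo "RENEW: expires $not_after, within $warn_days days (thumbprint $thumbprint)" >&2
    return 1
}

# Usage (for example from cron): check_m365_cert /path/to/public_key.pem 30
```

The printed SHA-1 thumbprint can be compared with the thumbprint Microsoft Entra ID lists for the uploaded certificate, to confirm the file being monitored is the one the application registration actually trusts.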

***

### Sync Options

To configure synchronization settings with Microsoft 365, follow these steps:

1. Sign in to the PortSIP PBX Web Portal.
2. Navigate to **Advanced > Microsoft 365 Integration**.

Configure the following options:

**Sync Schedule**\
Specify when the PBX should synchronize users from Microsoft 365. It is recommended to schedule synchronization at midnight (**00:00**) to minimize operational impact.

**Directory (Tenant) ID**\
Paste the **Directory (tenant) ID** that you saved earlier when registering the Microsoft 365 application.

**Microsoft 365 Region**\
National clouds are physically isolated Azure environments designed to meet data residency, sovereignty, and regulatory compliance requirements.

Microsoft Entra ID is available in the following cloud environments:

* Global Azure cloud
* Azure Government
* Microsoft Azure operated by 21Vianet

Currently, PortSIP PBX supports the **Global Azure cloud** and **Microsoft Azure operated by 21Vianet**. Select **GLOBAL** unless you explicitly need to connect to Microsoft Azure operated by 21Vianet.

<figure><img src="/files/kr4VowOm62CPZqKgEnht" alt=""><figcaption></figcaption></figure>

> **Important**\
> If both the **First Name** and **Last Name** fields of a Microsoft 365 user are empty (even if an email address exists), that user will not be synchronized to PortSIP PBX. This limitation is enforced by Microsoft 365.

<figure><img src="/files/rujwyFKNgtcfPIxbTWGs" alt=""><figcaption></figcaption></figure>

***

### Configuring API Permissions

Configure Microsoft Graph API permissions for the application as follows:

1. In the Azure or Microsoft 365 portal, open **API permissions** for the application.
2. Click **Add a permission**.
3. Select **Microsoft Graph**.

<figure><img src="/files/gD6DZ2j572MKIfKdSjxA" alt=""><figcaption></figcaption></figure>

4. On the Microsoft Graph page, choose **Application permissions**. Then type each of the permissions listed below into the **Select permissions** field, select them, and click **Add permissions**.
   * **User.ReadBasic.All** – This permission is mandatory.

<figure><img src="/files/qF4TnSElkuEyuepk6Clr" alt=""><figcaption></figcaption></figure>

Once all required permissions have been successfully granted, they will appear in the API permissions list, as shown in the screenshot below.\
If you plan to use the Microsoft 365 mail server to send email notifications, you must also grant the **Mail.Send** permission.

Additionally, the following optional permissions are supported:

* **Contacts.Read** – Required if the application needs to synchronize users’ personal contacts.
* **User-Phone.ReadWrite.All** – Required if the application needs to read or write users' phone numbers.
* **Mail.Send** – Required if the application needs to send emails.
* **GroupMember.Read.All** – Required if group-based user filtering is used.
* **MailboxSettings.Read** – Required if the application needs to access contacts from shared mailboxes.

<figure><img src="/files/1YmPNFtuuB3Oe3r57NR2" alt=""><figcaption></figcaption></figure>

***

#### Control Sync for Specified Departments

PortSIP PBX now allows you to choose specific departments for syncing users and contacts. This feature gives you greater control over permissions and enhances enterprise security. Please refer to the screenshot below.

<figure><img src="/files/n2m4sZdDuK7Tkk9EHBH6" alt=""><figcaption></figcaption></figure>

***

#### Configuring SSO

To enable **Single Sign-On (SSO)**, you must configure the **Microsoft 365 integration at the tenant level**.

***

#### Configure User Synchronization

To synchronize users from Microsoft 365 to PortSIP PBX:

1. Sign in to the **PortSIP PBX Web Portal**.
2. Navigate to **Integrations > Microsoft 365**.
3. Click the **User Sync** tab.

**Sync Mode**

Select a **Sync Mode**:

* **Manual** – Administrators manually trigger synchronization.
* **Automatic** – The system synchronizes users automatically.

**Important:** Once selected, the sync mode cannot be changed later. Choose carefully.

***

#### Extension Number Assignment

Specify how extension numbers will be assigned to synchronized users:

* You may define a **starting extension number range**.
* If no range is specified, the system automatically assigns the first available extension numbers.

***

#### User Photo Synchronization

You can enable synchronization of Microsoft 365 **profile photos**.

When enabled, user photos will be displayed as profile pictures in:

* PortSIP desktop and mobile apps
* The WebRTC client

<figure><img src="/files/Jkv8vSviiBVhTzLNbNcT" alt=""><figcaption></figcaption></figure>

***

#### Enable SSO

After configuring User Synchronization, you can enable Single Sign-On (SSO).

1. Sign in to the PortSIP PBX Web Portal.
2. Navigate to **Integrations > Microsoft 365**.
3. Click the **Sign In** tab.
4. Turn on **Enable**.
5. Select how users will use SSO according to your requirements.

After Microsoft 365 integration is successfully completed, a **Microsoft icon** will appear on the login pages of:

* The **PortSIP PBX Web Portal**
* The **PortSIP ONE app**

This indicates that SSO is enabled.

Users can click the **Microsoft icon** to sign in using their Microsoft 365 credentials.

<figure><img src="/files/ITnqKKqx0QOTDDJYctjn" alt=""><figcaption></figcaption></figure>

***

### Configuring Contact Synchronization

You can synchronize Microsoft 365 contacts with PortSIP PBX as follows:

* **Personal contacts**\
  Microsoft 365 personal contacts can be synced to each PortSIP PBX user’s personal contacts. This synchronization is **one-way**, meaning contacts must be created and maintained in Microsoft 365.
* **Shared mailbox contacts**\
  Contacts from Microsoft 365 shared mailboxes can be synchronized to the **PortSIP PBX company contacts**, making them available to all users.

All contacts stored in Microsoft 365 [Well-Known (Default) folders](https://learn.microsoft.com/en-us/dotnet/api/microsoft.exchange.webservices.data.wellknownfoldername?view=exchange-ews-api) will be synchronized.

<figure><img src="/files/EArBJajuDMJragN1gafi" alt=""><figcaption></figcaption></figure>


