Microsoft 365 Integration
The PortSIP PBX integrates with Microsoft 365 to provide seamless identity, contact, and email integration. The integration includes the following features:
User synchronization from Microsoft 365 or Microsoft Entra ID (including on-premises Active Directory synchronized to the cloud using Azure AD Connect)
Single Sign-On (SSO), allowing users to sign in to the PortSIP PBX Web Portal and PortSIP ONE app using their Microsoft account
Personal contact synchronization, syncing Microsoft 365 users’ personal contacts to PortSIP PBX user contacts
Shared mailbox contact synchronization, syncing shared mailbox contacts to PortSIP PBX company contacts
Email notifications sent via Microsoft 365, using OAuth authentication
Prerequisites
Before enabling Microsoft 365 integration, ensure the following requirements are met:
PortSIP PBX is running on a static public IP address
PortSIP PBX is accessed via a fully qualified domain name (FQDN) with a valid SSL certificate
The SSL certificate must be issued by a trusted Certificate Authority (for example: DigiCert, Thawte, GoDaddy). Please refer to the guide Certificates for TLS/HTTPS/WebRTC.
The PBX tenant enabling Microsoft 365 integration has Microsoft 365 accounts with an Exchange subscription, such as:
Microsoft 365 Business Basic, Standard, or Premium
Microsoft 365 F3, E3, or E5
Configuring Microsoft 365 Access
Configure the Application ID for the Tenant
To enable synchronization between PortSIP PBX and your Microsoft 365 or Azure environment, follow these steps:
Sign in to your Microsoft Azure or Microsoft 365 account.
Navigate to Microsoft Entra ID.
Select App registrations from the left-hand menu.
Click New registration to create a new application.
Enter an application name, for example: PBX Server-side.
For Supported account types, select Accounts in this organizational directory only (Single tenant).
Sign in to the PortSIP PBX Web Portal:
Log in as the Tenant Administrator, or
Switch to the tenant scope if logged in as a System Administrator
Navigate to Advanced > Microsoft 365 Integration and copy the Redirect URI.
If PortSIP SBC is configured, two Redirect URIs will be displayed; copy both.
You will paste the Redirect URI (or URIs) into the application configuration in Microsoft Entra ID in the next steps.
Paste the Redirect URI into Microsoft 365 and save the changes. If two Redirect URIs are required, add the first URI now. You will add the second URI in a later step.
Copy the Application (client) ID and Directory (tenant) ID from Microsoft 365.
Be sure to save the Directory (tenant) ID for later use. At this stage, you only need to copy and paste the Application (client) ID into the PortSIP PBX, as shown in the screenshot below.
If you have installed and configured the PortSIP SBC with the PBX, two Redirect URIs will be displayed in the PBX Web Portal. The first Redirect URI was added in the previous step 9.
To add the second Redirect URI, follow these steps:
Navigate to App registrations in your Azure or Microsoft 365 account.
Select the application you created earlier.
Open the Authentication menu and click Add URI.
Paste the second Redirect URI and save the changes.
Important: If the PBX web domain or SBC web domain changes in the future, you must update the corresponding Redirect URIs in Microsoft 365 to ensure the integration continues to work properly.
Generate Key Pair
Generate the certificate public key for Microsoft 365 as follows:
Sign in to the PortSIP PBX Web Portal.
Navigate to Advanced > Microsoft 365 Integration.
Click Generate New Key Pair and download the public_key.pem file.
Next, upload the public key to Microsoft 365:
Sign in to Microsoft 365.
In the application configuration, click Upload certificates.
Upload the public_key.pem file and save the changes.
Note By default, the generated certificate is valid for one year. To maintain uninterrupted Microsoft 365 integration, you must regenerate the key pair and repeat the upload process before the current certificate expires each year.
Sync Options
To configure synchronization settings with Microsoft 365, follow these steps:
Sign in to the PortSIP PBX Web Portal.
Navigate to Advanced > Microsoft 365 Integration.
Configure the following options:
Sync Schedule Specify when the PBX should synchronize users from Microsoft 365. It is recommended to schedule synchronization at midnight (00:00) to minimize operational impact.
Directory (Tenant) ID Paste the Directory (tenant) ID that you saved earlier when registering the Microsoft 365 application.
Microsoft 365 Region National clouds are physically isolated Azure environments designed to meet data residency, sovereignty, and regulatory compliance requirements.
Microsoft Entra ID is available in the following cloud environments:
Global Azure cloud
Azure Government
Microsoft Azure operated by 21Vianet
Currently, PortSIP PBX supports the Global Azure cloud and Microsoft Azure operated by 21Vianet. Select GLOBAL unless you explicitly need to connect to Microsoft Azure operated by 21Vianet.
Important If both the First Name and Last Name fields of a Microsoft 365 user are empty (even if an email address exists), that user will not be synchronized to PortSIP PBX. This limitation is enforced by Microsoft 365.
Configuring API Permissions
Configure Microsoft Graph API permissions for the application as follows:
In the Azure or Microsoft 365 portal, open API permissions for the application.
Click Add a permission.
Select Microsoft Graph.
On the Microsoft Graph page, choose Application permissions. Then, type each of the permissions listed below into the Select permissions field. After selecting them, click on the Add permissions button.
User.Read.All
Contacts.Read
Once all required permissions have been granted successfully, they will appear in the API permissions list, as shown in the screenshot below.
If you plan to use the Microsoft 365 mail server to send email notifications, you must also grant the Mail.Send permission.
Configuring SSO
To enable Single Sign-On (SSO), you must configure the Microsoft 365 integration at the tenant level.
Configure User Synchronization
To synchronize users from Microsoft 365 to PortSIP PBX:
Sign in to the PortSIP PBX Web Portal.
Navigate to Integrations > Microsoft 365.
Click the User Sync tab.
Sync Mode
Select a Sync Mode:
Manual – Administrators manually trigger synchronization.
Automatic – The system synchronizes users automatically.
Important: After selecting the sync mode, it cannot be changed later. Choose carefully.
Extension Number Assignment
Specify how extension numbers will be assigned to synchronized users:
You may define a starting extension number range.
If no range is specified, the system automatically assigns the first available extension numbers.
User Photo Synchronization
You can enable synchronization of Microsoft 365 profile photos.
When enabled, user photos will be displayed as profile pictures in:
PortSIP desktop and mobile apps
The WebRTC client
Enable SSO
After configuring User Synchronization, you can enable Single Sign-On (SSO).
Sign in to the PortSIP PBX Web Portal.
Navigate to Integrations > Microsoft 365.
Click the Sign In tab.
Turn on Enable.
Select how users will use SSO according to your requirements.
After Microsoft 365 integration is successfully completed, a Microsoft icon will appear on the login pages of:
The PortSIP PBX Web Portal
The PortSIP ONE app
This indicates that SSO is enabled.
Users can click the Microsoft icon to sign in using their Microsoft 365 credentials.
Configuring Contact Synchronization
You can synchronize Microsoft 365 contacts with PortSIP PBX as follows:
Personal contacts Microsoft 365 personal contacts can be synced to each PortSIP PBX user’s personal contacts. This synchronization is one-way, meaning contacts must be created and maintained in Microsoft 365.
Shared mailbox contacts Contacts from Microsoft 365 shared mailboxes can be synchronized to the PortSIP PBX company contacts, making them available to all users.
All contacts stored in Microsoft 365 Well-Known (Default) folders will be synchronized.
Last updated