Phone Lines icon GFI Support Home Start a conversation Sign in
Start a conversation
  1. GFI Archiver
  2. GFI Archiver - Configuration
  3. Articles

Registering Archiver in Azure Portal

Overview

After updating from GFI Archiver 15.7 to version 15.8, you might face an error with archive mailbox: 

Failed to authenticate with EWS using app-only authentication. Error: The value cannot be null. Parameter name: clientSecret

Symptoms:

  • GFI Archiver fails to access Exchange Online mailboxes.
  • Archive jobs do not complete or fail silently.
  • Error messages referencing missing or null clientSecret.

Root Cause:

The error is caused by incorrect or missing Azure app registration details, especially the clientSecret, during EWS app-only authentication setup, which stems from the ApplicationImpersonation RBAC Role Deprecation in Exchange Online | Microsoft Community Hub. This forced the invalidation of previous tokens because they were tied to a (now) deprecated method.

Prerequisites

  • Azure business account
  • Admin access to the Azure portal
  • Exchange Online plan for users

Registration:

1. Initial Setup in Azure Portal

  1. Log into https://portal.azure.com/ as an admin
  2. Go to Microsoft Entra ID page
  3. In the sidebar navigate to Manage -> App registrations
  4. You can update an existing app or create a new application
  5. If creating a new app  
    1. Set any tenant type (single or multi) according to requirements
    2. No need for redirect URI
  6. Once you are in your application note down these values from the overview tab:  
    1. clientId
    2. tenantID
    3. Generate a secret value and note down the secretId and secret value  
      1. Set 2 year limit while generating a secret value.
      2. When the client secret is prompted you need to provide <clientId>_@ClientSecret_<clientSecret> (or <SecretId>_@ClientSecret_<clientSecret>)

2. Permission Configuration

  1. Go to API permissions in the sidebar for your application
  2. Select add a permission -> API my organization uses -> Office 365 Exchange Online -> Application permissions -> full_access_as_app  
    1. This will provide the archiver full access to all mailboxes
  3. Click again on add a permission -> Microsoft Graph -> Application permission -> Application -> Application.Read.All  
    1. This will provide the credentials the permission to fetch the expiry time of the client secret to alert the user regarding expiring client secret
  4. Grant admin consent for these permissions to access your domain

3. GFI Archiver Configuration:

  1. Go to your archiver server and in configuration use the clientid and tenantId mentioned above while registering the EWS online user
  2. For client secret provide: <clientId>_@ClientSecret_<clientSecret>
  3. Configure your server to run the latest version of TLS as follows. Restart your server after running the commands to ensure the registry settings are enabled  

    3.3.1 Configure TLS on Archiver Server


      On the Archiver server, run the following PowerShell commands to mitigate any potential TLS issues.   
    New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NetFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -name 'SystemDefaultTlsVersions' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NetFramework\v4.0.30319' -name 'SystemDefaultTlsVersions' -value '1' -PropertyType 'DWord' -Force | Out-Null

4. (Optional) Application access restriction

  1. The above process will provide mail archiver access to all email addresses in the domain.
  2. To restrict access to only a few email addresses we can use ApplicationAccessPolicy
  3. Document on how to set ApplicationAccessPolicy  
    1. https://help.genesys.com/pureconnect/mergedprojects/wh_tr/mergedprojects/wh_tr_installation_and_configuration/desktop/limiting_mailbox_access_by_application_access_policy.htm
    2. https://learn.microsoft.com/en-us/powershell/module/exchange/new-applicationaccesspolicy?view=exchange-ps

Testing and Verification

Email processing workflow

  1. Send a new email to your EWS online email configured in the mail archiver
  2. Wait for a minute and confirm if the archiver has received the email

Summary

If you're seeing a clientSecret null error in GFI Archiver 15.8, it's likely due to misconfigured Azure app authentication. Ensure all Azure app registration details—particularly the client secret—are correctly set, permissions are granted, and TLS is enforced on your server. Optionally, limit access to specific mailboxes for security.

FAQ

1. What format should the client secret take in the GFI Archiver config?

Use: clientId_@ClientSecret_clientSecret
  Or: secretId_@ClientSecret_clientSecret

2. What permissions does the Azure app need?

  • full_access_as_app from Office 365 Exchange Online.
  • Application.Read.All from Microsoft Graph.

3. Why is TLS configuration necessary?

TLS ensures secure communication between GFI Archiver and Microsoft services. Without it, authentication may fail even if credentials are correct.

Choose files or drag and drop files
Was this article helpful?
Yes
No

  1. Priyanka Bhotika

  2. Posted
  3. Updated

Comments