Quick Start Guide

Version 1.3

Note: It can take up to 15-20 minutes from the time you start the Azure VM until the installation completes. Please provide the required time before performing the steps below.

DayOne configuration steps include:

  • Creating an application in Azure

  • Basic configuration

  • Optional - Creating a certificate that matches your server FQDN

  • Optional - DayOne Writeback Agent Installation

  • Securing DayOne

Creating an application in Microsoft Azure


1. Sign in to your Microsoft Azure account: Azure portal

2. Select Azure Active Directory

3. Select App registrations

4. Select New registration

5. Create a web application.

  • Enter https://<YourServerInFQDN> in the Redirect URI

  • Choose Accounts in this organizational directory or Accounts in any organizational directory (to allow access to admins from other tenants)

6. Copy the Application ID from the Overview tab

7. Select Authentication

8. Under Advanced Settings please select "ID tokens".

9. Select API permissions

10. Select Grant admin consent


Basic Configuration


1. Use a JavaScript enabled browser (Chrome is recommended) and browse to your DayOne server: https://Server.FQDN

  • You should see the following page:

2. Fill in your tenant domain and the application ID (that you have copied in a previous step)


3. Wait 1 minute and then refresh the page

​    You will be redirected to Microsoft Azure Active Directory and prompted to authenticate


4. Once authenticated, you should see the following DayOne dashboard page

5. You can add administrators to manage or view DayOne settings:

  • Click on the “hamburger” menu (Top-Left) and select Admins

  • Press the + sign and provide the following:

    • Global Admin: These admins will have Full permissions in DayOne

    • Tenant Admin: These admins will manage only connectors they have permissions on. They will also view DayOne dashboard page and logs (Permissions are applied at the tenant level; Tenant Admins will be able to manage only connectors where their tenant has been set as the synchronization source)

    • View Only: These admins will only be able to view DayOne dashboard and logs

6. An optional step is to change the DayOne web application's certificate to one of your own cert

  • Go to Settings in the “hamburger” menu

  • Prepare a PKCS#12.pfx certificate file

  • Input the private key password

  • Press UPLOAD and select the certificate you have prepared

  • Wait for 1 minute for the update process to complete before refreshing the page

7. Go to Tenants and configure the tenants you would like to sync objects with (From or To)​

Each tenant will require a user and an Azure AD Application.

  • The user that will be configured in this section requires the following permissions:

  • In Exchange online:

    • Mail Recipients

The application should be configures as follows:

  • Register a new Azure AD application

  • Copy the Application (client) ID

  • Select Authentication

  • Check ID tokens and click Save

  • Select Certificates & secrets

  • Select New client secret

  • Choose expiration and select Add

  • Copy the Client secret

  • Select API permissions

  • Select Add a permission

  • Select Microsoft Graph

  • Select Application permissions

  • Add the following permissions:

    • Group.Read.All​

    • User.Invite.All

    • User.ReadWrite.All

  • Select Grant admin consent… and Yes

  • Please provide the tenant and its user/application details (following is an example)

  • In this page you can also grant permissions for each tenant’s administrators (applied at their tenant only)

8. Go to Connectors

9. Click the + sign in the Connectors section

  • Trusted Tenant – Sync users from this tenant

  • Trusting Tenant – Sync users to this tenant

  • Active – Enable/Disable the sync operation for this connector

  • Sync Unlicensed Users – Sync users without any license in Office365

  • Member[On] Guest[Off] – Whether synced users will be created as “Guests” or as “Members” in the target tenant

  • Deletion Enabled – Should users be deleted in the target tenant in case they are deleted in the source tenant (only users that were created by the connector will be deleted by it)

  • Deletion Threshold – If the number of users to be deleted are above this threshold no deletion will occur and a warning will be issued (0 is no limit)

  • Display Objects – Enable/Disable displayed synced users in the address books of the target tenant

  • Display Name – Should display name be synced as is or changed according to organization policy

  • Display Name Suffix – Will be added to all synced users in destination tenant

10. Each connector has inclusions and exclusions of its own. You can import a list of emails into each of these settings using a text file that contains a single email address per line, or be configured with Azure AD group as source, the group can be dynamic or assigned and you should configure the group object ID.

  • Exclusions  Users in this list will not be synced, if they have already been synced by this connector they will be deleted (if deletion is enabled and the number of objects to be deleted is within the threshold configured)

  • Inclusions – If this list contains users, only these will be synced, if this connector synced other users they will be deleted (if deletion is enabled and the number of objects to be deleted is within the threshold configured)

DayOne Writeback Agent Installation

1. Create an Azure AD application for the DayOne Writeback agent.

2. Select Authentication

3. Please select “Access tokens”, “ID tokens”

4. Select API permissions

5 .Select Add permissions

6. Select Microsoft Graph

7. Select Application permissions

8. Select User.Read.All

9. Select Grant admin consent for <YourAppName>

10. Select Certificates & secrets

11. Select New client secret

12. Enter description and select expiration

13. Copy the secret value

14. Create an Organizational Unit (OU) in Active Directory where mail-enabled user objects will be created by the agent and copy this OU’s distinguishedName 

15. Exclude this Organizational Unit from Azure AD Connect Synchronization

16. Create an administrative account with the following permissions to in this OU: create + delete + modify user objects

17. Start the installation: “DayOne Writeback Agent Setup.msi” 

18. In the Set Service Login write the credentials for the user created in step 23

19. Edit the service configuration file located in: "C:\Program Files (x86)\DayOne Write Back Service\DayOne Writeback Agent.exe.config"

20. Set the following parameters in the “DayOne Writeback Agent.exe.config” file:

21. Following is a description of the DayOne Writeback Agent service events in Windows Event Viewer

Event Source: DayOne Writeback Agent

Securing DayOne

1. To secure DayOne dashboard:

  • Allow only your organization/s IP addresses to connect using TCP port 443

  • Configure your Admins to use MFA in Azure AD


2. To secure your tenant applications:

  • Configure DayOne VM/Server with a static IP address

  • Configure Azure AD conditional access that allows the Tenant Azure AD application and user to connect only from the above static IP address


3. To secure the DayOne write back agent application:

  • Configure Azure AD conditional access that allows the DayOne writeback agent Azure AD application to connect only from your organization external IP address

dayOne logo transparent.gif

Tel: 972-4-8211988

Khalamish 14, Industrial Park, Caesarea, Israel