Part 2: setting up Zammad with Microsoft 365 for a practical support desk

Part 2: setting up Zammad with Microsoft 365 for a practical support desk

In the first part, we looked at the moment a shared mailbox stops being enough. This second article picks up from there and moves into the practical side of the work.

In the first part, we looked at the moment a shared mailbox stops being enough. This second article picks up from there and moves into the practical side of the work.

Once a team decides it needs more structure, the next question is usually straightforward. What does a clean first setup actually look like?

In real projects, the goal is rarely to build a complicated help desk on day one. The goal is to put a stable foundation in place so incoming emails become tickets, agents can work from one system, and the support process stops depending on memory and inbox habits.

What This Setup Is Meant to Do

A basic Zammad setup connected to Microsoft 365 should do four things well.

It should collect emails from the support mailbox, turn them into tickets, let agents reply from inside the system, and preserve the full history of the case in one place.

That alone solves a surprising amount of operational friction.

The team keeps using a familiar support address. Customers still send emails in the usual way. Internally, though, the company is no longer managing work through a crowded mailbox.

Why Zammad Fits This Kind of Project

Zammad is a practical choice for teams that want a real ticketing workflow without jumping straight into a large, expensive platform.

It covers the essentials well. Emails can become tickets, tickets can be assigned to groups and agents, internal notes stay separate from customer communication, and managers get a much clearer view of what is open and what is stuck.

For smaller and mid-sized businesses, that balance matters. The system is capable enough for real support work, but it can still be shaped around the way the business already operates.

A Sensible Basic Architecture

In most cases, the cleanest version is simple.

Zammad runs on a VPS or server, usually through Docker Compose. A subdomain such as support.company.com points to that server. HTTPS is handled through a reverse proxy, and Microsoft 365 is connected through the Graph Email channel.

From the customer side, nothing feels dramatic. They still write to [email protected].

Behind the scenes, that message is pulled into Zammad, logged as a ticket, and worked through a more structured process.

Start With Enough Server Capacity

One mistake teams make early is treating the ticketing server as an afterthought.

Zammad may be straightforward to deploy, but it still needs reasonable resources, especially when search, attachments, and multiple users are involved.

For a small live environment, a sensible starting point is usually a clean Linux server with 2 to 4 CPU cores, 8 GB of RAM, enough disk space for attachments and backups, and Docker with Docker Compose already installed.

For test setups, you can get away with less. For a real client environment, it is better not to build too close to the edge.

The Elasticsearch host setting also needs attention before deployment, because search support depends on it working properly.

Prepare the Server Properly Before You Install Anything

Before the containers are started, the basics should already be in place.

DNS should point the chosen subdomain to the server. The firewall should be checked. Docker should be working cleanly. The server should also be prepared for Zammad’s Elasticsearch requirement with vm.max_map_count set correctly.

This is not glamorous work, but it prevents a lot of avoidable confusion later.

A support system is one of those tools where a rushed infrastructure setup tends to show up very quickly in production.

Installing Zammad Is the Easy Part

The actual Docker deployment is usually the least complicated part of the project.

In most cases, the stack is brought up from the official Zammad Docker Compose setup, and within a short time the application is reachable on the server.

That first launch is useful, but it is only the beginning. A live support system should not stay exposed as a raw internal container service.

HTTPS and the Public URL Need to Be Right

Once the stack is running, the public address has to be made clean and trustworthy.

That normally means putting Zammad behind Nginx Proxy Manager, Traefik, Nginx, or another reverse proxy and exposing it through HTTPS on the final subdomain.

This step matters for security, for user confidence, and for the Microsoft 365 integration that comes later. If the public URL is wrong, redirect handling and callback flows tend to fail in frustrating ways.

It is worth slowing down here and making sure the final public address is exactly the one the system should use long term.

Finish the First-Time Wizard With Real Admin Details

When Zammad opens for the first time, the initial wizard handles the obvious setup tasks.

This is where the first administrator account is created, company details are added, and the system URL is checked. Those details are easy to rush through, but they should be treated as real production settings rather than temporary placeholders.

The first admin account should have a strong password and should belong to a clearly responsible person, not to a loosely shared team login.

Decide Which Mailbox Should Become the Support Channel

Before Microsoft 365 is connected, it helps to make one clear decision which mailbox is actually going to power support?

Sometimes that is a licensed mailbox such as [email protected]. Sometimes it is a shared mailbox like [email protected]. In other environments, it may be a dedicated department address such as [email protected].

In many Microsoft 365 environments, a shared mailbox is a practical choice because it matches the address customers already know and can keep licensing simpler.

The more important point is consistency. The address should be stable, monitored, and intentionally chosen before the technical connection begins.

Why the Microsoft 365 Graph Channel Is Usually the Better Choice

If Microsoft 365 is already in place, the Graph Email channel is usually the cleaner route compared with a basic IMAP and SMTP setup.

It tends to handle shared mailboxes better, fits modern Microsoft 365 environments more naturally, and gives a more future-oriented way to connect the mailbox to the ticketing system.

In practice, that means fewer awkward workarounds and a setup that is easier to defend over time.

The App Registration Is Where the Integration Becomes Real

To let Zammad talk to Microsoft 365 through Graph API, an application registration has to be created in Microsoft Entra ID.

That process usually includes creating the app, setting the redirect URI, creating a client secret, assigning the needed Graph permissions, and granting admin consent where required.

The screen names inside Microsoft may change over time, but the logic stays the same. Microsoft needs to trust the Zammad instance as an application that is allowed to work with the mailbox.

This is often the point where projects feel more technical, but it is still very manageable when each setting is checked carefully.

Connect the Mailbox in Zammad

Inside Zammad, the Microsoft 365 Graph Email channel is then configured with the tenant ID, client ID, client secret, mailbox, and folder settings.

Once the authorization succeeds, the system can start watching the mailbox, importing messages, creating tickets, and sending replies back through the same email identity.

That is the moment the workflow from part one starts becoming real. A customer still writes an email, but internally the business is now handling a ticket.

Be Careful With Existing Mail in the Inbox

This is one of the most practical warnings in the whole setup.

If the mailbox already contains older emails, Zammad may treat them as messages to process and create tickets from them.

That can turn a clean rollout into an unnecessary mess very quickly.

Before connecting a live mailbox, it is often worth archiving old emails, testing with a fresh folder, or using a separate test mailbox first. A little caution here saves a lot of cleanup later.

Set Up Groups Before the Queue Gets Messy

Once the email flow works, the next job is to shape the support structure.

In Zammad, groups are what keep the queue understandable. A small team may start with a single Support group, while a more layered workflow might add Technical Support, Finance, or Management Escalation.

The point is not to create a complicated org chart inside the software. The point is to avoid the old habit where everyone receives everything and nobody has a clean view of responsibility.

Keep Roles and Permissions Simple at First

The same principle applies to user accounts.

Start with a small, realistic structure administrators, agents, managers, and only any extra access levels that truly solve a real need.

Tickets often contain customer details, invoices, attachments, internal notes, and operational context, so permissions should be deliberate.

Simple is usually better at the beginning. A system that matches the real team clearly is easier to operate than one filled with overly clever role combinations.

Auto-Replies Are Small but Important

One of the first useful automations is a clear confirmation email.

Customers should know their request reached the system. A short acknowledgement with the ticket number is often enough to build confidence immediately.

What matters most is tone and realism. The message should be clear, professional, and honest about when the team will actually respond.

If support only operates during business hours, that should be stated plainly rather than hidden.

Filters and Routing Rules Are Where the Workflow Starts Paying Off

Once the basics are stable, filters make the system much more useful.

Billing requests can be sent to Finance. Technical errors can go to Technical Support. Certain customers or keywords can trigger priority changes or special handling. Noise can be filtered out.

This is the moment where the support desk stops feeling like a digital mailbox and starts behaving like a real process.

Test Outgoing Identity Before Going Live

Outgoing email details deserve their own check.

Sender name, sender address, reply behavior, signature, formatting, and ticket references should all be tested with real external emails before the system is declared ready.

Microsoft 365 can sometimes introduce surprises around display names, so this is not the place to assume everything looks correct just because sending works.

A few test messages now are much cheaper than a confusing launch later.

Run a Full End-to-End Ticket Test

Before go-live, test the whole loop from start to finish.

Send a message from an external address. Confirm that a ticket is created. Check that the auto-reply is delivered. Assign the ticket, add an internal note, reply from Zammad, and then reply again as the customer to make sure the conversation stays on the same ticket.

That kind of full-path test catches the issues that matter in real life, not just the ones that appear in isolated setup screens.

A Good First Launch Is Usually Quite Modest

Most teams do not need a perfect support system on day one. They need a stable one.

A sensible go-live usually means finishing the technical setup, training the support team, moving the real support address into Zammad, and then watching the first wave of tickets carefully.

After that, filters, triggers, groups, and notifications can be refined based on actual usage instead of guesswork.

The Most Common Problems Are Usually Configuration Problems

In this kind of project, the biggest issues are usually not dramatic product failures.

They are mismatched DNS records, incorrect redirect URIs, expired client secrets, missing Microsoft permissions, wrong folder selections, old emails being imported, or outgoing replies using an unexpected sender identity.

That is why a steady, layer-by-layer setup matters so much. It is far easier to fix one known configuration issue than to troubleshoot five assumptions at once.

Maintenance Still Matters After Launch

A ticketing system is not a one-time install.

After rollout, the server, backups, Docker stack, disk space, failed imports, filters, permissions, and Microsoft 365 secret expiry still need to be reviewed over time.

The setup becomes far more dependable when maintenance is treated as part of the implementation instead of something postponed indefinitely.

Closing Thought

The technical build matters here. Docker, HTTPS, Microsoft 365, Graph API, mailbox setup, permissions, and backups all need to be handled properly.

But the real value is still operational. Once the setup is complete, emails become tickets, tickets have owners, teams can collaborate internally, and managers finally get visibility into the work.

That is why this kind of Zammad project should never be seen as just an installation task. It is the practical continuation of the workflow change discussed in part one.