The mentioned functionalities may be restricted depending on the purchased software license.
Microsoft Graph API Setup for Mail Sending
This guide explains how to grant your organization's admin consent to our multi-tenant mail sending app and restrict its access so that it can only send emails from a designated mailbox (for example, noreply@yourdomain.com). Even if you have limited IT experience, the step-by-step instructions and prerequisites provided here will help you complete the setup using tools installed on your PC.
Note: If you need assistance, please create a support ticket at eniris.io/support.
Table of Contents
- Overview
- Prerequisites
- Step 1: Granting Admin Consent
- Step 2: Capturing Your Tenant Details
- Step 3: Configuring Access Restrictions
- Security Considerations
- Additional Information & Resources
- Troubleshooting
Overview
Our mail sending app uses the Microsoft Graph API with application permissions (Mail.Send) to send emails from a designated mailbox. Application permissions are granted tenant-wide: without the restriction configured in Step 3, an app holding Mail.Send could send mail as any mailbox in your tenant, which is why both parts of this guide are needed. To enable this functionality, your admin must:
- Grant tenant-wide consent to the app.
- Restrict the app to the designated mailbox with an Exchange Online application access policy (Step 3).
- Provide us with your domain name, tenant ID, and the email address you want to use (e.g., noreply@yourdomain.com).
Your domain name and tenant ID can be found in your tenant overview at Microsoft Entra.
Prerequisites
Before you begin, please ensure you have the following:
- Admin Credentials: You must have Global Administrator rights for your Microsoft 365 tenant.
- Access to Microsoft Entra: You will need to view your tenant details at Microsoft Entra.
- PowerShell on Your PC: Windows PowerShell or PowerShell Core (PowerShell 7), with the ExchangeOnlineManagement module installed by running:
  Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
- Basic Knowledge: Familiarity with copying and pasting commands in PowerShell. Don’t worry if you are a beginner—the steps below are detailed and straightforward.
Step 1: Granting Admin Consent
- Construct the Admin Consent URL:
  Use the following URL format. Replace <YOUR-DOMAIN-NAME> with your actual domain name (for example, if your domain is "contoso.com", use that):
  https://login.microsoftonline.com/<YOUR-DOMAIN-NAME>/adminconsent?client_id=03126c25-5828-4b2e-aa6d-d97380cb1cb5&redirect_uri=https://eniris.io
- Visit the URL:
  Have your Microsoft 365 global admin log into their browser and navigate to the URL. They will see a consent dialog listing the permissions our app is requesting. For this app the list should contain only Mail.Send; if the dialog asks for anything else, do not accept it and contact us instead.
- Grant Consent:
  The admin should click "Accept" to grant consent. This action will create a service principal (visible in Microsoft Entra under Enterprise applications) for our app in your tenant and allow it to send emails.
- Notify Us:
  After granting consent, please create a ticket at eniris.io/support with the following details:
  - Your domain name.
  - Your tenant ID (found at Microsoft Entra Tenant Overview).
  - The email address you wish to use for sending mails (e.g., noreply@yourdomain.com).
Step 2: Capturing Your Tenant Details
Our onboarding process will capture your tenant ID automatically when the admin grants consent. However, if you need to manually verify this, you can:
- Sign in to Microsoft Entra.
- Copy your Tenant ID from the Tenant Overview page.
Step 3: Configuring Access Restrictions
Admin consent alone gives the app Mail.Send for every mailbox in the tenant. To apply the principle of least privilege, we create a dedicated mail-enabled security group containing only the designated mailbox and use an Exchange Online application access policy to restrict the app to that group's members, so the app can only access what is absolutely necessary.
Creating the Required Mail-Enabled Security Group
Application access policies can only be scoped to a mail-enabled security group or a distribution group, so the group must be created as a mail-enabled security group; a plain "Security" group is not accepted by New-ApplicationAccessPolicy.
- Log into the Microsoft 365 Admin Center:
  Go to admin.microsoft.com and sign in with your admin account.
- Create a Mail-Enabled Security Group:
  - Navigate to "Groups" > "Active groups"
  - Click "Add a group"
  - Select "Mail-enabled security" as the group type and click "Next"
  - Enter a name (e.g., "Noreply Access Only"), a description, and an email address for the group
  - Add the noreply@yourdomain.com account as a member (it should be the only member)
  - Click "Next" and then "Create group"
Applying Access Restrictions
- Open PowerShell:
  Open a PowerShell window on your PC. Local administrator rights are not required, because the module is installed for the current user only.
- Connect to Exchange Online:
  Install the ExchangeOnlineManagement module (if not already installed) and then connect. Sign in with an account that has Exchange administration rights (the Global Administrator from the prerequisites is sufficient):
  Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
  Connect-ExchangeOnline -UserPrincipalName "<YOUR-ADMIN-EMAIL>" # For example: admin@yourdomain.com
- Create the Application Access Policy:
  Run the following command. Replace <YOUR-SECURITY-GROUP-EMAIL> with the email address or Object ID of the mail-enabled security group you created above:
  New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "03126c25-5828-4b2e-aa6d-d97380cb1cb5" -PolicyScopeGroupId "<YOUR-SECURITY-GROUP-EMAIL>" -Description "Restrict app access to the noreply mailbox only"
  With AccessRight RestrictAccess, the app can only access mailboxes that are members of the group; every other mailbox in the tenant is denied.
- Verify the Policy:
  Test that the policy works by running (replace with your actual noreply email address):
  Test-ApplicationAccessPolicy -Identity "<YOUR-NOREPLY-EMAIL>" -AppId "03126c25-5828-4b2e-aa6d-d97380cb1cb5"
  The AccessCheckResult in the output should read Granted. Run the same command with the address of any other mailbox in your tenant: it should read Denied. A new policy can take up to 30 minutes to take effect, so if another mailbox still shows Granted right after creation, wait and re-test before assuming the policy is wrong.
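The whole of Step 3 as one script, provided here as an added example rather than a script from Eniris or from the original page. It creates the mail-enabled security group from PowerShell (the equivalent of the admin center steps above), creates the policy only if none exists for the app yet, and then checks both that the noreply mailbox is Granted and that an unrelated mailbox is Denied, retrying while the policy propagates. The admin UPN, mailbox addresses, group name and group email address are placeholders you must replace; the "other" mailbox is assumed to be any existing mailbox in your tenant that the app must not be able to use.

```powershell
# Added example (not Eniris's own script): apply and verify the Step 3
# application access policy end to end. All values below except $AppId
# are assumptions; replace them with your own.
$AppId        = "03126c25-5828-4b2e-aa6d-d97380cb1cb5"   # from this guide
$AdminUpn     = "admin@yourdomain.com"                   # assumption
$NoreplyUpn   = "noreply@yourdomain.com"                 # assumption: the designated mailbox
$OtherMailbox = "someone.else@yourdomain.com"            # assumption: a mailbox that must stay out of reach
$GroupName    = "Noreply Access Only"
$GroupSmtp    = "noreply-access-only@yourdomain.com"     # assumption: address for the mail-enabled group

if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -Force
}
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# 1. Create the mail-enabled security group if it does not exist yet.
#    -Type Security on New-DistributionGroup yields a mail-enabled security
#    group, which is what New-ApplicationAccessPolicy requires.
$group = Get-DistributionGroup -Identity $GroupSmtp -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-DistributionGroup -Name $GroupName -Type Security `
        -PrimarySmtpAddress $GroupSmtp -Members $NoreplyUpn
}
# Fail early if the designated mailbox is not actually a member.
$members = Get-DistributionGroupMember -Identity $GroupSmtp
if (-not ($members | Where-Object { "$($_.PrimarySmtpAddress)" -eq $NoreplyUpn })) {
    throw "$NoreplyUpn is not a member of $GroupName"
}

# 2. Create the restriction policy unless one already exists for this app.
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $existing) {
    New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId $AppId `
        -PolicyScopeGroupId $GroupSmtp `
        -Description "Restrict app access to the noreply mailbox only"
}

# 3. Verify. The policy can take up to 30 minutes to take effect, so poll
#    until the designated mailbox is Granted AND the other mailbox is Denied.
function Test-AppMailboxAccess([string]$Mailbox) {
    (Test-ApplicationAccessPolicy -Identity $Mailbox -AppId $AppId).AccessCheckResult
}
$deadline = (Get-Date).AddMinutes(30)
do {
    $allowed = Test-AppMailboxAccess $NoreplyUpn
    $denied  = Test-AppMailboxAccess $OtherMailbox
    if ($allowed -eq "Granted" -and $denied -eq "Denied") { break }
    Write-Host "Policy not effective yet ($NoreplyUpn=$allowed, $OtherMailbox=$denied); waiting..."
    Start-Sleep -Seconds 60
} while ((Get-Date) -lt $deadline)

if ($allowed -ne "Granted") { throw "App cannot access $NoreplyUpn (result: $allowed)" }
if ($denied  -ne "Denied")  { throw "App can still access $OtherMailbox (result: $denied); the policy is not restricting" }
Write-Host "OK: app $AppId is limited to $NoreplyUpn"

Disconnect-ExchangeOnline -Confirm:$false
```

The second test (an unrelated mailbox must be Denied) is the one that actually proves the restriction; a Granted result for the noreply mailbox alone would also appear if no policy existed at all.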
Security Considerations
- Data Isolation: The service principal created in your tenant holds only the permission you consented to, and the application access policy limits that permission to the designated mailbox; no other mailbox data is reachable by the app.
- Least Privilege: The app requests only the Mail.Send permission and is further restricted to a single mailbox.
- Auditing: We recommend periodic reviews of the service principal (its granted permissions in Microsoft Entra under Enterprise applications) and of the Application Access Policy. If you stop using the service, delete the policy and remove the enterprise application from your tenant.
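One way to carry out the Entra side of that periodic review, added here as an example and not a script from Eniris or the original page: look up the service principal that admin consent created, resolve its application permission assignments on Microsoft Graph to their names, and warn if anything other than Mail.Send has been granted. It assumes the Microsoft.Graph.Applications module and an account allowed the Application.Read.All scope; the Exchange Online side of the review is the Test-ApplicationAccessPolicy check from Step 3.

```powershell
# Added example (not Eniris's own script): review what the mail sending
# app's service principal is allowed to do in your tenant.
# Assumes the Microsoft.Graph.Applications module and an account that can
# consent to the Application.Read.All delegated scope.
$AppId    = "03126c25-5828-4b2e-aa6d-d97380cb1cb5"   # from this guide
$Expected = @("Mail.Send")                            # the only permission this guide describes
$GraphAppId = "00000003-0000-0000-c000-000000000000"  # well-known app ID of Microsoft Graph

if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Applications)) {
    Install-Module -Name Microsoft.Graph.Applications -Scope CurrentUser -Force
}
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

# The service principal is what admin consent created in your tenant.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'" | Select-Object -First 1
if (-not $sp) { throw "No service principal for $AppId: consent was never granted or has been revoked" }

# Application permissions are stored as app role assignments against the
# Microsoft Graph resource; map each assigned role ID back to its name.
$graphSp     = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'" | Select-Object -First 1
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id
$granted = foreach ($a in $assignments) {
    if ($a.ResourceId -ne $graphSp.Id) {
        "<role $($a.AppRoleId) on non-Graph resource $($a.ResourceId)>"
        continue
    }
    ($graphSp.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }).Value
}
$granted = @($granted | Where-Object { $_ })

Write-Host "Service principal: $($sp.DisplayName) ($($sp.Id))"
Write-Host "Granted application permissions: $($granted -join ', ')"

$unexpected = @($granted | Where-Object { $_ -notin $Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "Unexpected permissions granted: $($unexpected -join ', '). Review the app under Entra > Enterprise applications."
}
$missing = @($Expected | Where-Object { $_ -notin $granted })
if ($missing.Count -gt 0) {
    Write-Warning "Expected permission(s) missing: $($missing -join ', '). Mail sending will fail until consent is re-granted."
}

Disconnect-MgGraph | Out-Null
```

A clean run prints exactly one granted permission, Mail.Send. Any additional entry means a broader consent was accepted at some point and should be investigated; an assignment on a resource other than Microsoft Graph is reported separately so it is not silently dropped.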
Additional Information & Resources
Common Issues:
Consent Errors:
- Verify the admin account's role assignments at Microsoft Entra roles (Global Administrator is required to grant tenant-wide consent)
- Check the consent troubleshooting guide
- Ensure the URL is constructed correctly: your own domain name in place of <YOUR-DOMAIN-NAME>, and an admin from that same tenant signed in
PowerShell Errors:
- Check that the ExchangeOnlineManagement module is installed and up to date
- Verify your admin credentials have sufficient permissions
Policy Verification:
- Use Test-ApplicationAccessPolicy to verify access restrictions; allow up to 30 minutes for a new policy to take effect
- Review the Application Access Policy documentation