Setup Email Host - MS Graph
Microsoft Setup
Create Mailboxes
In the Office 365 admin portal, create two unique mailboxes - one for test and one for production. Generally users do not need access to these mailboxes.
Create Application Registration - Test
In Azure AD, create an application registration. Give it a name like Quavo-QFD-Email.
Under Certificates & Secrets, create a client secret. Note the secret ID and the secret Value (the key); the Value is only displayed once, at creation time.
Under API permissions, grant the following permissions and consent for your organization. The steps that follow ensure that the application can only send and receive mail for a specific mailbox:
User.Read
Mail.ReadWrite
Mail.Send
Follow the steps below, detailed in this document: https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access
Record the application ID from the Overview screen of the application registration. It is labeled "Application (client) ID".
Go to the Exchange console and create a mail-enabled security group. Add the test mailbox that QFD is allowed to use to this security group, and note the group's email address. A mail-enabled security group is different from a plain security group! Create it in the Exchange console under "Groups". More info here: https://docs.microsoft.com/en-us/exchange/recipients/mail-enabled-security-groups?view=exchserver-2019
In Azure AD, launch a command line (or use your own PowerShell session). Enter the following commands:
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
New-ApplicationAccessPolicy -AppId <<Application (client) ID recorded above>> -PolicyScopeGroupId <<email address of the mail-enabled security group created above>> -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group <<email address of the mail-enabled security group created above>>"
Assuming these steps completed successfully, you can test the policy to make sure it is working correctly with the following command:
Test-ApplicationAccessPolicy -Identity <<email mailbox address>> -AppId <<Application (client) ID recorded above>>
You can run the same command with another email address; it should report access denied if that mailbox is not a member of your security group.
Create Application Registration - Production
Repeat the steps above but for the production mailbox. You should have a unique test and production:
Mailbox
Mail-enabled security group, with the mailbox included
App Registration
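The policy and verification steps above, applied to both the test and production registrations, as an added example (not Quavo's own script). The app IDs, group addresses and mailbox addresses are placeholders for your own values, and the control mailbox is any mailbox that is deliberately outside both groups.

```powershell
# Added example: create and verify the RestrictAccess policy for each environment.
# All addresses and IDs below are placeholders; replace them with your own values.
# Note: application access policies only constrain app-only (application) permissions,
# which is the permission type a daemon such as QFD uses with a client secret.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# One entry per environment: the Application (client) ID of the app registration and the
# mail-enabled security group whose only member should be that environment's QFD mailbox.
$environments = @(
    @{ Name = 'Test';       AppId = '<<test app id>>';       Group = 'qfd-test-allowed@contoso.example'; Mailbox = 'qfd-test@contoso.example' }
    @{ Name = 'Production'; AppId = '<<production app id>>'; Group = 'qfd-prod-allowed@contoso.example'; Mailbox = 'qfd@contoso.example' }
)
# A mailbox that is NOT in either group, used to prove the policy actually denies access.
$controlMailbox = 'someone.else@contoso.example'

foreach ($env in $environments) {
    # Re-runnable: only create the policy if one does not already exist for this app.
    $existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $env.AppId }
    if (-not $existing) {
        New-ApplicationAccessPolicy -AppId $env.AppId `
            -PolicyScopeGroupId $env.Group `
            -AccessRight RestrictAccess `
            -Description "Restrict QFD $($env.Name) app to members of $($env.Group)" | Out-Null
    }

    # Verify both directions: the QFD mailbox must be Granted, any other mailbox Denied.
    $allowed = Test-ApplicationAccessPolicy -Identity $env.Mailbox    -AppId $env.AppId
    $denied  = Test-ApplicationAccessPolicy -Identity $controlMailbox -AppId $env.AppId
    if ($allowed.AccessCheckResult -ne 'Granted') {
        Write-Warning "$($env.Name): $($env.Mailbox) is $($allowed.AccessCheckResult), expected Granted. Is the mailbox a member of $($env.Group)?"
    }
    if ($denied.AccessCheckResult -ne 'Denied') {
        Write-Warning "$($env.Name): $controlMailbox is $($denied.AccessCheckResult), expected Denied. The policy is not restricting access."
    }
}
Disconnect-ExchangeOnline -Confirm:$false
```

A newly created policy can take some time to take effect, so a Denied result for the QFD mailbox immediately after creation may simply mean the policy has not propagated yet; re-run the verification loop before troubleshooting group membership.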
To configure your email in QFD, provide:
Staging
Client Id:
Tenant Id:
Client Secret:
Production
Client Id:
Tenant Id:
Client Secret:
When you reset your secret after it expires, the Client ID does not change, because it is the Application (client) ID. The Client Secret, which of course does change, is the new secret's "Value" (not its Secret ID).
All email addresses need to be added to the ‘GraphBypass’ distribution list.