Setup Email Host - MS Graph
Microsoft Setup
Create Mailboxes
In the Office 365 admin portal, create two unique mailboxes - one for test and one for production. Generally users do not need access to these mailboxes.
Create Application Registration - Test
In Azure AD, create an application registration. Give it a name like Quavo-QFD-Email.
Under Certificates & Secrets, create a secret. Note the secret id and key.
Under API permissions, grant the following permissions and consent for your organization. The steps following this will ensure that the id only has access to send/receive from a specific email address:
User.Read API Permissions (not pictured below)
Mail.ReadWrite Permissions (below)
Mail.Send Permissions (below)
Follow the steps below, detailed in this document: Limiting application permissions to specific Exchange Online mailboxes - Microsoft Graph
Record the application id in the application registration in the Overview screen. It is labeled "Application (client) ID".
Go to the exchange console and create a mail enabled security group. Put the test mailbox to be allowed to QFD in this security group. Note its email address. A mail enabled security group is different than a security group! Make this in the exchange console under "groups". More info here: Manage mail-enabled security groups in Exchange Server
In Azure AD, launch a command line (or use your own powershell). Enter the following commands:
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
New-ApplicationAccessPolicy -AppId <<App Id collected in step a) -PolicyScopeGroupId <<mail enabled security group address created in step b) -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group <<mail enabled security group address created in step b>>"
Assuming these steps completed successfully, you can test the policy to make sure it is working correctly with the following command:
Test-ApplicationAccessPolicy -Identity <<email mailbox address>> -AppId <<App Id collected in step a>>
You can run the same command with another email address and you should get access denied if the mailbox is not in your security group.
Create Application Registration - Production
Repeat the steps above but for the production mailbox. You should have a unique test and production:
Mailbox
Mail-enabled security group, with the mailbox included
App Registration
To configure your email in QFD, provide:
Staging
Client Id:
Tenant Id:
Client Secret:
Production
Client Id:
Tenant Id:
Client Secret:
When you reset your Secret after it expires, the Client ID doesn't change because this is the Application ID. However, the Client Secret, which of course is changed, would be the “Value”.
All email addresses need to be added to the ‘GraphBypass’ distribution list.