Microsoft 365

Microsoft 365 Integration

In order to send and receive email from Microsoft 365, your Azure administrator will need to create a HelpMaster App registration in your Azure tenant and then grant it permission to send and receive email on behalf of users.

Permissions checklist!

To complete this step, you will need:

Once the HelpMaster App Registration has been created and configured in your Azure tenant, you will need to copy the app configuration details from your Azure tenant into the HelpMaster System Administration > API Integrations > Microsoft 365 tab. This will allow HelpMaster to connect to the Azure HelpMaster app and use its credentials to send and receive email.

Step 1 - Create and configure your Microsoft 365 HelpMaster App

  1. Log in to your Microsoft Azure Portal at portal.azure.com with an administrator account
  2. Navigate to Azure Active Directory > App Registrations
  3. Click New registration
  4. Enter a name, e.g. HelpMaster
  5. Select Accounts in this organizational directory only (Your org - Single tenant)
  6. Click Register to create the app registration

Step 2 - Granting Graph API permissions

Send Only Permissions: Once the app has been created, you will need to configure which Graph API permissions it has. The minimum permissions required to send emails from HelpMaster are User.Read.All, to find the required user or shared mailbox along with its basic details, and Mail.Send, to send from any mailbox.

Read, Write & Move Permissions: For Email Manager to be able to utilise M365 mailboxes, you will also need to grant Mail.ReadWrite permissions in addition to the above send permissions.

  1. Click View API Permissions if you’re still on the initial screen, or API Permissions from the left-side menu
  2. Click Add a permission
  3. From the Request API permissions panel, click the top panel Microsoft Graph
  4. Click on Application permissions at the top and scroll down to the Mail section and expand it
  5. Select (tick) Mail.Send (Send mail as any user) to enable the “Send As” permission
  6. Select (tick) Mail.ReadWrite (For Email Manager to be able to read, write and move) permissions if required
  7. Scroll down to the User section and select the User.Read.All permission to allow reading of user profile information. This permission is required for being able to select the account you want to use via the HelpMaster interface when configuring the mail account later.
  8. Click Add permissions
    Once the API permissions have been granted to the HelpMaster app, you need to grant consent to use the app within your Azure tenant.
  9. Click Grant admin consent for [Your Organization] link and click Yes to the confirmation prompt

Step 3 - Create a Client Secret

In order to be able to use the app within HelpMaster, you need to configure a Client Secret for the app.

  1. Click Certificates & secrets from the left-side menu
  2. Click New client secret
  3. A dialog box will appear prompting for a Description of the secret. This is a descriptive label only - it isn’t the secret. Enter the descriptive name and set the expiry to your preference. Note that if a secret expires, any code/apps/APIs using this app (Including HelpMaster) will stop working, and you’ll need to create a new secret and re-enter this value into the configuration within HelpMaster. Click Add
  4. Copy the secret from the Value column - click on the copy icon, or select and copy it manually. You may wish to save the secret somewhere safe, or just keep it on the clipboard to paste into HelpMaster.

Your Microsoft 365 HelpMaster app is almost ready to be used by HelpMaster. The next step is to create a Mail-enabled security group to restrict access.

Step 4 - Create a Mail-enabled security group

In this step we will create a group to restrict the Mail.Send and/or Mail.Send.Shared API permissions to be able to send email only “AS” or “On Behalf Of” selected user mailboxes and exclude access to all others.

  1. Go to Microsoft 365 admin center > Teams & groups > Active teams & groups and select Mail-enabled security
  2. Click Add a group and select the group type Mail-enabled security followed by Next
  3. Enter a Name and Description of the new security group followed by Next
  4. Enter a Group email address (required but not used) followed by Next
  5. Review the new group details and click Finish to create it (It can take from 20 to 60 minutes for these settings to take effect)
  6. Select the new group and add members by clicking Members followed by View all and manage members and + Add members
  7. From the list search and select (tick) the user mailboxes HelpMaster requires access to

Step 5 - Create an ApplicationAccessPolicy based on the Mail-enabled security group

This step will create an ApplicationAccessPolicy to restrict access to only the members of the Mail-enabled security group above. This can only be accomplished via the Exchange Online PowerShell console.

  1. Open a PowerShell v7 console window as an Administrator. Install PowerShell v7.xx if necessary
  2. Connect to your Exchange Online PowerShell console using

    Import-Module ExchangeOnlineManagement

    followed by

    Connect-ExchangeOnline -UserPrincipalName <Your Microsoft 365 admin login email address>

    Authenticate your login as prompted

  3. Copy the following PowerShell script, and modify the arguments of the script with your specific details from your app registration created earlier. For further information about this step, refer to this Microsoft article Limit mailbox access with Microsoft 365

    New-ApplicationAccessPolicy -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b -PolicyScopeGroupId HelpMasterApp@YourDomain.com -AccessRight RestrictAccess -Description "This will restrict the HelpMaster application's ability to send email 'As' or 'On Behalf Of' only the user mailboxes that are members of this security group."

      • -AppId = Your Application (client) ID from the HelpMaster app you created in step 1
      • -PolicyScopeGroupId = The email address of the Mail-enabled security group you created in step 2
      • -Description = Your description of this ApplicationAccessPolicy within quotation marks

  4. Check that your modified PowerShell command is correct. Press <Enter> to execute the command. It should look something like this…
    [Screenshot: Exchange Online PowerShell]

    Once the PowerShell script has run successfully, your HelpMaster app registration should now be linked to the Mail-enabled security group to limit the mail access to only the members that were selected.
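
One way to confirm that the policy limits the app to the intended mailboxes, as an added example that is not part of the original HelpMaster documentation. It assumes an active Connect-ExchangeOnline session; the mailbox addresses and the Test-Scope helper are hypothetical placeholders, and the AppId is the sample value from the command above.

```powershell
# Added example: check which mailboxes the HelpMaster app registration can reach.
# Assumes you are already connected with Connect-ExchangeOnline.
$AppId = 'e7e4dbfc-046f-4074-9b3b-2ae8f144f59b'   # sample Application (client) ID; use your own

# Placeholder addresses: members of the mail-enabled security group (expect Granted)
$ExpectGranted = @('servicedesk@YourDomain.com')
# Placeholder addresses: mailboxes outside the group (expect Denied)
$ExpectDenied  = @('finance@YourDomain.com', 'hr@YourDomain.com')

# 1. Confirm a RestrictAccess policy exists for this app at all.
$policies = @(Get-ApplicationAccessPolicy | Where-Object {
    $_.AppId -eq $AppId -and "$($_.AccessRight)" -eq 'RestrictAccess'
})
if ($policies.Count -eq 0) {
    Write-Warning "No RestrictAccess policy found for app ${AppId}; Mail.Send applies to every mailbox."
}
$policies | Format-List Identity, ScopeName, AccessRight, Description

# 2. Evaluate the policy against each mailbox and compare with the expectation.
#    Test-Scope is a hypothetical helper name used only in this example.
function Test-Scope {
    param([string]$App, [string[]]$Mailboxes, [string]$Expected)
    foreach ($mbx in $Mailboxes) {
        $r = Test-ApplicationAccessPolicy -Identity $mbx -AppId $App
        [pscustomobject]@{
            Mailbox  = $mbx
            Expected = $Expected
            Actual   = "$($r.AccessCheckResult)"
            Ok       = ("$($r.AccessCheckResult)" -eq $Expected)
        }
    }
}

$results = @(Test-Scope -App $AppId -Mailboxes $ExpectGranted -Expected 'Granted') +
           @(Test-Scope -App $AppId -Mailboxes $ExpectDenied  -Expected 'Denied')
$results | Format-Table -AutoSize

# 3. Flag any mailbox whose result differs from the intended scope.
$bad = @($results | Where-Object { -not $_.Ok })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) mailbox(es) do not match the intended scope; review the group membership."
}
```

Re-run the check after any change to the group membership so that a mailbox added or left in the group by mistake is caught.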

Adding / Removing members once the group has been created and linked

Once the mail-security group has been created and linked to the HelpMaster app registration via the PowerShell script, all changes to the group membership must be performed via the Exchange Administration Portal (https://admin.exchange.microsoft.com).

Step 6 - Configure the Microsoft 365 settings in HelpMaster

The final step is to copy the configuration settings from your Azure portal into HelpMaster.

Working in the HelpMaster Desktop application, navigate to the following screen:

  1. Copy the Application (client) ID, Directory (tenant) ID and Client secret from Azure to HelpMaster in the corresponding text boxes
  2. Click Test Settings to ensure that authentication and configuration is correct
  3. If you get a Microsoft 365 Authentication was successful message box, click Apply to save your configuration

Once this step has been completed successfully, create or edit a HelpMaster email account that uses this Microsoft 365 connection. See Global Email Accounts

See also

Register an application with the Microsoft identity platform (External link)

Limit mailbox access with Microsoft 365 (External link)

Create a new Microsoft 365 application access policy (External link)

Connect to Exchange online with Powershell (External link)