In order to send and receive email from Microsoft 365, your Azure administrator will need to create a HelpMaster App registration in your Azure tenant and then grant it permission to send and receive email on behalf of users.
To complete this step, you will need:
Once the HelpMaster App Registration has been created and configured in your Azure tenant, you will need to copy the app configuration details from your Azure tenant into the HelpMaster System Administration > API Integrations > Microsoft 365 tab. This will allow HelpMaster to connect to the Azure HelpMaster app, and use its credentials to send and receive email.
Step 1 - Create and configure your Microsoft 365 HelpMaster App
- Log in to your Microsoft Azure Portal at portal.azure.com with an administrator account
- Navigate to Azure Active Directory > App Registrations
- Click New registration
- Enter a name. eg. HelpMaster
- Select Accounts in this organizational directory only (Your org - Single tenant)
- Click Register to create the app registration
Step 2 - Granting Graph API permissions
Send Only Permissions: Once the app has been created, you will need to configure which Graph API permissions it will have. The minimum permissions required to send emails from HelpMaster are User.Read.All, so that HelpMaster can find the required user or shared mailbox along with its basic details, and Mail.Send, to be able to send from any mailbox.
Read, Write & Move Permissions: For Email Manager to be able to utilise M365 mailboxes, you will also need to grant Mail.ReadWrite permissions in addition to the above send permissions.
- Click View API Permissions (if you’re still on the initial screen, or API Permissions from the left-side menu)
- Click Add a permission
- From the Request API permissions panel, click the top panel Microsoft Graph
- Click on Application permissions at the top and scroll down to the Mail section and expand it
- Select (tick) Mail.Send (Send mail as any user) to enable the “Send As” permission
- Select (tick) Mail.ReadWrite (For Email Manager to be able to read, write and move) permissions if required
- Scroll down to the User section and select the User.Read.All permission to allow reading of user profile information. This permission is required for being able to select the account you want to use via the HelpMaster interface when configuring the mail account later.
- Click Add permissions
Microsoft 365 permissions delay: Microsoft 365 may take 20 to 60 minutes for these permissions to take effect. Do not conclude that it is not working until you have waited at least 60 minutes after completing ALL steps on this page.
- Click Grant admin consent for [Your Organization] link and click Yes to the confirmation prompt
Step 3 - Create a Client Secret
In order to be able to use the app within HelpMaster, you need to configure a Client Secret for the app.
- Click Certificates & secrets from the left-side menu
- Click New client secret
- A dialog box will appear prompting for a Description of the secret. This is a descriptive label only - it isn’t the secret. Enter the descriptive name and set the expiry to your preference. Note that if a secret expires, any code/apps/APIs using this app (including HelpMaster) will stop working, and you’ll need to create a new secret and re-enter this value into the configuration within HelpMaster. Click Add
Configuration Notice: This is the only opportunity you will have to copy this secret, so ensure that you do it at this step. If you navigate away from this tab/page/panel, you will lose the opportunity to copy the secret and you will have to create a new secret.
- Copy the secret from the Value column - click on the copy icon, or select and copy it manually. You may wish to save the secret somewhere safe, or just keep it on the clipboard to paste into HelpMaster.
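Because an expired secret stops HelpMaster from sending and receiving mail, it is worth checking the expiry dates on the app registration periodically. The following is an added example, not part of the HelpMaster documentation: it assumes the Microsoft.Graph.Applications PowerShell module is installed, uses a placeholder Application (client) ID, and the 30-day warning threshold is an arbitrary choice. It reads only secret metadata; the secret value itself is never returned.

```powershell
# Added example: report when each client secret on the app registration expires.
$AppId    = '<Your Application (client) ID>'   # placeholder
$WarnDays = 30                                 # assumed warning threshold

# Read-only access to app registrations is sufficient for this check
Connect-MgGraph -Scopes 'Application.Read.All'

$app = Get-MgApplication -Filter "appId eq '$AppId'"
if (-not $app) { throw "No app registration found for AppId $AppId" }

$now = (Get-Date).ToUniversalTime()
$report = foreach ($cred in $app.PasswordCredentials) {
    $daysLeft = [math]::Floor(($cred.EndDateTime.ToUniversalTime() - $now).TotalDays)
    [pscustomobject]@{
        Secret   = $cred.DisplayName     # the Description entered when the secret was created
        KeyId    = $cred.KeyId
        Expires  = $cred.EndDateTime
        DaysLeft = $daysLeft
        Status   = if ($daysLeft -lt 0) { 'EXPIRED' }
                   elseif ($daysLeft -le $WarnDays) { 'RENEW SOON' }
                   else { 'OK' }
    }
}

# Soonest-to-expire first
$report | Sort-Object DaysLeft | Format-Table -AutoSize
```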
Your Microsoft 365 HelpMaster app is almost ready to be used by HelpMaster. The next step is to create a Mail-enabled security group to restrict access.
Restrict mail access to only the accounts you need: It is highly recommended to restrict this access to only the mailboxes that you actually want to send or scan email from. This is achieved by creating a Mail-enabled security group and ApplicationAccessPolicy as outlined in steps 4 and 5 below. These steps are not functionally necessary, but it is highly recommended NOT to skip them.
Step 4 - Create a Mail-enabled security group
In this step we will create a group to restrict the Mail.Send and/or Mail.Send.Shared API permissions to be able to send email only “AS” or “On Behalf Of” selected user mailboxes and exclude access to all others.
- Go to Microsoft 365 admin center > Teams & groups > Active teams & groups and select Mail-enabled security
- Click Add a group and select the group type Mail-enabled security followed by Next
- Enter a Name and Description of the new security group followed by Next
- Enter a Group email address (required but not used) followed by Next
- Review the new group details and click Finish to create it (It can take from 20 to 60 minutes for these settings to take effect)
- Select the new group and add members by clicking Members followed by View all and manage members and + Add members
- From the list search and select (tick) the user mailboxes HelpMaster requires access to
Step 5 - Create an ApplicationAccessPolicy based on the Mail-enabled security group
This step will create an ApplicationAccessPolicy to restrict access to only the members of the Mail-enabled security group above. This can only be accomplished via the Exchange Online PowerShell console.
- Open a PowerShell v7 console window as an Administrator. Install PowerShell v7.xx if necessary
- Connect to your Exchange Online PowerShell console using:
Connect-ExchangeOnline -UserPrincipalName <Your Microsoft 365 admin login email address>
- Copy the following PowerShell script, and modify the arguments of the script with your specific details from your app registration created earlier. For further information about this step, refer to the Microsoft article Limit mailbox access with Microsoft 365
New-ApplicationAccessPolicy -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b -PolicyScopeGroupId HelpMasterApp@YourDomain.com -AccessRight RestrictAccess -Description "This will restrict the HelpMaster application's ability to send email 'As' or 'On Behalf Of' only the user mailboxes that are members of this security group."
- -AppId = Your Application (client) ID from the HelpMaster app you created in step 1
- -PolicyScopeGroupId = The email address of the Mail-enabled security group you created in step 4
- -Description = Your description of this ApplicationAccessPolicy within quotation marks
Check that your modified PowerShell command is correct. Press <Enter> to execute the command. It should look something like this…
Once the PowerShell script has run successfully, your HelpMaster app registration should now be linked to the Mail-enabled security group to limit the mail access to only the members that were selected.
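To confirm that the policy restricts the app as intended, test it against one mailbox inside the group and one outside it. This is an added example, not part of the HelpMaster documentation: it assumes an existing Connect-ExchangeOnline session, reuses the example AppId shown above, and the two mailbox addresses are constructed placeholders.

```powershell
# Added example: verify the ApplicationAccessPolicy scope for the HelpMaster app.
$AppId = 'e7e4dbfc-046f-4074-9b3b-2ae8f144f59b'   # example value from this page; use your own Application (client) ID

# Constructed sample addresses: replace with real mailboxes from your tenant.
$expected = [ordered]@{
    'helpdesk@YourDomain.com' = 'Granted'   # member of the Mail-enabled security group
    'finance@YourDomain.com'  = 'Denied'    # not a member; the app must not reach it
}

# List every policy that applies to this app registration
Get-ApplicationAccessPolicy |
    Where-Object AppId -eq $AppId |
    Format-List Identity, ScopeName, AccessRight, Description

# Evaluate the policy for each mailbox and compare with the intended result
$results = foreach ($mailbox in $expected.Keys) {
    $check  = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId
    $actual = [string]$check.AccessCheckResult
    [pscustomobject]@{
        Mailbox  = $mailbox
        Expected = $expected[$mailbox]
        Actual   = $actual
        Ok       = ($actual -eq $expected[$mailbox])
    }
}
$results | Format-Table -AutoSize

if ($results.Ok -contains $false) {
    Write-Warning 'At least one mailbox does not match the intended scope. Review the policy and the group membership.'
}
```

Re-run the check after any change to the group membership, so that a mailbox added or removed by mistake is caught before HelpMaster uses it.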
Adding / Removing members once the group has been created and linked
Once the Mail-enabled security group has been created and linked to the HelpMaster app registration via the PowerShell script, all changes to the group membership must be performed via the Exchange Administration Portal (https://admin.exchange.microsoft.com).
Step 6 - Configure the Microsoft 365 settings in HelpMaster
The final step is to copy the configuration settings from your Azure portal into HelpMaster.
Working in the HelpMaster Desktop application, navigate to the following screen:
Navigation in HelpMaster Desktop: Administration menu > System Administration toolbar button > System Integration > Microsoft 365 tab
- Copy the Application (client) ID, Directory (tenant) ID and Client secret from Azure to HelpMaster in the corresponding text boxes
- Click Test Settings to ensure that authentication and configuration is correct
- If you get a Microsoft 365 Authentication was successful message box, click Apply to save your configuration
Once this step has been completed successfully, create or edit a HelpMaster email account that uses this Microsoft 365 connection. See Global Email Accounts
Register an application with the Microsoft identity platform (External link)
Limit mailbox access with Microsoft 365 (External link)
Create a new Microsoft 365 application access policy (External link)
Connect to Exchange online with Powershell (External link)