Step 1 - Create an Azure Application
- Go to your Azure AD portal https://portal.azure.com → “App registrations”
- New registration → give it a name → select option “Accounts in this organizational directory only (your tenant name)”
- Leave Redirect URI blank (the integration authenticates as an application with a client secret, so there is no interactive sign-in and nothing to redirect to)
- Register
Step 2 - Set a Client Secret
- Select the newly created Application → “Certificates & secrets” → “New client secret”
- Provide a name and set an expiration. The portal no longer offers “Never” and caps client secrets at 24 months, so pick the longest lifetime your policy allows and record the expiry date: mail from SureCloud stops the day the secret lapses, so plan to rotate it before then.
- Copy the secret Value as soon as it is created; it is shown only once and cannot be retrieved later.
Step 3 - Add the required permissions to send email
- “API permissions” → “Add a permission” → “Microsoft Graph”
- Ensure this is of type “Application”. “Delegated” will not give sufficient access, because SureCloud sends mail without a signed-in user.
- Add the permission “Mail.Send”
- “Grant admin consent for <your tenant name>” (the button carries your own tenant's name and requires an administrator who can grant tenant-wide consent)
- Note that application-level Mail.Send lets the app send as any mailbox in the tenant. Step 4 is what narrows it to the one intended mailbox, so do not skip it.
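Steps 1 to 3 as a script, for tenants that prefer registrations to be reproducible and reviewable rather than clicked together in the portal. This is an added example using the Microsoft Graph PowerShell SDK, not SureCloud's own code; the display name, secret name and 12-month secret lifetime are assumptions to adjust to your naming and rotation policy. The Graph application ID 00000003-0000-0000-c000-000000000000 is Microsoft Graph's well-known identity and is the same in every tenant.

```powershell
# Added example (not SureCloud's script): register the app, request the *application*
# Mail.Send permission, grant admin consent and create a finite-lifetime client secret.
# Requires: Install-Module Microsoft.Graph.Applications
# Assumed placeholders: the display name, secret name and secret lifetime below.

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'

# Microsoft Graph's service principal has this well-known appId in every tenant.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Pick the application (app role) flavour of Mail.Send, not the delegated scope of the same name.
$mailSend = $graphSp.AppRoles |
    Where-Object { $_.Value -eq 'Mail.Send' -and $_.AllowedMemberTypes -contains 'Application' }
if (-not $mailSend) { throw 'Mail.Send application role not found on the Graph service principal' }

# Step 1: single-tenant registration, no redirect URI (this is a daemon, not an interactive app).
$requiredAccess = @{
    ResourceAppId  = $graphSp.AppId
    ResourceAccess = @( @{ Id = $mailSend.Id; Type = 'Role' } )
}
$app = New-MgApplication -DisplayName 'SureCloud Mail Sender' -SignInAudience 'AzureADMyOrg' `
    -RequiredResourceAccess @($requiredAccess)

# A service principal must exist in the tenant before consent can be recorded against it.
$sp = New-MgServicePrincipal -AppId $app.AppId
Start-Sleep -Seconds 10   # directory replication can lag; avoids a spurious "not found" below

# Step 3: "Grant admin consent" is, under the hood, an app role assignment on Graph's service principal.
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
    -ResourceId $graphSp.Id -AppRoleId $mailSend.Id | Out-Null

# Verify the consent actually landed before handing anything over.
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object { $_.AppRoleId -eq $mailSend.Id }
if (-not $granted) { throw 'Admin consent for Mail.Send was not recorded' }

# Step 2: client secret. The portal no longer offers "Never"; set a finite lifetime and diary the rotation.
$cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'SureCloud'
    EndDateTime = (Get-Date).AddMonths(12)
}

# Everything Step 5 asks for, in one object. SecretText is shown once; put it in a vault, not a ticket.
[pscustomobject]@{
    TenantId     = (Get-MgContext).TenantId
    ClientId     = $app.AppId
    ClientSecret = $cred.SecretText
    SecretExpiry = $cred.EndDateTime
}
```

The script stops if the Mail.Send application role cannot be found or if the consent assignment does not show up afterwards, so a half-finished registration is not silently handed on. Remember that at this point the app can still send as every mailbox in the tenant; Step 4 is still required.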
Step 4 - Lock down the Application to only allow sending from the specified mailbox
(https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access)
You will need:
- AppId/ClientId of the newly created application
- A mail-enabled security group (or distribution group) containing only the sending mailbox, and the email address or ID of this group
- PowerShell with the ExchangeOnlineManagement module and an account with Exchange Online admin rights, so that you can run Connect-ExchangeOnline
After Connect-ExchangeOnline, run the following cmd to restrict access, replacing the values with your AppId and your mail-enabled security group (the values below are Microsoft's documentation placeholders, not values to reuse):
New-ApplicationAccessPolicy -AppId e8f4eefc-046g-4084-9b4b-2ab8f144b59f -PolicyScopeGroupId EvenUsers@contoso.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group EvenUsers."
Run the following cmd to test the access policy. Expect AccessCheckResult to be Granted for the sending mailbox and Denied for any mailbox outside the group; a new policy can take up to 30 minutes to take effect, so repeat the test if the first result is unexpected:
Test-ApplicationAccessPolicy -Identity user1@contoso.com -AppId e8f4eefc-046g-4084-9b4b-2ab8f144b59f
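Step 4 as a repeatable script that also proves the policy works in both directions. This is an added example rather than SureCloud's or Microsoft's own script; the application ID, group address and the two test mailboxes are assumed placeholders. It checks that the scope group is really mail-enabled and contains the sending mailbox, creates the policy, then polls Test-ApplicationAccessPolicy until the sending mailbox is Granted and an unrelated mailbox is Denied, since a policy that only passes the positive check tells you nothing about the lockdown.

```powershell
# Added example (not SureCloud's script): create the application access policy and verify it
# with a positive and a negative check. Requires: Install-Module ExchangeOnlineManagement
# All values below are assumed placeholders; substitute your own.
$appId       = '00000000-0000-0000-0000-000000000000'   # Application (client) ID from Step 1
$scopeGroup  = 'surecloud-senders@contoso.com'          # mail-enabled security group holding ONLY the sending mailbox
$allowedUser = 'notifications@contoso.com'              # the sending mailbox, a member of the group
$otherUser   = 'finance@contoso.com'                    # any mailbox outside the group; must be denied

Connect-ExchangeOnline

# PolicyScopeGroupId must be a mail-enabled group; a plain security group is not accepted.
$group = Get-DistributionGroup -Identity $scopeGroup -ErrorAction Stop
if ($group.RecipientTypeDetails -ne 'MailUniversalSecurityGroup') {
    Write-Warning "$scopeGroup is a $($group.RecipientTypeDetails), not a mail-enabled security group"
}

# The lockdown is only as tight as the group: confirm the sending mailbox is in it and nothing unexpected is.
$members = Get-DistributionGroupMember -Identity $scopeGroup
if (-not ($members | Where-Object { "$($_.PrimarySmtpAddress)" -eq $allowedUser })) {
    throw "$allowedUser is not a member of $scopeGroup; the policy would block the sending mailbox"
}
"Group members: $(($members | ForEach-Object { "$($_.PrimarySmtpAddress)" }) -join ', ')"

New-ApplicationAccessPolicy -AppId $appId -PolicyScopeGroupId $scopeGroup -AccessRight RestrictAccess `
    -Description "SureCloud: restrict app $appId to members of $scopeGroup" -ErrorAction Stop | Out-Null

# A new policy can take up to 30 minutes to take effect; poll until both checks agree or time runs out.
$deadline = (Get-Date).AddMinutes(35)
do {
    $allowed = Test-ApplicationAccessPolicy -Identity $allowedUser -AppId $appId
    $denied  = Test-ApplicationAccessPolicy -Identity $otherUser  -AppId $appId
    $ok = ($allowed.AccessCheckResult -eq 'Granted') -and ($denied.AccessCheckResult -eq 'Denied')
    if (-not $ok) { Start-Sleep -Seconds 60 }
} until ($ok -or (Get-Date) -gt $deadline)

if (-not $ok) {
    throw "Policy not effective: $allowedUser=$($allowed.AccessCheckResult), $otherUser=$($denied.AccessCheckResult)"
}
"Policy verified: $allowedUser Granted, $otherUser Denied"

# Review every policy attached to this app so nothing from an earlier attempt is left behind.
Get-ApplicationAccessPolicy | Where-Object AppId -eq $appId |
    Format-Table AppId, AccessRight, ScopeName, ScopeIdentity -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

If the negative check never reaches Denied, the usual causes are a typo in the AppId (the policy then restricts a non-existent app) or the test mailbox accidentally being a member of the group, which the membership listing above makes visible.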
Step 5 - Provide SureCloud with the following details:
- Tenant ID → Can be found in Azure AD (portal.azure.com) → Overview or Properties → “Directory (tenant) ID”
- Client Id/Application Id → Can be found in your application overview section
- Client Secret (see above) → hand it over through a secure channel, not in plain email or a support ticket
- UUID of the mailbox to be used → the Object ID of the mailbox's user account in Azure AD (Users → select the user → “Object ID”)
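Before handing the details over, it is worth confirming end to end that they work and that the lockdown from Step 4 holds. The following added example (not SureCloud's code) uses exactly the four values from Step 5: it obtains an app-only token with the client credentials flow, checks that the token carries Mail.Send as an application role, then calls Graph sendMail as the designated mailbox (expecting 202) and as a mailbox outside the policy group (expecting 403). The tenant ID, client ID, secret, mailbox IDs and recipient are assumed placeholders.

```powershell
# Added example (not SureCloud's code): end-to-end check of the finished setup.
# Assumed placeholders: every value in this block; replace with the ones gathered in Step 5.
$tenantId     = '00000000-0000-0000-0000-000000000000'   # Directory (tenant) ID
$clientId     = '11111111-1111-1111-1111-111111111111'   # Application (client) ID
$clientSecret = '<client secret value>'
$mailboxId    = '22222222-2222-2222-2222-222222222222'   # Object ID of the sending mailbox user
$otherMailbox = 'finance@contoso.com'                    # any mailbox outside the scope group
$recipient    = 'you@contoso.com'

# 1. Client credentials flow: no user, no redirect URI. The .default scope asks for the
#    application permissions that were admin-consented in Step 3.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$token = $tokenResponse.access_token

# 2. Confirm the token really carries Mail.Send as an application role before touching mail.
#    (Inspecting our own access token; base64url decode of the JWT payload segment.)
function Get-JwtPayload([string]$Jwt) {
    $p = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($p.Length % 4) { 2 { $p += '==' } 3 { $p += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p)) | ConvertFrom-Json
}
$claims = Get-JwtPayload $token
if ($claims.roles -notcontains 'Mail.Send') {
    throw "Token roles are [$($claims.roles -join ', ')]; Mail.Send (Application) is missing or not consented"
}

# 3. One sendMail body, tried from two mailboxes. saveToSentItems=false keeps the test out of Sent Items.
$headers = @{ Authorization = "Bearer $token" }
$body = @{
    message = @{
        subject      = 'SureCloud mail integration test'
        body         = @{ contentType = 'Text'; content = 'Sent via app-only Mail.Send.' }
        toRecipients = @(@{ emailAddress = @{ address = $recipient } })
    }
    saveToSentItems = $false
} | ConvertTo-Json -Depth 6

function Invoke-SendMailAs([string]$Mailbox) {
    try {
        $resp = Invoke-WebRequest -Method Post -Headers $headers -ContentType 'application/json' `
            -Uri "https://graph.microsoft.com/v1.0/users/$Mailbox/sendMail" -Body $body -UseBasicParsing
        return [int]$resp.StatusCode
    } catch {
        return [int]$_.Exception.Response.StatusCode   # 403 when the access policy blocks the mailbox
    }
}

$fromAllowed = Invoke-SendMailAs $mailboxId
$fromOther   = Invoke-SendMailAs $otherMailbox
"designated mailbox: HTTP $fromAllowed (expect 202)"
"other mailbox:      HTTP $fromOther (expect 403: the Step 4 policy is doing its job)"
if ($fromAllowed -ne 202 -or $fromOther -ne 403) { throw 'Setup check failed; review Steps 3 and 4' }
```

A 401 on the token request points at Steps 1 or 2 (wrong tenant, client ID or secret), a missing Mail.Send role points at Step 3 (permission added as Delegated, or consent not granted), and a 202 from the other mailbox means the Step 4 policy is absent or not yet effective.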