# Configure Azure MS Graph API

{% hint style="info" %}
Applicable versions: ASM 10.5.5 and above

MS Graph API has also been provided as a patch to some earlier versions of ASM and vFire Core.
{% endhint %}

## Steps to connect ASM to M365 Email Accounts using the MS Graph API

1. Create an App Registration in Azure Portal
2. Configure Microsoft Graph API Permissions
3. Add a Client Secret and set an Expiry Date
4. Limit application permissions to a specific Exchange Online Mailbox
5. Configure ASM - Outgoing Email
6. Configure ASM - Incoming Email
7. Test Connectivity

## 1. Create an App Registration in Azure Portal

{% hint style="info" %}
You must use an Azure account in the same Microsoft 365 Subscription (Tenant) that you intend to register the app with.
{% endhint %}

1. Sign in to the Azure Portal (<https://portal.azure.com>) using an account with the correct permissions to create an App Registration e.g. an Administrator Account.
2. Select **Azure Entra ID** (previously Azure Active Directory)
3. Under **Manage** select **App Registration**

<figure><img src="/files/DMvID2q0AflIjr2ES9Xt" alt=""><figcaption><p>Azure Entra ID App Registration</p></figcaption></figure>

4. Click on **New Registration**

<figure><img src="/files/L2NZaxnVIJBgx1kb6D4i" alt=""><figcaption><p>New App Registration</p></figcaption></figure>

5. In the **Register an Application** screen, enter your application's registration information:

* In the **Name** section, enter an application name that will be displayed to the users.
* Select the **Accounts in any organizational directory** option in the **Supported account types** section.
* Set the **Redirect URI** (optional).
* Click on **Register** to create the application.

<figure><img src="/files/m7iEN1pRxGhtzoukYTRQ" alt=""><figcaption><p>Register an Application in Azure Entra ID</p></figcaption></figure>

The app registration is created and you are directed to the App Registration Overview page.

6. On the App Registration Overview screen, hover over the **Application (client) ID** value and select the Copy to clipboard icon to copy the value, as you'll need to specify this in ASM.

<figure><img src="/files/oaSwXhqGPpJxSefgbefy" alt=""><figcaption></figcaption></figure>

7. Under **Manage**, select **API Permissions** and proceed to Step 2.

## 2. Configure MS Graph API Permissions

<figure><img src="/files/lDphr4Fbk5TLeOhMwA0c" alt=""><figcaption><p>Adding an API Permission to the App Registration</p></figcaption></figure>

1. Under the **Configured Permissions** section select **Add a Permission**
2. Select **Microsoft APIs** and then select **Microsoft Graph**

<figure><img src="/files/chCTMheyIuanMGWLVPwH" alt=""><figcaption><p>Select the Microsoft Graph API</p></figcaption></figure>

3. Select **Application Permissions**
4. In the Search field type 'mail'
5. Expand the options under **Mail** and enable the following permissions:

<figure><img src="/files/c6ibax16yypaT4gxEYiu" alt=""><figcaption></figcaption></figure>

6. Press the **Add permissions** button to apply the API Permissions

<figure><img src="/files/GtkmbOJ43oMXRDLQSNbI" alt=""><figcaption><p>Adding the API Permissions to the App Registration</p></figcaption></figure>

## 3. Add a Client Secret

In the Azure Portal for the Application Registration create a new Client Secret by going to the Certificates & Secrets Menu:

1. Under **Manage** select **Certificates & secrets**

<figure><img src="/files/1p7VoEOnR5tUbh9FTuLx" alt=""><figcaption><p>Add a New Client Secret</p></figcaption></figure>

2. Select **New Client Secret**
3. Add a **Name** and choose an **Expiry Date**

{% hint style="danger" %}
The Client Secret **Expiry Date** can be set by default up to 24 months. Microsoft recommends that you do not set an expiry date higher than this period for Client Secret IDs.

Once the Client Secret ID has expired, the configured ASM Email Accounts will stop connecting to Exchange Online and emails will stop working until a valid Client Secret ID is configured in Azure Portal.

It is the Customer's responsibility to track and manage the Client Secret ID's expiry date and renew it in order to maintain service continuity.
{% endhint %}

<figure><img src="/files/rgbROqvmuifmtbLn37ST" alt=""><figcaption></figcaption></figure>

4. Press **Add**
5. Obtain the Client Secret ID from the Azure Portal by selecting the Copy to clipboard icon to copy the value, as you'll need to specify this in ASM.

<figure><img src="/files/AWhSjavEkfpWZUpncjDc" alt=""><figcaption><p>Client Secret ID for the App Registration</p></figcaption></figure>

## 4. Limiting application permissions to specific Exchange Online mailboxes

The permissions required for this type of mail service could allow ASM to send and receive email from any mailbox.

In production environments, mailbox permissions should be limited to only allow sending and receiving from the required addresses.

Configuring permissions for Exchange Online mailboxes is beyond the scope of this document but further information is available here:

{% embed url="<https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access>" %}
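One way to apply this restriction is an Exchange Online application access policy scoped to a mail-enabled security group. This is an added example, not part of the ASM documentation; the client ID, group and mailbox addresses are placeholders constructed for illustration.

```powershell
# Added example: restrict the ASM app registration to named mailboxes.
# Requires the ExchangeOnlineManagement module and an Exchange administrator account.
$AppId     = '00000000-0000-0000-0000-000000000000'   # placeholder: Application (client) ID
$GroupSmtp = 'asm-graph-mailboxes@contoso.example'    # constructed group address
$Allowed   = @('servicedesk@contoso.example')         # constructed: mailboxes ASM should use
$Outside   = 'finance@contoso.example'                # constructed: mailbox ASM must not reach

Connect-ExchangeOnline

# Mail-enabled security group that defines the policy scope
New-DistributionGroup -Name 'ASM Graph Mailboxes' -Alias 'asm-graph-mailboxes' `
    -Type Security -PrimarySmtpAddress $GroupSmtp
foreach ($mbx in $Allowed) {
    Add-DistributionGroupMember -Identity $GroupSmtp -Member $mbx
}

# RestrictAccess: the app may only access mailboxes that are members of the group
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupSmtp `
    -AccessRight RestrictAccess `
    -Description 'Limit ASM Graph mail app to service desk mailboxes'

# Verify: expect Granted for the allowed mailboxes and Denied for the outside one
foreach ($mbx in $Allowed + $Outside) {
    $result = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    '{0,-40} {1}' -f $mbx, $result.AccessCheckResult
}
```

`Test-ApplicationAccessPolicy` evaluates the policy directly; Graph API calls made by ASM can keep their previous behaviour for a while after a policy change, so re-test from ASM later as well.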

## Configure ASM

### 5. Outgoing Email

Add a new Outgoing Mail server. Instructions on how to do this can be found here:

{% content-ref url="/pages/tNsKZN1psbYwSTfeLBfb" %}
[Email Server Configuration](/asm-legacy-product-documentation/setup-and-configure-asm/setting-up-your-system/setup-email/setting-up-incoming-and-outgoing-email/email-server-configuration.md)
{% endcontent-ref %}

<figure><img src="/files/RBDFjTTV6mt6jAzpWf3L" alt=""><figcaption><p>Dialogue Window to select Email Protocol</p></figcaption></figure>

Copy the following values from Azure Portal and use them to configure the ASM Email Server:

* Tenant ID
* Client ID
* Client Secret

<figure><img src="/files/YUKdZCVn4FeQeefNIZTj" alt=""><figcaption><p>Example Outgoing Email Server Configuration</p></figcaption></figure>

### 6. Incoming Email

Add a new Incoming Mail Server in ASM. Instructions can be found here:

{% content-ref url="/pages/tNsKZN1psbYwSTfeLBfb" %}
[Email Server Configuration](/asm-legacy-product-documentation/setup-and-configure-asm/setting-up-your-system/setup-email/setting-up-incoming-and-outgoing-email/email-server-configuration.md)
{% endcontent-ref %}

Copy the following values from the Azure Portal App Registration and use them to configure the ASM Incoming Email Server:

* Tenant ID
* Client ID
* Client Secret

<figure><img src="/files/hq4y57SRmzj2vDR9Jrrg" alt=""><figcaption><p>Example Incoming Email Server Configuration</p></figcaption></figure>

## 7. Test Connectivity

Once Outgoing and Incoming Email has been configured you should test connectivity by using the Test button in the toolbar and then by sending and receiving email via the configured mail servers.

### *FAQ Resource could not be discovered*

This probably means the email address is not spelled correctly. You should double check the spelling of the email domain name.\
It might also mean that the associated account does not have email enabled.

### *FAQ Access Denied*

<figure><img src="/files/f2VodSLJocOAqgKO8CVH" alt=""><figcaption></figcaption></figure>

This is likely because Azure has not been configured for the correct roles and permissions through the API.
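To see which application permissions Azure has actually granted, request an app-only token with the same Tenant ID, Client ID and Client Secret and inspect its `roles` claim. This is an added diagnostic example, not part of ASM; the IDs are placeholders, and filtering on `Mail.*` assumes the permissions enabled in Step 2 are the Graph mail permissions.

```powershell
# Added example: list the Graph application permissions present in an app-only token.
$TenantId = '00000000-0000-0000-0000-000000000000'   # placeholder: Tenant ID
$ClientId = '00000000-0000-0000-0000-000000000000'   # placeholder: Application (client) ID

# Prompt for the secret so it is not stored in the script or shell history
$secure = Read-Host -Prompt 'Client secret' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# OAuth 2.0 client credentials request against the tenant's token endpoint
$response = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $plain
        scope         = 'https://graph.microsoft.com/.default'
    }

# Decode the JWT payload (second segment, base64url) for diagnostics only
$payload  = $response.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
$payload += '=' * ((4 - $payload.Length % 4) % 4)
$claims   = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) |
            ConvertFrom-Json

"Tenant in token : $($claims.tid)"
"App in token    : $($claims.appid)"

# Application permissions appear in 'roles' only after admin consent has been granted
$mailRoles = @($claims.roles | Where-Object { $_ -like 'Mail.*' })
if ($mailRoles.Count -eq 0) {
    Write-Warning 'Token carries no Mail.* application permissions; check API Permissions and admin consent.'
} else {
    "Mail permissions: $($mailRoles -join ', ')"
}
```

A token that does carry the expected permissions while ASM still reports Access Denied points at the mailbox restriction from Step 4 rather than at the API permissions.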


