Configure Azure MS Graph API

Steps to connect ASM to M365 Email Accounts using the MS Graph API

Quick Start Guide (Download)

• Create an App Registration in Azure Portal

• Configure Microsoft Graph API Permissions

• Add a Client/Secret and set an Expiry Date

• Limit application permissions to a specific Exchange Online Mailbox

• Configure ASM - Outgoing Email

• Configure ASM - Incoming Email

• Test Connectivity

1. Create an App Registration in Azure Portal

1. Sign in to the Azure Portal (https://portal.azure.com) using an account with the correct permissions to create an App Registration e.g. an Administrator Account.

2. Select Azure Entra ID (previously Azure Active Directory)

3. Under Manage select App Registration

4. Click on New Registration

4. In the Register an Application screen enter your application's registration information:

• In the Name section, enter an application name that will be displayed to the users.

• Select Accounts in any organizational directory option from Supported account types section.

• Set the Redirect URI (optional)

• Click on Register to create the application.

The app registration will be created and then direct you to the App Registration Overview Page.

5. On the App Registration Overview screen, hover over Application (client) ID value, and select the Copy to clipboard icon to copy the value as you'll need to specify this in ASM.

6. Under Manage, select API Permissions and proceed to Step 2.

2. Configure MS Graph API Permissions

1. Under the Configured Permissions section select Add a Permission

2. Select Microsoft APIs and then select Microsoft Graph

2. Select Application Permissions

3. In the Search field type 'mail'

4. Expand the options under Mail and enable the following permissions:

5. Press the Add permissions button to apply the API Permissions

3. Add a Client Secret

In the Azure Portal for the Application Registration create a new Client Secret by going to the Certificates & Secrets Menu:

1. Under Manage select Certificates & secrets

2. Select New Client Secret

3. Add a Name and choose an Expiry Date

4. Press Add

5. Obtain the Client Secret ID from the Azure Portal by selecting the Copy to clipboard icon, to copy the value as you'll need to specify this in ASM.

4. Limiting application permissions to specific Exchange Online mailboxes

The permissions required for this type of mail service could allow ASM to send and receive email from any mailbox.

In production environments, mailbox permissions should be limited to only allow sending and receiving from the required addresses.

Configuring permissions for Exchange Online mailboxes is beyond the scope of this document but further information is available here:https:

Configure ASM

5. Outgoing Email

Add a new Outgoing Mail server. Instructions on how to do this can be found here:

Copy :

• Tenant ID

• Client ID

• Client Secret

values from Azure Portal and use them to configure the ASM Email Server

6. Incoming Email

Add a new Incoming Mail Server in ASM. Instructions can be found here:

Copy :

• Tenant ID

• Client ID

• Client Secret

values from the Azure Portal App Registration and use them to configure the ASM Incoming Email Server.

7. Test Connectivity

Once Outgoing and Incoming Email has been configured you should test connectivity by using the Test button in the toolbar and then by sending and receiving email via the configured mail servers.

FAQ Resource could not be discovered

This probably means the email address is not spelled correctly. You should double check the spelling of the email domain name. It might also mean that the associated account does not have email enabled.

FAQ Access Denied

This is likely because Azure has not been configured for the correct roles and permission through the API.