Setting up Microsoft Entra to use an Exchange account to send email notifications
Registering the Confidencial app in Microsoft Entra
These instructions are derived from Microsoft documentation found here
- Create a new or select an existing M365 account from which you want Confidencial to send email notifications
- Log in to the Microsoft Entra admin center
- Expand the Identity menu > expand Applications> select App registrations > New registration
- Enter the following values:
- Name:
Confidencial
- Supported account types:
Accounts in this organizational directory only
- Redirect URI (optional): Leave blank
- Click Register
- Select Certificates & secrets > Certificates > Upload certificate
- Upload the certificate that is provided by Confidencial
- Click Add
- Click Overview and make note of the application’s (client) ID. This ID will be used later when restricting application permissions.
Creating a mail-enabled security group
These instructions are derived from Microsoft documentation found here
- In the Exchange Admin Center, click Recipients > Groups > Mail-enabled security
- Click Add a group, select Mail-enabled security, and click Next
- Enter the following values:
- Name:
Confidencial notifications
- Description:
Mailboxes used to send notifications on behalf of the Confidencial app
- Click Next
- Assign owners to the group - these are users that have the ability to manage group settings
- Click Next
- Add the member that owns the mailbox to be used for Confidencial notifications
- Click Next
- For Group email address, enter
confidencial
(@yourdomain.com
) - Leave the Communication checkbox unchecked
- Check the Approval checkbox to limit membership to the group
- Click Next
- Click Create group, then click Close
Restricting Confidencial app access to a single mailbox
These instructions are derived from Microsoft documentation found here
- Connect to Exchange Online PowerShell. For details, see Connect to Exchange Online PowerShell.
- Create an application access policy by executing the command below in Exchange Online PowerShell. Replace
app-id
with the application (client) ID noted in the first section above. Replaceyourdomain.com
with your domain.
NOTE: It is likely you will need to execute commands to allow for script execution. See here for details.
New-ApplicationAccessPolicy -AppId app-id -PolicyScopeGroupId confidencial@yourdomain.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group confidencial@yourdomain.com"
- Test the access policy with the command below. Replace
yourmailbox@yourdomain.com
with the email address of the mailbox to be used for Confidencial notifications (note that this is different from the group email address you specified in the previous step). Replaceapp-id
with the application (client) ID noted in the first section above. Repeat this command using an email address that is NOT the one to be used to send Confidencial notifications.
Test-ApplicationAccessPolicy -Identity yourmailbox@yourdomain.com -AppId app-id
If the access policy is correct, the output of the above command should include
AccessCheckResult : Granted
. If you run the above command with an email address that is NOT in the security group, you should see AccessCheckResult : Denied
.NOTE: Changes to application access policies can take longer than one hour to take effect in Microsoft Graph REST API calls, even when
Test-ApplicationAccessPolicy
shows positive results. If there is concern about exposing unnecessary access to Graph API calls, it is recommended to wait at least one hour before proceeding to the next section.Setting Confidencial app permissions in Entra
- Log in to the Microsoft Entra admin center
- Expand the Identity menu > expand Applications > select App registrations
- Select the Confidencial app registration that you created in the first section. You may need to click the All applications tab for this application to appear in the list.
- Under Manage, click API permissions, then click Add a permission
- Click Microsoft Graph
- Select Application permissions
- In the Select Permissions search box, enter
Mail.Send
- Expand the Mail result that appears, click the checkbox next to Mail.Send, then click Add Permissions
- Click Grant admin consent for… and click Yes on the resulting confirmation dialog
This completes customer-side configuration for use of a customer-owned mailbox to send Confidencial notifications. Confidencial staff will complete the remainder of the needed configuration changes. Confidencial will send you a Secure Document Request (SDR) asking for the following:
- Sender email address (email address from which notifications are sent)
- Entra tenant ID
- Entra Confidencial client (app) ID