Setting up Microsoft Entra to use an Exchange account to send email notifications

Register the Confidencial application in Microsoft Entra

ℹ️ These instructions are derived from Microsoft documentation.

1. Create a new M365 account, or select an existing one, from which you want Confidencial to send email notifications.
2. Log in to the Microsoft Entra admin center.
3. Expand the Identity menu > expand Applications > select App registrations > New registration.
4. Enter the following values:
   Name: Confidencial
   Supported account types: Accounts in this organizational directory only
   Redirect URI (optional): Leave blank
5. Click Register.
6. Select Certificates & secrets > Certificates > Upload certificate.
7. Upload the certificate that is provided by Confidencial.
8. Click Add.
9. Click Overview and make note of the Application (client) ID. This ID will be used later when restricting application permissions.
Create a mail-enabled security group for the notification mailbox

ℹ️ These instructions are derived from Microsoft documentation.

1. In the Exchange admin center, click Recipients > Groups > Mail-enabled security.
2. Click Add a group, select Mail-enabled security, and click Next.
3. Enter the following values:
   Name: Confidencial notifications
   Description: Mailboxes used to send notifications on behalf of the Confidencial app
4. Click Next.
5. Assign owners to the group. These are the users who have the ability to manage group settings.
6. Click Next.
7. Add as a member the user that owns the mailbox to be used for Confidencial notifications.
8. Click Next.
9. For Group email address, enter confidencial@yourdomain.com, replacing yourdomain.com with your domain.
10. Leave the Communication checkbox unchecked.
11. Check the Approval checkbox to limit membership to the group.
12. Click Next.
13. Click Create group, then click Close.
Restrict the application to the notification mailbox with an application access policy

ℹ️ These instructions are derived from Microsoft documentation.

1. Connect to Exchange Online PowerShell.
   ⚠️ NOTE: You will likely need to adjust the PowerShell execution policy to allow script execution before the Exchange Online module can be loaded.
2. Create an application access policy by running New-ApplicationAccessPolicy in Exchange Online PowerShell. Replace app-id with the Application (client) ID noted in the first section above. Replace yourdomain.com with your domain, so that the policy is scoped to the confidencial@yourdomain.com group created in the previous section.
3. Test the access policy with Test-ApplicationAccessPolicy. Replace yourmailbox@yourdomain.com with the email address of the mailbox to be used for Confidencial notifications (note that this is different from the group email address you specified in the previous section). Replace app-id with the Application (client) ID noted in the first section above. Repeat this command using an email address that is NOT the one to be used to send Confidencial notifications.
4. If the access policy is correct, the output of the above command should include AccessCheckResult : Granted. If you run the above command with an email address that is NOT in the security group, you should see AccessCheckResult : Denied.

⚠️ NOTE: Changes to application access policies can take longer than one hour to take effect in Microsoft Graph REST API calls, even when `Test-ApplicationAccessPolicy` shows positive results. If there is concern about exposing unnecessary access to Graph API calls, it is recommended to wait at least one hour before proceeding to the next section.
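The policy creation and the two-sided check described above, as an added example that is not part of the Confidencial or Microsoft documentation. It assumes the policy is scoped to the mail-enabled security group from the previous section; $AppId, $SenderMailbox and $OtherMailbox are placeholder values you must replace.

```powershell
# Added example (not Confidencial's or Microsoft's own script). The values below are
# assumed placeholders: replace them with your Application (client) ID, group address,
# the mailbox that is a member of the group, and any mailbox that is not.
$AppId         = '00000000-0000-0000-0000-000000000000'   # Application (client) ID from the app registration
$GroupAddress  = 'confidencial@yourdomain.com'            # mail-enabled security group created above
$SenderMailbox = 'yourmailbox@yourdomain.com'             # mailbox that IS a member of the group
$OtherMailbox  = 'someone.else@yourdomain.com'            # mailbox that is NOT a member of the group

Connect-ExchangeOnline

# RestrictAccess limits the app to mailboxes that are members of the scope group.
# Without a policy, an application permission such as Mail.Send applies to every
# mailbox in the tenant, which is far more access than a notification sender needs.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $GroupAddress `
    -AccessRight RestrictAccess `
    -Description 'Restrict Confidencial to the notification mailbox'

# Check the policy from both sides: the intended sender must be Granted and any
# other mailbox must be Denied. A pass on only one side is a misconfiguration.
$checks = @(
    @{ Mailbox = $SenderMailbox; Expected = 'Granted' },
    @{ Mailbox = $OtherMailbox;  Expected = 'Denied'  }
)

$failed = $false
foreach ($check in $checks) {
    $result = Test-ApplicationAccessPolicy -Identity $check.Mailbox -AppId $AppId
    $ok     = $result.AccessCheckResult -eq $check.Expected
    if (-not $ok) { $failed = $true }
    $status = if ($ok) { 'PASS' } else { 'FAIL' }
    '{0,-5} {1,-35} expected={2,-8} actual={3}' -f $status, $check.Mailbox, $check.Expected, $result.AccessCheckResult
}

# Show every policy attached to this App ID so a stale or duplicate policy is visible.
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId } |
    Format-Table AppId, ScopeName, AccessRight, Description -AutoSize

if ($failed) {
    throw 'Application access policy check failed; do not grant Mail.Send until this is fixed.'
}
```

Remember the note above: a Granted result here does not mean Graph calls honour the policy yet, so allow the propagation time before granting the permission.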
Grant the application the Mail.Send permission

1. Log in to the Microsoft Entra admin center.
2. Expand the Identity menu > expand Applications > select App registrations.
3. Select the Confidencial app registration that you created in the first section. You may need to click the All applications tab for this application to appear in the list.
4. Under Manage, click API permissions, then click Add a permission.
5. Click Microsoft Graph.
6. Select Application permissions.
7. In the Select permissions search box, enter Mail.Send.
8. Expand the Mail result that appears, click the checkbox next to Mail.Send, then click Add permissions.
9. Click Grant admin consent for… and click Yes on the resulting confirmation dialog.

✅ This completes customer-side configuration for use of a customer-owned mailbox to send Confidencial notifications. Confidencial staff will complete the remainder of the needed configuration changes. Confidencial will contact you asking for the following:
- Sender email address (the email address from which notifications are sent)
- Entra tenant ID
- Entra Confidencial client (app) ID