Confidencial Documentation

Setting up Microsoft Entra to use an Exchange account to send email notifications


Last updated 2 months ago

Registering the Confidencial app in Microsoft Entra

ℹ️ These instructions are derived from Microsoft documentation found here

  1. Create a new M365 account, or select an existing one, from which you want Confidencial to send email notifications

  2. Log in to the Microsoft Entra admin center

  3. Expand the Identity menu > expand Applications > select App registrations > New registration

  4. Enter the following values:

    1. Name: Confidencial

    2. Supported account types: Accounts in this organizational directory only

    3. Redirect URI (optional): Leave blank

  5. Click Register

  6. Select Certificates & secrets > Certificates > Upload certificate

  7. Upload the certificate that is provided by Confidencial (the app authenticates with this certificate, so do not create a client secret for it)

  8. Click Add

  9. Click Overview and make note of the Application (client) ID. This ID is used later when restricting the application's mailbox access, and Confidencial will ask you for it once the configuration is complete.

Creating a mail-enabled security group

ℹ️ These instructions are derived from Microsoft documentation found here

In the Exchange Admin Center, click Recipients > Groups > Mail-enabled security

  1. Click Add a group, select Mail-enabled security, and click Next

  2. Enter the following values:

    1. Name: Confidencial notifications

    2. Description: Mailboxes used to send notifications on behalf of the Confidencial app

  3. Click Next

  4. Assign owners to the group - these are users that have the ability to manage group settings

  5. Click Next

  6. Add the user whose mailbox will be used for Confidencial notifications as the group's only member. The application access policy created in a later section grants the app access only to mailboxes in this group, so every member is a mailbox the app can send from.

  7. Click Next

  8. For Group email address, enter confidencial (@yourdomain.com)

    1. Leave the Communication checkbox unchecked

    2. Check the Approval checkbox so that owner approval is required to join the group; this stops users from adding themselves to the policy scope

  9. Click Next

  10. Click Create group, then click Close

Restricting Confidencial app access to a single mailbox

ℹ️ These instructions are derived from Microsoft documentation found here

Without an application access policy, the Mail.Send application permission granted in the next section lets the app send mail from any mailbox in the tenant. The policy below limits the app to members of the mail-enabled security group you just created.

Connect to Exchange Online PowerShell. For details, see Connect to Exchange Online PowerShell.

⚠️ NOTE: It is likely you will need to execute commands to allow for script execution. See here for details.

  1. Create an application access policy by executing the command below in Exchange Online PowerShell. Replace app-id with the Application (client) ID noted in the first section above. Replace yourdomain.com with your domain.

    New-ApplicationAccessPolicy -AppId app-id -PolicyScopeGroupId confidencial@yourdomain.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group confidencial@yourdomain.com"

  2. Test the access policy with the command below. Replace yourmailbox@yourdomain.com with the email address of the mailbox to be used for Confidencial notifications (note that this is different from the group email address you specified in the previous section). Replace app-id with the Application (client) ID noted in the first section above. Then repeat the command with an email address that is NOT in the group.

    Test-ApplicationAccessPolicy -Identity yourmailbox@yourdomain.com -AppId app-id

    If the access policy is correct, the output of the above command includes AccessCheckResult : Granted for the notification mailbox and AccessCheckResult : Denied for a mailbox that is not in the security group.

    ⚠️ NOTE: Changes to application access policies can take longer than one hour to take effect in Microsoft Graph REST API calls, even when `Test-ApplicationAccessPolicy` already reports Granted and Denied correctly. Until the policy is enforced, the Mail.Send permission granted in the next section would let the app send from any mailbox in the tenant, so wait at least one hour before proceeding to the next section.
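The following script is an added example, not part of the Confidencial documentation or Confidencial's own tooling. It performs the mail-enabled security group creation from the previous section and the application access policy creation and test from this section in one Exchange Online PowerShell session, and refuses to continue if the group contains anything other than the intended sender or if the policy does not both grant the sender and deny a control mailbox. All identities (the admin account, the Application (client) ID, the sender, the control mailbox and the group address) are placeholder assumptions to be replaced with your own values; Confidencial does not prescribe any of them.

```powershell
# Added example (not from the Confidencial docs): scope the Confidencial app
# registration to a single sending mailbox and verify the policy.
# Every value below is a placeholder assumption; replace it with your own.
param(
    [string]$AdminUpn       = "admin@yourdomain.com",                  # assumed Exchange admin account
    [string]$AppId          = "00000000-0000-0000-0000-000000000000",  # Application (client) ID from Entra
    [string]$SenderMailbox  = "notifications@yourdomain.com",          # mailbox the app may send from
    [string]$ControlMailbox = "someone.else@yourdomain.com",           # any mailbox NOT in the group
    [string]$GroupAddress   = "confidencial@yourdomain.com"            # mail-enabled security group
)

Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"

# The ExchangeOnlineManagement module is signed; RemoteSigned lets it load
# for this user without relaxing the machine-wide execution policy.
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -Force
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module ExchangeOnlineManagement -Scope CurrentUser -Force
}
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# 1. Mail-enabled security group whose members are the only mailboxes the
#    app may use. ApprovalRequired is the PowerShell equivalent of the
#    "Approval" checkbox: nobody can self-join and widen the policy scope.
$group = Get-DistributionGroup -Identity $GroupAddress -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-DistributionGroup -Name "Confidencial notifications" `
        -Alias "confidencial" -Type Security -PrimarySmtpAddress $GroupAddress `
        -Members $SenderMailbox -ManagedBy $AdminUpn `
        -MemberJoinRestriction ApprovalRequired `
        -Notes "Mailboxes used to send notifications on behalf of the Confidencial app"
}

# Every member of this group is a mailbox the app can send as, so stop if
# anything other than the intended sender is in it.
$members    = Get-DistributionGroupMember -Identity $GroupAddress
$unexpected = @($members | Where-Object { $_.PrimarySmtpAddress -ne $SenderMailbox })
if ($unexpected.Count -gt 0) {
    throw "Unexpected members in $GroupAddress : $($unexpected.PrimarySmtpAddress -join ', ')"
}

# 2. Application access policy: RestrictAccess limits the app, whatever
#    Graph mail permission it holds, to members of the scope group.
$policy = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $policy) {
    $policy = New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupAddress `
        -AccessRight RestrictAccess `
        -Description "Restrict this app to members of distribution group $GroupAddress"
}

# 3. Positive and negative test. Both must hold: a missing Denied means the
#    app is still able to send from every mailbox in the tenant.
$allowed = Test-ApplicationAccessPolicy -Identity $SenderMailbox  -AppId $AppId
$blocked = Test-ApplicationAccessPolicy -Identity $ControlMailbox -AppId $AppId
"{0,-35} {1}" -f $SenderMailbox,  $allowed.AccessCheckResult
"{0,-35} {1}" -f $ControlMailbox, $blocked.AccessCheckResult

if ($allowed.AccessCheckResult -ne "Granted" -or $blocked.AccessCheckResult -ne "Denied") {
    throw "Application access policy is not scoping $AppId to $GroupAddress as intended"
}

Disconnect-ExchangeOnline -Confirm:$false
```

A passing run shows that the Exchange-side policy is configured, not that Microsoft Graph is enforcing it yet; the propagation delay described in the note above still applies, so do not grant admin consent for Mail.Send in the next section until at least an hour has passed.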

Setting Confidencial app permissions in Entra

Log in to the Microsoft Entra admin center

  1. Expand the Identity menu > expand Applications > select App registrations

  2. Select the Confidencial app registration that you created in the first section. You may need to click the All applications tab for this application to appear in the list.

  3. Under Manage, click API permissions, then click Add a permission

  4. Click Microsoft Graph

  5. Select Application permissions

  6. In the Select Permissions search box, enter Mail.Send

  7. Expand the Mail result that appears, click the checkbox next to Mail.Send, then click Add Permissions

  8. Click Grant admin consent for… and click Yes on the resulting confirmation dialog

✅ This completes customer-side configuration for use of a customer-owned mailbox to send Confidencial notifications. Confidencial staff will complete the remainder of the needed configuration changes. Confidencial will send you a Secure Document Request (SDR) asking for the following:

  • Sender email address (email address from which notifications are sent)

  • Entra tenant ID

  • Entra Confidencial client (app) ID