Kepion allows you to send email notifications to any email provider with Microsoft's Graph API. In this article, we will walk you through setting up the API, so you can start leveraging this feature.
Note: You can still send email notifications with SMTP; however, that protocol might not work with your email provider.
Before you Start
To use the Graph API, you need the following:
- An Azure app registration. To create one, refer to the New App Registration and Configure Client Secret sections in this article.
- Outlook and Exchange Online (Microsoft Email Server)
- Kepion installed within your environment
The setup process has three steps:
1. Add the Mail.Send permission. Graph API's Mail.Send permission allows your app registration to send emails from mailboxes in your AD. You will add the Mail.Send permission and grant admin consent to your app registration.
2. Create a mail-enabled security group. Mail-enabled security groups are used for granting access to resources (e.g., SharePoint) and emailing notifications to group members. You will create a mail-enabled security group in Microsoft Exchange Online to define which mailboxes can send Kepion email notifications.
3. Create an access policy. Access policies restrict email privileges to the mail-enabled security group defined in the previous step.
Step 1: Add Mail.Send Permission
We first need to add the Mail.Send permission to your app registration, so it can send emails.
1. Open https://portal.azure.com/.
2. Navigate to the App registrations service.
3. Select your target App Registration to open it.
4. Select API permissions.
5. Select Add a permission.
6. Select Microsoft Graph.
7. Select Application permissions and then Mail.Send.
8. Select Add permissions.
9. Select Grant admin consent for <DirectoryName>.
Your app registration can now send emails from any mailbox within your AD.
Step 2: Create Mail-Enabled Security Group
While your app registration can now send emails, you should define which mailboxes it can use to send emails. We will define the list of mailboxes by creating a mail-enabled security group in Exchange Online.
Note: You will be using a feature called App Access Policies, which will soon be replaced by Role Based Access Control. Read more about the new functionality here.
2. Go to Recipients > Groups.
3. Select Mail-enabled security and then Add a group.
4. Select Mail-enabled security and then Next.
5. Define a name and description for the group and click Next.
6. Select Assign Owners.
7. Select the target owners and then Add.
8. Select Next.
9. Add your target group members.
Note: The selected members' mailboxes will have permission to send emails.
10. Define a group email address and enable settings as desired. Click Next.
11. Review the security group and select Create group.
Step 3: Create Access Policy
Lastly, you need to create an access policy to limit email privileges to the mail-enabled security group defined in the previous step. The access policy can only be created using PowerShell scripts.
1. Open PowerShell.
2. (Optional) Run the following command to install the ExchangeOnlineManagement module:
Install-Module -Name ExchangeOnlineManagement
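3. Run the following commands after replacing the parameters with your information:
# Sign in to Exchange Online with an administrator account
Connect-ExchangeOnline
# Restrict the app registration to the mailboxes in the security group
New-ApplicationAccessPolicy `
-AppId "application guid" `
-PolicyScopeGroupId "SMTP address of the created security group" `
-AccessRight "RestrictAccess" `
-Description "Restrict this app to members of group." | Out-Null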
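A verification check to run after step 3, added here as an example; it is not part of Kepion's documentation or of ps-exchange-SetPolicy.ps1. It uses the Exchange Online cmdlets Get-ApplicationAccessPolicy and Test-ApplicationAccessPolicy to confirm that a group member is granted access and a mailbox outside the group is denied. The app ID and both mailbox addresses are placeholders you must replace.

```powershell
# Added example: confirm the access policy confines the app to the security group.
# All three values are placeholders (assumptions); replace them with your own.
$AppId          = '00000000-0000-0000-0000-000000000000'  # app registration (client) ID
$AllowedMailbox = 'member@example.com'     # a member of the mail-enabled security group
$BlockedMailbox = 'nonmember@example.com'  # any mailbox outside the group

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in with an Exchange administrator account

# 1. A RestrictAccess policy must exist for this app; without one, Mail.Send
#    still applies to every mailbox in the tenant.
$policies = @(Get-ApplicationAccessPolicy |
    Where-Object { $_.AppId -eq $AppId -and $_.AccessRight -eq 'RestrictAccess' })
if (-not $policies) {
    throw "No RestrictAccess policy found for app $AppId."
}
$policies | Format-List AppId, ScopeName, AccessRight, Description

# 2. Evaluate the policy for one mailbox inside the group and one outside it.
$checks = @(
    @{ Mailbox = $AllowedMailbox; Expected = 'Granted' },
    @{ Mailbox = $BlockedMailbox; Expected = 'Denied'  }
)
$failures = 0
foreach ($check in $checks) {
    $result = Test-ApplicationAccessPolicy -Identity $check.Mailbox -AppId $AppId
    $actual = [string]$result.AccessCheckResult
    if ($actual -eq $check.Expected) {
        Write-Host "OK    $($check.Mailbox): $actual"
    } else {
        Write-Warning "FAIL  $($check.Mailbox): expected $($check.Expected), got $actual"
        $failures++
    }
}

Disconnect-ExchangeOnline -Confirm:$false

# 3. Fail loudly so the result cannot be missed in a deployment runbook.
if ($failures -gt 0) {
    throw "$failures access policy check(s) failed; the app is not scoped as intended."
}
```

Microsoft documents that policy changes can take more than an hour to take effect in Graph API calls, even when Test-ApplicationAccessPolicy already reports the expected result.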
Instead of manually setting up the access policy, you can run a PowerShell script. The script will:
- Install the Exchange Online Management cmdlets from PSGallery.
- Create the security group.
- Assign members to it.
- Create an access policy restricting the Application to use only the defined mailboxes.
1. Download ps-exchange-SetPolicy.ps1 from the Attachments section.
2. Open PowerShell.
3. Change the directory to the downloaded folder with the following command:
cd (Resolve-Path ~); cd Downloads
4. Run the following script after changing its parameters: