Send and receive email using Microsoft Graph API


This guide describes how Microsoft 365 can be configured to allow for usage of Exchange to deliver outbound email from Kundo Mail using Active Directory and Microsoft Graph API.

In summary, you will send us three values on Kundo:

  1. The Client ID and Tenant ID value from the Overview page
  2. The Client Secret value from the Certificates & Secrets menu.

Step-by-step instructions

1. Add an app registration

  1. Go to the Active Directory page in your Azure portal.
  2. Go to App Registrations > New Registration.
  3. Fill in Name: "Kundo Mail" and then click on "Register".
    You don't need to fill in any Redirect URL.
  4. You will now come to an overview page for the app registration.
    Copy the Application (client) ID and Directory (tenant) ID values.

  5. Go to Certificates & Secrets > New client secret.
  6. Add a "client secret" and copy the value for later.
  7. Send the values to support@kundo.se.

2. Add permissions

  1. Go to API permissions 
  2. Click Add a permissions 
  3. Click on Microsoft Graph > Application permissions and search for "mail". 
  4. Check both Mail.Send and Mail.ReadWrite 
  5. Click Add permissions. 

The Mail.ReadWrite claim is required due to a limitation when sending email larger than 3MB. In this case a draft has to be created before the attachments can be uploaded and the email sent.

The permissions need to be granted, click Grant admin consent for <Organization>.

3. Add an logo to the app registration (optional)

Go to Branding and add a Kundo logo and title to the App registration, to make it easier to keep track of.

You are welcome to use this logo:

4. Add mail-enabled security group

To only allow access to the accounts you're connecting with Kundo you need to set up a security group with these accounts, following are the required settings to add this group and more information can be found here.

  1. In the new EAC, navigate to Recipients > Groups > Mail-enabled security.

  2. Click Add a group and follow the instructions in the details pane.

    • Under Choose a group type section, select Mail-enabled security and click Next.

    • Under Set up the basics section, enter your details and click Next.

  3. In Assign owners section, click + Assign owners, select a group owner from the list, and click Next.
  4. Under Add members, click + Add members, select the group members from the list, remember to only select the accounts that you're adding to kundo and click Next.

5. Add application access policy

The application access policy can only be added via Exchange Online Powershell. The following instructions describe the process to add a policy restricting an applications access to the users in the security group. More information can be found here.

  1. Connect to Exchange Online PowerShell. For details, see Connect to Exchange Online PowerShell.

  2. Create an application access policy.
    • Run the following command, replacing the arguments for AppId, PolicyScopeGroupId, and Description.
    • New-ApplicationAccessPolicy -AppId <app-id> -PolicyScopeGroupId <security-group-name or email> -AccessRight RestrictAccess -Description <Description for the policy, e.g. `Restrict Kundo Mail app to intended emails`>
  3. Test the newly created application access policy.
    • Run the following command, replacing the arguments for Identity and AppId.
    • Test-ApplicationAccessPolicy -Identity <email> -AppId <app-id>
    • Testing with an email in the security group should result in access granted and one not in the group should result in access denied.
    • Note: It can take some time for these settings to take effect in other parts of the system.