Prerequisites
Before you begin, ensure the following is in place:
- Administrator Access: You need an Azure account with permissions to manage applications in Azure Active Directory (e.g., Global Administrator or Application Administrator).
- Licensed Mailbox: The account that will be used to send emails (e.g., cerberus@yourcompany.com) must have a Microsoft 365 license assigned to it that includes an Exchange Online plan. This is required for the Graph API to access a mailbox to send from.
Step 1: Register a New Application
First, you need to register a new application in the Microsoft Azure portal. This registration creates an identity for your Cerberus application, allowing it to interact with the Microsoft Graph API.
- Navigate to the Azure Active Directory service in the Azure Portal.
- From the left-hand menu, select App Registrations.
- Click on + New registration.
- On the Register An Application page, enter the following details:
  - Name: Give your application a descriptive name, such as Cerberus Mail Sender.
  - Supported Account Types: Select Accounts in this organizational directory only (Your Tenant Name only - Single tenant).
  - Redirect URI (optional): You can leave this blank.
- Click the Register button.
Step 2: Collect Important IDs
Once the application is created, you'll be taken to its overview page. You need to copy the Application (client) ID and the Directory (tenant) ID. These will be required for the Cerberus configuration.
Step 3: Create a Client Secret
A client secret is a password for your application. Cerberus will use this secret, along with the Client ID, to authenticate itself to Microsoft.
- In your new app registration's menu, navigate to Certificates & Secrets.
- Click on the Client secrets tab and then click + New Client Secret.
- Add a Description for the secret and choose an Expires duration.
- Click Add.
- Immediately copy the secret's "Value". This is critical. The secret value is only displayed once, right after creation.
Step 4: Configure API Permissions
Now, you must grant your application the specific permission to send email without a signed-in user.
- From your app registration's menu, select API permissions.
- Click on + Add a permission.
- In the Request API permissions panel, select Microsoft Graph.
- Select Application permissions.
- In the search box, type Mail.Send to filter the permissions list.
- Check the box next to Mail.Send and click the Add permissions button.
Step 5: Grant Admin Consent
Because Mail.Send is a high-privilege permission, a tenant administrator must grant consent for the application to use it.
- On the same API permissions page, click the button that says Grant admin consent for [Your Tenant Name].
- A confirmation dialog will appear. Click Yes.
- The status for the Mail.Send permission should now update to show a green checkmark, indicating it has been granted. ✅
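The following script is an added example (it is not Cerberus's own code) that exercises the registration from Steps 1 to 5 end to end: it requests an app-only token with the client-credentials grant using the IDs and secret from Steps 2 and 3, checks that the token's `roles` claim actually contains Mail.Send (the observable result of Steps 4 and 5), and builds the Graph `sendMail` call for the licensed mailbox from the prerequisites. The tenant ID, client ID, secret and recipient address are placeholders; `make_demo_token` constructs an unsigned token purely so the role check can be exercised offline.

```python
# Added example, not part of the Cerberus documentation or code base.
# Assumed placeholders: <tenant-id>, <client-id>, <client-secret-value>, the recipient address.
import base64
import json
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials request built from the Directory (tenant) ID, the
    Application (client) ID and the secret value. Application permissions are
    always requested through the '.default' scope; the roles that come back
    are the ones admin consent granted."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    }).encode()
    return url, body


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def granted_roles(access_token):
    """Return the 'roles' claim of an app-only access token. This decodes the
    payload without checking the signature: it is a local sanity check of what
    was granted, not token validation (Graph validates the token on every call)."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return list(payload.get("roles", []))


def can_send_mail(access_token):
    """True once admin consent for Mail.Send has taken effect."""
    return "Mail.Send" in granted_roles(access_token)


def build_send_mail_request(sender_mailbox, to_address, subject, body_text, access_token):
    """POST /users/{mailbox}/sendMail. The mailbox must be the licensed account.
    Application-level Mail.Send is tenant-wide, so the mailbox in the URL is the
    only thing selecting the sender unless an Exchange Online application
    access policy restricts the app to this one mailbox."""
    url = "https://graph.microsoft.com/v1.0/users/{}/sendMail".format(urllib.parse.quote(sender_mailbox))
    headers = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}
    payload = {
        "message": {
            "subject": subject,
            "body": {"contentType": "Text", "content": body_text},
            "toRecipients": [{"emailAddress": {"address": to_address}}],
        },
        "saveToSentItems": True,
    }
    return url, headers, payload


def fetch_token(tenant_id, client_id, client_secret):
    """Network call: exchange the client secret for an access token string."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def send_mail(sender_mailbox, to_address, subject, body_text, access_token):
    """Network call: Graph answers 202 Accepted when the message is queued."""
    url, headers, payload = build_send_mail_request(sender_mailbox, to_address, subject, body_text, access_token)
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


def make_demo_token(roles):
    """Constructed, unsigned token carrying the given roles, used only to try
    granted_roles() offline; a real token from fetch_token() is signed."""
    header = base64.urlsafe_b64encode(b'{"alg":"none","typ":"JWT"}').rstrip(b"=").decode()
    body = base64.urlsafe_b64encode(json.dumps({"roles": roles}).encode()).rstrip(b"=").decode()
    return f"{header}.{body}."


if __name__ == "__main__":
    # Placeholders: replace with the values copied in Steps 2 and 3.
    TENANT_ID, CLIENT_ID, CLIENT_SECRET = "<tenant-id>", "<client-id>", "<client-secret-value>"
    SENDER_MAILBOX = "cerberus@yourcompany.com"
    token = fetch_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    if not can_send_mail(token):
        raise SystemExit("Token lacks Mail.Send: re-check Step 4 and that admin consent (Step 5) was granted")
    status = send_mail(SENDER_MAILBOX, "someone@yourcompany.com", "Cerberus test", "Hello from Cerberus", token)
    print("sendMail returned HTTP", status)
```

If the role check fails right after consent, wait a few minutes and fetch a fresh token; tokens issued before consent do not pick up the new role. Because the Mail.Send application permission allows the app to send as any mailbox in the tenant, an Exchange Online application access policy (`New-ApplicationAccessPolicy` with `-AccessRight RestrictAccess`) scoped to the Cerberus mailbox limits the blast radius if the client secret is ever exposed.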
References and Further Reading
For more in-depth information and FAQs on each of these steps, you can refer to the official Microsoft documentation:
- Step 1: Register an Application: Quickstart: Register an application with the Microsoft identity platform
- Step 3: Add a Client Secret: Add application credentials
- Step 4: API Permissions: Microsoft Graph permissions reference
- Step 5: Grant Admin Consent: Overview of user and admin consent
- General Microsoft Graph API: Overview of Microsoft Graph