Microsoft Office 365 Email Integration with Enate via Graph API model

You can now sync Enate to Microsoft Office 365 email boxes to both receive AND send emails into/from Enate. Read below to find out how to go about this.

This feature is designed for organizations that want to align their communication workflows directly with Microsoft’s preferred, high-security API protocols for improved security, compliance, and governance standards.

Microsoft Graph API Features

Microsoft Graph API brings some additional features at the server level:

Sent Items are preserved automatically. Emails sent from Enate via Graph API are saved to the Sent Items folder of the sending mailbox on your Exchange/Microsoft 365 server, giving you a server-side record of all outbound Enate correspondence. For specific information on how Microsoft Graph API handles the storing of sent items see here.
Modern authentication replaces legacy credentials. Graph API uses OAuth 2.0 via an Azure AD app registration, rather than the username/password or app-password approach.
Outbound mail flows through the full M365 stack. Because emails sent via Graph API, pass through Exchange Online transport rules, DLP policies, and message tracking logs just like any other mail from your organisation. That means your existing compliance controls, retention policies, and audit trails apply automatically, with no additional configuration needed.

Steps to set up MS Office 365 Email Integration via Graph API

Note: If you already have your inbound email Graph API setup in place and are looking to add an outbound email Graph API setup, only a single extra API Permission is required - see here for information on this.

1. Register with Azure AD

To configure integration between Enate and Office 365, each unique Enate instance must be registered with the Microsoft Identity Platform in the Azure AD of the Office 365 tenant to which you need to establish connectivity.

To create the “App Registration” please follow the guide from Microsoft at https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app.

When configuring the Enate App Registration, the supported account types option should be chosen based on the mailboxes you wish to access. No redirect URL is required.

2. Configure API Permissions

Once the App Registration is complete you must add credentials and setup permissions.

To add the required permissions follow the guide at https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-permissions-to-access-web-apis.

It is important to select an “Application permission” and not a “Delegated permission”. Be sure to grant admin consent for the permission within the Azure AD tenant.

For Incoming Emails

To receive emails, the following API permission is required: Microsoft Graph\Mail.ReadWrite.

For Outgoing Emails

To send emails out from Enate, the following API permission is required: Microsoft Graph\Mail.Send.

3. Create a Credential

To create a credential follow the guide at https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-credentials-to-your-web-application. Enate supports Client Secrets and Certificates.

4. Restrict App Registration Access

To restrict the App Registration to only accessing certain mailboxes (strongly recommended), follow the Microsoft guide at https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access

5. Add Azure AD Data to Enate

After Azure AD has been configured to grant access, login to Enate Builder as a user with the “Can Edit Shared Configuration” permission.

Click the settings cog in the bottom left and open the “Office 365 Integration” pane and enter the details from your Azure AD App Registration.

The Tenant ID (aka Directory or Domain) and Application ID is shown on the Overview pane of the Azure AD App Registration; the client secret or certificate (and private key password) are supplied by you to both Azure AD and Enate.

6. Integrate with Office 365

You always use shared mailbox.

Click on the Office 365 Integration” pane and select whether you want to authenticate with a certificate (this is the recommended route as it is more secure), or whether you want to authenticate with client secret.

7. Authenticate

Authentication With Certificate (recommended)

As part of this set up, an Office365 Certificate would need to be generated - Generating a certificate is an activity for your Office365 Administrator to undertake, and is done completely independent of Enate. For your reference we have provided below a SAMPLE of the kind of PowerShell script that can be used to generate such a certificate. It will save the Certificate with the private key (for Enate) to a PFX file and without the private key (for Azure):

$pw = Read-Host -Prompt "Please enter a password for the Private Key" -AsSecureString
$name = Read-Host -Prompt "Please enter a name for the Certificate"
Write-Host "Creating Certifcate $Certname" -ForegroundColor Green
$Cert = New-SelfSignedCertificate -certstorelocation cert:\CurrentUser\my -Subject "CN=$name" -KeyExportPolicy Exportable -KeySpec Signature
$desktopPath = [Environment]::GetFolderPath("Desktop")
Write-Host "Exporting Certificate with Private Key to $desktopPath\$name.pfx" -ForegroundColor Green
Export-PfxCertificate -cert $Cert -FilePath $desktopPath\$name.pfx -Password $pw
Write-Host "Exporting Certificate with Public Key only to $desktopPath\$name.cer" -ForegroundColor Green
Export-Certificate -cert $Cert -FilePath $desktopPath\$name.cer

Enter the Tenant ID/Domain and the Application ID, select the 'Authentication with Certificate' option, add the certificate file ( Personal Information File, .pfx) and enter the password for the certificate file.

Then click to test the connection. Once the connection has been successfully tested, click to save.

You have now successfully configured your Office 365 integration.

Alternate approach - Authentication With Client Secret

To authenticate with client secret code, enter the Tenant ID/Domain and the Application ID, select the 'Authentication with Client Secret' option, add the client secret code (this is generated by the network admin of your company).

Then click to check the connection. Once the connection has been successfully tested, click to save.

You have now successfully configured your Office 365 integration.

You can now proceed to configuring an INCOMING Graph API Connector, or and OUTGOING Graph API Connector, or indeed both.

8A. Configure INCOMING Graph API Connector

Once you have successfully configured your Office 365 integration, you can configure your Incoming Graph API Connector by going to the Email Connectors page and selecting to add a Graph API Connector.

In the Graph API pop-up chose Incoming from the 'Use For' drop-down menu. With this done, you can configure the Name of the Connector, the Primary Email Address, Folder Path(s) and then you can define the Email Route. The Email Route means that any incoming mails which are addressed specifically to the primary email address of this connector can be processed into a work item defined in the Email Route.

Once you have defined the Email Route, you have some optional settings. You can toggle on 'Send Automated Emails' and 'Only create Work in Test Mode' as well as toggling on any of the four available AI Email Integrations, 'Email Classification', 'Sentiment Analysis', 'Email Data Extraction' and 'Thank You Email Evaluation'.

Once you have finished with you configuration, you will need to click 'Test Connection'. To ensure that your connector does not encounter any issues when Live, you will not be able to set the connector live (i.e. set it to Enabled) until you have a successful 'Test Connection'.

After you have successfully tested the connection, click to Enable the Graph API Connector, and then click to Save. Your Inbound Graph API Connector is now setup and a default Route will instantly be created.

8B. Configure OUTGOING Graph API Connector

Once you have successfully configured your Office 365 integration, you can configure your Outbound Graph API Connector by going to the Email Connectors page and selecting to add a Graph API Connector.

In the Graph API pop-up chose Outbound from the 'Use For' drop-down menu. With this done, you can configure the name of the connector and the Primary Email Address for the Connector.

Once you have finished with you configuration, you will need to click 'Test Connection'. To ensure that your Connector does not encounter any issues when Live, you will not be able to set the Connector live until you have a successful 'Test Connection'.

After you have successfully tested the connection, click to Enable the Graph API Connector, and then click to save. Your Outbound Graph API Connector is now setup and a default Route will instantly be created.

Subsequent Setup Option - Routes

Once your Connector(s) are set up, you can also set further:

Incoming Routes, to route incoming mails to create work items in multiple different locations
Outgoing Routes, essentially supporting Alias 'From' email addresses for outgoing mails.

See below for setup step for each of these:

Setting up Additional INCOMING Email Routes

If you wish, once your Incoming Graph API connector is setup you can create different Incoming Email Routes for it. To create a new route you need to navigate to the Routes page in Builder. Once there, locate the Inbound Connector that you wish to create an additional Route for and click to add a new Route.

In the pop-up you will need to give your new Incoming Email Route a Name, a Description, the Email Connector Name and Email Address. The Email Connector Name will default to the name of the Connector you are creating the Route for. You can then define the process.

Once you have defined the process you have three additional options: Send Automated Emails; For Attention; Only Create Work in Test Mode. Once you are happy with your Email Route configuration, Enable the Route, and then click Save to set the Route live.

Setting up Additional OUTGOING Email Routes

Once you have finished configuring your Outbound Graph API Connector and set it live, you can if you need create additional Outgoing Email Routes - this allows you to define multiple 'From' email addresses Aliases for this outbound connector.

To do this navigate to the Routes page in Builder. Once there, locate the Outgoing Connector that you wish to create an additional Outgoing Route for and click to add a new Route.

In the pop-up you will need to give your new Outbound Email Route a Name, a Description and Email Address - this new Email Address is the additional Alias From address you're adding to the connector. The Email Connector Name will default to the name of the Connector you are creating the Alias/Route for.

After you have finished with your configuration, you will need to 'Test Connection' of the Route. After you have a successful 'Test Connection' you can Enable to Route, and then click Save to set the it live.

Once your new Outgoing Email Route (Alias) has been created, it can now be used as a legitimate 'From' email address when configuring Cases, Tickets and Actions in your processes.

PreviousEmail Mailbox Configuration NextSMTP Email Configuration

Last updated 5 days ago

Was this helpful?