Introduction

Customers using a paid plan for Read and Understood will use an Office 365 mailbox to send email notifications to employees. The instructions below take you through the steps of ensuring the App has permission to send emails through an account in your company.

Why Use an Office 365 Account?

Using third-party services incurs a cost, which would be passed on to the customer via our subscription fee. The account does not need a full Office licence, simply a mailbox for Read and Understood to send emails.

Granting the Read and Understood App Read Access to Azure Groups

Note that some of the images provided in this document are subject to change by Microsoft as the UI undergoes regular improvements; the functionality for this process remains the same.

Integrate with Active Directory Security Groups and Enable Emails for Office 365

If you have not previously integrated Read and Understood with Active Directory groups, follow the instructions here, which enable both Security groups and permission to send emails.

  1. Log in to your Azure Portal as a global administrator

  2. Select Microsoft Entra ID

  3. Click, from the menu, 'App registrations'

    Important: Before proceeding with the next step, check if you already have a registered App called Read and Understood. If so, we recommend you click it to open and skip steps 4 and 5.

  4. Click 'New registration' and follow the steps below:

    1. Provide a User Friendly name for the App Registration e.g. Read and Understood

    2. Set the Application type as Web

    3. Set a value for the Redirect URI. It does not have to be a real endpoint; we suggest the following, replacing YOURTENANTDOMAIN with your actual tenant domain name: https://readandinderstood.YOURTENANTDOMAIN.com

  5. Click Create

    Result: This page will appear with the App Details:

  6. Important: Copy and store the Application (client) ID. (You will need the value for all Read and Understood Apps in your SharePoint tenant.)

  7. Next Create a Client Secret by following the steps below:

    1. From the Menu click Certificates & Secrets

    2. Click 'New secret'

      Note: If you already had an Application Registration for Read and Understood then you may already have a Client Secret, which you can reuse if you know the Secret. In that case you can skip to step 8.

    3. Enter the Description for the New Client Secret e.g. Read and Understood

    4. Set the secret to never expire

      IMPORTANT: Microsoft have started removing the ‘Never’ expiring secrets option in tenants and we have noticed the maximum limit is now 2 years. For this reason we strongly recommend you record the date of expiry and set a reminder to update it. Microsoft do not currently provide a mechanism by which we can check whether a Secret is about to expire; we only know when it has expired.

    5. Click Add


  8. Click from the Menu API permissions

    1. Click Add a Permission

    2. Then select 'Microsoft APIs' followed by Microsoft Graph

    3. Click Application Permissions

    4. IMPORTANT, to support our Office Mail Plans find 'Mail.Send' and check the option.

    5. Having made the change click 'Add Permissions'

    6. Now grant those permissions added to the App


      Note: the image above will request consent to the Host Name of your Tenant.

    7. Confirm Consent by clicking Yes

      Result: The permissions will appear with green ticks as shown below:

  9. Go to Site Content and click the Read and Understood App

  10. Click Site Administration from the menu

  11. Scroll down the page and locate 'Azure Active Directory Integration with App Registration'.

    Important: If Azure Group access had previously been enabled for the App, you may already have a value set for the App Id. In that case, having followed the instructions above, you will have used the existing App Registration and added the new 'Mail.Send' permission to it, so please ignore the remaining steps.

    Paste the Application Client ID saved earlier in the process

  12. Paste the Client Secret ID into the Client Secret field

  13. The button 'Enable integration with Azure Active Directory for this tenant' will enable once the values are entered. Press the button.

    A validation is performed by the App to verify that access is correctly granted. Any issues will be displayed to the user.
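
Step 7 recommends recording the Client Secret's expiry date and setting a reminder. As an added example (not part of Read and Understood or of the original instructions), a tenant administrator can read that date from the app registration itself: the Microsoft Graph application object lists each secret under passwordCredentials with an endDateTime. The function names, the 60-day warning window and the sample record are assumptions made for this example; the sample data is constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of a Microsoft Graph application object
# (GET /applications(appId='<client-id>')); every value below is made up.
SAMPLE_APP = json.loads("""
{
  "appId": "00000000-0000-0000-0000-000000000000",
  "displayName": "Read and Understood",
  "passwordCredentials": [
    {"displayName": "Read and Understood",
     "keyId": "11111111-1111-1111-1111-111111111111",
     "endDateTime": "2026-03-01T00:00:00Z"},
    {"displayName": "old secret",
     "keyId": "22222222-2222-2222-2222-222222222222",
     "endDateTime": "2024-01-15T09:30:00.1234567Z"},
    {"displayName": "rotated secret",
     "keyId": "33333333-3333-3333-3333-333333333333",
     "endDateTime": "2027-06-30T00:00:00Z"}
  ]
}
""")

def parse_graph_time(value):
    """Parse a 'Z'-terminated UTC timestamp, trimming 7-digit fractions to 6."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)

def secret_status(app, now, warn_days=60):
    """Return (name, keyId, days_left, state) per secret, soonest expiry first."""
    rows = []
    for cred in app.get("passwordCredentials", []):
        end = cred.get("endDateTime")
        if end is None:  # no expiry recorded in the exported object
            rows.append((cred.get("displayName"), cred["keyId"], None, "NO_EXPIRY"))
            continue
        days = (parse_graph_time(end) - now).days  # whole days, rounded down
        state = "EXPIRED" if days < 0 else "EXPIRING" if days <= warn_days else "OK"
        rows.append((cred.get("displayName"), cred["keyId"], days, state))
    return sorted(rows, key=lambda r: (r[2] is None, r[2] or 0))

if __name__ == "__main__":
    now = datetime(2026, 1, 15, tzinfo=timezone.utc)  # fixed so the run is repeatable
    for name, key_id, days, state in secret_status(SAMPLE_APP, now):
        print(f"{state:9} {days!s:>6} days  {name}  ({key_id})")
```

Run against a real export, pass `datetime.now(timezone.utc)` as `now` and alert on any row whose state is not OK, so the secret in step 12 can be replaced before mail sending stops.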