no-reply@conductorone.com. You can instead send through your own Microsoft 365 tenant using the Microsoft Graph sendMail API, so recipients see your company’s domain as the sender.
This task requires the Super Admin role in C1 and the Application Administrator (or Global Administrator) role in Entra ID, plus an Exchange Online administrator who can configure mailbox access policies.
C1 authenticates to your tenant via an Entra ID app registration with the Mail.Send application permission. No user passwords are shared with C1, and you can revoke access at any time by removing the client secret or deleting the app.
Before you begin
Configure SPF, DKIM, and DMARC for your sending domain by following Microsoft’s recommended email authentication settings before proceeding. If your domain is already used for Microsoft 365 mail, these records may already be in place.
- A Microsoft 365 (Entra ID) tenant.
- A licensed mailbox to send from (for example,
governance@yourcompany.com). - Permission to register applications and grant admin consent in Entra ID.
- Permission to run Exchange Online PowerShell to configure the mailbox access policy (Step 4).
Step 1: Register an app in Entra ID
Create an Entra ID app registration that C1 will authenticate as to call the Microsoft GraphsendMail API.
1
Sign in to entra.microsoft.com as an Application Administrator or Global Administrator.
2
Navigate to Identity > Applications > App registrations > New registration.
3
Fill in:
- Name: C1 Email Sender (or similar).
- Supported account types: Accounts in this organizational directory only (single tenant).
- Redirect URI: leave blank.
4
Click Register.
5
On the app’s Overview page, copy and save:
- Application (client) ID — you’ll paste this into C1.
- Directory (tenant) ID — you’ll paste this into C1.
Step 2: Grant the Mail.Send application permission
Grant the app permission to send mail and authorize it for your tenant.1
On the app’s page, navigate to API permissions > Add a permission.
2
Select Microsoft Graph > Application permissions (not Delegated).
3
Search for and select Mail.Send.
4
Click Add permissions.
5
Click Grant admin consent for your tenant and confirm. The Status column should show a green check next to Mail.Send.
Step 3: Create a client secret
Create the credential C1 will use to authenticate as the app.1
On the app’s page, navigate to Certificates & secrets > Client secrets > New client secret.
2
Enter a description (for example, C1 Email Sender) and choose an expiration. 24 months is the maximum; a shorter expiration is better practice.
3
Click Add.
4
Immediately copy the secret’s Value — Azure will not show it again after you leave the page. You’ll paste this into C1 in Step 5.
Step 4: Restrict the app to a specific mailbox (highly recommended)
By default, the app you created can send mail as any user in your tenant. Use an Application Access Policy in Exchange Online to scope it down to only the sender mailbox.1
Connect to Exchange Online PowerShell as an Exchange administrator:
2
Create the access policy, replacing
<APP_CLIENT_ID> with the Application (client) ID from Step 1 and <SENDER_MAILBOX> with the address you’ll use as the sender (for example, governance@yourcompany.com):3
Verify the policy:
Step 5: Configure the email provider in C1
Enter the app credentials and sender mailbox from the previous steps in C1 to activate the integration.1
In C1, navigate to Settings > Email provider.
2
Click Edit.
3
Select Customer provided.
4
In Email service, select Microsoft Graph.
5
Fill in the fields:
- Sender name: The display name recipients see (for example, Governance Team).
- Sender email address: The mailbox you scoped in Step 4 (for example,
governance@yourcompany.com). - Reply-to address: Usually the same as the sender address.
- Azure tenant ID: The Directory (tenant) ID from Step 1.
- Application (client) ID: The Application (client) ID from Step 1.
- Client secret: The secret value you copied in Step 3.
6
Click Save.
Step 6: Verify
Send a test message to confirm C1 can send through your Microsoft 365 tenant and that your email authentication records are passing.1
On the Email provider page, click Send test.
2
Enter your own email address and click Send test.
3
Check your inbox. View the raw headers and confirm SPF: PASS, DKIM: PASS with your domain as signer, DMARC: PASS.
4
If the message does not arrive, check the spam folder and Microsoft 365 message trace (Exchange admin center > Mail flow > Message trace).