How to connect to Microsoft 365 for email notifications

Microsoft 365 (M365) can be used to send email notifications from TeskaLabs LogMan.io using the Microsoft Graph API.

This integration uses the MSAL (Microsoft Authentication Library) with the client-credentials flow to authenticate and send emails through your organization's Microsoft 365 tenant.

Prerequisites

Network connectivity

Ensure that your LogMan.io server has outbound internet access on TCP port 443 to the following domains:

  • graph.microsoft.com - Microsoft Graph API endpoint
  • login.microsoftonline.com - Microsoft authentication endpoint

Configure your firewall rules to allow HTTPS (TCP 443) connections to these endpoints.

Azure Portal configuration

To enable LogMan.io to send emails through Microsoft 365, you need to register an application in Azure Active Directory and grant it the necessary permissions.

1. Register a new application in Azure Portal

  1. Navigate to Azure Portal
  2. Go to Azure Active Directory > App registrations
  3. Click New registration
  4. Enter the following details:
     • Name: LogMan.io Email Integration (or any descriptive name)
     • Supported account types: Select "Accounts in this organizational directory only"
     • Redirect URI: Leave blank (not needed for the client credentials flow)
  5. Click Register

2. Note down the application credentials

After registration, you will need to collect the following values:

  1. On the application's Overview page, note down:
     • Application (client) ID - This will be your client_id
     • Directory (tenant) ID - This will be your tenant_id

3. Create a client secret

  1. Navigate to Certificates & secrets in the left menu
  2. Click New client secret
  3. Enter a description (e.g., "LogMan.io Email Secret")
  4. Select an expiration period (recommended: 24 months)
  5. Click Add
  6. Important: Copy the Value immediately - this will be your client_secret

Warning

The client secret value is only shown once. Make sure to copy it immediately and store it securely. You won't be able to retrieve it later.

4. Grant API permissions

The application needs permissions to send emails on behalf of users or the organization.

  1. Navigate to API permissions in the left menu
  2. Click Add a permission
  3. Select Microsoft Graph
  4. Select Application permissions (not Delegated permissions)
  5. Add the following permission:
     • Mail.Send - Allows the app to send mail as any user without a signed-in user

Security recommendation: Use Application Access Policies instead

The Mail.Send permission allows the application to send emails as any user in your organization, which poses a security risk if the credentials are compromised.

More secure alternative: Configure an Application Access Policy for the application to restrict it to a specific mailbox only.

Steps to implement Application Access Policy:

  1. Use Mail.Send permission initially (as described above)
  2. After granting admin consent, configure an Application Access Policy in Exchange Online PowerShell to limit the app to a specific mailbox:
# Connect to Exchange Online
Connect-ExchangeOnline

# Create a new Application Access Policy
# Replace YOUR_APP_CLIENT_ID with your Application (client) ID
# Replace noreply@yourcompany.com with the mailbox you want to restrict access to
New-ApplicationAccessPolicy -AppId YOUR_APP_CLIENT_ID -PolicyScopeGroupId noreply@yourcompany.com -AccessRight RestrictAccess -Description "Restrict LogMan.io to send only from noreply mailbox"

# Verify the policy
Test-ApplicationAccessPolicy -Identity noreply@yourcompany.com -AppId YOUR_APP_CLIENT_ID

This ensures that even if the application credentials are compromised, the attacker can only send emails from the designated mailbox, not from any user in your organization.

Note: You need Exchange Online PowerShell module and appropriate admin permissions to configure Application Access Policies.

  6. Click Add permissions
  7. After adding the permissions, click Grant admin consent for [Your Organization]
  8. Confirm by clicking Yes
  9. Verify that the status shows a green checkmark with "Granted for [Your Organization]"

Danger

Admin consent is required for application permissions. Without it, the integration will not work.

LogMan.io configuration

Configure the Microsoft 365 email integration in your LogMan.io model configuration.

IRIS (the email notification service) will automatically choose MS365 when all required M365 settings are present. Otherwise, it falls back to SMTP if configured.

Configuration example

Edit your model.yaml file to configure the asab-iris service:

define:
  type: rc/model

services:
  asab-iris:
    instances:
      - node1    # List of nodes with asab-iris instance
    asab:
      config:
        "m365_email":
          tenant_id: "{{M365_TENANT_ID}}"
          client_id: "{{M365_CLIENT_ID}}"
          client_secret: "{{M365_CLIENT_SECRET}}"
          user_email: "noreply@yourcompany.com"      # Required: sender email address
          subject: "LogMan.io Notification"          # Optional: default email subject

secrets:
  M365_TENANT_ID: {}
  M365_CLIENT_ID: {}
  M365_CLIENT_SECRET: {}

Important

  • All M365 email settings must be present for IRIS to use Microsoft 365
  • If any M365 setting is missing, IRIS will fall back to SMTP (if configured)
  • The user_email field is required and must be a valid email address in your M365 tenant
  • Email templates must be stored in the /Templates/Email/ directory in the Library

Storing secrets in the Vault

To securely save the credentials to the Vault, use these commands on the LogMan.io host server. Replace the values with your actual Azure application credentials:

# Store the tenant ID
curl -X PUT localhost:8891/vault/M365_TENANT_ID --data 'your-tenant-id-guid'

# Store the client ID
curl -X PUT localhost:8891/vault/M365_CLIENT_ID --data 'your-client-id-guid'

# Store the client secret
curl -X PUT localhost:8891/vault/M365_CLIENT_SECRET --data 'your-client-secret-value'

Tip

Make sure to replace your-tenant-id-guid, your-client-id-guid, and your-client-secret-value with the actual values from the Azure Portal.

Apply the configuration

After configuring the model and storing the secrets:

  1. Hit the Apply button accessible in the /Site folder of the Library, or
  2. Use the command line option on the host server:
cd /opt/site
./gov.sh up

This will apply the changes to all components across all cluster nodes.

Email templates and sending

Email templates location

All email templates must be stored in the /Templates/Email/ directory in the Library. You can use:

  • Jinja templates for dynamic content
  • Markdown templates for simple formatting
  • HTML templates for rich formatting

Templates can be personalized with parameters for recipients, subject, and body content.

Sending emails

Emails are triggered through the /send_email endpoint, which can be accessed via:

  • HTTP - Direct API calls
  • Kafka - Event-driven messaging

For more information on creating email templates and notifications, see:

Limitations

Microsoft 365 email limitations

  • No attachment support: MS365 email integration does not support attachments
  • If you need to send attachments, use SMTP configuration instead
  • If you attempt to send attachments via MS365, you will see a warning in the logs

Verify the integration

To verify that the integration is working correctly:

  1. Check the service logs for any authentication errors
  2. Send a test email notification through LogMan.io
  3. Verify that the email is received at the destination address

Troubleshooting

Authentication errors

If you see authentication errors in the logs:

  • Verify that all three credentials (tenant_id, client_id, client_secret) are correct
  • Ensure admin consent has been granted for the API permissions
  • Check that the client secret has not expired
  • Verify network connectivity to login.microsoftonline.com

Email sending errors

If emails are not being sent:

  • Verify that the Mail.Send permission is granted and admin consent is approved
  • Check that the sender email address is valid in your M365 tenant
  • Review the service logs for specific error messages
  • Verify network connectivity to graph.microsoft.com
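A diagnostic for the authentication and sending checks above that goes beyond reading the service logs, added here as an example and not part of LogMan.io or asab-iris: it decodes the app-only access token that MSAL returns from login.microsoftonline.com (via acquire_token_for_client with scope https://graph.microsoft.com/.default) to confirm that the roles claim carries Mail.Send, which is exactly what admin consent adds, and it builds the Graph sendMail request for the configured user_email. The token used in the block is constructed and unsigned so the script runs offline; make_constructed_token and the placeholder ids are assumptions of this example, not real values.

```python
import base64
import json
import time

GRAPH = "https://graph.microsoft.com"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's app id; 'aud' may be this GUID or the URL


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_constructed_token(claims: dict) -> str:
    """Constructed, unsigned JWT so this example runs offline (an assumption, not a real token)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def inspect_graph_token(access_token: str) -> dict:
    """Read the claims of an app-only token issued by login.microsoftonline.com.

    Diagnostic only: the signature is NOT verified, so never use this for
    authorization. Graph authorizes client-credentials calls on the 'roles'
    claim, which stays absent until an admin grants consent for Mail.Send.
    """
    claims = json.loads(_b64url_decode(access_token.split(".")[1]))
    return {
        "audience_ok": claims.get("aud") in (GRAPH, GRAPH + "/", GRAPH_APP_ID),
        "has_mail_send": "Mail.Send" in claims.get("roles", []),
        "expired": claims.get("exp", 0) <= time.time(),
        "tenant_id": claims.get("tid"),
        "app_id": claims.get("appid"),
    }


def build_send_mail_request(user_email: str, to: list, subject: str, body: str) -> tuple:
    """URL and JSON body for sendMail on the single configured sender mailbox."""
    url = f"{GRAPH}/v1.0/users/{user_email}/sendMail"
    message = {
        "subject": subject,
        "body": {"contentType": "Text", "content": body},
        "toRecipients": [{"emailAddress": {"address": addr}} for addr in to],
    }
    return url, {"message": message, "saveToSentItems": False}
```

If has_mail_send is True and the token is not expired but Graph still answers 403, the problem is on the mailbox side: confirm that user_email exists in the tenant and check whether an Application Access Policy (Test-ApplicationAccessPolicy above) excludes it.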

Network connectivity issues

If you cannot reach the Microsoft endpoints:

  • Verify firewall rules allow outbound HTTPS (TCP 443) to *.microsoft.com and *.microsoftonline.com
  • Check proxy settings if your organization uses a proxy server
  • Use curl or telnet to test connectivity:
curl -I https://graph.microsoft.com
curl -I https://login.microsoftonline.com

Additional resources