Microsoft 365 email¶

ASAB IRIS can send email notifications through Microsoft 365 (M365) by using the Microsoft Graph API.

Use this integration when LogMan.io notifications, alerts, or reports should be sent from a mailbox in a Microsoft 365 tenant.

IRIS supports two Microsoft 365 modes:

App mode: IRIS sends email as an application.
Delegated mode: IRIS sends email on behalf of a signed-in Microsoft 365 user.

Prerequisites¶

Ensure that the LogMan.io server has outbound HTTPS access on TCP port 443 to:

graph.microsoft.com
login.microsoftonline.com

Access to Microsoft Entra ID is required, with permissions to create or update an app registration and grant consent.

App mode¶

App mode uses Microsoft Graph application permissions. Use this mode when IRIS should send email automatically without a user signing in.

This is the recommended mode for service notifications and backend automation.

Required configuration fields¶

Field	Description
`mode`	Set to `app`.
`api_url`	Microsoft Graph send-mail endpoint. Use `https://graph.microsoft.com/v1.0/users/{}/sendMail`.
`tenant_id`	Microsoft Entra Directory (tenant) ID.
`client_id`	Application (client) ID of the app registration.
`client_secret`	Client secret value from the app registration.
`user_email`	Mailbox that IRIS sends from.

Configuration sample¶

Edit model.yaml to configure the asab-iris service:

/Site/model.yaml

define:
  type: rc/model

services:
  asab-iris:
    instances:
      - node1
    asab:
      config:
        m365_email:
          mode: app
          api_url: https://graph.microsoft.com/v1.0/users/{}/sendMail
          tenant_id: "{{M365_TENANT_ID}}"
          client_id: "{{M365_CLIENT_ID}}"
          client_secret: "{{M365_CLIENT_SECRET}}"
          user_email: "noreply@example.com"

Azure configuration¶

Open Microsoft Entra admin center.
Go to Applications > App registrations.
Click New registration.
Enter a descriptive name, for example LogMan.io IRIS Email.
Select Accounts in this organizational directory only.
Leave Redirect URI empty.
Click Register.
On the Overview page, copy:
Application (client) ID to client_id
Directory (tenant) ID to tenant_id
Go to Certificates & secrets.
Click New client secret.
Copy the secret Value to client_secret.

Warning

The client secret value is shown only once. Store it securely before leaving the page.

API permissions¶

Open the app registration.
Go to API permissions.
Click Add a permission.
Select Microsoft Graph.
Select Application permissions.
Add Mail.Send.
Click Grant admin consent for the organization.

Security recommendation

The Mail.Send application permission can allow the application to send as any mailbox in the tenant. Use an Exchange Online Application Access Policy to restrict the app to the mailbox configured in user_email.

Apply the configuration¶

Store the secret values in Vault or in the deployment secret store used by the LogMan.io installation.
Update /Site/model.yaml.
Apply the model from the Library, or run the deployment apply command used by the installation.
Send a test notification and verify that the message is delivered from the configured user_email mailbox.

Verify the configuration¶

The app mode configuration is ready when:

ASAB IRIS starts without Microsoft 365 configuration errors
the app registration has Microsoft Graph Mail.Send application permission
admin consent has been granted
a test email is delivered from the configured user_email mailbox
the ASAB IRIS service logs do not contain Microsoft Graph authentication errors

Delegated mode¶

Delegated mode uses Microsoft Graph delegated permissions. Use this mode when IRIS must send email on behalf of a specific Microsoft 365 user.

Delegated mode requires a one-time browser authorization. The user who signs in must be the mailbox user configured in user_email, or a user allowed by Microsoft 365 to send as that mailbox.

Required configuration fields¶

Field	Description
`mode`	Set to `delegated`.
`api_url`	Microsoft Graph send-mail endpoint. Use `https://graph.microsoft.com/v1.0/users/{}/sendMail`.
`tenant_id`	Microsoft Entra Directory (tenant) ID.
`client_id`	Application (client) ID of the app registration.
`client_secret`	Client secret value from the app registration.
`user_email`	Mailbox that IRIS sends from.
`redirect_uri`	Public IRIS authorization callback URL ending with `/authorize_ms365`.

Configuration sample¶

/Site/model.yaml

define:
  type: rc/model

services:
  asab-iris:
    instances:
      - node1
    asab:
      config:
        m365_email:
          mode: delegated
          api_url: https://graph.microsoft.com/v1.0/users/{}/sendMail
          tenant_id: "{{M365_TENANT_ID}}"
          client_id: "{{M365_CLIENT_ID}}"
          client_secret: "{{M365_CLIENT_SECRET}}"
          user_email: "notifications@example.com"
          redirect_uri: "https://logman.example.com/api/asab-iris/authorize_ms365"

`authorize_ms365` URL¶

The authorize_ms365 URL starts the Microsoft sign-in flow for delegated mode.

Open this URL in a browser after delegated mode is configured. IRIS redirects the browser to Microsoft sign-in. After successful sign-in, Microsoft redirects back to the same IRIS endpoint and IRIS stores the delegated authorization for future emails.

How to construct the URL¶

Build the URL from the public browser-accessible address of IRIS:

<public IRIS base URL>/authorize_ms365

If IRIS is exposed behind a reverse proxy with a path prefix, include the prefix:

https://logman.example.com/api/asab-iris/authorize_ms365

The value must be configured in two places:

In Microsoft Entra ID app registration as a Redirect URI.
In IRIS configuration as m365_email.redirect_uri.

Danger

The Redirect URI in Microsoft Entra ID and the redirect_uri value in IRIS must match exactly, including https, hostname, port, and path.

Azure configuration¶

Open Microsoft Entra admin center.
Go to Applications > App registrations.
Create a new app registration, or open the app registration used for IRIS.
Copy Application (client) ID to client_id.
Copy Directory (tenant) ID to tenant_id.
Go to Authentication.
Add a platform for Web.
Add the exact redirect_uri, for example https://logman.example.com/api/asab-iris/authorize_ms365.
Go to Certificates & secrets and create a client secret.
Copy the secret Value to client_secret.

API permissions¶

Open the app registration.
Go to API permissions.
Click Add a permission.
Select Microsoft Graph.
Select Delegated permissions.
Add Mail.Send.
Grant admin consent if the organization requires it.

Authorize delegated sending¶

Configure IRIS with mode: delegated.
Apply the LogMan.io model.
Open the public authorize_ms365 URL in a browser.
Sign in with the Microsoft 365 user that should send emails.
After the success message is shown, close the browser window.
Send a test notification.

If authorization is missing, IRIS returns an error containing an authorize_url. Open that URL in a browser and complete the sign-in.

Verify the configuration¶

The delegated mode configuration is ready when:

ASAB IRIS starts without Microsoft 365 configuration errors
the app registration has Microsoft Graph Mail.Send delegated permission
redirect_uri matches the Redirect URI in Microsoft Entra ID
opening authorize_ms365 completes with a success message

Email templates¶

Email templates must be stored in the /Templates/Email/ directory in the Library.

MS365 email supports attachments. IRIS sends them as Microsoft Graph file attachments.

For more information about email notifications and templates, see:

Microsoft 365 email¶

Prerequisites¶

App mode¶

Required configuration fields¶

Configuration sample¶

Azure configuration¶

API permissions¶

Apply the configuration¶

Verify the configuration¶

Delegated mode¶

Required configuration fields¶

Configuration sample¶

authorize_ms365 URL¶

How to construct the URL¶

Azure configuration¶

API permissions¶

Authorize delegated sending¶

Verify the configuration¶

Email templates¶

`authorize_ms365` URL¶