Email Capability


Overview

Email Capability is a shared service that is part of the SGS Cloud offering. Applications can consume the Email Service for communication purposes including, but not limited to, Vulnerability Alerts, Cost Reporting and Sentinel Alerts.

It can also be utilised for communications with external clients who are being on-boarded to SGS and OCC Cloud as a Tenant.

Detailed Description

Features offered by Email

  1. Secure email
  2. Sending Email with attachments
  3. Email filtering
  4. Other domain users
  5. Service principal for sending email
  6. Limit service principal for mailbox
  7. Modern Auth/Use OAuth 2.0
  8. Bulk email

Architecture

[Image: architecture diagram]

Solution

| Approach | Use when | Status |
| --- | --- | --- |
| Client Submission | SMTP auth is enabled (in case of Application or device) | Implemented |
| Send Direct | SMTP auth is disabled | NA |
| SMTP relay | SMTP auth is disabled | NA |

  • To create a mailbox, assign an E5 license in Entra ID; the mailbox is then created automatically for the user. Please raise a ServiceNow ticket to get onboarded for a mailbox on SGS.
  • To configure the mailbox, open the Exchange admin center (Exchange admin permission is required).
  • Exchange mail flow rules (also known as transport rules) can be used to look for specific conditions on messages that pass through the application's organization and take action on them. See "How to create Rules on EAC".
  • TLS secures email connections; it can also be configured with the help of mail flow (transport) rules.
  • Create a service principal and grant it the Mail.Send (Graph API) permission.
  • Use Graph API sample code to send email from applications.
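
The last two steps as an added example (not the page's or the SGS platform's own sample code): an OAuth 2.0 client-credentials token request followed by a Graph `sendMail` call with a file attachment, using only the Python standard library. The tenant ID, client ID, secret and mailbox addresses passed in are placeholders supplied by the caller.

```python
import base64
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"

def token_request(tenant_id, client_id, client_secret):
    """OAuth 2.0 client-credentials request for an app-only Graph token."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # load from a vault, never hard-code
        # .default = the application permissions already consented (Mail.Send)
        "scope": "https://graph.microsoft.com/.default",
    }
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    return urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())

def sendmail_request(token, sender, recipients, subject, text, attachments=()):
    """Build POST /users/{sender}/sendMail; attachments are (name, bytes) pairs."""
    message = {
        "subject": subject,
        "body": {"contentType": "Text", "content": text},
        "toRecipients": [{"emailAddress": {"address": r}} for r in recipients],
        "attachments": [{
            "@odata.type": "#microsoft.graph.fileAttachment",
            "name": name,
            "contentBytes": base64.b64encode(data).decode("ascii"),
        } for name, data in attachments],
    }
    payload = json.dumps({"message": message, "saveToSentItems": True}).encode()
    url = f"{GRAPH}/users/{urllib.parse.quote(sender, safe='@')}/sendMail"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return urllib.request.Request(url, data=payload, headers=headers, method="POST")

def send(tenant_id, client_id, client_secret, sender, recipients, subject, text):
    """Fetch a token, then send; Graph returns 202 Accepted on success."""
    with urllib.request.urlopen(token_request(tenant_id, client_id, client_secret)) as resp:
        token = json.load(resp)["access_token"]
    req = sendmail_request(token, sender, recipients, subject, text)
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

With an application permission, the `sender` segment of the URL selects the mailbox that sends, so the "limit service principal for mailbox" feature listed above is what keeps the application to its own mailbox.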

Access to work on Email

To work with Exchange Online in Azure, appropriate permissions are needed to perform tasks such as managing mailboxes, configuring settings, and accessing Exchange Online resources. These permissions are typically granted through roles within Azure Active Directory (Azure AD) or Exchange Online itself. Here are some of the key permissions and roles that are required:

Global Administrator

  • The Global Administrator role in Azure AD has full access to all administrative features and settings in Azure AD and Microsoft 365, including Exchange Online.
  • Global Administrators can manage user accounts, groups, domains, licenses, and other settings related to Exchange Online.

Exchange Administrator

  • The Exchange Administrator role in Exchange Online provides full access to Exchange Online administration tasks, including managing mailboxes, email addresses, distribution groups, connectors, and other exchange-related settings.
  • Exchange Administrators can perform tasks such as creating, modifying, and deleting mailboxes, managing mailbox permissions, configuring mail flow settings, and troubleshooting Exchange Online issues.

Application Permissions

  • When working with Exchange Online programmatically or using automation tools, permissions need to be granted to applications or service principals to access Exchange Online resources.
  • Depending on the specific tasks and operations the application needs to perform, permissions such as Mail.Read, Mail.Write, Mail.Send, MailboxSettings.Read, MailboxSettings.Write, etc. can be granted through Azure AD app registrations and OAuth 2.0 consent.

Security and Compliance Admin

  • Depending on the organization's security and compliance requirements, there could be a requirement for additional roles or permissions to manage security settings, compliance policies, data loss prevention (DLP), eDiscovery, and other related tasks.
  • Roles such as Security Administrator, Compliance Administrator, or Security Reader in Microsoft 365 provide access to security and compliance features that may be relevant to Exchange Online.

It's important to grant permissions based on the principle of least privilege, ensuring that users and applications have only the permissions necessary to perform their intended tasks. Additionally, regular auditing and monitoring of permissions are essential to maintain security and compliance in Exchange Online environments.

Permissions

  • Graph API

| Protocol | Permissions/Scope |
| --- | --- |
| SMTP | Mail.Send |

  • Exchange Online (IMAP)

| Protocol | Permissions/Scope |
| --- | --- |
| IMAP | https://outlook.office.com/IMAP.AccessAsUser.All |
| POP | https://outlook.office.com/POP.AccessAsUser.All |
| SMTP AUTH | https://outlook.office.com/SMTP.SendAsApp |

License to work on Email

  • E5 license

Email solution limit

  • 10000 emails per day.