How to use the Microsoft Graph API for email

Written by Shane Lonneman, Director, Security Engineering, Applied Systems

Published on April 3, 2023


Security teams increasingly rely on automation to achieve consistent and faster response times. Some of these responses require emails to be sent to various users or groups, and traditional methods of sending email are outdated and not very secure. Security teams also need the ability to read email from specific mailboxes, whether for automating responses to phishing submissions or for similar workflows. Security teams should adapt to the changing technologies, and one way to address this issue is to use APIs instead of standard Simple Mail Transfer Protocol (SMTP).

APIs are more secure and provide greater control. Traditional tools may only be able to use their own mail service, or may depend on service accounts, which are often not well secured, to send or read email. Organizations may not control the mail systems used to send that email, which leaves security teams exposed to the configuration of those systems and to interception of messages that contain sensitive information. For incident response teams and threat hunters, for example, the data they send could lead to further issues should it be exposed.

Fortunately, for organizations that use Microsoft Office 365, there is a solution to this problem. While this solution is not foolproof, it is more secure than using traditional SMTP to send the mail, and it lets the organization control where that message comes from. Using Tines, users can send email from their own Office 365 tenant as their own users, without using service accounts. The steps to achieve this are detailed below and include the permissions needed to read a mailbox, as that is another common use case for security teams.

The first part is to set up Azure Active Directory with least-privileged permissions that restrict which mailboxes can be read from or sent from.

Steps to send or read email using the Graph API

1: Create a new Azure Active Directory Application Registration

a. Add the following permissions to the application:

i. Type: Application, Name: Mail.Send

ii. Type: Application, Name: Mail.ReadWrite

b. Create a new client secret

2: Create a new user in Azure Active Directory

a. Create either a user that is synced to Azure Active Directory from your on-premises Active Directory, or a new cloud-only Azure Active Directory user (this account is the identity the automation sends email as, and it does not need to be enabled for sign-in)

b. Save the Azure Active Directory Object ID for this user

3: Select the user o
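The steps above produce three values an automation needs: the app registration's client ID and client secret (step 1b) and the Object ID of the mailbox user (step 2b). The following is an added example, not code from the article or from Tines, showing how those values are used with the Graph API: a client-credentials token request scoped to the application permissions Mail.Send and Mail.ReadWrite, a POST to /users/{objectId}/sendMail, and a GET of the same mailbox's inbox. The transport is injectable so the client can be exercised offline; all tenant, client, secret and Object ID values are placeholders.

```python
"""App-only Microsoft Graph mail client (added example; placeholders throughout).

Assumes an Azure AD app registration granted the application permissions
Mail.Send and Mail.ReadWrite, plus the Object ID of the user whose mailbox
the automation acts on. TENANT/CLIENT/SECRET/OBJECT ID values are assumptions.
"""
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_URL = "https://graph.microsoft.com/v1.0"


def token_request(tenant_id, client_id, client_secret):
    """Build (url, form body) for the client-credentials grant. The .default
    scope requests every application permission already consented to the app."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), body


def send_mail_request(sender_object_id, to_addresses, subject, text):
    """Build (url, JSON payload) for POST /users/{id}/sendMail. Addressing the
    mailbox by the Object ID saved in step 2b avoids a lookup by UPN."""
    payload = {
        "message": {
            "subject": subject,
            "body": {"contentType": "Text", "content": text},
            "toRecipients": [{"emailAddress": {"address": a}} for a in to_addresses],
        },
        "saveToSentItems": True,
    }
    return f"{GRAPH_URL}/users/{sender_object_id}/sendMail", payload


def inbox_request(mailbox_object_id, top=10):
    """URL for GET /users/{id}/mailFolders/inbox/messages (needs Mail.ReadWrite)."""
    params = urllib.parse.urlencode({"$top": top, "$select": "id,subject,from,receivedDateTime"})
    return f"{GRAPH_URL}/users/{mailbox_object_id}/mailFolders/inbox/messages?{params}"


def http_json(method, url, headers, body=None):
    """Minimal stdlib transport: bytes bodies are sent form-encoded (token
    endpoint), dict bodies as JSON (Graph). Returns (status, parsed JSON or None)."""
    data = None
    if body is not None:
        if isinstance(body, bytes):
            data, ctype = body, "application/x-www-form-urlencoded"
        else:
            data, ctype = json.dumps(body).encode(), "application/json"
        headers = {**headers, "Content-Type": ctype}
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


class GraphMailClient:
    def __init__(self, tenant_id, client_id, client_secret, transport=http_json):
        self.tenant_id, self.client_id, self.client_secret = tenant_id, client_id, client_secret
        self.transport = transport  # injectable so tests never touch the network
        self._token = None

    def access_token(self):
        """Fetch the app-only token once and reuse it for later calls."""
        if self._token is None:
            url, body = token_request(self.tenant_id, self.client_id, self.client_secret)
            status, data = self.transport("POST", url, {}, body)
            if status != 200 or not data or "access_token" not in data:
                raise RuntimeError(f"token request failed: HTTP {status}")
            self._token = data["access_token"]
        return self._token

    def _headers(self):
        return {"Authorization": f"Bearer {self.access_token()}"}

    def send_mail(self, sender_object_id, to_addresses, subject, text):
        url, payload = send_mail_request(sender_object_id, to_addresses, subject, text)
        status, _ = self.transport("POST", url, self._headers(), payload)
        if status != 202:  # Graph answers 202 Accepted for sendMail
            raise RuntimeError(f"sendMail failed: HTTP {status}")
        return status

    def read_inbox(self, mailbox_object_id, top=10):
        status, data = self.transport("GET", inbox_request(mailbox_object_id, top), self._headers())
        if status != 200:
            raise RuntimeError(f"inbox read failed: HTTP {status}")
        return data.get("value", [])
```

Used against a real tenant, `GraphMailClient(tenant_id, client_id, client_secret)` with the default transport performs the live calls; the secret belongs in the automation platform's credential store, not in code. Note that application permissions such as Mail.Send apply to every mailbox in the tenant unless Exchange Online is configured to scope the app to specific mailboxes, which is why the article's least-privilege setup matters.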