Steps to Configure Direct Email Injection (DMI) with Office 365

Dharmaraj Kurle 20 Reputation points
2024-11-06T14:37:56.4133333+00:00

Hello Team,

Is there a way to configure Direct Email Injection (DMI) with Microsoft Office 365 for training purposes? The goal is to utilize the Exchange Web Services (EWS) API to insert simulated phishing emails into users' inboxes.

Could anyone provide detailed steps to enable DMI with an application?

Thanks in advance.

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,726 questions
Microsoft Exchange
Microsoft Exchange
Microsoft messaging and collaboration software.
604 questions
0 comments No comments
{count} votes

Accepted answer
  1. Jake Zhang-MSFT 7,850 Reputation points Microsoft Vendor
    2024-11-07T02:11:37.5966667+00:00

    Hi @Dharmaraj Kurle ,

    Welcome to the Microsoft Q&A platform!

    Yes, you can configure Direct Email Injection (DMI) with Microsoft Office 365 to insert simulated phishing emails into users' inboxes using the Exchange Web Services (EWS) API. Here are the detailed steps to enable DMI:

    1. Create a Microsoft 365 administrator account:
    • Create a dedicated administrator account for DMI authorization.
    • Assign the following roles to this account:
      • Application Impersonation
      • Application Administrator
    1. Authorize the DMI application in Azure:
    • Sign in to the Azure portal with your administrator account.
    • Navigate to Azure Active Directory > Enterprise Applications.
    • Click New Application and search for the DMI application.
    • Follow the prompts to authorize the application.
    1. Configure EWS API permissions:
    • Make sure the DMI application has the required permissions to use the EWS API.
    • You may need to configure specific API permissions under the API permissions section of the DMI application in the Azure portal.
    1. Set up a secure connection:
    • In the console of your DMI provider (e.g. KnowBe4, CanIPhish), navigate to Integration settings.
    • Select Microsoft 365 Direct Email Injection and click New Integration.
    • Provide a unique name for the integration and click Sign in with Microsoft.
    • Complete the authentication process to establish a secure connection.
    1. Test the configuration:
    • Send a test phishing email to ensure that the DMI setup is working properly.
    • Verify that the email bypasses the filtering rules and goes directly to the user's inbox.
    1. Monitor and adjust:
    • Monitor the DMI setup regularly to ensure that it continues to function as expected.
    • Make adjustments as needed, especially if there are changes to Microsoft 365 policies or DMI provider updates.

    For more detailed guidance, you can refer to the Direct Message Injection (DMI) Configuration Guide.


    Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.

    Best,

    Jake Zhang


1 additional answer

Sort by: Most helpful
  1. Dharmaraj Kurle 20 Reputation points
    2024-12-16T05:49:48+00:00

    Hello Team,

    I am able to configure Direct Email Injection (DMI) with Microsoft Office 365.

    From SPA application, Admin user is redirected to Microsoft login page for sign-in & later asks for the users consent to assign the permissions to the application.

    But the AccessToken & RefreshToken received from Microsoft is short lived.

    My requirement is to save the refresh token & use it in background job to send the Phishing email to the users for extended period of time i.e. 6 to 12 months. Otherwise Background job will fail & Org Admins will have to provide consent on regular basis.

    Please advice about how to extend the lifetime of RefreshToken.

    Thanks in advance

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.