Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=Phish-Threat-M365-direct-delivery

Direct Delivery for M365 and Google

Direct Delivery bypasses email filtering rules and injects the campaign emails, including training enrollment and training reminder emails, directly into your recipients' inboxes using Microsoft's Graph APIs and Gmail's APIs. When turned on, it eliminates the need to add the Phish Threat domains and IP addresses to Microsoft's or Google's exception list and enhances the deliverability of the emails.

To turn on Direct Delivery for M365, see Turn on Direct Delivery for M365.

To turn on Direct Delivery for Google, see Turn on Google Direct Delivery.

Turn on Direct Delivery for M365

This video provides an overview of M365 Direct Delivery, including how to turn it on, add a new credential, and run a test.

Turn on M365 Direct Delivery

Your verified domains are listed on the Direct Delivery for M365/Google page.

Note

If you have multiple domains, you must turn on M365 Direct Delivery for each domain. If M365 Direct Delivery isn't turned on, the default, SMTP-based delivery will function.

To turn on M365 Direct Delivery, do as follows:

  1. Go to My Products > Phish Threat > Settings.
  2. Click Direct Delivery for M365/Google.
  3. In the Direct delivery column, turn on direct delivery for your domain.
  4. In the Configure Direct Delivery dialog, select Microsoft M365.
  5. Click Proceed.

  6. On the Credential Manager page, add a credential for Phish Threat that has the necessary M365 permissions.

    • If you have a credential configured for this domain, select an existing credential.

      Note

      You may see Disallowed credentials if you've created credentials in Sophos Central for other purposes without Phish Threat permissions. If you want to re-use an existing credential, you’ll need to modify it to add the necessary permissions for Phish Threat. See Integration Credential Manager.

    • If you turn on M365 Direct Delivery for the first time, you'll need to add a credential. See Add a credential.

Add a credential

To add a credential, do as follows:

  1. On the Credential Manager page, click add new credential.

    On the Add Microsoft Graph Credential page, you can do as follows:

    For details, see the following sections.

Use Microsoft 365 automated provisioning

  1. On the Add Microsoft Graph Credential page, click Use Microsoft 365 automated provisioning.

  2. Enter a credential name and description.

    You can enter your preferred unique credential name, for this only serves as an identifier.

    Add Microsoft Graph Credential page.

  3. Click Save and Continue to Provisioning.

  4. On the Connect to Microsoft 365 page, click Continue.

    You'll be redirected to the Microsoft sign in to your account page.

  5. On the Microsoft sign in to your account page, select a Microsoft account.

  6. Review the terms and click Accept.

    This grants permission for the Master App.

  7. Select a Microsoft account.

  8. Review the terms and click Accept.

    This grants permission for Sophos Central integration.

  9. Click Close to close the Microsoft sign in to your account page.

    The Credential Manager page shows the credential you created.

    Credential Manager with a new credential.

  10. Click Enable.

M365 Direct Delivery is now turned on for your domain.

Enter authentication details manually

When you create a credential manually, make sure you have the Domain.Read.All and Mail.ReadWrite API permissions in Microsoft Azure.

  1. On the Add Microsoft Graph Credential page, click Enter authentication details manually.

  2. Enter the needed information.

    You can enter your preferred unique credential name, for this only serves as an identifier.

    Enter authentication details manually.

    Note

    You'll need to register an application to get your App ID and Secret details. To register an application, see Register an app with Microsoft Entra ID.

  3. Click Save.

  4. On the Credential Manager page, click Update.

M365 Direct Delivery is now turned on for your domain.

M365 direct delivery test

After turning on M365 Direct Delivery, you can run a quick test to verify if the setup was successful.

To run a quick test, do as follows:

  1. Click the Test button next to the domain that has M365 Direct Delivery turned on.

    Direct delivery test button.

  2. On the Run a quick direct delivery test page, enter the recipient's email.

  3. Click Proceed.

    A page appears to confirm whether the test is successful or not.

  4. Click Close.

Blocked URLs from email campaigns

Safe Links protection may block URLs from simulated phishing email campaigns when users click them.

Safe Links blocks URL.

To resolve this issue, you must add the Phish Threat IP addresses and domain names to the allow list. See IP addresses and domains and M365 exclusions.

Note

Make sure to use the *.domainname/* format when adding your domains to the allow list. For example, *.hr-benefits.site/*. For more information, see "Do not rewrite the following URLs" lists in Safe Links policies.

Turn on Google Direct Delivery

This feature might not be available for all customers yet.

When you set up Google Direct Delivery, you must give permission for Sophos applications to access your Google Workspace domains.

To do this, your browser must accept pop-ups during the setup process. You might have to turn off pop-up blockers or add exceptions for Google Workspace domains.

You must also be able to sign in to the correct domain. If your browser has stored sign-in credentials for a different domain, use an incognito or private browsing window.

Warning

By default, the service account key creation policy in Google Cloud is enabled for new Google Workspace accounts. If you don't disable this policy, connecting Google Workspace for direct delivery will fail.

To prevent the connection from failing, disable this policy in Google Cloud. For more information, see Disable service account key creation policy in Google Cloud.

To turn on Google Direct Delivery, do as follows:

  1. Go to My Products > Phish Threat > Settings.
  2. Click Direct Delivery for M365/Google.
  3. In the Direct delivery column, turn on direct delivery for your domain.
  4. In the Configure Direct Delivery dialog, select Google Workspace.
  5. Click Proceed.
  6. On the Sign in with Google dialog, select an account and enter your password.
  7. Review the privacy policy and Terms of Service and click Continue.

  8. Select what Sophos can access and click Continue.

    Sophos connects to your Google account. You must wait until the process reaches 100%.

  9. When the Google connection is set up, click Close.

Authorize access

To authorize access, do as follows:

  1. On the Direct Delivery for M365/Google page, click the domain you turned on Google direct delivery for.
  2. Take note of your Google OAuth Client ID information.
  3. Click Google Workspace Admin console. You'll be asked to enter your Google account password.
  4. Click Next.
  5. On the Google Workspace Admin console, click Client ID.

  6. On the Add a new client ID dialog, do as follows:

    1. In Client ID, enter the client ID.
    2. In OAuth scopes (comma-delimited), enter the OAuth scopes.
    3. Click Authorise.

  7. On the Direct Delivery for M365/Google page, click Verify and connect.

  8. On the Verify Connection dialog, click Ok.

Test Google Direct Delivery

After turning on Google Direct Delivery, you can run a quick test to verify if the setup was successful.

To run a quick test, do as follows:

  1. Click the Test button next to the domain that has Google Direct Delivery turned on.

    Direct delivery test button.

  2. On the Run a quick direct delivery test dialog, enter an email address. The phishing simulation email will be sent to this email address.

  3. Click Proceed.

    You'll see a confirmation message indicating whether the test is successful or not.

Turn off Google Direct Delivery for a domain

To turn off Google Direct Delivery, do as follows:

  1. On the Direct Delivery for M365/Google page, under the Direct delivery column, turn off direct delivery for the domain.

    Turn off Google Direct Delivery.

    Note

    Each time you disconnect a domain from Google Direct Delivery, you must read and accept the terms and conditions of use.

  2. Select the Google account you want to disconnect from.

    Note

    You must use a Google Workspace account with administrator privileges.

    Google requires you to verify your administrator account to complete the disconnection.

    If this is your first time signing in, enter your email address and password.

    If you've signed in before, Google shows the permission request pop-ups immediately.

  3. Review the Google sign-in confirmation and click Continue.

    After selecting your account, Google shows a confirmation window indicating that sophos.com is requesting access to your account information.

  4. Review the permission request pop-up and grant consent to Sophos.

    In the permission pop-up, make sure the required access is selected.

    Google permission pop-up for Sophos access.

  5. After the permissions are granted, click Continue.

    Disconnecting starts. This may take a few minutes.

  6. When the disconnection is completed, click Close.

Your domain is now disconnected from Google Direct Delivery.