M365 Direct Delivery

M365 Direct Delivery bypasses email filtering rules and injects the campaign emails, including training enrollment and training reminder emails, directly into your recipients' inboxes using Microsoft's Graph APIs.

When M365 Direct Delivery is turned on, it eliminates the need to add the Phish Threat domains and IP addresses to Microsoft's exception list and enhances the deliverability of the emails.

Your verified domains are listed on the M365 Direct Delivery page.

To turn on M365 Direct Delivery, do as follows:

1. Go to My Products > Phish Threat > Settings.
2. Click M365 Direct Delivery.
3. In the Direct delivery (M365 only) column, turn on direct delivery for your domain.

4. In the Credential Manager page, add a credential for Phish Threat that has the necessary M365 permissions.

   • If you have a credential configured for this domain, select an existing credential.

     Note

     You may see Disallowed credentials if you've created credentials in Sophos Central for other purposes without Phish Threat permissions. If you want to re-use an existing credential, you’ll need to modify it to add the necessary permissions for Phish Threat. See Integration Credential Manager.

   • If you turn on M365 Direct Delivery for the first time, you'll need to add a credential. See Add a credential.

Add a credential

To add a credential, do as follows:

1. On the Credential Manager page, click add new credential.

   On the Add Microsoft Graph Credential page, you can do as follows:

   • Use Microsoft 365 automated provisioning

     Tip

     We recommend using Microsoft 365 automatic provisioning because this automatically creates the credential with the necessary permissions.

   • Enter authentication details manually

   For details, see the following sections.

Use Microsoft 365 automated provisioning

1. On the Add Microsoft Graph Credential page, click Use Microsoft 365 automated provisioning.

2. Enter a credential name and description.

   You can enter your preferred unique credential name, for this only serves as an identifier.

   

3. Click Save and Continue to Provisioning.

4. On the Connect to Microsoft 365 page, click Continue.

   You'll be redirected to the Microsoft sign in to your account page.

5. On the Microsoft sign in to your account page, select a Microsoft account.

6. Review the terms and click Accept.

   This grants permission for the Master App.

7. Select a Microsoft account.

8. Review the terms and click Accept.

   This grants permission for Sophos Central integration.

9. Click Close to close the Microsoft sign in to your account page.

   The Credential Manager page shows the credential you created.

   

10. Click Enable.

M365 Direct Delivery is now turned on for your domain.

Enter authentication details manually

When you create a credential manually, make sure you have the Domain.Read.All and Mail.ReadWrite API permissions in Microsoft Azure.

1. On the Add Microsoft Graph Credential page, click Enter authentication details manually.

2. Enter the needed information.

   You can enter your preferred unique credential name, for this only serves as an identifier.

   

   Note

   You'll need to register an application to get your App ID and Secret details. To register an application, see Register an app with Microsoft Entra ID.

3. Click Save.

4. On the Credential Manager page, click Update.

M365 Direct Delivery is now turned on for your domain.

M365 direct delivery test

After turning on M365 Direct Delivery, you can run a quick test to verify that the setup was successful.

To run a quick test, do as follows:

1. Click the Play button next to the domain that has M365 Direct Delivery turned on.

   

2. On the Run a quick direct delivery test page, enter the recipient's email.

3. Click Proceed.

   A page appears to confirm whether the test is successful or not.

4. Click Close.