Skip to content

M365 Direct Delivery

This feature may not be available for all customers yet.

M365 Direct Delivery bypasses email filtering rules and inject the campaign emails directly into your recipients' inboxes using Microsoft's Graph APIs.

When M365 Direct Delivery is turned on, it eliminates the need to add the Phish Threat domains and IP addresses to Microsoft's exception list and enhances the deliverability of the emails.

Your verified domains are listed on the M365 Direct Delivery page.

Note

If you have multiple domains, you must turn on M365 Direct Delivery for each domain. If M365 Direct Delivery isn't turned on, the default, SMTP-based delivery will function.

To turn on M365 Direct Delivery, do as follows:

  1. Go to My Products > Phish Threat > Settings.
  2. Click M365 Direct Delivery.
  3. In the Direct delivery (M356 only) column, turn on direct delivery for your domain.
  4. In the Credential Manager page, add a credential for Phish Threat that has the necessary M365 permissions.

    • If you have a credential configured for this domain, select an existing credential.

      Note

      You may see Disallowed credentials if you've created credentials in Sophos Central for other purposes without Phish Threat permissions. If you want to re-use an existing credential, you’ll need to modify it to add the necessary permissions for Phish Threat. See Integration Credential Manager.

    • If you turn on M365 Direct Delivery for the first time, you'll need to add a credential. See Add a credential.

Add a credential

To add a credential, do as follows:

  1. On the Credential Manager page, click add new credential.

    On the Add Microsoft Graph Credential page, you can do as follows:

    For details, see the following sections.

Use Microsoft 365 automated provisioning

  1. On the Add Microsoft Graph Credential page, click Use Microsoft 365 automated provisioning.
  2. Enter a credential name and description.

    You can enter your preferred unique credential name, for this only serves as an identifier.

    Add Microsoft Graph Credential page.

  3. Click Save and Continue to Provisioning.

  4. On the Connect to Microsoft 365 page, click Continue.

    You'll be redirected to the Microsoft sign in to your account page.

  5. On the Microsoft sign in to your account page, select a Microsoft account.

  6. Review the terms and click Accept.

    This grants permission for the Master App.

  7. Select a Microsoft account.

  8. Review the terms and click Accept.

    This grants permission for Sophos Central integration.

  9. Click Close to close the Microsoft sign in to your account page.

    The Credential Manager page shows the credential you created.

    Credential Manager with a new credential.

  10. Click Enable.

M365 Direct Delivery is now turned on for your domain.

Enter authentication details manually

When you create a credential manually, make sure you have the Domain.Read.All and Mail.ReadWrite API permissions in Microsoft Azure.

  1. On the Add Microsoft Graph Credential page, click Enter authentication details manually.
  2. Enter the needed information.

    You can enter your preferred unique credential name, for this only serves as an identifier.

    Enter authentication details manually.

    Note

    You'll need to register an application to get your App ID and Secret details. To register an application, see Register an app with Microsoft Entra ID.

  3. Click Save.

  4. On the Credential Manager page, click Update.

M365 Direct Delivery is now turned on for your domain.

M365 direct delivery test

After turning on M365 Direct Delivery, you can run a quick test to verify that the setup was successful.

To run a quick test, do as follows:

  1. Click the Play button next to the domain that has M365 Direct Delivery turned on.

    Direct delivery test button.

  2. On the Run a quick direct delivery test page, enter the recipient's email.

  3. Click Proceed.

    A page appears to confirm whether the test is successful or not.

  4. Click Close.