
Direct Message Injection (DMI) setup guide for Microsoft 365/Entra

The Direct Message Injection (DMI) feature eliminates the need to whitelist the domains in simulated phishing emails by securely delivering emails directly to users' inboxes. This is achieved by establishing a connection between your SoSafe account and Microsoft Entra ID (formerly Azure AD).

Step 1: Prerequisites

Before enabling DMI, ensure you meet the following requirements:

  • Mail Server Setup: At least one mail server must be enabled (unless you’re using IP ranges).

  • Microsoft Entra ID Access: You must authorize SoSafe to access your Microsoft Entra ID Graph API.

Step 2: Connecting SoSafe to Microsoft Entra ID

Enable the Microsoft DMI Integration

  1. Log in to your SoSafe Manager at https://manager.sosafe.de/.

  2. Navigate to Settings / Integrations.

  3. Find the Microsoft 365 DMI card and select Connect.

If you don’t see the Microsoft 365 DMI card, reach out to your Customer Success Manager, who will make sure to activate it for you.

  4. In the dialog window that pops up, select one of the two options, depending on your situation:

    • If you have Microsoft Entra admin access: Proceed with Connect Microsoft 365 DMI and go to step a.

    • If you don’t have Microsoft Entra admin access: Select I don’t have admin rights and go to step b.


a. Microsoft Entra Admin

  1. After selecting Connect Microsoft 365 DMI, a Microsoft login window will open. Log in with your Microsoft account.

  2. Review the SoSafe Email Connector application and its required permissions.

  3. Select Accept to authorize the integration.

  4. Once successful, you’ll see a green "Connected" status in SoSafe Manager.


b. Non-admin

  1. Obtain your organization’s Microsoft Entra Tenant ID (ask an admin for this if you don’t know it).

  2. Select I don’t have admin rights.

  3. Enter the Tenant ID in the corresponding field, select Generate consent link and then select Copy Link.

  4. Send this link to a Microsoft Entra Admin, who will complete the authorization.

  5. Once the admin has approved the authorization, return to this page in the manager to verify the connection.

Important: Once the admin has approved the authorization, you must visit Settings / Integrations in the manager. You don’t need to do anything there, but visiting the page initializes the connection.

 

Step 3: Testing the Integration

To ensure DMI is working properly, send a test email:

  1. In SoSafe Manager, go to Settings / Integrations and click Edit under Microsoft 365 DMI.

  2. Enter an email address that belongs to your Microsoft tenant.

  3. Select Send Test Email.

  4. Check the inbox of the test email account in Outlook; you should receive a test phishing email.

  5. In the manager, go to Emails / Email Log to confirm that the email is marked as "Delivered".

If steps 4 and/or 5 did not work, try disconnecting the integration and re-establishing it by following the steps above again. If this does not work, reach out to your Customer Success Manager.

We recommend following this guide as well to remove unsafe link warnings for SoSafe emails: Whitelisting domains with safe links (Microsoft Defender)

Disconnecting the DMI Integration

If you need to disable DMI, follow these steps:

  1. In the SoSafe Manager, go to Settings / Integrations.

  2. Locate the Microsoft 365 DMI card and click Edit.

  3. Click Disconnect.

Important: This only removes the connection from SoSafe’s side. To fully revoke permissions, a Microsoft Entra Admin must manually remove the SoSafe app from the Entra ID dashboard.

Current limitations

Enabling DMI and already running Personalized Phishing simulation campaigns

When enabling or disabling DMI, any personalized phishing simulation campaigns that are currently running will take a maximum of two days to update their settings. Therefore, if there are emails already scheduled, they will continue to use the previous method until the update process is completed. This delay applies only to personalized phishing simulation campaigns and not to classic simulation campaigns.

What permissions does SoSafe require in Microsoft Entra ID?

SoSafe requires two permissions to deliver simulated phishing emails through DMI:

  • User.ReadBasic.All: Allows SoSafe to read basic user profiles within Microsoft Entra ID.

  • Mail.ReadWrite: Enables SoSafe to identify inbox locations and inject phishing simulations correctly.
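
To confirm what the connector was actually granted after consent, an Entra administrator can list its grants with Microsoft Graph PowerShell and compare them with the two permissions above. This is an added example, not SoSafe's own tooling; it assumes the Microsoft.Graph module is installed and that the enterprise application's display name is the "SoSafe Email Connector" name shown on the consent screen.

```powershell
# Added example: audit what the SoSafe connector was granted in Entra ID.
$AppName  = 'SoSafe Email Connector'                  # assumption: display name matches the consent screen
$Expected = @('User.ReadBasic.All', 'Mail.ReadWrite') # the two permissions documented above

# Read-only scopes are enough for this audit.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

$servicePrincipals = @(Get-MgServicePrincipal -Filter "displayName eq '$AppName'" -All)
if ($servicePrincipals.Count -eq 0) {
    Write-Output "No enterprise application named '$AppName' exists in this tenant."
    return
}

foreach ($sp in $servicePrincipals) {
    $granted = @()

    # Application permissions (app roles), resolved from role ID to role name.
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
        $role     = $resource.AppRoles | Where-Object Id -eq $a.AppRoleId
        $granted += [pscustomobject]@{ Type = 'Application'; Resource = $resource.DisplayName; Permission = $role.Value }
    }

    # Delegated permissions: each grant carries a space-separated scope string.
    foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
        foreach ($scope in ($g.Scope -split '\s+' | Where-Object { $_ })) {
            $granted += [pscustomobject]@{ Type = "Delegated ($($g.ConsentType))"; Resource = $resource.DisplayName; Permission = $scope }
        }
    }

    Write-Output "Service principal $($sp.Id) (appId $($sp.AppId)):"
    $granted | Sort-Object Type, Permission | Format-Table -AutoSize | Out-Host

    # -notin compares case-insensitively, so 'mail.readwrite' matches 'Mail.ReadWrite'.
    $unexpected = $granted | Where-Object { $_.Permission -notin $Expected }
    $missing    = $Expected | Where-Object { $_ -notin $granted.Permission }
    if ($unexpected) { Write-Warning "Granted but not documented: $(($unexpected.Permission | Sort-Object -Unique) -join ', ')" }
    if ($missing)    { Write-Warning "Documented but not granted: $($missing -join ', ')" }
    if (-not $unexpected -and -not $missing) { Write-Output 'Grants match the documented permission set.' }
}
```

After a Microsoft Entra Admin has removed the app as described under Disconnecting the DMI Integration, the same script should report that no such enterprise application exists.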

For further assistance, contact SoSafe Support or your Customer Success Manager.
