Message Injection allows you to bypass regular email delivery and put emails directly into your users' mailboxes, increasing the delivery success rate and removing the requirement for allow-listing.
Here's how to configure Message Injection in Microsoft 365.
Authorisation
Go to Settings > uPhish > Message Injection
Scroll down to Microsoft 365 and click Sign in with Microsoft to start the authorisation process.
After you have logged into the chosen Microsoft Account, a screen to authorise the Message Injection integration will appear. Please click Accept.
NOTE: This will grant the platform permission to insert emails into the mailbox of any user on the authorised Microsoft 365 tenant. We only use this permission to deliver simulated phishing emails, no other communications will be sent via this integration.
Once accepted, you should see the authentication completion page below. You can now close this tab and Message Injection will be available as a delivery method in your uPhish campaigns. You should use the test message injection feature to confirm that it works as expected.
Authorisation Requirements
Authorising the Microsoft Message Injection integration uses Application Permissions authentication. This requires an account that can grant tenant-wide admin consent for an AD Enterprise Application. This combined with the MS Graph API permissions required by the integration mean that an account with the Global Administrator role is needed.
Activation
After setting up Message Injection, a toggle on button appears on the settings page where you can add Message Injection as the default delivery method.
To enable Message Injection by default, go to Settings > uPhish > Message Injection and scroll to Additional Settings.
Advanced Options
You can re-authorise the Message Injection using the Sign In with Microsoft button on the Message Injection settings page. This is useful if message injection emails are failing due to authentication issues.
You can use the Revoke Authentication option if you wish to disable Message Injection. This deletes any authentication credentials we hold for the authorised Microsoft 365 tenant.