Send email using Microsoft Graph

Use this guide if you want to configure the WordPress + Office 365 plugin to send emails from your WordPress website using Microsoft Graph. Also see the following video https://youtu.be/fQM1zP0pKqI.

Please Note

Please follow the steps below if you want to use the Graph Mailer without configuring other capabilities such as single sign-on.

  • Go to WP Admin > Plugins > Installed Plugins and make sure you deactivate and delete the WPO365 | LOGIN plugin.
  • Scroll to the top of the Plugins page and click Add new.
  • Search for WPO365 and click to install WPO365 | MS GRAPH MAILER.
  • Continue to the installation guide for the WPO365 | MS GRAPH MAILER.

Features

WPO365 | MS GRAPH MAILER or WPO365 | LOGIN (Free)

  • Delivery: Send WordPress transactional emails from one of your Microsoft 365 Exchange Online / mail-enabled accounts using Microsoft Graph instead of, for example, SMTP.
  • Choose between sending emails using application-level permissions to send emails as any user and sending emails using delegated permissions (recommended) to send emails as one specific authorized user.
  • Save to Sent Items: Emails sent will be saved in the Sent Items folder of the Microsoft 365 account's mailbox, further helping to track (successful) mail delivery.
  • Send as HTML: Send emails formatted as HTML.
  • Attachments: Send files up to 3 MB from your WordPress website as attachments.
  • Configuration / Test: Easy configuration with a detailed step-by-step Getting started guide and the ability to test the configuration by sending a test email to various types of recipients incl. CC and BCC, optionally with an attachment.
  • Support for WordPress Multisite.

WPO365 | MAIL (Paid premium extension)

  • Use WP-Config for AAD-secrets: Further improve overall security by choosing to store Azure Active Directory secrets in your WordPress WP-Config.php (on disk) and have those secrets removed from the database.
  • Mail audit / resend: Log every transactional email sent from your WordPress website, review errors and try to resend mails that failed to send.
  • Allow forms to override "From" address: Allow other plugins, e.g. Contact Form 7, to dynamically configure the account used to send the email from. If the dynamically configured "From" address appears not to have the same domain ending as the default "From" address, the plugin will use the default "From" address instead.
  • Send as BCC: Send emails as BCC instead and prevent reply-to-all mail pollution.
  • Reply-to: Configure a default reply-to mail address if this should differ from the mail address of the account that is used to send WordPress transactional emails.

Visit our website for details and pricing.

Before you start

  • You must also already have configured the Integration capability of the WPO365 | LOGIN plugin.
  • You are a Global Administrator for your company’s Office 365 tenant / Azure AD directory (or at least know someone in your organization who has sufficient privileges to edit the Azure Active Directory App registration(s) that was created previously to add the Mail.Send delegated or application-level permission and grant consent as an administrator).
  • You are an Administrator for your WordPress website.

Option 1: Send mail using delegated permissions (recommended)

Sending WordPress emails using delegated permissions is currently your best option, unless you have a requirement to send WordPress emails from more than one address, for example using different Contact Form 7 forms. In that case you would need to configure application-level permissions. However, using application-level permissions to send emails as any user carries great responsibility, and you must ensure that your website is protected at all times!

Perform the following steps to enable your WordPress website to send emails using Microsoft Graph using delegated permissions.

App registration

  • In Azure Portal click the 'hamburger' (icon with three horizontal lines in the upper corner) to open the menu.
  • Navigate to Azure Active Directory > App registrations.
  • Select the App registration that you created when you configured the SSO / Integration portion of the WPO365 | LOGIN plugin.

API Permissions

  • Click API permissions from your App registration's menu on the left.
  • Click + Add permission.
  • Select Microsoft Graph > Delegated permissions.
  • Ensure that the following permissions are already checked (or check them if not):
    • openid
    • profile
    • email
    • User.Read
    • offline_access
  • Scroll down to Mail and check
    • Mail.Send
  • Click Add permissions.
  • Wait until Grant admin consent for … has become available, then click to grant consent for all users in your tenant to use this ‘App registration’.

Please note: To successfully authorize the WordPress application to send emails using Microsoft Graph as a specific user, you must have added (and granted admin consent for) at least the API permissions as shown in the previous screenshot.

Important: Customers with advanced Azure AD management skills might be interested in granting consent on behalf of a single user instead. Microsoft has prepared this article that explains the steps that are required to accomplish this using PowerShell. In this case the administrator has not granted consent for all users to use the Mail.Send permission but for a single user only (which must be the account that is used in the next step to complete the mail authorization configuration).

Configure the Microsoft Graph Mailer for WordPress

  • To reconfigure your website and send WordPress emails using Microsoft Graph you must check the corresponding option, as shown below.

  • Immediately after sending emails with Microsoft Graph is enabled, the plugin starts to search for an existing mail authorization configuration. If no mail authorization exists, this will most likely mean that the plugin only found the Directory (tenant) ID. To complete the mail authorization configuration you must now supply the Application (client) ID and an Application (client) secret of the App registration for which you changed the API Permissions in the previous step. You will find the Directory (tenant) ID and Application (client) ID on the App registration's Overview page. The Application (client) secret is no longer visible at this point. However, you can look it up by going to WP Admin > WPO365 > ... > Import / export and searching the JSON configuration for the applicationId property.

As soon as all three fields (Directory (tenant) ID, Application (client) ID and Application (client) secret) are filled out, you will notice that the plugin again starts to search for an existing mail authorization configuration, because a spinner will turn to the right of the Authorize button. The Refresh button to the right of the Authorization status field allows you to start this search manually.

  • Enter the mail account that you want to use to send all WordPress emails from. Please note that the account's username is not necessarily the same as the mail account's email address.
  • Finally click Authorize to initiate the mail authorization flow. 
    • You will be redirected to https://login.microsoftonline.com/.
    • You will be asked to sign in with the mail account's user and must enter the password for that user.
    • After you have authenticated successfully, you will be redirected back to the website and to the plugin's Mail configuration page.
    • The plugin will again start to search for an existing mail authorization configuration. Since you authenticated successfully, the plugin should now be able to retrieve the mail authorization configuration and show Authorized! to the right of the Authorize button.
    • If an error occurred during any of the previous steps, the plugin will display an error message. You can also navigate to WP Admin > WPO365 > ... > Debug and check there for any errors or warnings.

  • To delete an existing mail authorization configuration, simply uncheck the box Delegated permissions.

At this point, you have configured the WPO365 | LOGIN plugin to send WordPress emails using Microsoft Graph using delegated permissions. Now please scroll down to Test the Microsoft Graph Mailer for WordPress to test the configuration you just applied.

Option 2: Send mail using application-level permissions (send mail as any user)

Sending WordPress emails using application-level permissions means that you allow the application to send emails as any user. This carries great responsibility, and you must ensure that your website is protected at all times! However, if you have a requirement to send different WordPress emails from different accounts and you feel that you cannot resolve this by sending all emails from the same account but with, for example, different reply-to addresses, then configuring application-level permissions may be your only option.

Perform the following steps to enable your WordPress website to send emails using Microsoft Graph using application-level permissions.

App registration

  • In Azure Portal click the 'hamburger' (icon with three horizontal lines in the upper corner) to open the menu.
  • Navigate to Azure Active Directory > App registrations.
  • Select an existing App registration e.g. the one that you created when you configured the SSO / Integration portion of the WPO365 | LOGIN plugin.

Please note: You can also register a new application in Azure AD instead.

API Permissions

  • Click API permissions from your App registration's menu on the left.
  • Click + Add permission.
  • Select Microsoft Graph > Application permissions.
  • Scroll down to Mail and check
    • Mail.Send
  • Click Add permissions.
  • Wait until Grant admin consent for … has become available, then click to grant consent for all users in your tenant to use this ‘App registration’.

Please note: At this point you must be aware that you have now granted an application identity the unlimited permission to send emails as any user in your organization, and you must ensure that you have taken sufficient precautions to protect your website against attacks.

Configure the Microsoft Graph Mailer for WordPress

  • To reconfigure your website and send WordPress emails using Microsoft Graph you must check the corresponding option, as shown below.

  • Immediately after sending emails with Microsoft Graph is enabled, the plugin starts to search for an existing mail authorization configuration. If no mail authorization exists, this will most likely mean that the plugin only found the Directory (tenant) ID. To complete the mail authorization configuration you must now supply the Application (client) ID and an Application (client) secret of the App registration for which you changed the API Permissions in the previous step.

As soon as all three fields (Directory (tenant) ID, Application (client) ID and Application (client) secret) are filled out, you will notice that the plugin again starts to search for an existing mail authorization configuration, because a spinner will turn to the right of the Authorize button. The Refresh button to the right of the Authorization status field allows you to start this search manually.

This time the search should be able to detect that you have reconfigured the API Permissions for the registered application and as a result the Authorization status should show that Application-level permissions have been detected, as shown below.

Please note: Starting with version 19.0 of WPO365 | LOGIN, the plugin supports sending WordPress emails using delegated permissions, which has since also become the recommended way. Therefore the plugin will show a warning and recommend that you remove the application-level permissions and configure delegated permissions instead. If you have good reasons to configure application-level permissions, you can safely ignore the recommendation.
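To check independently which kind of Mail.Send grant an access token carries, you can inspect its claims: Microsoft identity platform access tokens list application permissions in the `roles` claim and delegated permissions in the space-separated `scp` claim. The following is an added example, not the plugin's own code; the tokens are constructed and unsigned, and the helper names are hypothetical.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt: str) -> dict:
    """Return a JWT's payload claims WITHOUT verifying the signature.

    Inspection only: never base an authorization decision on unverified claims.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return json.loads(b64url_decode(parts[1]))


def mail_send_grant(claims: dict) -> str:
    """Classify how Mail.Send was granted: 'application', 'delegated' or 'none'."""
    roles = claims.get("roles") or []           # application permissions
    scopes = (claims.get("scp") or "").split()  # delegated permissions
    if "Mail.Send" in roles:
        return "application"  # app-only token: may send as any user
    if "Mail.Send" in scopes:
        return "delegated"    # limited to the user who authorized
    return "none"


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed data, not a real token)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed-signature"


APP_TOKEN = constructed_token({"roles": ["Mail.Send"]})
USER_TOKEN = constructed_token(
    {"scp": "openid profile email User.Read Mail.Send", "upn": "mailer@example.com"}
)

if __name__ == "__main__":
    for label, token in (("app-only", APP_TOKEN), ("delegated", USER_TOKEN)):
        print(label, "->", mail_send_grant(token_claims(token)))
```

A result of `application` for a token issued to the website's App registration confirms that a compromise of the site's client secret would allow sending mail as any user in the tenant.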

  • Since you configured application-level permissions you should NOT click the Authorize button. However, if you do, you'll see a notice that you should not click it if you're configuring the plugin to use application-level permissions and you can click to cancel the mail authorization flow.
  • Enter the mail account that you want to use to send all WordPress emails from. Please note that the account's username is not necessarily the same as the mail account's email address.

Perform the following steps to remove application-level permissions to send WordPress emails using Microsoft Graph.

  • Navigate to your App registration in Azure AD, e.g. by clicking the link View in Azure Portal for the Application (client) ID field on the plugin's Mail configuration page.
  • Continue to the API Permissions page.
  • From the list, delete the application type permission for Mail.Send.
  • Grant consent as an administrator and confirm that you would like to remove the permissions that you just deleted altogether.
  • Return to the plugin's Mail configuration page and click the Refresh button to the right of the Authorization status field.

At this point, you have configured the WPO365 | LOGIN plugin to send WordPress emails using Microsoft Graph using application-level permissions. Now please scroll down to Test the Microsoft Graph Mailer for WordPress to test the configuration you just applied.

Test plugin configuration

  • Navigate to WP Admin > WPO365 and click Plugin self-test.
  • Click to Start self-test.
  • When the self-test completes you must scroll to the end of the results and ensure that the self-test has found the permissions to be

Test the Microsoft Graph Mailer for WordPress

  • To test the configuration you can enter comma separated email addresses for the following recipients:
    • To recipients
    • CC recipients
    • BCC recipients
  • Optionally you can also add an attachment when sending the test email.

  • Finally click Save configuration + Send test email and wait for the corresponding Feedback.

Adding premium features

You can unlock the premium features by purchasing the WPO365 | MAIL extension (see our website for details and pricing). The extension must be installed in addition to the WPO365 | MS GRAPH MAILER plugin.

Configure premium features

  • If you want to further improve the overall security, you can choose to add the confidential values to your WP-Config.php. If enabled, those values are removed from the database.
  • Allow forms to override "From" address: Allow other plugins, e.g. Contact Form 7, to dynamically configure the account used to send the email from. If the dynamically configured "From" address appears not to have the same domain ending as the default "From" address, the plugin will use the default "From" address instead. Please note that this feature is only available when you have configured application-level permissions.
  • You can send emails with a Reply-to address that is different from the address sending the email.
  • If you are regularly sending emails to multiple (CC) recipients you can Send to BCC instead. When you check this option all to and CC recipients will be configured as BCC recipients instead and the email will be sent to the Default To: recipient's email address that you must enter in the corresponding field.
  • You can enable the mail audit / resend functionality that will help you monitor emails sent and gives you an opportunity to resend emails that failed to send. See the following paragraph for details.

Please note: The option to Allow forms to override "From" address is only available if you configured application-level permissions.
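The "From" override rule described above, sketched as an added example (not the plugin's own code). It assumes "same domain ending" means the default address's exact domain or one of its subdomains, and it compares on a label boundary so that a look-alike such as evil-example.com does not pass a plain suffix match. All addresses are constructed.

```python
from email.utils import parseaddr


def domain_of(address: str) -> str:
    """Return the lower-cased domain of 'Name <user@domain>' or '' if invalid."""
    _, addr = parseaddr(address)
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.lower().rstrip(".")


def effective_from(requested: str, default: str) -> str:
    """Pick the address to send from: the override if allowed, else the default."""
    default_domain = domain_of(default)
    requested_domain = domain_of(requested)
    if default_domain and requested_domain:
        same = requested_domain == default_domain
        # Subdomain match is anchored on a dot, so "evil-example.com"
        # is not treated as ending in "example.com".
        sub = requested_domain.endswith("." + default_domain)
        if same or sub:
            return parseaddr(requested)[1]
    return parseaddr(default)[1]


DEFAULT_FROM = "wordpress@example.com"  # constructed default sender

if __name__ == "__main__":
    samples = [
        "Sales <sales@example.com>",    # same domain: override accepted
        "news@mail.example.com",        # subdomain: accepted (assumption)
        "ceo@evil-example.com",         # look-alike suffix: falls back
        "billing@example.com.evil.org", # default domain used as prefix: falls back
        "not-an-address",               # unparsable: falls back
    ]
    for s in samples:
        print(f"{s!r:35} -> {effective_from(s, DEFAULT_FROM)}")
```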

Mail Audit / Resend

  • If you check the premium option to Log all emails sent from your WordPress website, the plugin will save all sent items in the database.

  • Once you have checked this option, a link to View logs will be shown, allowing you to review errors and try to resend mails that failed to send.

Troubleshooting

If the test email was not sent successfully you may check the plugin's debug-log for any errors.

You can reach the WPO365 team for support and questions in one of the following ways:

  • Click the Contact link at the top of this page.
  • Use the Beacon by clicking the question mark in the blue dot on the plugin's configuration page.
  • Fill out the Contact Form on the website.