Early access. This feature is in early access, which means it’s undergoing ongoing testing and development while we gather feedback, validate functionality, and improve outputs. Contact the C1 Support team if you’d like to try it out or share feedback.

By default, C1 sends notifications from no-reply@conductorone.com. You can instead send through your own Microsoft 365 tenant using the Microsoft Graph sendMail API, so recipients see your company’s domain as the sender.

This task requires the Super Admin role in C1 and the Application Administrator (or Global Administrator) role in Entra ID, plus an Exchange Online administrator who can configure mailbox access policies.

C1 authenticates to your tenant via an Entra ID app registration with the Mail.Send application permission. No user passwords are shared with C1, and you can revoke access at any time by removing the client secret or deleting the app.

Before you begin

Configure SPF, DKIM, and DMARC for your sending domain by following Microsoft’s recommended email authentication settings before proceeding. If your domain is already used for Microsoft 365 mail, these records may already be in place.
You’ll need:
  • A Microsoft 365 (Entra ID) tenant.
  • A licensed mailbox to send from (for example, governance@yourcompany.com).
  • Permission to register applications and grant admin consent in Entra ID.
  • Permission to run Exchange Online PowerShell to configure the mailbox access policy (Step 4).

Step 1: Register an app in Entra ID

Create an Entra ID app registration that C1 will authenticate as to call the Microsoft Graph sendMail API.
1. Sign in to entra.microsoft.com as an Application Administrator or Global Administrator.
2. Navigate to Identity > Applications > App registrations > New registration.
3. Fill in:
     • Name: C1 Email Sender (or similar).
     • Supported account types: Accounts in this organizational directory only (single tenant).
     • Redirect URI: leave blank.
4. Click Register.
5. On the app’s Overview page, copy and save:
     • Application (client) ID — you’ll paste this into C1.
     • Directory (tenant) ID — you’ll paste this into C1.

Step 2: Grant the Mail.Send application permission

Grant the app permission to send mail and authorize it for your tenant.
1. On the app’s page, navigate to API permissions > Add a permission.
2. Select Microsoft Graph > Application permissions (not Delegated).
3. Search for and select Mail.Send.
4. Click Add permissions.
5. Click Grant admin consent for your tenant and confirm. The Status column should show a green check next to Mail.Send.

Application permission is required, not Delegated. Delegated permissions require an interactive user sign-in, which doesn’t fit a service-to-service email sender. Application permissions allow C1 to send mail without a user present, but also grant the app the ability to send as any mailbox in the tenant by default. Step 4 below restricts that scope.

Step 3: Create a client secret

Create the credential C1 will use to authenticate as the app.
1. On the app’s page, navigate to Certificates & secrets > Client secrets > New client secret.
2. Enter a description (for example, C1 Email Sender) and choose an expiration. 24 months is the maximum; a shorter expiration is better practice.
3. Click Add.
4. Immediately copy the secret’s Value — Azure will not show it again after you leave the page. You’ll paste this into C1 in Step 5.

Set a calendar reminder before this secret expires. Once it expires, C1 will fail to send email and there is no automatic renewal. Best practice: rotate the secret 30 days before expiry.
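
One way to track the expiry described above instead of relying on a calendar entry, as an added example (not C1's or Microsoft's own script): it reads the app registration's client secrets with the Microsoft Graph PowerShell SDK and flags any inside the 30-day rotation window. It assumes the Microsoft.Graph.Applications module is installed and that you can consent to Application.Read.All; the client ID is the value saved in Step 1.

```powershell
# Added example: report expiry of the client secrets on the C1 sender app.
# Assumes the Microsoft.Graph.Applications module and Application.Read.All consent.
$AppClientId = '<APP_CLIENT_ID>'   # placeholder: Application (client) ID from Step 1
$WarnDays    = 30                  # rotation window recommended above

Connect-MgGraph -Scopes 'Application.Read.All'

$app = Get-MgApplication -Filter "appId eq '$AppClientId'"
if (-not $app) { throw "No app registration found for client ID $AppClientId" }

$now = (Get-Date).ToUniversalTime()
$report = foreach ($cred in $app.PasswordCredentials) {
    $daysLeft = [math]::Floor(($cred.EndDateTime.ToUniversalTime() - $now).TotalDays)
    $status = if ($daysLeft -lt 0) { 'Expired' } elseif ($daysLeft -le $WarnDays) { 'RotateNow' } else { 'OK' }
    [pscustomobject]@{
        Description = $cred.DisplayName
        KeyId       = $cred.KeyId
        ExpiresUtc  = $cred.EndDateTime
        DaysLeft    = $daysLeft
        Status      = $status
    }
}

if (-not $report) { Write-Warning 'The app has no client secrets, so C1 cannot authenticate.' }
$report | Sort-Object DaysLeft | Format-Table -AutoSize

# More than one unexpired secret is expected only while a rotation is in progress.
$live = @($report | Where-Object Status -ne 'Expired')
if ($live.Count -gt 1) {
    Write-Warning "$($live.Count) unexpired secrets exist; remove the old one after updating C1."
}

# Surface anything that needs action so a scheduled run can alert on it.
$report | Where-Object Status -ne 'OK' | ForEach-Object {
    Write-Warning "Secret '$($_.Description)' is $($_.Status): $($_.DaysLeft) days left."
}
```

The script reads only credential metadata (description, key ID, expiry); the secret value itself is never returned by Microsoft Graph.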

Step 4: Restrict the app to the sender mailbox

By default, the app you created can send mail as any user in your tenant. Use an Application Access Policy in Exchange Online to scope it down to only the sender mailbox.
1. Connect to Exchange Online PowerShell as an Exchange administrator:

    Install-Module -Name ExchangeOnlineManagement
    Connect-ExchangeOnline

2. Create the access policy, replacing <APP_CLIENT_ID> with the Application (client) ID from Step 1 and <SENDER_MAILBOX> with the address you’ll use as the sender (for example, governance@yourcompany.com):

    New-ApplicationAccessPolicy `
        -AppId "<APP_CLIENT_ID>" `
        -PolicyScopeGroupId "<SENDER_MAILBOX>" `
        -AccessRight RestrictAccess `
        -Description "Restrict C1 Email Sender to governance mailbox"

3. Verify the policy:

    Test-ApplicationAccessPolicy -Identity "<SENDER_MAILBOX>" -AppId "<APP_CLIENT_ID>"
    # AccessCheckResult: Granted

    Test-ApplicationAccessPolicy -Identity "<ANY_OTHER_MAILBOX>" -AppId "<APP_CLIENT_ID>"
    # AccessCheckResult: Denied

Why this matters. Without this policy, anyone with the app’s client secret can send mail as any user in your tenant, including executives. The policy is enforced at the Exchange layer.

If you want the app to send from multiple mailboxes (for example, governance@ and security@), create a mail-enabled security group containing those mailboxes and use the group’s primary SMTP address for -PolicyScopeGroupId — one policy covers the whole group.
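
The group-based scoping and the Granted/Denied checks above, combined into one script as an added example (not C1's or Microsoft's own code). The group name and every value in angle brackets are placeholders to replace with your own.

```powershell
# Added example: scope the app to a group of sender mailboxes, then verify the result.
# The group name and all values in angle brackets are placeholders.
$AppClientId = '<APP_CLIENT_ID>'
$ScopeGroup  = '<SCOPE_GROUP_ADDRESS>'                    # primary SMTP address of the group
$Allowed     = @('<SENDER_MAILBOX_1>', '<SENDER_MAILBOX_2>')
$MustDeny    = @('<ANY_OTHER_MAILBOX>', '<EXECUTIVE_MAILBOX>')

Connect-ExchangeOnline

# Mail-enabled security group that defines the policy scope.
New-DistributionGroup -Name 'C1 Email Senders' -Type Security -PrimarySmtpAddress $ScopeGroup
foreach ($mbx in $Allowed) {
    Add-DistributionGroupMember -Identity $ScopeGroup -Member $mbx
}

New-ApplicationAccessPolicy -AppId $AppClientId -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess -Description 'Restrict C1 Email Sender to sender group'

# Record which policies now apply to this app.
Get-ApplicationAccessPolicy | Where-Object AppId -eq $AppClientId |
    Format-List Identity, ScopeName, AccessRight, Description

# Every allowed mailbox must come back Granted and every other mailbox Denied.
$expected = @{}
$Allowed  | ForEach-Object { $expected[$_] = 'Granted' }
$MustDeny | ForEach-Object { $expected[$_] = 'Denied' }

$failures = foreach ($mbx in $expected.Keys) {
    $actual = (Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppClientId).AccessCheckResult
    if ("$actual" -ne $expected[$mbx]) {
        [pscustomobject]@{ Mailbox = $mbx; Expected = $expected[$mbx]; Actual = "$actual" }
    }
}

if ($failures) {
    $failures | Format-Table -AutoSize
    throw 'Application access policy does not match the intended scope.'
}
'Policy scope verified.'
```

Microsoft's documentation notes that policy changes can take more than an hour to apply to Microsoft Graph calls, even when Test-ApplicationAccessPolicy already reports the expected result, so re-run the check after any change to the group's membership.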

Step 5: Configure the email provider in C1

Enter the app credentials and sender mailbox from the previous steps in C1 to activate the integration.
1. In C1, navigate to Settings > Email provider.
2. Click Edit.
3. Select Customer provided.
4. In Email service, select Microsoft Graph.
5. Fill in the fields:
     • Sender name: The display name recipients see (for example, Governance Team).
     • Sender email address: The mailbox you scoped in Step 4 (for example, governance@yourcompany.com).
     • Reply-to address: Usually the same as the sender address.
     • Azure tenant ID: The Directory (tenant) ID from Step 1.
     • Application (client) ID: The Application (client) ID from Step 1.
     • Client secret: The secret value you copied in Step 3.
6. Click Save.

When you save, C1 validates the credentials by acquiring an OAuth token from Azure AD. If the tenant ID, client ID, or secret is wrong, save fails with a clear error and your previous configuration is preserved.

Sender mailbox must be allowed by the access policy. If you applied an Application Access Policy in Step 4, the Sender email address must match a mailbox covered by that policy. Otherwise Microsoft Graph rejects the send with ErrorAccessDenied.

Step 6: Verify

Send a test message to confirm C1 can send through your Microsoft 365 tenant and that your email authentication records are passing.
1. On the Email provider page, click Send test.
2. Enter your own email address and click Send test.
3. Check your inbox. View the raw headers and confirm SPF: PASS, DKIM: PASS with your domain as signer, DMARC: PASS.
4. If the message does not arrive, check the spam folder and Microsoft 365 message trace (Exchange admin center > Mail flow > Message trace).

Sent items: C1 sends mail with saveToSentItems=false, so emails sent via this provider do not appear in the sender mailbox’s Sent folder. For an audit trail, use C1’s email activity log (Settings > Email provider > View activity) or Microsoft 365 message trace.
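
The header check in the third verification step, as an added example (not part of C1's product or documentation): a function that parses the Authentication-Results header from the raw headers of the test message and also checks that the DKIM signing domain is your own. The sample headers are constructed, and yourcompany.onmicrosoft.com stands in for a tenant's default signing domain; the second sample shows DMARC passing while DKIM is not signed with your domain.

```powershell
# Added example: evaluate the Authentication-Results header of the test message.
function Test-AuthResults {
    param(
        [Parameter(Mandatory)] [string] $RawHeaders,
        [Parameter(Mandatory)] [string] $Domain
    )
    # Unfold continuation lines, then take the topmost Authentication-Results header.
    $unfolded = $RawHeaders -replace '\r?\n[ \t]+', ' '
    $line = $unfolded -split '\r?\n' |
        Where-Object { $_ -match '^Authentication-Results:' } | Select-Object -First 1
    if (-not $line) { throw 'No Authentication-Results header found.' }

    $find   = { param($p) [regex]::Match($line, $p, 'IgnoreCase').Groups[1].Value }
    $spf    = & $find '\bspf=(\w+)'
    $dkim   = & $find '\bdkim=(\w+)'
    $dmarc  = & $find '\bdmarc=(\w+)'
    $signer = & $find '\bdkim=\w+[^;]*?\bheader\.d=([^;\s]+)'

    # "Your domain as signer": d= must be the domain itself or a subdomain of it.
    $aligned = $signer -eq $Domain -or $signer -like "*.$Domain"
    [pscustomobject]@{
        Spf = $spf; Dkim = $dkim; DkimSigner = $signer; Dmarc = $dmarc
        DkimAligned = $aligned
        Pass = ($spf -eq 'pass' -and $dkim -eq 'pass' -and $dmarc -eq 'pass' -and $aligned)
    }
}

# Constructed sample headers (not captured from a real message).
$customSigned = @'
Received: from mail.example.net by mx.example.org; Mon, 1 Jan 2024 00:00:00 +0000
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=yourcompany.com; dkim=pass (signature was verified)
 header.d=yourcompany.com; dmarc=pass action=none header.from=yourcompany.com
Subject: Test message
'@
# Same message, but signed with a domain other than the sender's own.
$defaultSigned = $customSigned -replace 'header\.d=yourcompany\.com',
    'header.d=yourcompany.onmicrosoft.com'

Test-AuthResults -RawHeaders $customSigned  -Domain 'yourcompany.com'
Test-AuthResults -RawHeaders $defaultSigned -Domain 'yourcompany.com'
```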