Enable email notifications inside DotAlign through Microsoft 365
DotAlign can be set up to send notification alerts to inform admins of system issues, and business alerts to end users, using Microsoft Graph.
This article describes the steps that IT admins must follow to enable those notifications from a single designated account such as [email protected] using Microsoft 365.
Pre-requisites
Before you begin, here are some pre-requisites.
- Prepare the sending mailbox
  - Use a dedicated account such as [email protected].
  - It must be a licensed mailbox (using a license that allows for email message sending) or a licensed shared mailbox.
  - Ensure it is active and not hidden from the global address list, and has an appropriate display name (e.g., "DotAlign Notifications").
  - Optional: Disable interactive sign-in so the account is used only for automated purposes by your DotAlign applications. See below for detailed instructions.
  - Optional: Limit this mailbox to allow sending to only internal recipients. See below for detailed instructions.
- Verify administrative access
  Verify that the individual doing these steps has the following access rights:
  - Exchange Online Administrator rights to run PowerShell and create mail-flow rules.
  - Entra ID Administrator or Application Administrator rights to grant API consent.
If you need help configuring Exchange Online PowerShell, please see Setting up Exchange Online PowerShell.
Steps
- Locate the Client ID for the DotAlign app registration
  - In the Microsoft Entra ID portal, open App registrations > All applications.
  - Search for the text dotalign.
  - You should find an app registration named dotalign-<some_unique_string>. This app registration is used by your DotAlign apps.
  - Copy the Application ID (or Client ID). You will need it for the next step.
- Restrict sending to only the specified mailbox
  Use an Application Access Policy in Exchange Online to ensure DotAlign can send mail only from the designated mailbox.
  # Connect to Exchange Online with an Exchange administrator account
  Connect-ExchangeOnline -UserPrincipalName [email protected]
  $appId = "<APP-CLIENT-ID-OF-THE-DOTALIGN-APP>"
  $mailbox = "[email protected]"
  # RestrictAccess limits the app to the mailbox named in $mailbox
  New-ApplicationAccessPolicy `
      -AppId $appId `
      -PolicyScopeGroupId $mailbox `
      -AccessRight RestrictAccess `
      -Description "Allow DotAlign to send mail only from [email protected]"
- Grant the Microsoft Graph "Mail.Send" permission
  - In Microsoft Entra ID, open the same dotalign-<some_unique_string> app registration.
  - Go to API permissions > Add a permission > Microsoft Graph > Application permissions.
  - Add Mail.Send, then click Grant admin consent for <your organization>.
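To confirm that the Application Access Policy from the "Restrict sending to only the specified mailbox" step scopes the app as intended, the following check can be run in the same Exchange Online PowerShell session. It is an added example, not DotAlign's own script; the function name Test-DotAlignMailScope and the placeholder values are assumptions, and the control mailbox is any mailbox in the tenant that the app must not be able to use.

```powershell
# Added example (not part of DotAlign's documentation or tooling).
# Assumes Connect-ExchangeOnline has already been run in this session.
function Test-DotAlignMailScope {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $AppId,
        [Parameter(Mandatory)] [string]   $AllowedMailbox,
        [Parameter(Mandatory)] [string[]] $ControlMailboxes
    )

    # Expected outcome: Granted for the sending mailbox, Denied for every control mailbox.
    $expected = [ordered]@{ $AllowedMailbox = 'Granted' }
    foreach ($mbx in $ControlMailboxes) { $expected[$mbx] = 'Denied' }

    $results = foreach ($mbx in $expected.Keys) {
        # Evaluates the policy for this app and mailbox without sending any mail.
        $check = Test-ApplicationAccessPolicy -AppId $AppId -Identity $mbx -ErrorAction Stop
        [pscustomobject]@{
            Mailbox  = $mbx
            Expected = $expected[$mbx]
            Actual   = [string]$check.AccessCheckResult
            Pass     = ([string]$check.AccessCheckResult -eq $expected[$mbx])
        }
    }

    # Fail loudly if the app can reach a mailbox it should not, or cannot reach the sender.
    $failed = @($results | Where-Object { -not $_.Pass })
    if ($failed.Count -gt 0) {
        $results | Format-Table | Out-String | Write-Warning
        throw "Application Access Policy is not scoped as expected for: $($failed.Mailbox -join ', ')"
    }
    $results
}

# Placeholders: replace with your own values before running.
Test-DotAlignMailScope `
    -AppId            "<APP-CLIENT-ID-OF-THE-DOTALIGN-APP>" `
    -AllowedMailbox   "<DOTALIGN-SENDING-MAILBOX>" `
    -ControlMailboxes "<ANY-OTHER-MAILBOX-IN-THE-TENANT>"
```

Microsoft's documentation notes that changes to application access policies can take more than an hour to take effect in Microsoft Graph calls, even when Test-ApplicationAccessPolicy already reports the new result.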
Optional steps
- Disable interactive sign-in
  Add a mail-flow rule that blocks any attempt to send mail from [email protected] unless it originates from the DotAlign application itself.
  $appId = "<APP-CLIENT-ID-OF-THE-DOTALIGN-APP>"
  # Reject mail from the mailbox unless the Authentication-Results header contains the app's Client ID
  New-TransportRule `
      -Name "Restrict [email protected] to DotAlign app only" `
      -From "[email protected]" `
      -RejectMessageReasonText "Unauthorized sender: only DotAlign apps may send messages from this mailbox." `
      -ExceptIfHeaderContainsMessageHeader "Authentication-Results" `
      -ExceptIfHeaderContainsWords $appId
- Block external recipients
  - Go to the Exchange Admin Center.
  - Go to Mail flow > Rules > Add a rule > Create a new rule.
  - Configure:
    - Name: Restrict DotAlign sender to internal recipients
    - Apply this rule if… > The sender is > [email protected]
    - And… > The recipient is external/internal > choose External
    - Do the following… > Reject the message with the explanation: “This mailbox is restricted to internal recipients only.”
  - Save and enable.
The same steps can be achieved via PowerShell using the following command:
  # Reject any message from the mailbox that is addressed to a recipient outside the organization
  New-TransportRule `
      -Name "Restrict [email protected] to send to internal recipients only" `
      -From "[email protected]" `
      -SentToScope NotInOrganization `
      -RejectMessageReasonText "This mailbox can only send messages to internal recipients."