Skip to main content

Setting Up Direct Mail Injection (DMI) for Microsoft Phishing Simulations

Jeff Lee
Updated

Improve deliverability and eliminate the need to configure Phishing Simulation and Advanced Delivery settings.

M365 Direct Mail Injection is a secure, efficient alternative to using SMTP for delivering phishing simulations directly to users' inboxes in Microsoft 365. By leveraging the Microsoft Graph API, this method improves deliverability and eliminates the need to configure Phishing Simulation and Advanced Delivery settings. This guide walks you through the steps required to enable M365 Direct Mail Injection via Azure's API credentials.
 
 
Step 1: Access the Azure Portal
 
  1. Navigate to the Azure Portal 
  2. Go to Microsoft Entra ID 
    • Under "Azure Services," click on Microsoft Entra ID or use the direct link:
      Entra ID Overview.
 
 
Step 2: Register a New Application
 
  1. App Registration
    • In the Entra ID menu, click on + Add dropdown box and select App registration
    • Click New Registration
    • Enter the application NameDuneSecurity Direct Mail Injection
    • For Supported account types, select: Multiple Entra ID tenants
    • Check Allow all tenants.
    • Click Register.
 
 
 
Step 3: Add Required API Permissions
 
  1. Navigate to View API permissions
    • In the newly created app, click on API Permissions under the Manage section.
    • Add Permissions
      • Click Add Permission
      • Select Microsoft Graph.
    • Under the Application Permissions tab, add the following permissions
      • User.Read.All
      • Mail.ReadWrite 
      • Mail.Send
    • Click Add Permissions to confirm.
    • Click Grant Admin Consent to apply the permissions to the app.
 
 
 
Step 4: Create a Client Secret
 
  1. Create a Client Secret 
    • In the Certificates & secrets section under Manage. 
    • Click on New client secret
    • Provide a description (e.g., "Direct Mail Injection Secret"). 
    • Set the expiration period to 12 months
    • Click Add to generate the secret.
    • Copy the value to provide Dune
  2. Click on the Overview menu to display your information
    • Application (client) ID
    • Directory (tenant) ID
(Note: You won't be able to view this again, so save it securely!)
 
 
 
Step 6: Share Credentials with Dune Security
 
  1. Share the following credentials securely with Dune Security
  • Value
  • Application (client) ID
  • Directory (tenant) ID
 
 
Step 7: Adding Your Credentials to the Dune Portal
 
  1. To complete the configuration, login into the Dune application and follow the directions to "Set up Direct Mail Injection". 
  • Login Into Dune
  • Click on this link to the onboarding checklist page  
  • Click on Set up Direct Mail Injection 
  • From the Setup Direct Main Injection page:
  • Click on Microsoft Entra ID tile
  • From the Setup DMI with Entra ID page:
    • Click the Next button to advance through the configuration
    • As you click through, be prepared to enter the following information:
      • Value
      • Application (client) ID
      • Directory (tenant) ID
    • Once configured, log into Dune platform to begin sending simulations

 

Optional: SMTP Setup for Microsoft Phishing Simulations

Direct Mail Injection is the recommended delivery method for Microsoft 365 phishing simulations. However, if your organization is unable to use DMI, Dune also supports SMTP-based delivery.

SMTP requires additional mail flow and allowlisting configuration in Microsoft 365 to ensure simulation emails are delivered successfully and are not blocked or filtered by Microsoft Defender, Exchange Online Protection, or other email security controls.

To configure SMTP for Microsoft phishing simulations, follow the setup guide here:

Setting Up Simple Mail Transfer Protocol (SMTP) for Microsoft Phishing Simulations

Once SMTP configuration is complete, log in to the Dune platform and send a test simulation to confirm delivery.

 

Related articles

Comments

0 comments

Please sign in to leave a comment.