Using Entra ID (previously Azure Active Directory) to set up valid email addresses

SpamHero connects to Entra ID (previously known as Azure Active Directory) via the Microsoft Graph API. For that connection, you will need the following:

  • Application (client) ID
  • Directory (tenant) ID
  • Application secret
  • Correct permissions set for the API key

Creating the API key/application

  1. Open the Entra ID portal.
  2. Click Applications > App registrations on the left.
  3. Click the New registration text near the top of the page that opens.

    If you are using the Azure portal, click the View button in the Manage Azure Active Directory box, scroll to the bottom, and click Add application registration.

  4. Pick a user-facing name. If you are a reseller, do not include SpamHero in the name. For example, you could call it Spam Filter.
  5. For the Supported account type, select Accounts in this organizational directory only (Single tenant).
  6. Leave the Redirect URI blank, and click Register.

Getting the application ID and directory ID

On the Overview screen (shown immediately after finishing the steps above), you'll find the Application (client) ID and the Directory (tenant) ID. Copy both down.


Getting the application secret

  1. Click Certificates & secrets on the left.
  2. Add a new secret.
  3. Set a name and expiration of your choosing.
  4. Copy the value. This is your Application secret. You won't be able to copy it later, so be sure to save it somewhere.

Adding the correct permissions

For SpamHero to be able to get data about your users, you will need to give this API key the User.Read.All permission (the default User.Read permission is not sufficient).

To add this permission:

  1. Click API permissions on the left.
  2. Click Add a permission.
  3. Select Microsoft Graph.
  4. Click Application permissions.
  5. Search for User.Read.All.
  6. Click the little arrow to the left of User (the User text itself is not clickable).
  7. Check the User.Read.All checkbox that appears.
  8. Click Add permissions.
  9. Click Grant admin consent for {your domain} (this doesn't look like clickable text, but it is).

No other permissions are required; you can remove all other permissions.


Syncing a single group within Entra ID / Azure AD

If you want to sync a single group instead of all users, change the "sync URL" (in your sync settings in the SpamHero control panel) to this:

https://graph.microsoft.com/v1.0/groups/GROUP_ID_HERE/members?$select=displayName,mail,proxyAddresses,otherMails

Replace GROUP_ID_HERE with the ID of the group you want to sync.

You can also set the "Quarantine user sync url" to this URL (after checking the "Automatically create quarantine logins" and "Use a separate sync URL to..." checkboxes). Quarantine users are then created only for members of that single group, while all found users are still synced as email recipients.
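To check the registration before entering it into SpamHero, the following added example (not SpamHero's code) requests an app-only token with the three values collected above, reports any permission missing or beyond User.Read.All, and lists the addresses the group sync URL returns. The environment variable names and helper names are hypothetical, and it assumes the access token is a JWT whose roles claim lists the granted application permissions.

```python
import base64, json, os, urllib.parse, urllib.request

REQUIRED = {"User.Read.All"}  # the only permission the page asks for
SYNC_URL = ("https://graph.microsoft.com/v1.0/groups/{gid}/members"
            "?$select=displayName,mail,proxyAddresses,otherMails")

def token_request(tenant_id, client_id, secret):
    """Build the OAuth 2.0 client-credentials token request (app-only)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": secret, "scope": "https://graph.microsoft.com/.default"}
    return url, urllib.parse.urlencode(form).encode()

def audit_roles(access_token):
    """Return (missing, excess) permissions from the token's 'roles' claim.
    Assumption: the token is a JWT; decoded for inspection, signature not verified."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    roles = set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))
    return REQUIRED - roles, roles - REQUIRED

def smtp_addresses(member):
    """Addresses found in the selected fields; proxyAddresses entries carry
    a type prefix (SMTP: primary, smtp: alias), other types are skipped."""
    found = {member.get("mail"), *(member.get("otherMails") or [])}
    for entry in member.get("proxyAddresses") or []:
        kind, _, addr = entry.partition(":")
        if kind.lower() == "smtp":
            found.add(addr)
    return sorted({a.lower() for a in found if a})

def get_json(url, data=None, token=None):
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    req = urllib.request.Request(url, data=data, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

# Live check: runs only when the (hypothetical) env vars are set.
if __name__ == "__main__" and "TENANT_ID" in os.environ:
    env = os.environ
    url, body = token_request(env["TENANT_ID"], env["CLIENT_ID"], env["CLIENT_SECRET"])
    token = get_json(url, data=body)["access_token"]
    missing, excess = audit_roles(token)
    print("missing:", sorted(missing), "excess:", sorted(excess))
    page = SYNC_URL.format(gid=env["GROUP_ID"])
    while page:  # follow @odata.nextLink until the last page
        result = get_json(page, token=token)
        for member in result.get("value", []):
            print(member.get("displayName"), smtp_addresses(member))
        page = result.get("@odata.nextLink")
```

An empty "missing" and an empty "excess" list mean the token carries exactly the permission this page requires.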

Last updated November 28, 2023