Part 1: Register the Entra ID Application

To enable Cloudmersive Email Protection for selected users, and to limit permissions to only those users, follow these steps. The Cloudmersive Email Protection service will only have access to the emails of members of this security group.

• First, navigate to Entra ID, Manage, App Registrations and click on New Registration.
• Name the application CloudmersiveEmailProtect and under account type click on Single Tenant. Click on Register.
• Under this application, click on API permissions and Add a Permission, then Microsoft Graph, then Delegated permissions then select User.Read
• The following step is recommended - but not required; it is required to use the Sync From Group feature. Under this application, click on API permissions and Add a Permission, then Microsoft Graph, then Application permissions then select GroupMember.Read.All and User.Read.All.
• Click Grant admin consent for cloudmersive.com
• Under this application, click on Certificates and Secrets and Client Secrets and then New Client Secret. We recommend selecting a long expiration. Be sure to note down the expiration date of the expiration as the key will need to be rotated, and the settings for Cloudmersive Email Protection will need to be updated prior to this date.

Part 2: Create the Security Group and Scoped Permissions

• Open a new browser tab and navigate to the Exchange Admin Center. Click on Groups, and then Mail-enabled Security. Click on Add a group. Under group type, select Mail-enabled security. Name the group CloudmersiveEmailProtect. Assign at least one owner including yourself; note that an owner is not a member. Add the appropriate members; these are the users who will have email protection enabled. Note that you can also add Shared Mailboxes as members if needed. Select an appropriate alias. Enable Require owner approval to join the group. Click Create Group.
• At the top of the screen in Exchange Admin Center click on Cloud Shell. Execute this command:

Connect-ExchangeOnline

• Now execute this command:

$g = Get-Group -Identity "CloudmersiveEmailProtect"

• Now we will create the management scope that corresponds with this group:

New-ManagementScope -Name "Scope-CloudmersiveEmailProtect" `
  -RecipientRestrictionFilter "((RecipientTypeDetails -eq 'UserMailbox') -or (RecipientTypeDetails -eq 'SharedMailbox')) -and (MemberOfGroup -eq '$($g.DistinguishedName)')"

• Now run this command, but fill in the Client ID for the application we created previously:

$appId = "YOUR-APPLICATION-CLIENT-ID-HERE"

• In your other Entra ID tab go to the Entra ID home then Enterprise Applications then CloudmersiveEmailProtectProd and copy the Object ID. Now go back to your Exchange Admin Center, Cloud Shell tab, and paste in the following command filling in the Object ID:

$spObjectId = "YOUR-OBJECT-ID-HERE"

• Now execute this command:

New-ServicePrincipal -AppId $appId -ObjectId $spObjectId -DisplayName "CloudmersiveEmailProtectPrincipal"

• Now execute this command to grant mail read and write permissions to the application, but only to this user group scope:

New-ManagementRoleAssignment   -Name "AppMailReadWrite-AllowedGroup"   -App $spObjectId   -Role "Application Mail.ReadWrite"   -CustomResourceScope "Scope-CloudmersiveEmailProtect"

• Now execute this command to grant mail settings read and write (used to create and manage mail categories) to the application, but only to this user group scope:

New-ManagementRoleAssignment   -Name "AppMailSettingsReadWrite-AllowedGroup"   -App $spObjectId   -Role "Application MailboxSettings.ReadWrite"   -CustomResourceScope "Scope-CloudmersiveEmailProtect"

Part 3: Configure the Integration Server in the Cloudmersive Management Portal

Now that the Entra ID application is registered and scoped permissions are in place, configure the Integration Server to use these credentials and begin scanning email.

Step 1: Open the Integration Server Configuration Page

• Log in to the Cloudmersive Management Portal.
• Navigate to Email Protection and click on Manage... next to the appropriate endpoint.

Step 2: Configure Exchange Credentials

• On the Integration Server configuration page, click the Configure Exchange Credentials button.

• Fill in the following fields using the values from Part 1 and Part 2:

• Graph Tenant ID: In your Entra ID tab, go to App Registrations, click on CloudmersiveEmailProtect, and copy the Directory (tenant) ID from the Overview page.

• Graph Client ID: On the same Overview page, copy the Application (client) ID. This is the same Client ID you used in the $appId variable above.

• Graph Secret: The client secret Value you copied when you created the secret in Part 1. If you did not save it, you will need to create a new client secret under Certificates and Secrets.

• Email Domain: Your primary email domain name, e.g. yourdomain.com.

• Graph Base URL (Optional): Leave blank to use the default Microsoft Graph endpoint. Only set this if you are using a sovereign or government cloud (e.g. https://graph.microsoft.us/v1.0 for GCC High).

• (Optional) If you want to quarantine unsafe emails to Azure Blob Storage, fill in the Azure Blob Quarantine section:

• Connection String: In the Azure portal, open your Storage Account, go to Security + networking > Access keys, click Show next to key1 or key2, and copy the Connection string.

• Container Name: In the same Storage Account, go to Data storage > Containers and copy the name of the container you want to use for quarantine. Create one first if needed.

• Click Save Configuration. You will be redirected back to the main configuration page.

Step 3: Enable Exchange Online Integration

• Back on the main Integration Server configuration page, check the Enable Exchange Online Integration checkbox.

Step 4: Configure Virus Scanning Policy

• Under Scanning Policies > Virus Scanning, set the Scanning Mode dropdown:

  • Enabled - Advanced Virus Scan -- Scans all email attachments for viruses, malware, executables, macros, unsafe archives, and other file-based threats. (Recommended)
  • Disabled -- Skip virus scanning.

• (Optional) If you want to restrict attachments to specific verified file formats, enter a comma-separated list in the Restrict File Types field with no spaces, for example: .pdf,.docx,.xlsx,.png,.jpg

Step 5: Configure AI Spam and Phishing Detection Policy

• Under Scanning Policies > AI Spam and Phishing Detection, set the Scanning Mode dropdown:

  • Enabled - Advanced Phishing and Spam Scan -- Full AI-powered detection of phishing, spam, fraud, and social engineering. (Recommended)
  • Enabled - Advanced Spam Scan -- Scan for spam content only, without phishing detection.
  • Disabled -- Skip spam and phishing scanning.

Step 6: Configure User Experience

• Under User Experience, optionally check Show 'In Progress' tag while scanning is active.
• When enabled, users will see a purple "Scanning In Progress for Security" tag on an email while it is being scanned. The tag is automatically removed when scanning completes.

Step 7: Configure the Integration Server Connection

• Under Integration Server Connection, fill in the Inbound Endpoint field with the publicly-reachable HTTPS URL of your Integration Server, for example https://integration.yourdomain.com.
• This is the URL that Microsoft Graph will send webhook notifications to when new emails arrive. The Integration Server must be reachable from the public internet at this address.

Step 8: Configure the Cloudmersive API Connection

• Under Cloudmersive Connection, fill in the following fields:

• API Key: Your Cloudmersive API Key. You can find this on the API Keys page in the Cloudmersive Management Portal.

• API Basepath: Your Cloudmersive API endpoint URL. You can find this on the Managed Instance, Private Cloud, or API Endpoints page in the Cloudmersive Management Portal.

• API Timeout: The timeout in milliseconds for calls to the Cloudmersive API. Recommended: 300000 (5 minutes).

Step 9: Save and Push Configuration

• Click Save Configuration to save all settings.
• Navigate back to the deployment management page for your Integration Server node.
• Click Push Configuration to deploy the updated configuration to the running server.