Microsoft Azure Configuration Guide for Connecting to Selma
Overview
This guide helps IT administrators configure their organization's Microsoft Azure environment so that users can connect their email accounts to Selma. Selma has already registered the application that your users will connect to, but your Azure tenant may need specific configuration to allow this connection.
Step 1: Enable User Consent for the Selma Application
For your users to be able to connect their Microsoft accounts to Selma, you need to ensure that user consent is enabled in your Azure Active Directory:
- Sign in to the Azure Portal as a Global Administrator
- Navigate to Azure Active Directory
- Select Enterprise applications from the menu
- Click on User settings
- Under Enterprise applications, review the "Users can consent to apps accessing company data on their behalf" setting
  - If set to Yes, individual users can provide consent to Selma
  - If set to No, you will need to provide admin consent (see Step 2)
Step 2: Configure Mail Flow Permissions
Ensure that your Microsoft Exchange Online settings allow Selma to connect:
- Sign in to the Microsoft 365 admin center
- Navigate to Settings > Org Settings
- Select the Security & Privacy tab
- Check that there are no mail flow rules that would block authentication to third-party applications
Step 3: Check Microsoft Defender for Cloud Apps Policies (if applicable)
If your organization uses Microsoft Defender for Cloud Apps:
- Sign in to the Microsoft 365 security center
- Navigate to Cloud Apps > Policies
- Review your policies to ensure they don't block users from connecting to Selma
- Consider adding Selma to your list of approved applications
Step 4: Set Up Modern Authentication (if not already enabled)
Modern authentication should be enabled for your Exchange Online tenant:
- Sign in to the Exchange admin center
- Navigate to Settings > Organization
- Ensure that Modern authentication is enabled
Step 5: Check Mail Access Policies
Ensure that your organization's Conditional Access policies don't inadvertently block Selma:
- In the Azure Portal, navigate to Azure Active Directory
- Select Security > Conditional Access
- Review your policies to ensure they don't restrict access to mail APIs for third-party applications
- If necessary, create exceptions for the Selma application (using the client ID provided by Selma support)
User Connection Process
Once you've completed the necessary configurations, your users will be able to connect to Selma by:
- Logging into Selma
- Selecting the Microsoft (Outlook/Office 365) option for connecting their email
- Authenticating with their Microsoft credentials
- If admin consent has not been pre-approved, they will need to approve the permissions requested by Selma
- After successful authorization, their email account will be connected to Selma
Required Permissions
For your information, Selma requests the following permissions from Microsoft:
- Read user mail
- Send mail as the user
- Read user profile
- Maintain access through refresh tokens
These permissions are necessary for Selma to provide its service, which includes reading emails and sending emails on behalf of your users.
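To confirm that what was actually consented to in your tenant matches the list above, you can audit the delegated permission grants held by the Selma service principal. The following is an added example, not code from Selma or Microsoft: it checks a constructed sample shaped like a Microsoft Graph oauth2PermissionGrants response. The scope names in EXPECTED_SCOPES are an assumed mapping of the four permissions listed above, and all IDs are placeholders.

```python
import json

# Assumption: Microsoft Graph scope names matching the four permissions listed
# above. Confirm the exact scopes on the consent prompt or with Selma support.
EXPECTED_SCOPES = {"Mail.Read", "Mail.Send", "User.Read", "offline_access"}

# Constructed sample in the shape of a Microsoft Graph oauth2PermissionGrants
# response. All IDs are placeholders, not real values.
SAMPLE_GRANTS = json.loads("""
{"value": [
  {"id": "grant-1", "clientId": "SELMA-SP-OBJECT-ID", "consentType": "Principal",
   "principalId": "user-a", "resourceId": "graph-sp", "scope": "Mail.Read Mail.Send User.Read offline_access"},
  {"id": "grant-2", "clientId": "SELMA-SP-OBJECT-ID", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "graph-sp", "scope": " User.Read Mail.ReadWrite "},
  {"id": "grant-3", "clientId": "OTHER-APP", "consentType": "Principal",
   "principalId": "user-b", "resourceId": "graph-sp", "scope": "Files.Read.All"}
]}
""")


def audit_grants(grants, client_sp_id, expected=EXPECTED_SCOPES):
    """Return one finding per delegated grant held by the given service principal."""
    findings = []
    for g in grants.get("value", []):
        if g.get("clientId") != client_sp_id:
            continue  # grant belongs to a different application
        scopes = set((g.get("scope") or "").split())
        tenant_wide = g.get("consentType") == "AllPrincipals"
        findings.append({
            "grant_id": g.get("id"),
            "covers": "all users (admin consent)" if tenant_wide else g.get("principalId"),
            "unexpected": sorted(scopes - expected),  # broader than documented
            "missing": sorted(expected - scopes),     # not yet consented
        })
    return findings


def needs_review(findings):
    """IDs of grants that carry scopes outside the documented set."""
    return [f["grant_id"] for f in findings if f["unexpected"]]


if __name__ == "__main__":
    report = audit_grants(SAMPLE_GRANTS, "SELMA-SP-OBJECT-ID")
    for f in report:
        print(f)
    print("review:", needs_review(report))
```

A grant with consentType AllPrincipals applies to every user in the tenant, so any unexpected scope on such a grant deserves review before the others.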
Troubleshooting Connection Issues
If your users encounter problems connecting their Microsoft accounts:
Authorization Failures
- Ensure that consent settings are properly configured in your Azure AD tenant
- Check for restrictive Conditional Access policies
Connection Timeouts
- Verify that there are no network restrictions blocking connections to Microsoft authentication endpoints
"Admin Approval Required" Messages
- This usually indicates that admin consent has not been granted and user consent is disabled
- Follow Step 2 to provide admin consent for your organization
Other Issues
If users continue to experience connection problems, please contact Selma support with:
- The specific error message the user is receiving
- Your Azure AD tenant ID
- Confirmation of which steps in this guide you have completed
Support
If you need assistance with these configurations, please contact Selma support or your Microsoft administrator.