Crow Canyon Email Sync: Use Graph API to read emails

Applies to: SharePoint Online

Description

The Email Sync app syncs emails from a Microsoft Exchange mailbox to a list in SharePoint Online. SharePoint Online doesn’t have built-in functionality similar to Announcements lists in on-premises SharePoint, where emails sent to a particular address are automatically added to the list. You can read more about Email Sync here and here.

To access the mailbox to read emails, there are two options:

  1. Specify the username and password to access the mailbox. UPDATE October 1, 2022 – This method is now deprecated by Microsoft and Graph API is the preferred option.
  2. Enable Microsoft Graph API access so that Crow Canyon App can access the mailbox using OAuth.

This article describes the steps to configure Graph API access for Email Sync. Before granting permissions, follow the steps below so that the API has access only to the required mailboxes.

Steps to grant permissions only to required mailboxes

Performing these steps ensures that the Crow Canyon Email API never has access to all mailboxes in your tenancy. The restriction to specific mailboxes is applied before permissions are granted to the API.

API permissions can be scoped to specific mailboxes as per the instructions in this Microsoft article. The AppId to use is “1c4f8870-3aab-4882-a733-f05081a17655”. The steps are also given below.

  • Create a mail-enabled group in your O365 admin center, e.g. “CrowCanyonEmailAPIAccess”. Note that this step requires administrator privileges on your O365 subscription.
  • Add the required mailboxes (one or more) to this group
  • Connect to Exchange Online PowerShell. For details, see Connect to Exchange Online PowerShell
  • Run the command below, replacing CrowCanyonEmailAPIAccess@yourdomain.com with the email ID of the group created above. Note that changes to application access policies can take up to 30 minutes:
    • New-ApplicationAccessPolicy -AppId 1c4f8870-3aab-4882-a733-f05081a17655 -PolicyScopeGroupId CrowCanyonEmailAPIAccess@yourdomain.com -AccessRight RestrictAccess -Description "Restrict Crow Canyon Email API app access to members of distribution group CrowCanyonEmailAPIAccess."
  • Verify that mailbox accounts added to the group can be accessed by the Graph API. Replace <mailbox email> below with the email ID of the mailbox:
    • Test-ApplicationAccessPolicy -Identity <mailbox email> -AppId 1c4f8870-3aab-4882-a733-f05081a17655
  • Verify that any other mailbox account that is not in the “CrowCanyonEmailAPIAccess” group cannot be accessed by the Graph API. Replace <mailbox email> below with the email of a mailbox that is not in the group:
    • Test-ApplicationAccessPolicy -Identity <mailbox email> -AppId 1c4f8870-3aab-4882-a733-f05081a17655
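
The two verification steps above can be scripted so that both the allowed and the denied case are checked before consent is granted. This is an added example, not Crow Canyon's or Microsoft's code; it assumes an already connected Exchange Online PowerShell session, and the mailbox addresses are placeholders to replace with your own.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run with an
# account allowed to read application access policies.
$AppId = '1c4f8870-3aab-4882-a733-f05081a17655'   # AppId given in this article

# Placeholder addresses: replace with real mailboxes from your tenant.
$InScope    = @('helpdesk@yourdomain.com')   # members of CrowCanyonEmailAPIAccess
$OutOfScope = @('someuser@yourdomain.com')   # NOT members of the group

# 1. Confirm a RestrictAccess policy exists for this AppId before testing.
$policy = Get-ApplicationAccessPolicy |
    Where-Object { $_.AppId -eq $AppId -and "$($_.AccessRight)" -eq 'RestrictAccess' }
if (-not $policy) {
    throw "No RestrictAccess policy found for AppId $AppId; do not grant consent yet."
}

# 2. Run Test-ApplicationAccessPolicy per mailbox and compare with expectation.
function Test-Scope {
    param([string[]]$Mailboxes, [string]$Expected)
    foreach ($mbx in $Mailboxes) {
        $r = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
        [pscustomobject]@{
            Mailbox  = $mbx
            Expected = $Expected
            Actual   = "$($r.AccessCheckResult)"
            Ok       = ("$($r.AccessCheckResult)" -eq $Expected)
        }
    }
}

$results = @(Test-Scope -Mailboxes $InScope    -Expected 'Granted') +
           @(Test-Scope -Mailboxes $OutOfScope -Expected 'Denied')
$results | Format-Table -AutoSize

# 3. Stop on any mismatch. A 'Granted' result for an out-of-scope mailbox means
#    the app could read a mailbox it should not.
$bad = @($results | Where-Object { -not $_.Ok })
if ($bad.Count -gt 0) {
    throw "Policy scope mismatch for: $($bad.Mailbox -join ', ')"
}
Write-Output 'Application access policy scope verified.'
```

If a mismatch appears right after the policy is created or the group membership is changed, wait for the propagation period noted above and run the check again.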

Steps to grant permissions

1. Navigate to Email Sync app

2. Create a new configuration or edit an existing one for which API access is to be configured

3. Select “Microsoft Graph API Access” in “Connection Settings for Microsoft Exchange Server” in Email Sync as shown below:

4. Click ‘Grant Access’ in “Connection Settings for Microsoft Exchange Server” section to allow API access to mailboxes.

5. The “Grant permissions” link opens a pop-up. Use an account with admin privileges to grant the required permissions. Click the “Accept” button to grant permissions.

Note that the grant permissions dialog may still say that permissions are being granted to all mailboxes, but the API is already restricted to only the mail-enabled security group configured above.

6. Click ‘Test Connection’ to verify the access. If it doesn’t work immediately after granting the permissions, wait a few minutes and try again:

Note: If permissions are not granted, the test connection will result in the following error:

7. Save the configuration and wait for about 15 minutes. Send a mail to verify that Email Sync is working. Note that only new emails are moved to SharePoint; emails that existed before the configuration was saved are not moved.

8. Existing configurations that use mailbox credentials can be moved to the new Graph API based access by editing the configuration.