How to use Graph API for sending mails from NITRO Workflow Manager

Applies to: SharePoint Online NITRO Workflows


NITRO Workflows by default uses SendGrid service for outgoing emails. This can sometimes cause mail delivery issues as SendGrid server IPs may not be trusted by receiving server. Also, mails originating outside of receiving server but with sender address of internal domain has chances of being considered a spam mail.

To avoid these issues, NITRO workflows now has the following options to send mails.

  1. Mailbox Settings: Refer instructions in this article for overall mail flow and mailbox configurations
  2. Microsoft Graph API: Described in current article

In case mail delivery by Mailbox / Graph API fails for any reason then SendGrid is used as backup. This can be configured at the site level in Workflow Manager. All workflows configured in the site will use the same settings for outgoing mails.


1.Navigate to NITRO Workflows app

2. Click gear icon next to the “New Workflow” button to bring up the site settings popup

3. Go to “Microsoft Graph API” tab and enable “Use Graph API” setting as shown below:

4. Click “Grant Permissions” in “Graph API Settings” section to allow API access to mailboxes.

5. “Grant Permissions” link will open a pop-up. Please use an account with administrator privileges for your Office 365 subscription to grant the required permissions. Click “Accept” button to grant permissions.

Note: Above step will initially grant permissions on all mailboxes. These permissions can be scoped to specific mailboxes as per instructions in this Microsoft article. AppId to be used for this is “1c4f8870-3aab-4882-a733-f05081a17655”. Please find the detailed steps from below.

  • Create a mail enabled group in your O365 admin center . Note that this steps requires administrator privileges on your O365 subscription. E.g. “CrowCanyonEmailAPIAccess
  • Add the required mailboxes (one or more) to this group
  • Connect to Exchange Online PowerShell. For details, see Connect to Exchange Online PowerShell
  • Run below command, note that changes to application access policies can take up to 30 minutes. Replace below with the email Id of the group created above:
    • New-ApplicationAccessPolicy -AppId 1c4f8870-3aab-4882-a733-f05081a17655 -PolicyScopeGroupId -AccessRight RestrictAccess -Description "Restrict Crow Canyon Email API app access to members of distribution group CrowCanyonEmailAPIAccess."
  • Verify that mailbox accounts added to the group can be accessed by Graph API. Replace <mailbox email> below with email Id of the mailbox:
    • Test-ApplicationAccessPolicy -Identity <mailbox email> -AppId 1c4f8870-3aab-4882-a733-f05081a17655
  • Verify that any other mailbox account that is not in “CrowCanyonEmailAPIAccess” group cannot be accessed by Graph API.  Replace <mailbox email> below with email of mailbox that is not in the group:
    • Test-ApplicationAccessPolicy -Identity <mailbox email> -AppId 1c4f8870-3aab-4882-a733-f05081a17655

6. Enter the email address and click “Test Mail” button. This will send a test mail using the configured email address. Next, click “Save” button to save the configurations.

Note: Graph API only supports emails up to about 3 MB size (mail content plus attachments size).  If email size is more than 3 MB, then mail will be sent via Mailbox / SendGrid. Due to this it is recommended to also have Mailbox and SendGrid enabled in the settings.