Menu

DMI Configuration Guide

Avatar
Anisi Rouleau
Updated
Follow

What is Direct Message Injection?

The Direct Message Injection (DMI) feature eliminates the need to whitelist simulated phishing emails by bypassing email filtering rules and placing emails directly into your users’ inboxes. DMI works by creating a secure link between your KnowBe4 console and your Microsoft 365 account.

This secure connection is created by authorizing the DMI application in Azure. DMI will be connected to your Microsoft 365 account as an Enterprise Application. Once authorized, DMI uses the Microsoft Exchange Web Services (EWS) API to place simulated phishing emails directly into users’ inboxes.

Use the links below to learn more about this feature. You can also watch our Direct Message Injection video for a visual overview.

Jump to:

Connect DMI to Microsoft 365

Enable DMI
 Troubleshoot a Failed Connection
 Disconnect DMI from Microsoft 365

 

Connect DMI to Microsoft 365

To use DMI, you’ll first need to connect your KnowBe4 and Microsoft 365 accounts and then enable DMI for your domains. Follow these steps to securely connect your KnowBe4 console to your Microsoft 365 account:

  1. Log in to your KnowBe4 account and click your email in the top-right corner.
  2. Select Account Settings and navigate to the Direct Message Injection section.
  3. Click the Connect to Microsoft 365 button.
  4. You will be directed to a Microsoft login page. Log in to your Microsoft account. 
  5. Carefully review the permissions requested to grant KnowBe4 access to your Microsoft 365.
  6. If you agree to these permissions, click Accept.
  7. You will be taken back to your Account Settings page where you can continue by enabling DMI.

Back to Top

 

Required Admin Roles

To authorize your DMI connection, your Microsoft 365 user will need to be assigned the following roles:

  • Application Impersonation found in your Microsoft 365 Exchange Admin Center.
  • Application Administrator found in your Azure Portal. 
  • Exchange Administrator also found in your Azure Portal.

Click on a tab below for instructions on how to enable these permissions in the respective Microsoft 365 tool.

To enable the Application Impersonation role, follow the steps below.

  1. Log in to your Microsoft 365 Exchange Admin Center.
  2. From the menu on the left, click Roles to expand the menu and then select Admin Roles.
  3. From the list of roles that displays, select Application Impersonation.
    • If this role is not listed, click here for instructions on how to add the role. 
  4. From the panel that displays on the right, click on the Assigned tab.
  5. Click the Add button and search for the users who should be assigned this role.
  6. Select your users and then click the Add button at the bottom of the page. 

To enable the Application Administrator and Exchange Administrator roles, follow the steps below.

  1. Log in to your Azure Portal.
  2. Under the Azure Services header, select Users.
  3. Click on the user who should be assigned these roles.
  4. From the menu on the left, click Assigned Roles.
  5. On the Active Assignments tab, find the Application Administrator and Exchange Administrator roles and set these to active. 
    If these roles are not listed, click here for instructions on how to add the roles. 

 

Back to Top

 

Requested Permissions

After logging into your Microsoft 365 account, you will see the permissions request below:

To ensure a safe and secure connection, DMI must use EWS to connect to your users’ inboxes. While the permissions for an EWS connection include the ability to read, send, and delete emails as well as configure mailbox settings, DMI will only use this connection to place emails into your users’ inboxes.

Important:

DMI will never read emails, delete emails, or alter your organization’s mailbox settings in any way.

Accepting these permissions means that you understand and agree to KnowBe4’s terms of service and privacy statement.

Back to Top

 

Enable DMI

Once your KnowBe4 console is connected to your Microsoft 365 account, follow these steps to enable DMI:

    1. Start from the Direct Message Injection section of your Account Settings.
    2. Click on DMI Settings to expand the settings panel.
    3. Check the box labeled Enable DMI for the selected domains.
    4. Select one or more domains by either typing the domain name or selecting it from the drop-down list. 
      • DMI will only be enabled for Microsoft 365 users whose primary email address matches the selected domains.
    5. In the box labeled If the DMI connection fails, send a notification to, enter the email addresses of anyone who should be notified in the event this connection fails.
      • The email addresses entered here do not have to match the domains entered in step 4. 
    6. Once you are satisfied with your settings, click the Save DMI Settings button.

Once enabled, DMI will be listed as an Enterprise Application in your Azure portal where you can view the granted permissions and usage logs.

Note:

If your admin email address matches the domains selected here, DMI will also be used to deliver emails sent using our Send Me a Test Email feature. 

Back to Top

 

Troubleshoot a Failed Connection

If the Exchange Web Service token connecting your KnowBe4 console and your Microsoft 365 account becomes invalid, the DMI connection will fail.

Any phishing campaign emails that were scheduled to be delivered using DMI will not be sent.

Reconnect your Microsoft 365 account by following the instructions outlined in the Connect DMI to Microsoft 365 section above. If you have trouble reconnecting, please contact support.   

Back to Top

 

Disconnect DMI from Microsoft 365

If you no longer wish to use DMI, we recommend removing the connection between your KnowBe4 console and your Microsoft 365 account by following the steps below:

    1. Log in to your KnowBe4 account and click your email in the top-right corner.
    2. Select Account Settings and navigate to the Direct Message Injection section.
    3. Click on the Remove Microsoft 365 Connection button.
    4. When the confirmation message opens, click Confirm.

If you choose to reenable DMI in the future, you will have to grant KnowBe4 access again as outlined in the Connect DMI to Microsoft 365 section above.

If you no longer have access to your KnowBe4 account and would like to disconnect DMI from your Microsoft 365 account, please contact support.

Back to Top

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Related articles