What is Direct Message Injection?
The Direct Message Injection (DMI) feature eliminates the need to whitelist simulated phishing emails by bypassing email filtering rules and placing emails directly into your users’ inboxes. DMI works by creating a secure link between your KnowBe4 console and your Microsoft 365 account.
This secure connection is created by authorizing the DMI application in Azure. DMI will be connected to your Microsoft 365 account as an Enterprise Application. Once authorized, DMI uses the Microsoft Exchange Web Services (EWS) API to place simulated phishing emails directly into users’ inboxes.
Note:
At this time, DMI is only compatible with public instances of Microsoft Azure. Due to the permissions required, DMI cannot be used with Microsoft GCC High and DoD.
Use the links below to learn more about this feature. You can also watch our Direct Message Injection video for a visual overview.
Connect DMI to Microsoft 365
To use DMI, you’ll first need to connect your KnowBe4 and Microsoft 365 accounts and then enable DMI for your domains. Follow these steps to securely connect your KnowBe4 console to your Microsoft 365 account:
- Log in to your KnowBe4 account and click your email in the top-right corner.
- Select Account Settings and navigate to the Direct Message Injection section.
- Click the Connect to Microsoft 365 button.
- You will be directed to a Microsoft login page. Log in to the Microsoft account that will be responsible for DMI authorization.
  - Be sure the Required Admin Roles are assigned to the DMI authorization account.
- Carefully review the permissions requested to grant KnowBe4 access to your Microsoft 365.
  - For more information, see the Requested Permissions section below.
- If you agree to these permissions, click Accept.
- You will be taken back to your Account Settings page where you can continue by enabling DMI.
Required Admin Roles
We recommend creating an admin account specifically for DMI authorization. Your DMI authorization account will need to be assigned the following roles:
- Application Impersonation, found in your Microsoft 365 Exchange Admin Center.
- Application Administrator, found in your Azure Portal.
Note:
If you use an existing account for DMI authorization, you will still need to assign the permissions listed above, even if the account is already assigned a high-level role, such as Global Administrator.
The instructions below explain how to enable these permissions in the respective Microsoft 365 tool.
To add and enable the Application Impersonation role, follow the steps below.
- Log in to your Microsoft 365 Exchange Admin Center.
- From the menu on the left, click Roles to expand the menu and then select Admin Roles.
- Click on the Add Role Group button at the top of the Admin Roles page.
- On the page that opens, enter a name and description for the new role group and then click Next.
- On the Add Permissions page, select Application Impersonation and then click Next.
- Select the user account that will be responsible for DMI authorization and then click Next.
- Review your selections, and then click Add Role Group.
To enable the Application Administrator role, follow the steps below.
- Log in to your Azure Portal.
- Under the Azure Services header, select Users.
- Click on the user account that will be responsible for DMI authorization.
- From the menu on the left, click Assigned Roles.
- On the Eligible Assignments tab, find Application Administrator and set the role to active.
If Application Administrator is not listed, follow the steps below.
- Click on the Add Assignments button at the top of the page.
- From the drop-down menu, select the Application Administrator.
- For the scope type, select Directory and then click Next.
- For the assignment type, select Active.
- Click Assign to assign this role to the selected user.
Requested Permissions
After logging into your Microsoft 365 account, you will see the permissions request below:
To ensure a safe and secure connection, DMI must use EWS to connect to your users’ inboxes. While the permissions for an EWS connection include the ability to read, send, and delete emails as well as configure mailbox settings, DMI will only use this connection to place emails into your users’ inboxes.
Important:
DMI will never read emails, delete emails, or alter your organization’s mailbox settings in any way.
Accepting these permissions means that you understand and agree to KnowBe4’s terms of service and privacy statement.
Enable DMI
Once your KnowBe4 console is connected to your Microsoft 365 account, follow these steps to enable DMI:
1. Start from the Direct Message Injection section of your Account Settings.
2. Click on DMI Settings to expand the settings panel.
3. Check the box labeled Enable DMI for the selected domains.
4. Select one or more domains by either typing the domain name or selecting it from the drop-down list.
   - DMI will only be enabled for Microsoft 365 users whose primary email address matches the selected domains.
5. In the box labeled If the DMI connection fails, send a notification to, enter the email addresses of anyone who should be notified in the event this connection fails.
   - The email addresses entered here do not have to match the domains entered in step 4.
6. Once you are satisfied with your settings, click the Save DMI Settings button.
Once enabled, DMI will be listed as an Enterprise Application in your Azure portal where you can view the granted permissions and usage logs.
Note:
If your admin email address matches the domains selected here, DMI will also be used to deliver emails sent using our Send Me a Test Email feature.
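The roles and permissions described above can also be reviewed from PowerShell. The script below is an added example, not KnowBe4 code: it lists every effective holder of the ApplicationImpersonation role and the permissions granted to the DMI enterprise application. The application display name is a placeholder you must fill in, and the ExchangeOnlineManagement and Microsoft.Graph modules are assumed to be installed.

```powershell
# Added example, not KnowBe4 code. Requires the ExchangeOnlineManagement and
# Microsoft.Graph PowerShell modules. The display name below is a placeholder
# (assumption): copy the real one from Enterprise Applications in your Azure portal.
$DmiAppName = '<display name of the DMI enterprise application>'

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

# 1. Everyone who effectively holds ApplicationImpersonation, whether assigned
#    directly or through a role group. Only the DMI authorization account
#    (and any other accounts you knowingly approved) should appear here.
$holders = Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, RoleAssigneeType, AssignmentMethod

# 2. Locate the enterprise application (service principal) created by the connection.
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$DmiAppName'")
if ($sp.Count -ne 1) {
    throw "Expected exactly one enterprise application named '$DmiAppName', found $($sp.Count)."
}
$sp = $sp[0]

# 3. Delegated permissions consented for the application.
#    ConsentType 'AllPrincipals' means the grant applies tenant-wide.
$delegated = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
    ForEach-Object {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId
        [pscustomobject]@{
            Type = 'Delegated'; Resource = $resource.DisplayName
            Permission = $_.Scope; Consent = $_.ConsentType
        }
    }

# 4. Application (app-only) permissions assigned to the application.
$appOnly = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    ForEach-Object {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId
        $role = $resource.AppRoles | Where-Object { $_.Id -eq $_.Id -and $_.Id -eq $PSItem.Id } |
            Select-Object -First 0   # placeholder pipeline replaced below
        $roleId = $_.AppRoleId
        $role = $resource.AppRoles | Where-Object { $_.Id -eq $roleId }
        [pscustomobject]@{
            Type = 'Application'; Resource = $_.ResourceDisplayName
            Permission = $role.Value; Consent = 'Admin'
        }
    }

$holders | Format-Table -AutoSize
@($delegated) + @($appOnly) | Format-Table -AutoSize
```

Compare the second table with the permissions request you accepted when connecting DMI, and rerun the script after disconnecting to confirm what remains in the tenant.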
Troubleshooting
Failed Connection
If the Exchange Web Services (EWS) token connecting your KnowBe4 console and your Microsoft 365 account becomes invalid, the DMI connection will fail.
Any phishing campaign emails that were scheduled to be delivered using DMI will not be sent.
Reconnect your Microsoft 365 account by following the instructions outlined in the Connect DMI to Microsoft 365 section above. If you have trouble reconnecting, please contact support.
DMI and Advanced Threat Protection
If you're using Microsoft 365's Advanced Threat Protection (ATP), your users may see an ATP warning page after clicking a simulated phishing link. To prevent this, edit the ATP Link Policy as outlined in this article.
Disconnect DMI from Microsoft 365
If you no longer wish to use DMI, we recommend removing the connection between your KnowBe4 console and your Microsoft 365 account by following the steps below:
- Log in to your KnowBe4 account and click your email in the top-right corner.
- Select Account Settings and navigate to the Direct Message Injection section.
- Click on the Remove Microsoft 365 Connection button.
- When the confirmation message opens, click Confirm.
Note:
If your Microsoft 365 connection is removed, active phishing campaigns will send emails using Standard Email Protocol (SMTP). Because the campaign was started using DMI, emails will still show as DMI Delivered on the campaign overview page.
If you choose to re-enable DMI in the future, you will have to grant KnowBe4 access again as outlined in the Connect DMI to Microsoft 365 section above.
If you no longer have access to your KnowBe4 account and would like to disconnect DMI from your Microsoft 365 account, please contact support.