Menu English (US) Čeština Dansk Deutsch Español (Latinoamérica) Español (España) Suomi Français (Canada) Français (France) हिंदी Magyar Bahasa Indonesia Italiano 日本語 한국어 Bahasa Melayu Nederlands Norsk Polski Português do Brasil Română Русский svenska Kiswahili ไทย Türkçe Українська Tiếng Việt 简体中文 中文 (香港) 繁體中文

DMI Configuration Guide

Avatar
Anisi Rouleau
Updated
Follow

What is Direct Message Injection?

The Direct Message Injection (DMI) feature eliminates the need to whitelist simulated phishing emails by bypassing email filtering rules and placing emails directly into your users’ inboxes. DMI works by creating a secure link between your KnowBe4 console and your Microsoft 365 account.

This secure connection is created by authorizing the DMI application in Azure. DMI will be connected to your Microsoft 365 account as an Enterprise Application. Once authorized, DMI uses the Microsoft Exchange Web Services (EWS) API to place simulated phishing emails directly into users’ inboxes.

Note: If you are using a free KnowBe4 account, our DMI feature is not currently available. Please read the instructions in our Whitelisting by IP Address in Microsoft 365 article to find the right whitelisting information for your organization.

At this time, DMI is only compatible with public instances of Microsoft Azure. Due to the permissions required, DMI cannot be used with Microsoft GCC High and DoD. 

Use the links below to learn more about this feature. You can also watch our Direct Message Injection video for a visual overview.

Jump to:

Connect DMI to Microsoft 365

Enable DMI
 Troubleshooting

Disconnect DMI from Microsoft 365

 

Connect DMI to Microsoft 365

To use DMI, you’ll first need to connect your KnowBe4 and Microsoft 365 accounts and then enable DMI for your domains. If you're using Microsoft 365's Advanced Threat Protection (ATP), be sure to edit the ATP Link Policy as outlined in this article.

Follow the steps below to securely connect your KnowBe4 console to your Microsoft 365 account:

  1. Log in to your KnowBe4 account and click your email in the top-right corner.
  2. Select Account Settings and navigate to the Direct Message Injection section.
  3. Click the Connect to Microsoft 365 button.
  4. You will be directed to a Microsoft login page. Log in to the Microsoft account that will be responsible for DMI authorization.  
    • Be sure the Required Admin Roles are assigned to the DMI authorization account.

      Note: When using a Microsoft 365 account with two-factor authentication enabled, DMI will successfully connect. However, every email sent with DMI will show an impersonation error in the Bounced tab of your phishing campaign. In order to prevent these errors, we recommend connecting DMI to Microsoft 365 through a service account that does not have two-factor authentication enabled.

  5. Carefully review the permissions requested to grant KnowBe4 access to your Microsoft 365.
  6. If you agree to these permissions, click Accept.
  7. You will be taken back to your Account Settings page where you can continue by enabling DMI.

Back to Top

 

Required Admin Roles

We recommend creating an admin account specifically for DMI authorization. Your DMI authorization account will need to be assigned the following roles:

  • Application Impersonation found in your Microsoft 365 Exchange Admin Center.
  • Application Administrator found in your Azure Portal. 

Note:

If you use an existing account for DMI authorization you will still need to assign the permissions listed above, even if the account is already assigned a high-level role, such as Global Administrator.

Click on a tab below for instructions on how to enable these permissions in the respective Microsoft 365 tool.

To add and enable the Application Impersonation role, follow the steps below.

  1. Log in to your Microsoft 365 Exchange Admin Center.
  2. From the menu on the left, click Roles to expand the menu and then select Admin Roles.
  3. Click on the Add Role Group button at the top of the Admin Roles page.
  4. On the page that opens, enter a name and description for the new role group and then click Next
  5. On the Add Permissions page, select Application Impersonation and then click Next.
  6. Select the user account that will be responsible for DMI authorization and then click Next.
  7. Review your selections, and then click Add Role Group.

To enable the Application Administrator role, follow the steps below.

  1. Log in to your Azure Portal.
  2. Under the Azure Services header, select Users.
  3. Click on the user account that will be responsible for DMI authorization.
  4. From the menu on the left, click Assigned Roles.
  5. On the Eligible Assignments tab, find Application Administrator and set the role to active.
    If Application Administrator is not listed, follow the steps below.
    1. Click on the Add Assignments button at the top of the page.
    2. From the drop-down menu, select the Application Administrator.
    3. For the scope type, select Directory and then click Next.
    4. For the assignment type, select Active.
    5. Click Assign to assign this role to the selected user.

 

Back to Top

 

Requested Permissions

After logging into your Microsoft 365 account, you will see the permissions request below:

To ensure a safe and secure connection, DMI must use EWS to connect to your users’ inboxes. While the permissions for an EWS connection include the ability to read, send, and delete emails as well as configure mailbox settings, DMI will only use this connection to place emails into your users’ inboxes.

Important:

DMI will never read emails, delete emails, or alter your organization’s mailbox settings in any way.

Accepting these permissions means that you understand and agree to KnowBe4’s terms of service and privacy statement.

Back to Top

 

Enable DMI

Once your KnowBe4 console is connected to your Microsoft 365 account, follow these steps to enable DMI:

    1. Start from the Direct Message Injection section of your Account Settings.
    2. Click on DMI Settings to expand the settings panel.
    3. Check the box labeled Enable DMI for the selected domains.
    4. Select one or more domains by either typing the domain name or selecting it from the drop-down list. 
      • DMI will only be enabled for Microsoft 365 users whose primary email address matches the selected domains.
    5. In the box labeled If the DMI connection fails, send a notification to, enter the email addresses of anyone who should be notified in the event this connection fails.
      • The email addresses entered here do not have to match the domains entered in step 4. 
    6. Once you are satisfied with your settings, click the Save DMI Settings button.

Once enabled, DMI will be listed as an Enterprise Application in your Azure portal where you can view the granted permissions and usage logs.

Note:

If your admin email address matches the domains selected here, DMI will also be used to deliver emails sent using our Send Me a Test Email feature. This test email will contain @injector.psm.knowbe4.com in the Message ID for the original email headers.

Back to Top

 

Troubleshooting

Failed Connection

If the Exchange Web Service token connecting your KnowBe4 console and your Microsoft 365 account becomes invalid, the DMI connection will fail.

Any phishing campaign emails that were scheduled to be delivered using DMI will not be sent.

Reconnect your Microsoft 365 account by following the instructions outlined in the Connect DMI to Microsoft 365 section above. If you have trouble reconnecting, please contact support.   

Back to Top

 

DMI Emails in Other Mailbox

If your users are seeing DMI-sent emails appearing in their Other inbox, rather than their Focused inbox, follow the steps below to resolve this issue:

  1. In the KMSAT console, navigate to Account Settings.
  2. Go to the Phishing Settings subtab.
  3. Enable Add Custom Header.
  4. For Header Name (left box) enter the following text: "MS-Exchange-Organization-BypassFocusedInbox".
  5. For Header Value (right box) enter the following text: "true".
  6. Save your settings.

Back to Top

 

Disconnect DMI from Microsoft 365

If you no longer wish to use DMI, we recommend removing the connection between your KnowBe4 console and your Microsoft 365 account by following the steps below:

    1. Log in to your KnowBe4 account and click your email in the top-right corner.
    2. Select Account Settings and navigate to the Direct Message Injection section.
    3. Click on the Remove Microsoft 365 Connection button.
    4. When the confirmation message opens, click Confirm.

Note:

If your Microsoft 365 connection is removed, active phishing campaigns will send emails using Standard Email Protocol (SMTP). Because the campaign was started using DMI, emails will still show as DMI Delivered on the campaign overview page. 

If you choose to reenable DMI in the future, you will have to grant KnowBe4 access again as outlined in the Connect DMI to Microsoft 365 section above.

If you no longer have access to your KnowBe4 account and would like to disconnect DMI from your Microsoft 365 account, please contact support.

Back to Top

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Related articles