Menu English (US) Čeština Dansk Deutsch Español (Latinoamérica) Español (España) Suomi Français (Canada) Français (France) हिंदी Magyar Bahasa Indonesia Italiano 日本語 한국어 Bahasa Melayu Nederlands Norsk Polski Português do Brasil Română Русский svenska Kiswahili ไทย Türkçe Українська Tiếng Việt 简体中文 中文 (香港) 繁體中文

DMI Configuration Guide

Avatar
Anisi Rouleau
Updated
Follow

What is Direct Message Injection?

The Direct Message Injection (DMI) feature eliminates the need to whitelist simulated phishing emails. DMI bypasses email filtering rules and places emails directly into your users’ inboxes. This feature works by creating a secure link between your KnowBe4 console and your Microsoft 365 account.

This secure connection is created by authorizing the DMI application in Azure. DMI will be connected to your Microsoft 365 account as an Enterprise Application. Once authorized, DMI uses the Microsoft Exchange Web Services (EWS) API to place simulated phishing emails directly into your users’ inboxes.

Note: Our DMI feature is not currently available for free accounts. Please read the instructions in our Whitelisting by IP Address in Microsoft 365 article to learn how to whitelist KnowBe4.

DMI is only compatible with public instances of Microsoft Azure. Due to the permissions required, DMI cannot be used with Microsoft GCC High and DoD.

Use the links below to learn more about this feature. For a visual overview, watch our Direct Message Injection video.

Jump to:

Required Admin Roles

Requested Permissions

Connect DMI to Microsoft 365

Enable DMI

Troubleshooting

Disconnect DMI from Microsoft 365

Required Admin Roles

Before you set up DMI, we recommend creating an admin account specifically for DMI authorization. Your DMI authorization account will need to be assigned the following roles:

  • Application Impersonation found in your Microsoft 365 Exchange Admin Center.
  • Application Administrator found in your Azure Portal. 

Note:

You will still need to assign the permissions listed above, even if an existing account is already assigned a high-level role, such as Global Administrator.

Click on a tab below for instructions on how to enable these permissions in each Microsoft 365 application.

To add and enable the Application Impersonation role, follow the steps below.

  1. Log in to your Microsoft 365 Exchange Admin Center.
  2. From the menu on the left, click Roles and select Admin Roles.
  3. Click on the Add Role Group button.
  4. Enter a name and description for the new role group. Click Next.
  5. On the Add Permissions page, select Application Impersonation and then click Next.
  6. Select the user account that will be responsible for DMI authorization and then click Next.
  7. Review your selections and click Add Role Group.

To enable the Application Administrator role, follow the steps below.

  1. Log in to your Azure Portal.
  2. Under the Azure Services header, select Users.
  3. Click on the user account that will be responsible for DMI authorization.
  4. From the menu on the left, click Assigned Roles.
  5. On the Eligible Assignments tab, find Application Administrator and set the role to active.

If Application Administrator is not listed, follow the steps below.

    1. Click on the Add Assignments button at the top of the page.
    2. From the drop-down menu, select the Application Administrator.
    3. For the scope type, select Directory and then click Next.
    4. For the assignment type, select Active.
    5. Click Assign to assign this role to the selected user.

 

Back to Top

 

Requested Permissions

In your Microsoft 365 account, you will see the permissions request below:

To guarantee a safe and secure connection, DMI must use EWS to connect to your users’ inboxes. The permissions for an EWS connection include the ability to read, send, and delete emails. The EWS connection can also configure mailbox settings. DMI will only use these permissions to place emails into your users’ inboxes.

Important:

DMI will never read emails, delete emails, or alter your organization’s mailbox settings in any way.

Accepting these permissions means that you understand and agree to KnowBe4’s terms of service and privacy statement.

Back to Top

 

Connect DMI to Microsoft 365

To use DMI, you’ll need to connect your KnowBe4 and Microsoft 365 accounts and enable DMI for your domains. If you are using Microsoft 365's Advanced Threat Protection (ATP), you will need to edit the ATP Link Policy to prevent link rewriting. Please see our How to Prevent Microsoft 365 ATP from Rewriting KnowBe4 Phishing Links article.

Follow the steps below to securely connect your KnowBe4 console to your Microsoft 365 account:

  1. Log in to your KnowBe4 account and click your email in the top-right corner.
  2. Select Account Settings and navigate to the Direct Message Injection section.
  3. Click the Connect to Microsoft 365 button.
  4. You will be directed to a Microsoft login page. Log in to the Microsoft account that will be responsible for DMI authorization.  
    • Make sure to use the Microsoft account that has been assigned our Required Admin Roles. 

      Note: When using a Microsoft 365 account with two-factor authentication enabled, emails sent with DMI will show an impersonation error in the Bounced tab of your phishing campaigns. To prevent these errors, we recommend connecting DMI to Microsoft 365 through a service account that does not have two-factor authentication enabled.

  5. Review the permissions requested in order to give KnowBe4 access to your Microsoft 365 information.
  6. If you agree to these permissions, click Accept.
  7. Once the window closes, see the Enable DMI section below to continue.

Back to Top

 

Enable DMI

Once your KnowBe4 console is connected to your Microsoft 365 account, follow the steps below to enable DMI:

    1. Log in to your KnowBe4 account.
    2. Click your email address in the top-right corner and select Account Settings.
    3. Navigate to the Direct Message Injection section.
    4. Click DMI Settings to expand the settings panel.
    5. Check the box labeled Enable DMI for the selected domains.
    6. Select one or more domains by typing the domain name or selecting domains from the drop-down menu.
      • DMI will only be enabled for Microsoft 365 users whose primary email address matches the selected domains.
    7. In the field labeled If the DMI connection fails, send a notification to, enter the email addresses of anyone who should be notified if the DMI connection fails.
      • Email addresses entered here do not have to match the domains from Step 4.
    8. Click the Save DMI Settings button.

Once enabled, DMI will be listed as an Enterprise Application in your Azure portal. You can view any granted permissions and usage logs from your Azure portal.

Note:

If your admin email address matches the domains selected here, DMI will also be used to deliver emails sent using our Send Me a Test Email feature. This test email will contain @injector.psm.knowbe4.com in the Message ID for the original email headers.

Back to Top

 

Troubleshooting

See below for a variety of issues that can occur with DMI and how you can fix them.

How to Fix a Failed Connection

If the Exchange Web Service token connecting your KnowBe4 console and your Microsoft 365 account becomes invalid, the DMI connection will fail.

Any phishing campaign emails that were scheduled to be delivered using DMI will not be sent.

Reconnect your Microsoft 365 account by following the instructions outlined in the Connect DMI to Microsoft 365 section above. If you have trouble reconnecting, please contact support.  

Back to Top

 

How to Stop DMI Emails from Showing in the "Other" Inbox

If your users are seeing emails with DMI in their Other inbox instead of their Focused inbox, follow the steps below to resolve this issue:

  1. In your KnowBe4 account, navigate to Account Settings.
  2. Go to the Phishing Settings subtab.
  3. Enable Add Custom Header.
  4. In the Header Name (left box) enter the following text: "MS-Exchange-Organization-BypassFocusedInbox".
  5. In the Header Value (right box) enter the following text: "true".
  6. Click Save Settings.

Back to Top

 

Disconnect DMI from Microsoft 365

When disabling DMI, we recommend removing the connection between your KnowBe4 console and your Microsoft 365 account. Follow the steps below to disconnect the two accounts:

    1. Log in to your KnowBe4 account.
    2. Click your email in the top-right corner and select Account Settings.
    3. Navigate to the Direct Message Injection section.
    4. Click Remove Microsoft 365 Connection.
    5. When the confirmation message opens, click Confirm.

Note:

When your Microsoft 365 connection is removed, active phishing campaigns will send emails using Standard Email Protocol (SMTP). If the campaign was started using DMI, emails will still show as DMI Delivered on the campaign overview page.

If you re-enable DMI in the future, you will have to grant KnowBe4 access again. Follow the steps in the Connect DMI to Microsoft 365 section to re-enable DMI.

If you no longer have access to your KnowBe4 account and would like to disconnect DMI from your Microsoft 365 account, please contact support and we will be happy to help.

Back to Top

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Related articles