Admins now have the ability to enable and manage Indio's email integration for all their organization's users or a specific subset of agents in Indio on a bulk authentication basis. This is only available for agencies that use Microsoft for their email, and is not available for agencies that use Google.
Note that before October 2024 this feature required the agency create a Microsoft Service Account. As of October 2024 a service account is no longer required and simply a Microsoft User Administrator account is needed.
Setup
1. Indio uses the Microsoft Admin Consent Flow to enable admins to grant permissions to the other users at the agency. You'll also need to make sure your agency has a Microsoft Admin user set up who is on the same Microsoft 365 Tenant, and that the admin has sufficient permissions to enable cloud application access for your users. We recommend that your Microsoft admin be a "User Administrator" or higher.
You can check your admin users permissions within your Microsoft portal. For many organizations this information is at portal.azure.com, under the Microsoft Entra ID area.
2. Once you have the credentials for your Microsoft Admin account, login to Indio as and Indio admin user. Note that the email address for your Indio admin user can be the same or different from the email address of the Microsoft admin account.
3. Once logged in as an Indio admin, choose Admin → Integrations → Email Integration. Then click on the Login To Administer button.
4. Click the "Login to Administer" button
4. When you see a Microsoft login screen, please log in as the Microsoft admin user. You’ll see a screen labelled “Permissions Requested” with a list of permissions Indio requires and then click Accept.
5. You’ll then be returned to the Indio screen and Indio will begin the process of authorizing each agent at your agency. This process takes place behind the scenes, and can take minutes to hours, depending on the number of users being authorized.
6. AFTER NOVEMBER 2024 Once the process has finished and the system has attempted to authorize all the agents at your agency, and email will be sent to both the Indio admin and the Microsoft admin email addresses informing them that the process is complete. If any individual agents were not authorized, you'll see a list of those users alongside the specific Microsoft error that prevented their authorization. Common errors are that the user is not licenses for Outlook, or that the user is not part of the Microsoft tenant.
7. Once you resolve errors for one or more individual users, you can return to the email integration page and re-request authentication for them by checking the box next to their name and clicking Retry Integration. This will also trigger another notification email once the request process for all selected agents is finished.
8. As a final note, the integration is set by default to "Enabled for all agents" in Indio, but if you want to limit the integration to only specific agents you may do so by clicking "Enabled for selected agents only" and selecting specific agents. Make sure to click
You can select "Enabled for selected agents only" if you want to limit the integration to only specific agents. Doing so requires you to individually select the agents you want to have the email integration
Permissions Required
To function properly the integration requires the below permissions:
Maintain access to data you have given us access to
Sign and read user profiles
Ready and write mail in all mailboxes
Send mail as any user
Read all users' full profiles
If you are uncomfortable granting these permissions to all the users in your Microsoft tenant you can limit them to just a subset of users.
Microsoft allows you to limit permissions to a specific group of users once an Azure applications is created. To do so, please follow the below steps
Create a distribution group in Microsoft/Azure/Entra with the members you want to grant permission to
Initiate the V3 Bulk Authentication Process in Indio as detailed in the Setup section above EXCEPT
Only perform the admin consent portion of the flow, and do not click "Begin Integration" yet
This step will create our Indio email integration application (called "Indio Production" within your Microsoft tenant on Azure
Note that no authentication tokens will be requested without actively clicking on “Begin Integration.
Set Up an Access Policy for our Application: Once the application is created in your tenant, configure a Microsoft Application Access Policy that restricts the permissions granted to the Indio v3 email integration application ("Indio Production") to only the members of your distribution group. This will ensure that only the users in that distribution group can interact with our application.
Return to Indio, choose Enable All and click Begin Integration: this will trigger Indio to request authentication tokens for all users in Indio. If an Indio user is not part of the distribution group then we will receive an error when requesting their authentication token
As new users are created, Indio will request authentication tokens for them as well. Note that if Indio receives an error when auto-attempting to request authentication tokens for new users, our system will email that Indio user directly letting them know that the attempt failed, including the specific error so it can be corrected (likely by adding them to the distribution group)
FAQ
Can agents set up their own individual email integration if I have already authorized the integration for the agency?
Note that when bulk authentication is enabled for an agency, individual users are no longer able to setup or manage their own email integration. When the user navigates to the Email Integration section on their Account Settings page they will see the status of their email integration as either enabled or not enabled for their account.
I don't see the option to set up email integration as an administrator
Please contact support and let us know that you'd like to set up bulk authentication for email integration and we will enable the setting for you so this option shows up.
I thought I already had the integration set up and running, but when I open the Email Integration tab I don't see that it's running
In October 2024 Indio switched from V2 of our vendor's API to V3, and we updated our UI in Indio to show whether the V3-based integration is running. If you had set up an email integration before it is still running in the background and will continue to send emails until it is deprecated on December 31, 2024. To continue to use the email integration without interruption you must enable the new V3 integration before that date.
The Microsoft permission screen shows 'unverified'. What does that mean and is it safe?
You may see the word 'unverified' underneath Indio Production, which is the name of our application, but this is the real Applied Systems Indio. Microsoft manages a separate elaborate verified vendor program that Indio does not participate because it provides little benefit and is very costly.
I'm seeing a warning that says Need admin approval - unverified.
This warning occurs when your Microsoft user does not have the authority to grant Indio the permissions that it needs to send emails on your behalf. When setting up bulk authentication make sure that you're using a Microsoft Admin user with adequate permissions (we recommend User Administrator or higher) and not a regular user. We've also tested that "Could Application Administrator" and "Global Administrator" will also work.
Also make sure that you're not logging in with your Microsoft Service Account user if you previously used that for the Indio email integration, as service accounts are not the same as admin accounts.
Note: If you choose "Return to application without granting consent" then the integration will appear to be working (it will not show an error in Indio) but behind the scenes the individual authentications will fail and the feature will not work properly.
Why aren't we using Microsoft Service Accounts for this integration anymore?
Our email vendor recently updated their API to follow Microsoft's preferred Admin Consent Flow V1 instead of depending on service accounts. Service accounts can be difficult for organizations to track and manage, and also have more complexity that can lead to more unexpected behavior than simply having a trusted administrator make the decision. If you purchased a service account license from Microsoft just for use for Indio, you can cancel that license
Does this integration work if my agency user on-premises email, or only for hosted?
For the email integration to function your email needs need to be hosted (such as through Microsoft 365) instead of on-prem. Unfortunately on-prem does not meet the minimum requirements.
Can I use bulk authentication if I have multiple Microsoft Tenants?
No - if you have multiple tenants then bulk authentication will not work properly and will only authenticate users who are the same tenant as the administrator who granted the permissions. In this case we recommend users must sign into email integration individually instead.
Still have questions? Feel free to chat with our Support Team! The chat feature is located in the bottom, right-hand corner of the platform or email at support@useindio.com.