Step 5: Configure the Report Email button for Microsoft 365

The Arctic Wolf Managed Security Awareness® (MA) Report Phishing feature enables your organization to identify, search, and analyze phishing emails after installing a Report Email button in Microsoft Office 365. The Report Phishing feature is available to all MA customers that use Microsoft 365 as their email service and includes:

• Report Email button — Reports an email as a phishing attempt in Microsoft Office 365. This button can be found in the Outlook application toolbar or added to the Outlook web app (OWA).
• Reported Phishing menu item — Provides access to the Reported Phishing dashboard that contains analytics and information.

  Tip: See Reported Phishing Dashboard for more information.

If you are a standard MA customer, the Reported Phishing page includes Reported Emails and Phishing Button Settings. If you have MA+, the Reported Phishing page includes Reported Simulations, Reported Emails, and Phishing Button Settings.

Requirements

• Microsoft 365 as your email service

• A custom email domain

  For example, @arcticwolf.com. You cannot use generic domains, such as @hotmail.com or @outlook.com.

• A compatible Microsoft Outlook version

  See the Outlook versions in Office Requirements for compatible versions.

  Note: These Microsoft Outlook versions are not supported:

  • On-premises Exchange
  • Hybrid Exchange
  • Outlook mobile for iOS
  • Outlook mobile for Android

• A version of Microsoft Exchange Online that supports OAuth authentication

  See Test and deploy Microsoft 365 Apps by partners Exchange requirements for more information.

• Single tenant account types

  Multi-tenancy is not supported.

Before you begin

• Complete Step 4: Configure browsers to autoplay MA sessions.

• Make sure you have Microsoft 365 admin center administrator privileges to install a custom line-of-business application for testing and full deployment.

  See Get started with Integrated apps for more information.

Steps

1. Create an Azure app registration to allow Microsoft Graph API access to Arctic Wolf.
2. Deploy the Report Email button through Microsoft 365 admin center.

Step 1: Create an Azure app registration to allow Microsoft Graph API access to Arctic Wolf

1. If you are using:

   • Microsoft Entra ID — Sign in to the Azure AD admin center, and then click Azure Active Directory.
   • Microsoft 365 — Click Apps > Admin, and then click Show all.

2. Register your Report Email button:

   1. In the navigation menu, under Identity, click Applications > App registrations.

   2. Click + New registration.

   3. On the Register an application page, do these actions:

      • Name — Enter the name that you want displayed for your application. We recommend naming it Arctic Wolf Report Email Button.
      • Supported account types — Select Accounts in this organizational directory only (Single tenant).

        Note: Multi-tenancy is not supported.

   4. Click Register.

      The Overview page for the newly registered application opens.

3. Assign permissions to your Report Email button:

   1. In the navigation menu, under Manage, click API permissions.

   2. Click + Add a permission.

   3. Click Microsoft Graph.

   4. Click Application permissions.

      Note: Do not click Delegated permissions. This will not provide the API permissions required for MA setup and generates an insufficient permissions error message.

   5. In the Select permissions search box, enter Mail.ReadWrite, expand Mail, and then select the Mail.ReadWrite checkbox.

   6. Click Add permissions.

   7. In the Configured permissions section, click Grant admin consent for <company_name>.

   8. On the Grant admin consent confirmation dialog, click Yes.

      Your Microsoft Graph permissions should look like this:

      

4. Generate a client secret for your Email Report button:

   1. In the navigation pane, under Manage, click Certificates & secrets.

   2. Click the Client secrets tab, and then click + New client secret.

   3. On the Add a client secret page, do these actions:

      • Description — Enter a meaningful description for the client secret. For example, Arctic Wolf Report Email Button Secret.
      • Expires — Select 730 days (24 months) from the list.

   4. Click Add. Your new client secret appears on the Client secrets tab.

   5. In the Value column, click Copy to clipboard to copy the client secret, and then save it in a safe encrypted location, such as a password manager.

      Notes:

      • The client secret Value is time-sensitive. It is only viewable during the application registration, so it must be saved now.
      • Do not share the client secret with anyone outside of authorized personnel.
      • If Arctic Wolf requires a copy of the client secret, we will provide you with a secure transfer link, such as Egnyte.

5. Obtain the ID values for your Email Report button:

   1. In the navigation pane, click Overview.
   2. Take note of these fields and their associated values:
      • Application (client) ID
      • Directory (tenant) ID

6. Integrate your Report Email button credentials with MA and test your connection:

   1. In a new browser tab, sign in to the MA Portal.
   2. In the menu, click Reported Phishing.
   3. On the Phishing Button Settings tab, enter these values that you copied earlier:
      • Application (Client) ID — Enter the Application (client) ID.
      • Directory (Tenant) ID — Enter the Directory (tenant) ID.
      • Client Secret Value — Enter the Value of the client secret.
      • Client Secret Value Expiration Date — Enter the Expires value.
   4. Click Test Connection, and then do one of these actions:
      • If the "Connection Successful" message appears, click Acknowledge, and then click Save Credentials.
      • If errors persist, submit a ticket in the Arctic Wolf portal.
   5. In the Grant Permissions section, turn on the Automatically move emails to junk toggle.

Step 2: Deploy the Report Email button through Microsoft 365 admin center

1. Download the Arctic Wolf Report Email Button Manifest file:

   1. In the MA Portal, click Settings > Administrator Toolkit.
   2. In the Search field, enter Arctic Wolf Report Email Button Manifest File, and then click Download.
   3. (Optional) To validate the checksum value for the Arctic Wolf Report Email Button Manifest File you can download a checksum file for SHA-256 or MD5:
      • In the Search field enter Checksums, and then download the file corresponding to the checksum value generator you use.
      • Generate the hash value for the manifest file. The value should match the checksum file.

        Note: If the checksum value does not match, consider the file corrupt, delete it from your computer, and re-download the manifest file from the Administrator Toolkit. If the issue persists, submit a ticket in the Arctic Wolf Portal.

2. In a separate browser tab, sign in to the Microsoft 365 admin center.

3. Click Settings > Integrated apps.

4. Click the Upload custom apps tab.

5. On the Upload Apps to deploy page, in the App Type list, select Office Add-in, and then select the Upload manifest file (.xml) from device option.

6. Click Choose File, and then upload the manifest file you downloaded from the Administrator Toolkit.

   The Manifest file validated confirmation message appears.

7. Click Next.

8. On the Add users page, in the Assign users section, do these steps:

   1. Select the Specific users/groups option.
   2. In the Specific users/groups field, enter the names of users or a user group to receive the Report Email button.

      Note: Arctic Wolf recommends that you:

      • Use the same MA User group you used when you enrolled users into MA.

        See Enroll users to your MA program for more information. Be aware that you may experience unexpected results if you use a nested group because Outlook Add-ins do not always support nested groups. If the Report Email button does not appear within 48 hours, add individual groups or users.

      • Add a group with limited users if you want a phased approach for rolling out the Report Email button. For example, add your IT team only.

        See Get started with Integrated apps for more information.

      • Only select Entire organization if all users in the tenant are MA users. If non-MA users exist in the tenant, they will experience errors when reporting an email.

   3. Click Next.

9. On the Accept permissions requests page, read the App Permissions and Capabilities, and then click Next.

   Note: These permissions are different than the permissions set in the Azure app.

10. On the Review and finish deployment page, review your settings, and then click Finish deployment.

    Note: The deployment may take a few minutes to complete. Do not refresh or close the page.

11. When the deployment is finished running, on the Deployment completed page, click View this deployment to see details of the completed add-in.

    Note: It may take up to 24 hours for the Report Email button to appear in Outlook desktop app.

12. After the Report Email button is visible in Outlook, create a test email with these values. You will use this email later to make sure the Report Email button works as expected:

    • To — Your email address.

      Tip: Arctic Wolf recommends only sending the test email to yourself.

    • Subject — Test Report Email Button for Managed Security Awareness.

    • Body — Testing the Report Email button for Managed Security Awareness.

    • (Optional) If you have an email signature, remove it from the body of the email to avoid any issues that could occur from filtering.

13. Click Send.

    The test email is sent to your email address.

14. Verify that the deployment of the Report Email button works as expected:

    1. Go to your email, click the test email, and then click Report Email.
    2. In the MA Portal menu, click Reported Phishing.
    3. Click the Reported Emails tab.
    4. Find your test email in the Reported Emails table. If you are:
       • Successful — The Report Email button was successfully installed.
       • Not successful — Submit a ticket from your Arctic Wolf Portal.

Next steps

• Do one these:
  • If this is your inital setup, complete Step 6: Notify users of the MA program.
  • If you have an existing MA program, complete Step 7: Notify users about the Report Email button.