Exciting news! We are redesigning the Arctic Wolf Help Documentation site to provide a better user experience. Our new site will launch on May 1, 2024.

Managed Security Awareness


Managed Security Awareness Initial Setup - Step 5

Updated Mar 18, 2024

Step 5: Configure the Report Email button for Microsoft 365

Note: This step only applies if your organization uses Microsoft 365® as your email service and you want to deploy the Report Email button to report phishing emails.

The Arctic Wolf Managed Security Awareness® (MA) phishing features enable your organization to identify, search, and analyze phishing emails after installing a Report Email button in Microsoft Office 365. The Report Phishing feature is available to all MA customers that use Microsoft 365 as their email service. It includes:

If you are a standard MA customer, the Reported Phishing page includes Reported Emails and Phishing Button Settings. If you have MA+, the Reported Phishing page includes Reported Simulations, Reported Emails, and Phishing Button Settings.

Requirements

Note: Make sure all requirements are met or the Report Email button might not function as expected. See Unsupported Configurations for more information.

Email environment

Email client

The most current version of Microsoft 365 and Outlook is required for full support of the Outlook Add-in feature. See Deploy and manage Office Add-ins for more information.

Summary support table

This table lists the supported email environments:

Email Environment Supported
Microsoft Exchange Online Yes
Single tenant Yes
On-premises Exchange No
Hybrid Exchange No
Multi-tenancy No

This table lists the supported email clients:

Email Client Supported
Microsoft 365 Yes
Outlook on the web Yes
Outlook 2013 No
Outlook 2016 — non-MSI installed versions Yes
Outlook 2016 — MSI installed versions ending in .1000 No
Outlook 2019 - Retail license Yes
Outlook 2019 - Volume license No
Outlook 2021 Yes
Outlook for Mac Yes
Outlook mobile for iOS No
Outlook mobile for Android No

Before you begin

Steps

  1. Create a Microsoft Entra ID (formerly Azure AD) app registration to allow Microsoft Graph API access to Arctic Wolf.
  2. Deploy the Report Email button through Microsoft Entra admin center.

Step 1: Create a Microsoft Entra ID (formerly Azure AD) app registration to allow Microsoft Graph API access to Arctic Wolf

  1. Sign in to the Microsoft Entra admin center (formerly Azure AD).

  2. If you are using:

    • Microsoft Entra ID (formerly Azure AD) — In the navigation menu, in the Admin centers section, click Identity.
    • Microsoft 365 — Click Apps > Admin > Show all > Identity > Applications > App registrations.

      Tip: You can also access this from the Microsoft Admin Console.

  3. Register your Report Email button:

    1. In the navigation menu, click Identity > Applications > App registrations.

    2. Click + New registration.

    3. On the Register an application page, configure these settings:

      • Name — Enter AW Report Email Button. Do not enter Arctic Wolf.
      • Supported account types — Select Accounts in this organizational directory only (Single tenant).

        Note: Multi-tenancy is not supported.

    4. Click Register.

      The Overview page for the newly registered application opens.

  4. Assign permissions to your Report Email button:

    1. In the navigation menu, in the Manage section, click API permissions.

    2. In the Configured permissions table, expand Microsoft Graph, and then for the User.Read row, click > Remove permission.

      This is the default permission for all application registration, but it is not needed for this specific app registration.

    3. In the confirmation dialog, click Yes, remove.

    4. Click + Add a permission.

    5. Click Microsoft Graph.

    6. Click Application permissions.

      Note: Do not click Delegated permissions. This will not provide the API permissions required for MA setup and generates an insufficient permissions error message.

    7. In the Select permissions search bar, enter Mail.ReadWrite.

    8. Click Mail, and then select the Mail.ReadWrite checkbox.

    9. Click Add permissions.

    10. In the Configured permissions section, click Grant admin consent for <company_name>.

    11. On the Grant admin consent confirmation dialog, click Yes.

      Your Microsoft Graph permissions should look like this:

      • API / Permissions nameMail.ReadWrite.

      • TypeApplication.

      • DescriptionRead and write mail in all mailboxes.

        Note: This permission is required for phishing emails to be retrieved from the Microsoft Graph API, and then automatically moved to the junk folder after being reported.

      • Admin consent requested?Yes.

      • StatusNot granted for Arctic Wolf.

  5. Generate a client secret for your Email Report button:

    1. In the navigation menu, in the Manage section, click Certificates & secrets.

    2. Click the Client secrets tab, and then click + New client secret.

    3. On the Add a client secret page, configure these settings:

      • Description — Enter a description for the client secret. For example, Arctic Wolf Report Email Button Secret.
      • Expires — Select 730 days (24 months).
    4. Click Add.

      Your new client secret appears on the Client secrets tab.

    5. In the Value column, click Copy to clipboard, and then save it in a safe, encrypted location. You will provide it to Arctic Wolf later.

      Notes:

      • The client secret value is time-sensitive. It is only viewable during the application registration.
      • Do not share the client secret with anyone outside of authorized personnel.
      • If Arctic Wolf requires a copy of the client secret, we will provide you with a secure transfer link. For example, Egnyte.
  6. Obtain the ID values for your Email Report button:

    1. In the navigation menu, click Overview.
    2. For these fields, copy the associated values, and then save them in a safe, encrypted location:
      • Application (client) ID
      • Directory (tenant) ID
  7. Integrate your Report Email button credentials with MA and test your connection:

    1. In a new browser tab, sign in to the MA Portal.
    2. In the menu, click Reported Phishing.
    3. On the Phishing Button Settings tab, configure these settings:
      • Application (Client) ID — Enter the Application (client) ID.
      • Directory (Tenant) ID — Enter the Directory (tenant) ID.
      • Client Secret Value — Enter the Value of the client secret.
      • Client Secret Value Expiration Date — Enter the Expires value.
    4. Click Test Connection, and then do one of these actions:
      • If the "Connection Successful" message appears, click Acknowledge, and then click Save Credentials.
      • If errors persist, submit a ticket in the Arctic Wolf Unified Portal.
    5. In the Grant Permissions section, click the Automatically move emails to junk toggle to the on position.

Step 2: Deploy the Report Email button through Microsoft Entra admin center

  1. Download the Arctic Wolf Report Email Button Manifest file:

    1. Sign in to the MA Portal.
    2. Click Settings > Administrator Toolkit.
    3. In the Search field, enter Arctic Wolf Report Email Button Manifest File, and then click Download.
    4. (Optional) To validate the checksum value for the Arctic Wolf Report Email Button Manifest File, you can download a checksum file for SHA-256 or MD5:
      • In the Search field, enter Checksums, and then download the file corresponding to the checksum value generator you use.
      • Generate the hash value for the manifest file. The value should match the checksum file.

        Note: If the checksum value does not match, consider the file corrupt, delete it from your computer, and re-download the manifest file from the Administrator Toolkit. If the issue persists, submit a ticket in the Arctic Wolf Unified Portal.

  2. In a new browser tab, sign in to the Microsoft Entra admin center (formerly Azure AD).

  3. Click Show all > Settings > Integrated apps.

  4. Click the Upload custom apps tab.

  5. On the Upload Apps to deploy page, in the App Type list, select Office Add-in, and then select Upload manifest file (.xml) from device.

  6. Click Choose File, and then upload the manifest file that you downloaded from the Administrator Toolkit.

    The Manifest file validated confirmation message appears.

  7. Click Next.

  8. On the Add users page, in the Assign users section, complete these steps:

    1. Select Specific users/groups option.
    2. In the Specific users/groups field, enter the names of users or a user groups that will receive the Report Email button.

      Note: Arctic Wolf recommends that you:

      • Use the same MA User group that you used when you enrolled users into MA.

        See Enroll users to your MA program for more information. You can experience unexpected results if you use a nested group because Outlook add-ins do not always support nested groups. If the Report Email button does not appear within 48 hours, add individual groups or users.

      • Add a group with limited users if you want a phased approach for rolling out the Report Email button. For example, add your IT team only.

        See Get started with Integrated apps for more information.

      • Only select Entire organization if all users in the tenant are MA users. If non-MA users exist in the tenant, they will experience errors when reporting an email.

    3. Click Next.
  9. On the Accept permissions requests page, review the App Permissions and Capabilities, and then click Next.

    Note: These permissions are different than the permissions set in the Entra ID (formerly Azure AD) app registration.

  10. On the Review and finish deployment page, review your settings, and then click Finish deployment.

    Note: The deployment can take a few minutes to complete. Do not refresh or close the page.

  11. When the deployment is complete, on the Deployment completed page, click View this deployment to see details of the completed add-in.

    Note: It can take up to 24 hours for the Report Email button to appear in Outlook desktop app.

  12. When the Report Email button is visible in Outlook, create a test email with these values. You will use this email later to make sure the Report Email button works as expected:

    • To — Enter your email address.

      Tip: Arctic Wolf recommends only sending the test email to yourself.

    • Subject — Enter Test Report Email Button for Managed Security Awareness.

    • Body — Enter Testing the Report Email button for Managed Security Awareness.

    • Signature — (Optional) If you have an email signature, remove it from the body of the email.

  13. Click Send.

    The test email is sent to your email address.

  14. Verify that the deployment of the Report Email button works as expected:

    1. In your email inbox, click the test email, and then click Report Email.
    2. In the MA Portal menu, click Reported Phishing.
    3. Click the Reported Emails tab.
    4. Find your test email in the Reported Emails table. If you are:
      • Successful — The Report Email button was successfully installed.
      • Not successful — Submit a ticket in the Arctic Wolf Unified Portal.

Next steps