Setting up a shared mailbox with service principal for Cydarm email poller
This article shows you how to create a shared mailbox that can be accessed using a service principal via the MS Graph API, enabling the Cydarm email poller to automatically create cases from security-related emails.
Overview
Use this setup when you have a shared inbox receiving security messages and want to automatically create Cydarm cases from those emails.
Prerequisites
- Microsoft 365 admin access
- Entra ID admin permissions
- Cydarm system administrator access, or at least the "integration manager" attribute
Step 1: Create the shared mailbox
- Navigate to the Microsoft 365 admin center
- Go to Teams & groups > Shared mailboxes
- Click Add a shared mailbox
- Enter a name (e.g., "Alert Test 2")
- Add any description if needed
- Click Add
Note: The shared mailbox will appear as a user in your active users list, but it will have:
- Sign-in blocked
- No licenses assigned
- No group memberships
- Disabled account status
Step 2: Create a Service Principal
- Open the Microsoft Azure portal
- Navigate to Microsoft Entra ID > App registrations
- Click New registration
- Enter a suitable name
- Click Register
Step 3: Configure API Permissions
- In your new app registration, go to API permissions
- Click Add a permission
- Select Microsoft Graph
- Choose Application permissions (not delegated)
- Add the following permissions:
  - MailboxFolder.Read.All - to read all mailbox folders
  - Mail.ReadWrite - to read emails and mark them as read after processing
- Click Grant admin consent for your organization
Important: Admin consent is required for these permissions to take effect.
Step 4: Create Client Secret
- In your app registration, go to Certificates & secrets
- Click New client secret
- Enter a description
- Select expiration period (default: 180 days)
- Click Add
- Copy the secret value immediately - you won't be able to see it again
Step 5: Gather Required Information
Collect the following details for the Cydarm configuration:
- Tenant ID - from the app registration Overview page
- Client ID - from the app registration Overview page
- Client Secret - the value you just created
- Mailbox Object ID - from the shared mailbox user's profile in Entra ID
Step 6: Configure Cydarm Email Poller
Note: You must have the "integration manager" attribute on your Cydarm user profile to perform these steps.
- In Cydarm, navigate to Connectors
- Click Create connector
- Select Email poller account
- Configure the following fields:
  - Name: Descriptive name (e.g., "Alert Test 2 Poller")
  - Type: MS Graph API
  - Azure Tenant ID: Paste the tenant ID
  - Username: Paste the client ID
  - Password: Paste the client secret
  - Mailbox: Enter {mailbox-object-id}:Inbox
- Set Organization to your organization, if there is more than one organization
- Set a severity for cases created from email (not mandatory)
- Configure an ACL if required - usually “YourOrg case data defaults”
- Activate the connector
Step 7: Test the Setup
- Send a test email to the shared mailbox address
- Check your Cydarm Case List for the new case
- Verify the case contains the correct email content and metadata
Troubleshooting Tips
- Ensure you have "integration manager" permissions in Cydarm to create connectors
- Ensure admin consent has been granted for API permissions
- Verify the mailbox Object ID is correct (not the email address)
- Check that the client secret hasn't expired
- Confirm the shared mailbox is receiving emails properly
- Review Cydarm connector logs for any error messages
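The test in Step 7 and the first three troubleshooting tips can be checked outside Cydarm with the same credentials the poller uses. The script below is an added example, not Cydarm or Microsoft code: it builds the client-credentials token request, inspects the token's "roles" claim locally to confirm that admin consent for MailboxFolder.Read.All and Mail.ReadWrite actually took effect, rejects a mailbox value that is an e-mail address rather than an Object ID, and then lists the shared mailbox's Inbox through Microsoft Graph. The `make_sample_token` helper only fabricates an unsigned token for offline checks; the live path needs network access and your real tenant values, which are passed on the command line.

```python
"""Verify a Cydarm email-poller service principal against Microsoft Graph.

Added example for the setup described above; it is not part of Cydarm or
Microsoft tooling. It checks the two things that most often break the poller:
the app-only token must carry the granted application permissions (admin
consent), and the mailbox must be addressed by its Object ID, not its address.
"""
import base64
import json
import sys
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com"
# Application permissions granted in Step 3; Entra places them in the "roles" claim.
REQUIRED_ROLES = ("MailboxFolder.Read.All", "Mail.ReadWrite")


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form-encoded body) for the OAuth2 client-credentials grant."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{GRAPH}/.default",
    }).encode()
    return url, body


def build_inbox_url(mailbox_object_id, top=5):
    """Messages in the shared mailbox's Inbox, addressed by Object ID (Steps 5 and 6)."""
    return (f"{GRAPH}/v1.0/users/{mailbox_object_id}/mailFolders/inbox/messages"
            f"?$top={top}&$select=subject,from,receivedDateTime")


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token):
    """Decode the claims of a JWT without verifying it. This is local inspection
    only; Graph, not this script, is the party that validates the signature."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def missing_roles(claims, required=REQUIRED_ROLES):
    """Application permissions absent from the token; empty means consent took effect."""
    granted = set(claims.get("roles", []))
    return [role for role in required if role not in granted]


def looks_like_object_id(value):
    """An Entra Object ID is a GUID; pasting the e-mail address is the usual mistake."""
    parts = value.split("-")
    hex_digits = set("0123456789abcdefABCDEF")
    return ([len(p) for p in parts] == [8, 4, 4, 4, 12]
            and all(c in hex_digits for c in "".join(parts)))


def make_sample_token(claims):
    """Build an unsigned JWT carrying `claims` (constructed test data, never sent anywhere)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def verify_live(tenant_id, client_id, client_secret, mailbox_object_id):
    """Acquire a token, check its roles, then list Inbox subjects. Needs network access."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        token = json.load(resp)["access_token"]
    missing = missing_roles(decode_jwt_payload(token))
    if missing:
        raise SystemExit(f"admin consent not in effect: token lacks {missing}")
    req = urllib.request.Request(build_inbox_url(mailbox_object_id),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return [msg["subject"] for msg in json.load(resp)["value"]]


if __name__ == "__main__":
    if len(sys.argv) != 5:
        raise SystemExit("usage: check_poller.py TENANT_ID CLIENT_ID CLIENT_SECRET MAILBOX_OBJECT_ID")
    tenant, client, secret, mailbox = sys.argv[1:5]
    if not looks_like_object_id(mailbox):
        raise SystemExit("Mailbox must be the shared mailbox's Object ID (a GUID), not its e-mail address")
    for subject in verify_live(tenant, client, secret, mailbox):
        print("inbox:", subject)
```

If the token decodes but `missing_roles` is non-empty, the permissions were added without Grant admin consent; if the token is fine but the Inbox request returns 404, the Mailbox value is almost always the address rather than the Object ID.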
Security Notes
- The service principal operates independently and doesn't require user sign-in
- Client secrets should be rotated regularly before expiration
- Monitor the connector's access and activities through Entra ID logs
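The last two notes are routine checks rather than one-off steps, and because application permissions such as Mail.ReadWrite apply tenant-wide by default, a leaked client secret is worth catching quickly. The script below is an added example, not Cydarm or Microsoft code. It runs over constructed records shaped after Entra ID service-principal sign-in entries (appId, ipAddress, createdDateTime, status.errorCode) and after the passwordCredentials list of an app registration (keyId, displayName, endDateTime); the field names and the placeholder app ID and source address are assumptions to check against your own export. It flags successful sign-ins by the poller app from anywhere other than the Cydarm host, bursts of failed sign-ins, and secrets that expire within a rotation window.

```python
"""Review the Cydarm poller's service-principal posture from Entra ID data.

Added example; not part of Cydarm or Microsoft tooling. All records below are
constructed, and the field names follow Entra sign-in and app registration
objects as an assumption; adjust them to match your export.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Placeholder app (client) ID for the poller's app registration, not a real value.
POLLER_APP_ID = "00000000-0000-0000-0000-000000000001"
# The poller signs in from the Cydarm host only; anything else means the secret
# is in use outside the deployment. TEST-NET-3 address used as a stand-in.
EXPECTED_SOURCE_IPS = {"203.0.113.10"}
FAILURE_THRESHOLD = 5       # failed sign-ins per hour before we alert
ROTATION_WINDOW_DAYS = 30   # warn when a secret has less than this left
REVIEW_TIME = datetime(2024, 5, 1, tzinfo=timezone.utc)  # "now" for the sample run

# Constructed sign-in records, not real telemetry. errorCode 0 is success;
# 7000215 is Entra's "invalid client secret" failure.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-01T08:00:00Z", "appId": POLLER_APP_ID,
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T08:05:00Z", "appId": POLLER_APP_ID,
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T09:12:00Z", "appId": POLLER_APP_ID,
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    *[{"createdDateTime": f"2024-05-01T10:{m:02d}:00Z", "appId": POLLER_APP_ID,
       "ipAddress": "198.51.100.7", "status": {"errorCode": 7000215}}
      for m in range(0, 30, 5)],
    {"createdDateTime": "2024-05-01T10:40:00Z", "appId": "00000000-0000-0000-0000-0000000000ff",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},  # another app, ignored
]

# Constructed client secrets on the poller's app registration.
SAMPLE_SECRETS = [
    {"keyId": "key-2023", "displayName": "poller-secret-2023", "endDateTime": "2024-05-20T00:00:00Z"},
    {"keyId": "key-2024", "displayName": "poller-secret-2024", "endDateTime": "2024-11-01T00:00:00Z"},
]


def parse_time(value):
    """Graph timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def unexpected_source_signins(records, app_id=POLLER_APP_ID, expected_ips=EXPECTED_SOURCE_IPS):
    """Successful sign-ins by the poller app from addresses other than the Cydarm host."""
    return [r for r in records
            if r["appId"] == app_id
            and r["status"]["errorCode"] == 0
            and r["ipAddress"] not in expected_ips]


def failure_bursts(records, app_id=POLLER_APP_ID, threshold=FAILURE_THRESHOLD):
    """Hour buckets in which failed sign-ins for the app reached the threshold."""
    per_hour = Counter()
    for r in records:
        if r["appId"] == app_id and r["status"]["errorCode"] != 0:
            hour = parse_time(r["createdDateTime"]).replace(minute=0, second=0, microsecond=0)
            per_hour[hour.isoformat()] += 1
    return {hour: n for hour, n in per_hour.items() if n >= threshold}


def secrets_expiring_within(credentials, days=ROTATION_WINDOW_DAYS, now=REVIEW_TIME):
    """keyIds of client secrets that expire within `days` of `now`, or already have."""
    horizon = now + timedelta(days=days)
    return [c["keyId"] for c in credentials if parse_time(c["endDateTime"]) <= horizon]


def review(signins, credentials, now=REVIEW_TIME):
    """Summarise the three checks for a dashboard or ticket."""
    return {
        "unexpected_sources": sorted({r["ipAddress"] for r in unexpected_source_signins(signins)}),
        "failure_bursts": failure_bursts(signins),
        "secrets_to_rotate": secrets_expiring_within(credentials, now=now),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_SIGNINS, SAMPLE_SECRETS).items():
        print(f"{key}: {value}")
```

On the constructed data the review reports one unexpected source (198.51.100.7), a burst of six failed sign-ins in the 10:00 hour, and one secret inside the rotation window; a successful sign-in from an unknown address is the finding to act on first, since it shows the secret being used somewhere other than the poller.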