IRIS Accountancy Suite: Email Sending via Microsoft Graph API

Introduction

Microsoft Graph API is a unified endpoint that provides secure access to various Microsoft services, including Outlook, OneDrive, Teams, and Azure AD. It simplifies application integration by offering a RESTful interface for managing user data and services.

A module has been introduced within IRIS Accountancy Suite that enables email sending through Microsoft Graph API.

 


Getting Started

Sending emails using Microsoft Graph API requires users to sign in with a Microsoft account.

Based on your role, follow the relevant guide below.

Are you a user who needs to send emails?

See the User Configuration section to sign in and send emails. If you need admin approval, see the Admin Consent section.

If you have any login issues, see the Troubleshooting section.

Are you an IT administrator managing multiple users?

See the Client Organisation Configuration section to configure access. Choose between individual approvals or organisation-wide consent.

 

User Configuration

Users from different organizations must follow specific configuration steps to start using Microsoft Graph API.

The setup process depends on whether administrator consent is required.

 

Option 1 - Individual User Consent (if admin consent is not required)

This option is best for users who need quick access and have permission to grant consent for their own accounts. The consent prompt will appear only once per user unless the consent is revoked.

  1. Open IRIS Accountancy Suite and, when attempting to send an email, choose a Microsoft account and log into it.

  2. Upon authentication, a Microsoft Authentication (MSAL) prompt will appear, requesting the necessary permissions (Mail.Send, User.Read).

  3. Once consent is granted, the user can start using the application to send emails.

Option 2 - Admin Consent Required

This option is best for organisations that require centralised security control over application access. Users will see this prompt only once unless access is revoked.

  1. If the application requires organization-wide permissions, users must request approval from their IT administrator. When signing in, users will be notified via the MSAL permissions request window that administrator consent is needed.

  2. The administrator must approve the request in the Azure AD portal before the user can proceed.

  3. Once approved, the user can use Microsoft Graph API to send emails.

Clearing Token & Re-Prompting Authentication

When a user authenticates, a token is issued and cached to prevent the need for re-authentication every time an email is sent. This improves user experience by allowing seamless email operations without frequent login prompts. However, in some cases, users may need to force re-authentication, such as when switching accounts or resolving authentication issues.

Note: Microsoft authentication tokens remain valid for up to 90 days with automatic renewal as long as the user remains active. If inactive for more than 1 hour, tokens expire, requiring users to re-authenticate.

 

Steps to clear Token Cache Using Command Line or PowerShell

For Windows Command Prompt:

  1. Open Command Prompt (cmd) as an administrator.

  2. Run the following command to clear the authentication token:

     setx CLEAR_TOKEN 1

  3. Restart IRIS Accountancy Suite, and the authentication prompt will reappear.

For Windows PowerShell:

  1. Open PowerShell as an administrator.

  2. Run the following command:

     [System.Environment]::SetEnvironmentVariable("CLEAR_TOKEN", "1", "User")

  3. Restart IRIS Accountancy Suite to trigger the re-authentication process.

Note: This is best for cases where users need to switch accounts or reset authentication. It ensures that a fresh authentication flow is triggered on the next login.

 

Client Organization Configuration Guide

Client organizations (referred to as "Client Organizations") have multiple options for configuring the application based on their internal security policies and user management strategies.

Comparison of Authentication options

| Option | Best For | Requires Admin Approval? | User Experience |
|---|---|---|---|
| Individual Consent | Single users who can grant access themselves | No | One-time consent prompt |
| Admin Consent | Organizations managing multiple users | Yes | Users don’t see prompts |
| Role-Based Access | Enterprises with strict security policies | Yes | Controlled access per role |

 

Option 1 - Approving Individual User Access Requests

This option is best for organisations that require fine-grained control over who can use the application but are comfortable with handling individual approvals.

  1. Each user attempts to sign in, triggering an authentication request.

  2. The organization's Azure AD administrator receives a request notification.


  3. The administrator can approve or deny access via the Azure AD admin portal.

  4. Once approved, the user gains access to use Microsoft Graph API through IRIS Accountancy Suite.

 

Option 2 - Granting Organization-Wide Admin Consent

This option is best for organisations that want a streamlined experience where all employees can use the app without requiring individual access requests. This setup ensures users will not see permission prompts when signing in.

  1. The administrator grants consent for all users in the organization by visiting the following link:

Admin Consent Approval Link

  2. The administrator logs in using their Azure AD credentials.

  3. Microsoft Consent Prompt appears, listing required access levels.

  4. The administrator selects “Consent on behalf of the organization” and clicks Accept.

  5. Once granted, all users in the client organization can use IRIS Accountancy Suite to send email using Microsoft Graph API without needing individual approvals.
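
After consent is granted, per user or organisation-wide, an administrator can review the tenant's delegated permission grants to confirm that the application holds exactly the Mail.Send and User.Read permissions named in the consent prompt. The PowerShell below is an added example, not part of the IRIS product or its documentation. Test-ConsentGrant and the sample grants are constructed here, and <APP_ID> is a placeholder because this page does not give the application ID.

```powershell
# Added example: review delegated consent grants for one application.
# Expected scopes are the two named in the consent prompt on this page.
$ExpectedScopes = @('Mail.Send', 'User.Read')
# MSAL adds these OpenID Connect scopes to every request; not treated as extra.
$OidcScopes = @('openid', 'profile', 'offline_access')

function Test-ConsentGrant {
    [CmdletBinding()]
    param(
        # Object with Scope, ConsentType and PrincipalId properties, the shape
        # returned by Get-MgOauth2PermissionGrant.
        [Parameter(Mandatory, ValueFromPipeline)] $Grant,
        [string[]] $Allowed = $ExpectedScopes
    )
    process {
        # Scope is one space-separated string; split it and drop empty entries.
        $granted = @(([string]$Grant.Scope) -split '\s+' | Where-Object { $_ })
        $extra   = @($granted | Where-Object { $_ -notin $Allowed -and $_ -notin $OidcScopes })
        $missing = @($Allowed | Where-Object { $_ -notin $granted })
        # AllPrincipals = organisation-wide admin consent; Principal = one user.
        $coverage = "User $($Grant.PrincipalId)"
        if ($Grant.ConsentType -eq 'AllPrincipals') { $coverage = 'Organisation-wide' }
        [pscustomobject]@{
            Coverage   = $coverage
            Unexpected = $extra -join ' '
            Missing    = $missing -join ' '
            Ok         = ($extra.Count -eq 0 -and $missing.Count -eq 0)
        }
    }
}

# Constructed sample grants so the check runs offline (IDs are made up).
$sample = @(
    [pscustomobject]@{ ConsentType = 'AllPrincipals'; PrincipalId = $null;
        Scope = 'openid profile offline_access User.Read Mail.Send' }
    [pscustomobject]@{ ConsentType = 'Principal'; PrincipalId = '00000000-0000-0000-0000-000000000001';
        Scope = 'User.Read Mail.Send Mail.ReadWrite' }
    [pscustomobject]@{ ConsentType = 'Principal'; PrincipalId = '00000000-0000-0000-0000-000000000002';
        Scope = ' User.Read' }
)
$sample | Test-ConsentGrant | Format-Table -AutoSize

# Against a live tenant (Microsoft.Graph PowerShell module, read-only scopes):
#   Connect-MgGraph -Scopes 'Application.Read.All','Directory.Read.All'
#   $sp = Get-MgServicePrincipal -Filter "appId eq '<APP_ID>'"
#   Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All | Test-ConsentGrant
```

A row with Unexpected populated means the application holds more delegated access than the consent prompt described. A row with Missing populated corresponds to the "Unable to send emails after logging in" case under Troubleshooting.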

Troubleshooting

If you encounter any issues, refer to the following common problems and solutions:

| Issue | Solution |
|---|---|
| Admin consent denied | Contact IT administrator to check Azure AD permissions |
| Login prompt appears repeatedly | Ensure token is not being cleared or expired |
| Unable to send emails after logging in | Confirm that Mail.Send permission is granted |
| Organization-wide consent granted, but some users still see prompts | Check if Conditional Access Policies are restricting authentication |

 

Conclusion

By following the configuration guidelines outlined here, both individual users and client organizations can efficiently integrate this application into their workflows while maintaining security, compliance, and operational efficiency.

For further assistance, please contact your organization's IT administrator or refer to Microsoft’s official documentation on Microsoft Graph API authentication.