Preview build — Pull Request #46
SymprexDocumentation

Signature 365 required permissions

Review the Microsoft 365 and platform permissions required before you set up Signature 365 or enable optional features.

Review these permissions before you start How to setup Signature 365. This reference explains which Microsoft 365 permissions are requested for core setup and for optional server-side features.

If you plan to use SSO for management accounts, also review Enabling single sign-on (SSO) for Signature 365 management accounts.

Microsoft 365

To set up Signature 365 to integrate with Microsoft 365, the permissions below are required.

Required permissions for reading directory data

Warning
The permissions in this section are always required to integrate with Microsoft 365.

The permissions below are required to import directory, user, and group information:

Read directory data

This allows us to import your directory, including users, groups, and domains.

Read all users' full profile

This allows us to import your users and profiles for use in your signatures.

Read all user mailbox settings

This allows us to import your users' mailbox settings.

Sign in and read user profile

This is required to connect to your tenant.

This is a screenshot of the permissions request dialog:

When you click Accept, a Signature 365 enterprise application is created in your Entra ID tenant.

The request is for administrator-level access so Signature 365 can continuously import your directory information in the background. If you are not a Global Administrator when accepting the permissions, you will see a dialog requesting you to log in as a Global Administrator.

Required permissions for setting up integration with Exchange Online

Warning
The permissions in this section are only required if you want to use server-side signatures with Microsoft 365.

The permissions below are required to allow Signature 365 to add a domain to your Microsoft 365 tenant that matches the certificate we will use to communicate securely with Exchange Online.

Read and write domains

This allows us to add a domain to your Microsoft 365 tenant that matches the certificate we will use to communicate securely with Exchange Online.

Sign in and read user profile

This is required to connect to your tenant.

This is a screenshot of the permissions request dialog:

When you click Accept, a Signature 365 Setup enterprise application is created in your Entra ID tenant.

The request is for administrator-level access. If you are not a Global Administrator when accepting the permissions, you will see a dialog requesting you to log in as a Global Administrator.

Note
You may delete the Signature 365 Setup application from your Entra ID tenant after completing the setup.

Request to sign in to application to create connectors and transport rule

You will be asked to sign in to the application Microsoft Exchange REST API Based PowerShell. You must sign in as a Global Administrator and make sure to enter the credentials for the correct Microsoft 365 tenant.

Next steps

Signature 365 reliability and security

Explore Signature 365 security, certifications, availability, data protection, and Microsoft 365 integration safeguards.

Signature 365 SMTP host list and IP whitelist

Find regional SMTP hosts and IP addresses to whitelist for Signature 365 server-side mail flow.