Microsoft 365 for Workflows

Your Dynatrace environment can integrate with Microsoft 365 in automation workflows. You can automate sending emails via Microsoft 365 based on the events and schedules defined for your workflows.

Set up Microsoft 365 integration

Install Microsoft 365 Connector

Allow Microsoft 365 outbound connections

Grant permissions to Workflows

Set up Microsoft Azure for integration with Dynatrace

Authorize connection to Microsoft Azure

Install Microsoft 365 Connector

To use Microsoft 365 actions, first install Microsoft 365 Connector from Dynatrace Hub.

To install Microsoft 365 Connector, you need the app-engine:apps:install permission.

In Dynatrace Hub , search for Microsoft 365 Connector.
Select Microsoft 365 Connector > Install.

After you install Microsoft 365 Connector, you need to perform some initial steps to set up the connection between Microsoft 365 and your Dynatrace environment.

Allow Microsoft 365 outbound connections

Open Settings and go to Preferences > Limit outbound connections.
Select Add item and add the login.microsoftonline.com and graph.microsoft.com domain names.
Select Save changes.

This way, you can granularly control the web services to which your Dynatrace environment can connect.

Grant permissions to Workflows

Some permissions are required by Workflows to run actions on your behalf. Other permissions are required by actions that come bundled with Microsoft 365 Connector itself.

To fine-tune permissions granted to Workflows

Open Workflows and go to Settings > Authorization settings.
Make sure the following permissions are selected.
- Permissions needed for Workflows
  - app-engine:functions:run
- Permissions needed for Microsoft 365 Connector workflow actions
  - app-settings:objects:read

Set up Microsoft Azure for integration with Dynatrace

Configure your Microsoft Azure tenant to establish a connection with your Dynatrace environment.

Open portal.azure.com to access your Microsoft Azure tenant and navigate to App registrations to set up a new app. For the necessary setup steps, see Register a client application in Azure Active Directory in Microsoft Azure documentation.
Grant your newly created Azure app the Microsoft Graph/Mail/Mail.Send permission.

For more information, see API permissions and Introduction to permissions and consent in Microsoft Azure documentation.

To be able to use the API to send emails in the background without a currently signed-in user, you need to select Application permissions. Delegated permissions aren't sufficient.
After registering the app, create a new client secret. For details, see Certificates & secrets in Microsoft Azure documentation.
- To create a client secret, make sure that you either have admin permissions or are part of the app owners.
- Make sure you store the client secret Value (not the Secret ID) after creation for establishing the connection to your Dynatrace environment in the next section.
Limit mailbox access through an application access policy
We strongly recommend using a technical email address as the sender used by the Dynatrace Workflows action and limiting the permissions of your Microsoft Azure app registration to these specific mailboxes by setting up an application access policy. This ensures that only specified email addresses can be used in the app registration and eventually in Dynatrace Workflows. This helps to reduce risks from impersonation.
For details on how to set up a new application access policy, see Limiting application permissions to specific Exchange Online mailboxes in Microsoft Azure documentation.
If you don't set up an application access policy for your Microsoft Azure tenant and restrict the possible email senders, any email address of your tenant can be used as the sender for your emails sent via Dynatrace Workflows.

Authorize connection to Microsoft Azure

Your Microsoft 365 Connector requires a client secret from Microsoft Azure for authorization.

Get the following credentials from your app registration in your Microsoft Azure tenant on portal.azure.com.
- Directory (tenant) ID: Available on the Overview menu.
- Application (client) ID: Available on the Overview menu.
- Client secret: Is the Value (not the Secret ID) of the client secret from the preceding Set up Microsoft Azure for integration with Dynatrace section.
Return to Dynatrace, open Settings , and go to Dynatrace Apps > Microsoft 365 Connector.
Select Add item and provide the following information.
- Connection name: Needs to be unique. Will be listed and selectable in the connection field in Microsoft 365 Connector.
- Directory (tenant) ID
- Application (client) ID
- "From" email address: See Limit mailbox access through application access policy in the Set up Microsoft Azure for integration with Dynatrace section.
- Type: Client secret
- Client Secret: This is the Value of the client secret from the Set up Microsoft Azure for integration with Dynatrace section.
Save your changes.

Additional notes

To add connection settings, you need the following permissions.

1ALLOW settings:objects:read, settings:objects:write, settings:schemas:read WHERE settings:schemaId = "app:dynatrace.microsoft365.connector:connection"

For details, see Permissions and access.

Be aware that connections are shared and can be used by all users with app-settings read permissions.

Send an email with workflows

Open Workflows and select to create a new workflow.
In the side panel, select the trigger best suited to your needs.
On the trigger node, select to browse available actions.
In the side panel, search the actions for Microsoft 365 and select Send email.
Select a preconfigured Microsoft 365 connection.
Enter the email addresses for the recipients.

The number of email addresses is currently restricted to 10 per field.
Enter a subject.
Enter a message.
To test your workflow, select Run.

Action result

The Send email action provides the following result.

Property Description

Property	Description
`requestId`	A unique identifier required for reporting issues to Microsoft Support that is returned by the Microsoft API in the response header field `request-id`
`clientRequestId`	A unique identifier required for reporting issues to Microsoft Support that is returned by the Microsoft API in the response header field `client-request-id` For sending emails, this is identical to `requestId`.

requestId

A unique identifier required for reporting issues to Microsoft Support that is returned by the Microsoft API in the response header field request-id

clientRequestId

A unique identifier required for reporting issues to Microsoft Support that is returned by the Microsoft API in the response header field client-request-id

For sending emails, this is identical to requestId.

Troubleshooting

These error messages are typically related to issues concerning the setup steps described above in Authorize connection to Microsoft Azure.

Make sure that you use the actual client secret and not the object ID that's linked to it. The object ID is public and shown for every client secret.

This message is related to "From" email address in the connection settings as described above in Authorize connection to Microsoft Azure.

Make sure that "From" email address contains the email address of a user in Azure. We recommend that you create a dedicated user for this purpose that's not directly related to a person. A group can't be used to send an email because groups use conversations instead of traditional emails.

This message is related to "From" email address in the connection settings as described above in Authorize connection to Microsoft Azure.

The error occurs because the email address in "From" email address is not allowed to be the sender, which is most likely related to the configuration described in Limiting application permissions to specific Exchange Online mailboxes.