How to send Email from Azure PowerShell Function App Using Microsoft Graph API – Shared Mailbox (Certificate-Based Authentication)

2026-04-08T04:17:57.7+00:00

I am trying to send emails from an Azure PowerShell Function App using Exchange Online via Microsoft Graph API, and the emails must be sent from a shared mailbox, not from an individual user mailbox.

Current Setup

Here is what I have already configured:

  1. Created an Azure App Registration in Microsoft Entra ID.
  2. Created a Resource Group and Azure Function App (PowerShell).
  3. Created a User‑Assigned Managed Identity and attached it to the Function App.
  4. Stored a certificate in Azure Key Vault and configured certificate‑based authentication.
  5. Configured the Function App to access the certificate from Key Vault.
  6. Granted Microsoft Graph application permissions:
     • Mail.Send
     • User.Read.All
     • Admin consent has been granted.
  7. I am able to successfully authenticate and fetch user details (mail IDs) using Microsoft Graph API.

Requirement

  • I do not want to send the email from my own user mailbox.
  • I need to send emails from a Shared Mailbox (for example: ******@contoso.com) using Microsoft Graph.
  • The solution must work using application permissions and certificate‑based authentication (no delegated permissions).

What I Need Help With

  1. What is the correct way to configure Exchange Online so that the application can send emails as a shared mailbox?
  2. Do I need to assign any Send As / Send On Behalf permissions to the app or managed identity for the shared mailbox?
     • If yes, how should this be done (Exchange Online PowerShell)?
  3. Which Microsoft Graph endpoint should be used for sending emails from a shared mailbox?
     • /me/sendMail vs /users/{sharedMailbox}/sendMail
  4. Is there any additional Exchange Online or Graph configuration required beyond Mail.Send application permission?
  5. Are there any best practices or common pitfalls when sending emails from a shared mailbox using Graph API in an Azure Function App?

Goal

I want a secure, enterprise‑ready solution where:

  • Azure Function App authenticates using a certificate
  • Uses Microsoft Graph API
  • Sends emails successfully from a shared mailbox
  • Works without user interaction

Any guidance, best practices, or sample PowerShell snippets would be greatly appreciated.

Thank you.

Exchange Online

2 answers

  1. Dora-T 14,355 Reputation points Microsoft External Staff Moderator
    2026-04-08T06:49:56.1966667+00:00

    Hi Gudipudi, Sudheer (623-Extern-DELOITTE)

    First, I recommend taking a look at the response from Q&A Assist, as it provides a helpful overview of the scenario.

    From an Exchange Online perspective, no special configuration or additional licensing is required beyond having a valid shared mailbox. The key requirement is that the application uses Microsoft Graph application permissions and explicitly targets the shared mailbox in the Graph request. Exchange Online processes the message based on the mailbox specified in the request as part of the app‑only authorization flow.

    When using application permissions, Send As or Send on Behalf mailbox permissions are not evaluated. Those permissions apply only to delegated (user‑based) scenarios. With app‑only authentication, Exchange Online authorizes the request using the app’s permissions and the target mailbox in the Graph endpoint. 

    To send mail, the following endpoint should be used:  

    POST https://graph.microsoft.com/v1.0/users/{sharedMailboxUPN}/sendMail

    The /me/sendMail endpoint applies to delegated access and is not supported when there is no signed‑in user context.

    From a functionality perspective, Mail.Send (Application) with admin consent is sufficient to send mail. For security and governance, Microsoft recommends restricting the application’s mailbox access using RBAC for Applications, so the app can send mail only from the intended shared mailbox.

    References: 

    Send Outlook messages from another user – Microsoft Graph 

    Role‑based access control for applications in Exchange Online

    I hope this information helps. If you have any further questions or run into any issues, feel free to share more details and I’ll be happy to assist.

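The end-to-end Function App flow the moderator describes (certificate loaded from Key Vault, app-only Graph token, POST to /users/{sharedMailboxUPN}/sendMail, never /me), as an added PowerShell example that is not part of either answer or of Microsoft's documentation. It assumes the Az.Accounts, Az.KeyVault, Microsoft.Graph.Authentication and Microsoft.Graph.Users.Actions modules are listed in requirements.psd1, that the certificate was imported into Key Vault with its private key (a Key Vault certificate is readable as a base64 PFX secret by an identity with secret Get permission), and that the app settings TENANT_ID, APP_CLIENT_ID, AZURE_CLIENT_ID, KEYVAULT_NAME, CERT_NAME and SHARED_MAILBOX_UPN are placeholder names of my own:

```powershell
# run.ps1 for an HTTP-triggered PowerShell Function App. Added example, not the
# asker's or Microsoft's code. Module names, app-setting names and addresses are
# assumptions / placeholders; the managed identity needs secret Get on the vault.
param($Request, $TriggerMetadata)

$tenantId      = $env:TENANT_ID             # read from app settings, never hard-coded
$clientId      = $env:APP_CLIENT_ID         # app registration (client) ID
$vaultName     = $env:KEYVAULT_NAME
$certName      = $env:CERT_NAME             # Key Vault certificate name
$sharedMailbox = $env:SHARED_MAILBOX_UPN    # e.g. automation@contoso.com (placeholder)

# 1. Sign in to Azure with the user-assigned managed identity attached to the app.
#    AZURE_CLIENT_ID holds the client ID of that identity (assumed app setting).
Connect-AzAccount -Identity -AccountId $env:AZURE_CLIENT_ID | Out-Null

# 2. Pull the PFX from Key Vault and load it in memory only (no disk, no cert store).
$pfxBase64 = Get-AzKeyVaultSecret -VaultName $vaultName -Name $certName -AsPlainText
$pfxBytes  = [Convert]::FromBase64String($pfxBase64)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    $pfxBytes, $null,
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet)

# 3. App-only Graph session authenticated with the certificate (no signed-in user).
Connect-MgGraph -TenantId $tenantId -ClientId $clientId -Certificate $cert -NoWelcome

# 4. sendMail payload: the shared mailbox is both the URL target (step 5) and the
#    explicit 'from' address, as the answers above describe.
$body = @{
    message = @{
        subject      = 'Automated notification'
        body         = @{ contentType = 'Text'; content = 'Sent from the shared mailbox via Graph.' }
        toRecipients = @(@{ emailAddress = @{ address = 'recipient@contoso.com' } })  # placeholder
        from         = @{ emailAddress = @{ address = $sharedMailbox } }
    }
    saveToSentItems = $true
}

try {
    # 5. POST https://graph.microsoft.com/v1.0/users/{sharedMailboxUPN}/sendMail
    Send-MgUserMail -UserId $sharedMailbox -BodyParameter $body -ErrorAction Stop
    $status = 202
    $text   = "Mail submitted from $sharedMailbox"
}
catch {
    # A 403 / ErrorAccessDenied at this point normally means the app is outside the
    # mailbox's application access policy / RBAC scope, or Mail.Send (Application)
    # has not received admin consent. Log it; do not fall back to another mailbox.
    $status = 500
    $text   = "sendMail failed: $($_.Exception.Message)"
}
finally {
    Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null
}

# Requires an HTTP output binding named 'Response' in function.json.
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = $status
    Body       = $text
})
```

The script deliberately loads the private key with EphemeralKeySet so it never touches the worker's disk or certificate store, and it reads every tenant-specific value from app settings so the function code contains no secrets or identifiers. Restricting which mailboxes the app may send as is done on the Exchange Online side, not in this code.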


  2. AI answer

    2026-04-08T04:18:31.62+00:00

    For an app-only, certificate-based Azure Function that sends mail from a shared mailbox via Microsoft Graph, configure Exchange Online and Graph so the app can send as that mailbox and call the correct Graph endpoint.

    1. Configure Exchange Online for app-only send from a shared mailbox

    With Microsoft Graph application permission Mail.Send, Exchange Online treats the app as being allowed to send mail as any user unless restricted. The app can then send mail from:

    • A dedicated mailbox, or
    • Any shared mailbox, by targeting that mailbox in the Graph call.

    The app-only access example shows that when Mail.Send is granted and consented, a POST to:

    POST /users/{id | userPrincipalName}/sendMail
    

    returns 200 – Access granted. Admin allowed the app to send mail as any user.

    This applies equally to a shared mailbox if it is an Exchange Online mailbox.

    If the organization wants to restrict which mailboxes the app can use, configure an application access policy for the app so it can only send as specific mailboxes (for example, only the shared mailbox). This is done in Exchange Online/Graph, but the details are outside the provided context.

    2. Send As / Send on Behalf permissions for the app

    For Graph application permission Mail.Send, Exchange Online checks whether the client app has that app role. If it does, the call succeeds for /users/{mailbox}/sendMail.

    No additional per-mailbox Send As or Send on Behalf assignment is required for the app itself when using Mail.Send application permission, because the permission already means “send mail as any user” at the service level. Traditional Send As / Send on Behalf assignments (for example, via Set-Mailbox -GrantSendOnBehalf) are for user or shared mailbox delegates, not for app-only Graph access.

    3. Correct Microsoft Graph endpoint for shared mailbox

    To send from a shared mailbox, use the user-specific endpoint and set the from address to the shared mailbox:

    POST /users/{sharedMailboxUPN}/sendMail
    

    The message body should specify the shared mailbox in the from property:

    {
      "message": {
        "subject": "Subject here",
        "body": {
          "contentType": "HTML",
          "content": "Body here"
        },
        "toRecipients": [
          {
            "emailAddress": {
              "address": "******@contoso.com"
            }
          }
        ],
        "from": {
          "emailAddress": {
            "address": "******@contoso.com"
          }
        }
      }
    }
    

    The shared mailbox example in the documentation uses this pattern: set the from property to the address to send from; Graph sets sender automatically based on mailbox permissions.

    Do not use /me/sendMail in an app-only scenario, because there is no signed-in user; /me is for delegated permissions.

    4. Additional configuration beyond Mail.Send

    From the provided context:

    • Mail.Send application permission, with admin consent, allows the app to send mail as any user.
    • Optionally, use application access policies to limit which mailboxes the app can access, even with Mail.Send.

    No additional Graph permissions are required just to send mail from a shared mailbox. User.Read.All is not required for sending, but can be used if the app needs to look up users.

    5. Best practices and common pitfalls

    Best practices

    1. Use application access policies to restrict the app to only the shared mailbox (and any other required mailboxes) so it cannot send as every user.
    2. Use a dedicated shared mailbox for automated mail (for example, ******@contoso.com) to separate automation from human users.
    3. Use app-only authentication with certificate as already configured, and avoid storing secrets in code.
    4. Set the from address explicitly in the message to the shared mailbox address.

    Common pitfalls

    1. Calling /me/sendMail in an app-only context (fails because there is no delegated user).
    2. Forgetting to set the from property when sending from a group or shared mailbox.
    3. Granting Mail.Send application permission without restricting it via application access policies, which allows sending as any mailbox in the tenant.

    In summary:

    • Keep Mail.Send application permission with admin consent.
    • Optionally configure application access policies to restrict the app to the shared mailbox.
    • Use POST /users/{sharedMailboxUPN}/sendMail and set from to the shared mailbox address.
    • No additional Send As / Send on Behalf mailbox permissions are required for the app when using Mail.Send application permission.


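Both answers point at scoping the app so that Mail.Send (Application) cannot be used against every mailbox in the tenant: the moderator recommends RBAC for Applications, and the AI answer mentions application access policies without giving the steps. The following Exchange Online PowerShell is an added example, not taken from either answer or from Microsoft's documentation; it shows each mechanism with its own verification step. It assumes the ExchangeOnlineManagement module, an administrator with the rights to create policies and role assignments, and placeholder values for $appId, $spObjectId (the enterprise application's object ID), $sharedMailbox and $scopeGroup (a mail-enabled security group whose only member is the shared mailbox):

```powershell
# Added example (not from either answer). Run once by an Exchange administrator to
# limit the app's Mail.Send (Application) permission to the shared mailbox.
# Pick ONE mechanism; all IDs and addresses below are placeholders.
$mechanism     = 'RbacForApplications'   # or 'ApplicationAccessPolicy'
$appId         = '00000000-0000-0000-0000-000000000000'   # app registration (client) ID
$spObjectId    = '11111111-1111-1111-1111-111111111111'   # enterprise application object ID
$sharedMailbox = 'automation@contoso.com'
$scopeGroup    = 'graph-mail-send-scope@contoso.com'      # mail-enabled security group
$otherMailbox  = 'someone@contoso.com'                    # control: must be denied

Connect-ExchangeOnline -ShowBanner:$false

if ($mechanism -eq 'ApplicationAccessPolicy') {
    # Deny the app every mailbox except members of $scopeGroup.
    New-ApplicationAccessPolicy -AppId $appId -PolicyScopeGroupId $scopeGroup `
        -AccessRight RestrictAccess `
        -Description 'Function App may send mail only as the shared mailbox'

    # Verify: shared mailbox Granted, any other mailbox Denied. Policies take time to
    # propagate, so repeat the test if the result still shows Granted for the control.
    foreach ($mbx in @($sharedMailbox, $otherMailbox)) {
        $r = Test-ApplicationAccessPolicy -Identity $mbx -AppId $appId
        '{0,-40} {1}' -f $mbx, $r.AccessCheckResult
    }
}
else {
    # RBAC for Applications: register the service principal in Exchange, build a
    # scope that matches only the shared mailbox, and assign the Mail.Send app role
    # inside that scope.
    New-ServicePrincipal -AppId $appId -ObjectId $spObjectId `
        -DisplayName 'Shared mailbox sender (Function App)' | Out-Null
    New-ManagementScope -Name 'SharedMailboxOnly' `
        -RecipientRestrictionFilter "PrimarySmtpAddress -eq '$sharedMailbox'" | Out-Null
    New-ManagementRoleAssignment -App $spObjectId -Role 'Application Mail.Send' `
        -CustomResourceScope 'SharedMailboxOnly' | Out-Null

    # Verify: InScope must be True for the shared mailbox and False for the control.
    foreach ($mbx in @($sharedMailbox, $otherMailbox)) {
        Test-ServicePrincipalAuthorization -Identity $spObjectId -Resource $mbx |
            Select-Object @{n='Mailbox';e={$mbx}}, RoleName, GrantedPermissions, InScope
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

The control mailbox in each verification loop is the part worth keeping: a check that only confirms the shared mailbox is allowed says nothing about whether the tenant's other mailboxes are still exposed, which is exactly the pitfall the AI answer lists under "Common pitfalls".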
