Using Microsoft Graph API for sending email communications

To use the Microsoft Graph API for Legal Hold email communications, you need to register the RelativityOne Legal Hold application in Entra ID and set your processor type to Graph API in RelativityOne. For more information on setting your processor type, see Adding email settings.


When leveraging the Graph API, you must use a Microsoft user email address and licensed mailbox. For more information, see Registering an Azure application and credentials.


This email requires an individual user license to authenticate with the Graph API. You cannot use emails from shared or group mailboxes because application permissions cannot be authenticated with those account types.

Registering an Azure application and credentials

To use the Microsoft Graph API, you need to register the RelativityOne Legal Hold application in Entra ID. Authentication requires a reference to a dedicate Azure application that has the appropriate permission. This needs to be done on the client side by an Azure user with sufficient rights.

Start with registering your app by following the steps below:

Note: The person completing the application registration process needs to be an Azure Administrator with sufficient privileges.

  1. Open your Azure Portal.

  2. Click More Services.

  3. Search for and select Microsoft Entra ID (formerly known as Azure AD).

  4. In the left-navigation menu, click App registrations.

  5. Click New Registration.
    This will open the Register an application page.

  6. Enter an application name in the Name field.

  7. Select Accounts in this organizational directory only as the supported account type.

  8. Enter the redirect URL, http://localhost/, as the sign-on URL.

  9. Click Register.

For more information on registering an application in Azure, see Microsoft's documentation or Microsoft's authentication documentation.

Adding permissions

Next, from the application's page, add permissions to the web API by following the steps below:

  1. Click API Permissions.
  2. Click Add a permission.
  3. Click Microsoft Graph.
  4. Select Delegated Permissions.
  5. Select the following options from the Delegated Permissions section:
    • Mail – Mail.Send, Mail.ReadWrite

    • User – User.Read
  6. Click Add Permission.

  7. Click Grant Permission.

Configuring the redirect URL

In Azure Portal, navigate to the application's Overview page you are using for the integration. Follow the steps below.

  1. Using the left navigation column, click into the Authentication page.

  2. Click the Add a platform button.

  3. Click the Web drop-down text.

  4. Paste in your Redirect URL.

      Notes: Replace the bold part of the URL with your organization's subdomain, domain, and top-level domain.
    • Format: https://{RelativityURL}/Relativity.Rest/API/kCura.LegalHold.Services.ILegalHoldModule/Graph%20Authorization%20Manager/graph-auth-response
    • Example:

  5. Click the Configure button.

For more information on adding a redirect URL to Azure, see Microsoft’s documentation.

Creating a client secret

A client secret from Microsoft Azure AD is needed to integrate Microsoft and Relativity.

To create a client secret:

  1. In the left-navigation menu, click Certificates & secrets.

  2. Navigate to the Client secrets tab.

  3. Click the New Client Secret button.

    Note: Do not navigate away from the page once the client secret is created.

  4. Populate the Description and Expires fields. You can leave the default, or recommended, values.

  5. Click the Add button.
    If the client secret was successfully created, you will see the Client Secret displayed on the table and the Value field should be displayed in plain text.

  6. Copy the Value field and store it safely.

If you leave the page and comeback to get the value the Value field will be masked and you will not be able to copy it

You can repeat steps 4-5 to generate a new client secret.

After you complete registering your app and have your client secret, you need to add this information to your email settings. For more information, see Adding email settings.

Authenticating with Microsoft

After registering the Relativity app in Microsoft, you must authenticate your application ID and password in Relativity, and your user email inbox. For example, To authenticate with Microsoft, follow the steps below.

  1. Open your Relativity instance.

  2. Navigate to the Legal Hold Settings page.

  3. Enter the required email settings fields. For more information, see Fields and Adding email settings.

  4. In the Settings console on the right side of the Legal Hold Settings page, click one of the Authenticate with Microsoft buttons. Click Authenticate with Microsoft (Outgoing) if using the Graph API for outgoing emails or Authenticate with Microsoft (Incoming) if using the Graph API for incoming emails. For more information, see Testing the Outgoing Email settings or Testing your Incoming Email settings.
    Clicking either of these buttons opens a Microsoft login screen.

  5. Authenticate with the user you would like to send or receive communications through.

  6. Click Sign in.

Note: Once set up, if Graph API is not used within 90 days for sending emails, you must authenticate again in RelativityOne. Additionally, if the password for the account you authenticate with changes at any time, you must authenticate again in RelativityOne.

After signing in, Relativity Legal Hold displays a confirmation message telling you that the authentication is complete and that you can close the current tab. At this point, authentication with Microsoft is complete.


  • Application Client ID—enter the Application Client ID created during registering the Legal Hold application in Microsoft 365.

  • Application Client Secret—enter the Application Client Secret created during registering the Legal Hold application in Microsoft 365.

  • Tenant ID/Domain—enter the Domain name of the Microsoft 365 tenant the collection is intended for.

  • From Email Address—leave empty, as Relativity will use the email inbox that you authenticated with.
  • Reply to Email Address—leave empty, as Relativity will use the email inbox that you authenticated with.