INKY Enterprise Applications for Microsoft 365

Written By Matt Sywulak

Last updated 4 months ago

What This Is

INKY uses four Enterprise Applications in Microsoft Entra ID (formerly Azure AD) to protect your organization. Each application handles specific security and management functions, from email protection to directory synchronization.

Who Needs This

All INKY customers using Microsoft 365. Administrators who need to understand or troubleshoot INKY's access permissions should review this article. If you see unexpected permission requests or need to verify INKY's access, this guide explains what each application does.

How INKY Connects to Your Tenant

When you deploy INKY, it registers four Enterprise Applications in your Microsoft Entra ID tenant. You can view these in the Microsoft Entra admin center under Enterprise Applications.

Each application requests specific permissions to perform its security functions. These permissions are granted during initial setup and can be reviewed anytime in your Entra admin center.

The Four INKY Applications

INKY Dashboard SSO

Purpose: Enables single sign-on to the INKY Dashboard using your Microsoft 365 credentials.

When it's used: Every time an administrator logs into the INKY Dashboard using Microsoft SSO instead of username/password.

Required permissions:

  • Sign users in (Delegated)

  • View users' basic profile (Delegated)

  • View users' email address (Delegated)

INKY Phish Fence - Directory Synchronization

Purpose: Synchronizes your organization's user directory, groups, and domain information with INKY's protection engine.

Why it matters: INKY needs to know who's in your organization to detect spear phishing attacks that target specific users or impersonate internal personnel.

Required permissions:

  • Sign in and read user profile

  • Read directory data

  • Read domains

  • Read and write all groups

Special feature: Once this access is granted, you can use the "Check for Missing Domains" tool under Advanced Config > Domain Information. If you discover missing domains, contact INKY support to add them.

Important: This application requires authentication from an Office 365 or Exchange global administrator during initial setup.

INKY - Setup and Maintenance

Purpose: Handles initial deployment, quarantine management, message trace functionality, and ongoing tenant operations.

When it's used: During installation, when viewing quarantined messages, running message traces, and performing administrative tasks.

Required permissions:

  • Sign in and read user profile

  • Read and write all directory RBAC settings

  • Manage apps that this app creates or owns

  • Read and write domains

  • Read directory data

  • Manage Exchange As Application

Why these permissions: INKY needs elevated access to configure mail flow, manage quarantine, and perform administrative functions across your tenant.

Inky Phish Fence Remediation

Purpose: Enables automated threat remediation and graymail folder delivery.

Key capabilities:

  • Remove phishing emails from user mailboxes after delivery

  • Move bulk/promotional mail to users' Graymail folders

  • Remediate threats across your organization instantly

Required permissions:

  • Read and write all user mailbox settings

  • Read and write mail in all mailboxes

  • Sign in and read user profile

Note: This application is only active if you've enabled remediation features or graymail folder delivery in your INKY configuration.

Troubleshooting Permission Issues

"Admin Consent Required" Error

Problem: You see an admin consent prompt when accessing INKY features.

Solution: A global administrator must grant consent for the relevant Enterprise Application in the Microsoft Entra admin center. Navigate to Enterprise Applications, find the INKY app showing the error, and grant admin consent.

Application Not Appearing

Problem: One or more INKY applications aren't visible in your Entra admin center.

Possible causes:

  • The application wasn't configured during initial setup

  • The feature requiring that application isn't enabled in your INKY configuration

  • Application registration failed

Solution: Contact INKY support to verify your configuration and re-register missing applications if needed.

Permission Audit Flags

Problem: Your security team flagged INKY's "Read and write mail in all mailboxes" permission as excessive.

Explanation: This permission is required for remediation features. INKY uses it to remove phishing emails from user mailboxes after threats are identified. Without this permission, INKY can only prevent delivery—it cannot remove threats already in mailboxes.

Options:

  1. Keep remediation enabled and accept the permission (recommended)

  2. Disable remediation features to remove this permission requirement

  3. Implement manual remediation processes using INKY's threat intelligence

Expired or Revoked Credentials

Problem: INKY stops functioning properly, and you see authentication errors.

Symptoms:

  • Directory sync fails

  • Quarantine view doesn't load

  • Remediation stops working

Solution: Re-authenticate the affected Enterprise Application:

  1. Go to Microsoft Entra admin center

  2. Find the failing INKY application

  3. Remove and re-grant consent

  4. Test functionality in INKY Dashboard

Understanding Permission Scope

All permissions are carefully scoped to INKY's security functions:

Delegated permissions require a signed-in user and act on that user's behalf. These are used for Dashboard SSO and similar interactive features.

Application permissions allow INKY to act independently without a signed-in user. These are used for automated protection features like directory sync and remediation.

For detailed information about each Microsoft Graph permission, see Microsoft Graph permissions reference.