FAQs: ACD emails
Microsoft Graph integration FAQs
How do I limit application permissions to specific mailboxes?
To limit app permissions to specific mailboxes, see Microsoft documentation.
Where do I obtain the OAuth 2.0 token endpoint (v2) value from?
The OAuth 2.0 token endpoint comes from your Azure configuration. Add the endpoint when you configure and activate the Microsoft Graph integration.
Is the User.Read permission required?
This permission is required for the integration to work. The permission type is Delegated, not Application. Therefore, also verify that there is a green check mark indicating that admin consent is applied.
Is there a range of IP addresses that we need to add to Azure on our end?
That is not required. Azure will connect with our public endpoints for all notifications.
Is there any configuration to mark the emails as read in the Azure inbox as soon as they are transferred to Genesys Cloud?
Ensure that the Mail.ReadWrite permission is set up in the Azure application. The Microsoft Graph integration marks emails as read once they are transferred to Genesys Cloud.
Can we create a Campaign/Agentless domain with the same name as the inbound domain being used by Microsoft Graph integration?
Yes. Although reuse of domain names is not supported in Genesys Cloud as of now, this particular use case is supported.
How often are emails retrieved from the mailboxes?
Genesys Cloud receives Microsoft async notifications on changes occurring on the Microsoft Exchange server. This includes receipt of new emails. Microsoft Graph integration pulls emails when it receives the notifications on new emails.
Emails are being marked as read in my mailbox, but we have not received the email in Genesys Cloud. What could be wrong?
If emails are marked as read, it means that the system was able to download them. Check the following:
- Check the flow that is associated with the inbound route.
- Open the associated inbound flow and check how emails are being handled.
- Verify that you have agents logged in to the queue used by the workflow.
When an incoming email has multiple recipients from our domain, the email is routed only to one recipient and only one interaction is created in Genesys Cloud. Why?
By default, if an incoming email contains more than one email address that maps to more than one Genesys Cloud route, Genesys Cloud routes to only one of the email addresses. To route the email to all the destinations in the email, enable the Route to Multiple Destinations setting.
Why do we need to give the User.Read permission for the API in Azure?
The permission provides access to the user’s email address. If this permission is not granted, the Microsoft Graph integration is unable to read the related emails. The integration will not be able to process, encrypt, and scan emails. For more information, see Custom Microsoft Graph integration for inbound and outbound emails and Create subscription – Microsoft Graph v1.0. Also note that the permission type is Delegated, and is not Application. For more information, see Microsoft Graph permissions reference – Microsoft Graph.
Is it mandatory to add Genesys Cloud IP addresses to connection filter policy? What is the impact if this step is not performed?
This is optional, but is strongly recommended. It prevents untrusted sources from reaching Microsoft email servers. If an IP is blocked, emails will bounce.
Will there be an authentication issue if the client secret that is set up in Azure and is used with the Graph integration expires?
Yes. When the client secret that you used with the Graph integration has changed or expired, you will face authentication issues unless you make the same change in the Genesys Cloud Graph integration. Note that you cannot have a client secret in Azure without an expiry date. When you change the client secret on the Azure side, or the secret expires, you must make the change in the Graph integration in Genesys Cloud as well. Otherwise, the integration stops working when the token from Microsoft is refreshed, because each request that is sent includes the token's validity. As a best practice, make the change at both ends with no delay. If you make the change with no delay, before the token is refreshed, emails are pulled as expected.
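To catch an expiring secret before the integration stops authenticating, the expiry dates can be read from the app registration's `passwordCredentials` list (each entry has an `endDateTime`) as returned by Microsoft Graph. The following Python check is an added example, not Genesys or Microsoft code; the JSON sample, key IDs, and the 30-day warning window are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of an app registration as returned by Microsoft Graph
# (application resource, passwordCredentials property). All values are made up.
SAMPLE_APP = json.loads("""
{
  "displayName": "graph-mail-integration (constructed)",
  "passwordCredentials": [
    {"keyId": "00000000-0000-0000-0000-000000000001", "displayName": "old",
     "endDateTime": "2024-01-15T00:00:00Z"},
    {"keyId": "00000000-0000-0000-0000-000000000002", "displayName": "current",
     "endDateTime": "2024-03-20T00:00:00Z"},
    {"keyId": "00000000-0000-0000-0000-000000000003", "displayName": "next",
     "endDateTime": "2025-03-01T12:30:00.1234567Z"}
  ]
}
""")


def parse_graph_time(value):
    """Parse a UTC ISO 8601 timestamp ending in Z, tolerating 7-digit fractions."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        # datetime keeps at most microseconds; normalise to exactly 6 digits.
        value = f"{head}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def classify_secrets(app, now, warn_days=30):
    """Return {keyId: 'expired' | 'expiring' | 'ok'} for every client secret."""
    result = {}
    for cred in app.get("passwordCredentials", []):
        end = parse_graph_time(cred["endDateTime"])
        if end <= now:
            status = "expired"
        elif end - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        result[cred["keyId"]] = status
    return result


if __name__ == "__main__":
    for key_id, status in classify_secrets(SAMPLE_APP, datetime.now(timezone.utc)).items():
        print(key_id, status)
```

The script cannot tell which secret is configured in Genesys Cloud; match the reported `keyId` against the secret you entered in the integration.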
What happens when there are not enough SMTP connections available in the pool to deliver the emails?
You can configure a maximum of 100 SMTP connections in a pool. If there are not enough connections, Genesys Cloud queues the email and retries to deliver the message. If there is a delivery failure, Genesys will open a case to investigate the issue and notify you via Support.
What are the IP ranges for ACD email?
For Amazon SES, query the SES’s SPF record for a list of IP addresses from which your email can be sent. For more information, see Amazon SES IP addresses.
For custom SMTP integration, to retrieve a list of IP addresses from which your email can be sent, go to the Genesys Developer Center and use the GET /api/v2/ipranges API.
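An SPF record lists sending addresses as `ip4:`/`ip6:` mechanisms and may delegate to further records with `include:`. The following Python sketch is an added example, not Genesys or AWS code: it extracts the networks from such a record and tests whether a source IP is covered, using constructed domain names and documentation address ranges in place of a live DNS TXT lookup.

```python
import ipaddress

MAX_INCLUDES = 10  # RFC 7208 caps DNS-querying terms per evaluation at 10

# Constructed TXT records (documentation ranges); real values come from DNS.
SAMPLE_DNS = {
    "ses.example": "v=spf1 ip4:192.0.2.0/24 include:extra.ses.example "
                   "ip6:2001:db8::/32 -all",
    "extra.ses.example": "v=spf1 ip4:198.51.100.0/25 ip4:203.0.113.7 ~all",
}


def spf_networks(domain, lookup, seen=None):
    """Collect pass-qualified ip4/ip6 networks, following include: terms."""
    seen = set() if seen is None else seen
    if domain in seen:                 # guard against include loops
        return []
    seen.add(domain)
    if len(seen) - 1 > MAX_INCLUDES:
        raise ValueError("too many include: lookups")
    terms = (lookup(domain) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return []
    networks = []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        if qualifier != "+":
            continue                   # -all, ~all etc. do not authorize senders
        name = name.lower()
        if name in ("ip4", "ip6"):
            networks.append(ipaddress.ip_network(value, strict=False))
        elif name == "include":
            networks.extend(spf_networks(value.lower(), lookup, seen))
    return networks


def is_listed(ip, networks):
    """True if ip falls inside any of the collected networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in networks)


if __name__ == "__main__":
    nets = spf_networks("ses.example", SAMPLE_DNS.get)
    print([str(n) for n in nets], is_listed("198.51.100.10", nets))
```

The `redirect=` modifier and the `a`/`mx` mechanisms are not handled; a record that relies on them needs a full SPF evaluator.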
When an email is directed to Genesys Cloud with multiple email addresses that belong to different queues, why doesn’t the email go to all destination queues?
By default, Genesys Cloud only routes to one email address even when multiple email addresses are included in the email. The email address that is chosen for routing is not predictable. To route to all email addresses specified in the email, enable the Route email to multiple destinations setting.
Do parked emails and reconnected emails count towards utilization?
Genesys Cloud does not include parked/unparked emails and reconnected emails when calculating utilization.
Where can I find more information about AWS’s security measures for email?
For recommendations and best practices from Genesys, see Malware and antispam protection best practices.
For further information on SES and AWS’s approach to security, see the following:
- General information on SES, how it works, and use case examples: https://aws.amazon.com/ses/
- SES security breakdown: https://docs.aws.amazon.com/ses/latest/dg/security.html
- Overview of SES sending authorization: https://docs.aws.amazon.com/ses/latest/dg/sending-authorization-overview.html
- How email sending works in SES: https://docs.aws.amazon.com/ses/latest/dg/send-email-concepts-process.html
- AWS Shared Responsibility Model: https://aws.amazon.com/compliance/shared-responsibility-model/
Is there a secure connection between Genesys Cloud and AWS SES?
For outgoing emails, Genesys Cloud uses opportunistic TLS that Amazon Web Services (AWS) provides; you cannot set forced TLS. For inbound emails, Genesys Cloud uses TLS to receive emails. This means that Amazon SES always attempts to make a secure connection to the Genesys mail server, and Genesys Cloud accepts a message as secure if it is sent as secure. If Amazon SES cannot establish a secure connection, it sends the message unencrypted.
How do I ensure my emails are encrypted?
Conversations are encrypted in transit and internally within the platform while at rest. When the conversation leaves Genesys Cloud, there is no guarantee for encryption. For email delivery that requires encryption or other security protocols, we recommend you use your own server for sending emails. For more information, see Configure and activate the custom SMTP server integration.
How do I enable multiple actions on an email interaction?
Administrators can enable multiple actions on a single email, which allows agents to perform different actions on it, such as replies and forwards, before they disconnect and wrap up the interaction. For more information, see Use the organization’s email domain name.
For more information on how the option appears on the agent desktop, see Reply to or forward an email message interaction.
Why does predictive routing data model retraining fail?
Retraining fails due to insufficient data for certain media types, because of a reduced number of interactions on the queue since activation. For more information, see Predictive routing during KPI processing phase.