
How to integrate Outlook Reporting with CyberPilot

See when your users click the "report" button in Outlook to report suspicious emails when doing phishing training.

When users receive a simulated phishing email and click the "report this mail as phishing" button, you can see these reports in the CyberPilot app. In order to use this feature, you must have a Microsoft Entra ID (formerly Azure AD) integration and set some additional permissions.

 

Prerequisite: Set up the Microsoft Entra ID integration

If you have not already made the Microsoft Entra ID integration, then do that first. Follow the guide here.

When you have set up the Microsoft Entra ID integration, you are ready to set the additional permissions.

Please note that some Microsoft permissions take 24 hours to become active, so be patient 🙂

Will not work on hybrid or on-prem solutions

The Microsoft Report Message Add-in is primarily designed to work with mailboxes hosted in Exchange Online. In a hybrid setup, if user mailboxes are still located on-premises (e.g., Exchange Server 2019), the add-in cannot send report data to Microsoft Defender or Microsoft 365 Security & Compliance. This limitation is what causes the Report Message button to appear grayed out or disabled in Outlook.

This is a technical limitation on Microsoft’s side.

 


 

Part 1: Enable Outlook's reporting feature

With the latest Outlook, the reporting button is enabled by default. 

If you are working with an earlier version, you may need to enable the feature. 

If you see the button in Outlook, then you're good to go. Otherwise, follow Microsoft's guide to enable it. 

 


Part 2: Configure permissions for the report phishing button

Go to the CyberPilot enterprise application you created

  1. Go to https://portal.azure.com/
  2. Go to "App registrations"


  3. Click "All applications" 


  4. Search for the CyberPilot enterprise application you created

  5. Click on the CyberPilot enterprise application you created

 

 

Set permissions for the application

  1. Click "API permissions"


  2.  Click "+Add a permission"


  3. Click "Office 365 Management APIs"


  4. Click "Application permissions"


  5. Under ActivityFeed, select "ActivityFeed.Read"
    1. This gives CyberPilot read access to the submission activity feed


  6. Save by clicking "Add permissions" 

 

Set permissions for the application: Attack simulation

Navigate to Microsoft Graph

  1. Click "API permissions"
  2. Click "+Add a permission"
  3. Click "Microsoft Graph"


  4. Click "Application permissions"


  5. Under AttackSimulation, select "AttackSimulation.Read.All"
    1. This gives CyberPilot read access to attack simulations


  6. Save by clicking "Add permissions"

 

Grant admin consent

  1. Click "Grant admin consent for Company"

  2. In the popup, click "Yes" to confirm grant. 
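
To confirm that consent has taken effect, you can inspect an app-only access token issued to the application: Entra ID lists consented application permissions in the token's "roles" claim. The following is an added example, not CyberPilot's or Microsoft's code; the tokens are constructed samples, the helper names are hypothetical, and the audience URLs are assumptions to compare against the "aud" claim you actually see.

```python
import base64
import json

# Application permissions this guide adds, keyed by token audience.
# The audience URLs are assumptions; compare with the "aud" claim you actually see.
REQUIRED = {
    "https://manage.office.com": {"ActivityFeed.Read"},
    "https://graph.microsoft.com": {"AttackSimulation.Read.All"},
}


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. Diagnostic only: the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token: str) -> dict:
    """Compare the token's 'roles' claim with the permissions from this guide."""
    claims = decode_claims(token)
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud not in REQUIRED:
        raise ValueError(f"unrecognised audience: {aud!r}")
    roles = set(claims.get("roles", []))  # claim is absent when nothing is consented
    return {
        "audience": aud,
        "missing": sorted(REQUIRED[aud] - roles),
        "other": sorted(roles - REQUIRED[aud]),  # review these for least privilege
    }


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed data) so the example runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    ok = constructed_token({"aud": "https://manage.office.com", "roles": ["ActivityFeed.Read"]})
    pending = constructed_token({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]})
    print(check_token(ok))       # nothing missing
    print(check_token(pending))  # AttackSimulation.Read.All not in the token yet
```

Roles listed under "other" come from permissions set elsewhere, such as the base Entra ID integration; review them against what the application actually needs.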


 

Part 3: Let your Customer Success Manager know

When you are finished, please let your Customer Success Manager know.


 

Troubleshooting

If the steps above don't work, here is what you should do next. 

Check the user report type in Microsoft Defender

When reporting a test email in Outlook, you should find this report labeled as a phishing simulation in Microsoft Defender. If not, check your whitelisting again.

 

Check the "Unified Audit Log"

When unified auditing is not enabled in the tenant, the Management Activity API apparently returns the error:

“Microsoft.Office.Compliance.Audit.DataServiceException: Tenant <id> does not exist” during StartSubscription — even though the tenant actually exists.

The solution is to enable the Audit Log in Microsoft Purview (Compliance) and wait until the change takes effect. ⬇️

 

Enable the Audit Log:

Go to Microsoft Purview portal → Audit → Start recording user and admin activity (or similar).

After you make the change, please note that it may take up to approximately 60 minutes before it starts working.

 

 

Still have a question?

Contact us at support@cyberpilot.io