Shared Email Templates for Microsoft Outlook

Create the Shared Email Templates app consent policy


If you're an IT administrator and want to allow individual users or groups of users to consent to Shared Email Templates, this guide will help you create a custom app consent policy for the add-in using PowerShell.

Prerequisites

  1. PowerShell 7.0 or later must be installed.
  2. The Microsoft Graph PowerShell SDK must be installed. To install it, run the following script:
    
    Install-Module Microsoft.Graph -Scope CurrentUser
    Import-Module Microsoft.Graph
    
    
  3. You must have the Global Administrator role.

Create a custom app consent policy for Shared Email Templates 2

  1. To create a custom app consent policy and a custom role, run the following script:
    
    # Connect to MS Graph
    Connect-MgGraph -Scopes "Policy.ReadWrite.PermissionGrant", "RoleManagement.ReadWrite.Directory"
    
    # Get the MS Graph service principal
    $msGraph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    
    # Variables for the custom app consent policy
    $set2PolicyId = "custom-policy-shared-email-templates-2"
    $set2PolicyName = "Shared Email Templates 2 custom consent policy"
    $set2PolicyDescription = "This is custom consent policy for Shared Email Templates 2 app"
    $set2ClientAppId = @(
        "e6f666d5-61ff-4582-8732-cedd9e55cef3"
    )
    $set2ScopeNames = @(
        "openid", "profile", "offline_access", "email", "User.Read", "User.ReadBasic.All", "Mail.Read", "Mail.Read.Shared", # mandatory
        "Sites.Read.All", "Files.ReadWrite.All", # attachments and images
        "Mail.Send", "Mail.Send.Shared" # mail merge campaigns
    )
    $set2ScopeIds = $msGraph.Oauth2PermissionScopes |
        Where-Object { $set2ScopeNames -contains $_.Value } |
        Select-Object -ExpandProperty Id
    
    # Creating the custom app consent policy
    New-MgPolicyPermissionGrantPolicy -Id $set2PolicyId -DisplayName $set2PolicyName -Description $set2PolicyDescription
    New-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId $set2PolicyId -PermissionType "delegated" -PermissionClassification "all" -ClientApplicationIds $set2ClientAppId -Permissions $set2ScopeIds -ResourceApplication $msGraph.AppId
    
    # Variables for the custom role
    $displayName = "Shared Email Templates 2 Users"
    $description = "Allow users to grant consent to Shared Email Templates 2 on behalf of themselves (user consent)."
    $templateId = (New-Guid).Guid
    $rolePermissions = @{
        "allowedResourceActions" = @(
            "microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.$set2PolicyId"
        )
    }
    
    # Creating the custom role in Microsoft Entra ID
    New-MgRoleManagementDirectoryRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -Description $description -TemplateId $templateId -IsEnabled:$true
    
    
  2. Go to the Microsoft Entra admin center.
  3. Sign in as a Global Administrator.
  4. Go to Roles & admins.
  5. Search for the Shared Email Templates 2 Users role, open it, and select Add assignments.
  6. Go to Select member(s).
  7. Select users or groups.
  8. Select Next.
  9. Select Active as Assignment type.
  10. Provide a justification, and then select Assign.

Delete a custom app consent policy and a custom role for Shared Email Templates 2

  1. Run the following script:
    
    # Connect to MS Graph
    Connect-MgGraph -Scopes "Policy.ReadWrite.PermissionGrant", "RoleManagement.ReadWrite.Directory"
    
    # Variables for the custom app consent policy
    $set2PolicyId = "custom-policy-shared-email-templates-2"
    
    # Delete the custom app consent policy by the ID
    Remove-MgPolicyPermissionGrantPolicy -PermissionGrantPolicyId $set2PolicyId
    
    
  2. Go to the Microsoft Entra admin center.
  3. Sign in as a Global Administrator.
  4. Go to Roles & admins.
  5. Search for the Shared Email Templates 2 Users role.
  6. Select the checkbox next to the role, and then select Delete custom role.

Create a custom app consent policy for Shared Email Templates (version 1)

  1. To create a custom app consent policy and a custom role, run the following script:
    
    # Connect to MS Graph
    Connect-MgGraph -Scopes "Policy.ReadWrite.PermissionGrant", "RoleManagement.ReadWrite.Directory"
    
    # Get the MS Graph service principal
    $msGraph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    
    # Variables for the custom app consent policy
    $setLegacyPolicyId = "custom-policy-shared-email-templates-legacy"
    $setLegacyPolicyName = "Shared Email Templates (Legacy) custom consent policy"
    $setLegacyPolicyDescription = "This is custom consent policy for Shared Email Templates (Legacy) app"
    $setLegacyClientAppIds = @(
        "c1e89043-a87e-4168-9620-996b6174f9ce",
        "680093f8-3534-48f1-8dae-3a13343cc03c",
        "6e8e4d5c-1979-4b55-a2e8-a7531167af15",
        "e6f666d5-61ff-4582-8732-cedd9e55cef3"
    )
    $setLegacyScopeNames = @(
        "openid", "profile", "offline_access", "email", "User.Read", "User.ReadBasic.All", "Mail.Read", "Mail.Read.Shared", # mandatory
        "Sites.Read.All", "Files.ReadWrite.All", # attachments and images
        "Mail.Send", "Mail.Send.Shared" # mail merge campaigns
    )
    $setLegacyScopeIds = $msGraph.Oauth2PermissionScopes |
        Where-Object { $setLegacyScopeNames -contains $_.Value } |
        Select-Object -ExpandProperty Id
    
    # Creating the custom app consent policy
    New-MgPolicyPermissionGrantPolicy -Id $setLegacyPolicyId -DisplayName $setLegacyPolicyName -Description $setLegacyPolicyDescription
    New-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId $setLegacyPolicyId -PermissionType "delegated" -PermissionClassification "all" -ClientApplicationIds $setLegacyClientAppIds -Permissions $setLegacyScopeIds -ResourceApplication $msGraph.AppId
    
    # Variables for the custom role
    $displayName = "Shared Email Templates (Legacy) Users"
    $description = "Allow users to grant consent to Shared Email Templates (Legacy) on behalf of themselves (user consent)."
    $templateId = (New-Guid).Guid
    $rolePermissions = @{
        "allowedResourceActions" = @(
            "microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.$setLegacyPolicyId"
        )
    }
    
    # Creating the custom role in Microsoft Entra ID
    New-MgRoleManagementDirectoryRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -Description $description -TemplateId $templateId -IsEnabled:$true
    
    
  2. Go to the Microsoft Entra admin center.
  3. Sign in as a Global Administrator.
  4. Go to Roles & admins.
  5. Search for the Shared Email Templates (Legacy) Users role, open it, and select Add assignments.
  6. Go to Select member(s).
  7. Select users or groups.
  8. Select Next.
  9. Select Active as Assignment type.
  10. Provide a justification, and then select Assign.
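
After running either creation script (Shared Email Templates 2 or version 1), it is worth reading the policy back and comparing it with what was intended before assigning the role. The following is an added example, not code from the vendor's documentation: `Test-AppConsentPolicy` is a hypothetical helper name, and it assumes the same `Connect-MgGraph` session used by the creation script.

```powershell
# Added example (not vendor code). Test-AppConsentPolicy is a hypothetical helper name.
# Run in a session connected with Connect-MgGraph as in the creation scripts.
function Test-AppConsentPolicy {
    param(
        [Parameter(Mandatory)] [string]   $PolicyId,
        [Parameter(Mandatory)] [string[]] $ExpectedClientAppIds,
        [Parameter(Mandatory)] [string[]] $ExpectedScopeNames
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Map Microsoft Graph delegated scope IDs to their names
    $msGraph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    $scopeById = @{}
    foreach ($s in $msGraph.Oauth2PermissionScopes) { $scopeById[$s.Id] = $s.Value }

    # The creation script's Where-Object filter drops a misspelled scope name silently
    foreach ($name in $ExpectedScopeNames) {
        if ($scopeById.Values -notcontains $name) { $findings.Add("Scope not found on Microsoft Graph: $name") }
    }

    $includes = @(Get-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId $PolicyId)
    if ($includes.Count -eq 0) { $findings.Add("Policy '$PolicyId' has no include condition set") }

    foreach ($inc in $includes) {
        if ($inc.PermissionType -ne 'delegated') {
            $findings.Add("Condition set $($inc.Id): permission type is '$($inc.PermissionType)'")
        }
        if ($inc.ResourceApplication -ne $msGraph.AppId) {
            $findings.Add("Condition set $($inc.Id): resource is '$($inc.ResourceApplication)'")
        }
        # A value of 'all', or any ID outside the expected list, widens what users may consent to
        foreach ($app in $inc.ClientApplicationIds) {
            if ($ExpectedClientAppIds -notcontains $app) { $findings.Add("Unexpected client app: $app") }
        }
        foreach ($perm in $inc.Permissions) {
            $name = $scopeById[$perm]
            if (-not $name -or $ExpectedScopeNames -notcontains $name) {
                $findings.Add("Unexpected permission: $perm ($name)")
            }
        }
    }
    return $findings
}

# Values copied from the Shared Email Templates 2 script; use the legacy values to check that policy
$findings = Test-AppConsentPolicy -PolicyId "custom-policy-shared-email-templates-2" `
    -ExpectedClientAppIds "e6f666d5-61ff-4582-8732-cedd9e55cef3" `
    -ExpectedScopeNames "openid", "profile", "offline_access", "email", "User.Read", "User.ReadBasic.All",
        "Mail.Read", "Mail.Read.Shared", "Sites.Read.All", "Files.ReadWrite.All", "Mail.Send", "Mail.Send.Shared"
if ($findings) { $findings } else { "Policy matches the intended apps and scopes." }
```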

Delete a custom app consent policy and a custom role for Shared Email Templates (version 1)

  1. Run the following script:
    
    # Connect to MS Graph
    Connect-MgGraph -Scopes "Policy.ReadWrite.PermissionGrant", "RoleManagement.ReadWrite.Directory"
    
    # Variables for the custom app consent policy
    $setLegacyPolicyId = "custom-policy-shared-email-templates-legacy"
    
    # Delete the custom app consent policy by the ID
    Remove-MgPolicyPermissionGrantPolicy -PermissionGrantPolicyId $setLegacyPolicyId
    
    
  2. Go to the Microsoft Entra admin center.
  3. Sign in as a Global Administrator.
  4. Go to Roles & admins.
  5. Search for the Shared Email Templates (Legacy) Users role.
  6. Select the checkbox next to the role, and then select Delete custom role.
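
Removing the policy and the custom role (for Shared Email Templates 2 or version 1) stops further self-service consent. Delegated grants that users already created are stored as separate oauth2PermissionGrant objects, so it is useful to list them when you retire the policy. The following is an added example, not code from the vendor's documentation: `Get-AddInDelegatedGrant` is a hypothetical helper name, and it assumes a session allowed to read service principals and permission grants (for example, one connected with the `Directory.Read.All` scope).

```powershell
# Added example (not vendor code). Get-AddInDelegatedGrant is a hypothetical helper name.
# Assumes a Connect-MgGraph session that can read service principals and
# oauth2PermissionGrants (for example with the Directory.Read.All scope).
function Get-AddInDelegatedGrant {
    param([Parameter(Mandatory)] [string[]] $ClientAppIds)

    $msGraph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    foreach ($appId in $ClientAppIds) {
        # Grants reference the service principal object ID, not the application (client) ID
        $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
        if (-not $sp) { Write-Verbose "No service principal for $appId in this tenant"; continue }

        Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
            Where-Object { $_.ResourceId -eq $msGraph.Id } |   # Microsoft Graph grants only
            ForEach-Object {
                [pscustomobject]@{
                    AppId       = $appId
                    GrantId     = $_.Id
                    ConsentType = $_.ConsentType   # Principal = one user, AllPrincipals = tenant-wide
                    PrincipalId = $_.PrincipalId   # empty for AllPrincipals grants
                    Scopes      = @($_.Scope -split '\s+' | Where-Object { $_ })
                }
            }
    }
}

# Client application IDs listed in the scripts on this page
$grants = Get-AddInDelegatedGrant -ClientAppIds @(
    "c1e89043-a87e-4168-9620-996b6174f9ce",
    "680093f8-3534-48f1-8dae-3a13343cc03c",
    "6e8e4d5c-1979-4b55-a2e8-a7531167af15",
    "e6f666d5-61ff-4582-8732-cedd9e55cef3"
)
$grants | Sort-Object AppId, ConsentType |
    Format-Table AppId, ConsentType, PrincipalId, Scopes -AutoSize

# Grants that carry a scope from the page's "mail merge campaigns" group
$grants | Where-Object { $_.Scopes -contains 'Mail.Send' -or $_.Scopes -contains 'Mail.Send.Shared' }
```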
