ContactMonkey is significantly reducing its Microsoft Graph access from broad directory permissions (Directory.Read.All) to targeted group membership access (GroupMember.Read.All). This ensures ContactMonkey only accesses the specific data required for your distribution list expansions.
⚠️ Important: The Exchange Web Services (EWS) integration is also migrating to the Exchange Online Admin API. If your organization uses this expansion method, please follow the steps here to complete that update separately.
What is the GroupMember.Read.All Permission?
GroupMember.Read.All reduces the scope of the permissions required for our Microsoft Graph integration. By lowering this permission from Directory.Read.All to GroupMember.Read.All, you are ensuring that our presence in your Microsoft tenant is less intrusive, enhancing security for your organization while keeping ContactMonkey functionality the same.
For more information on API permissions, click here: API Permissions and Utility Account Access Explained
Actions Required to Prepare Your Tenant
To enable this transition, your IT team will need to grant a specific permission for the integration. A ContactMonkey Admin or Owner can go to Settings → Integrations to see which account is being used for the EWS and Exchange Admin Utility Account tiles. Note whether the connected account is an individual user account or a dedicated service account — this matters if you want to standardize on a service account (see below).
1. Update API Permissions (IT Admin)
| API Resource | Permission Type | Scope |
| Microsoft Graph | Delegated | GroupMember.Read.All |
Your IT Administrator must update the ContactMonkey-Utility enterprise app registration in Microsoft Entra ID (Azure AD) with the above scopes.
To enable the GroupMember.Read.All permission, please use the following Admin Consent URL:

You will be redirected to a login screen—you are not required to enter your credentials if you do not have a ContactMonkey account.
2. ContactMonkey "Flips the Switch"
Once administrative consent is granted, contact our Technical Support team at support@contactmonkey.com. They will manually disable the legacy Directory.Read.All permission for your account. This step must be completed before Step 3 can take place.
3. Account Reconnection
Once Support confirms the change from Step 2, a ContactMonkey Administrator must reconnect the integration:
- Click your name at the top right of the ContactMonkey dashboard
- Click Settings
- Click Integrations
- Sign out of the Graph Utility Account tile
- Sign back in with the same credentials that were originally connected
4. Run a Test Count
- Click Show Details in the Graph Utility Account tile
- In the Distribution List field, enter one or more distribution list email addresses (comma-separated)
- Click Test Count
- Results will be emailed to you
4.1 Interpret Results
✅ Success: The recipient count matches your expected number
- Your expansion is configured correctly
- All users in your organization can now send tracked emails to distribution lists
❌ Inaccurate Count: The number doesn't match expectations
- Click here for diagnostic steps
- You may need to modify the distribution list type
- Consider alternative approaches like CSV upload or List Management
⚠️ Account Shows "Inactive":
- This typically means OAuth tokens have expired
- Running a test count should reactivate the account
- If it remains inactive, sign out and sign back in
- Click here for more details
Replacing a User Account with a Service Account
If you go to Settings → Integrations and see that an individual user account is logged in for the Graph Utility Account, you can replace it with a dedicated service account. A service account avoids disruptions caused by employee turnover, password changes, or MFA prompts tied to a person.
- Confirm your service account meets the requirements for distribution list expansion (a working mailbox and the appropriate license).
- Ensure the IT Admin has granted
GroupMember.Read.Allconsent for the ContactMonkey-Utility app (Step 1 above). - In Settings → Integrations, click Sign out on the Graph Utility Account tile to disconnect the current user account.
- Click to sign in again and authenticate with the service account credentials.
- Run a Test Count (see Step 4 above) to confirm the service account expands distribution lists correctly.
Note: If you are unsure whether changing the underlying account requires any additional backend action, contact support@contactmonkey.com before reconnecting.
