FAQs: ACD emails

By default, CGR first checks whether the current queue is under stress. Therefore the first CGR rule is always the current queue and cannot be changed.

The SL % is calculated based on the interactions that are answered during the span of 30 minutes preceding the time the routing system calls the analytics API to run a CGR rule. If there are no interactions in the 30 minutes, the SL % cannot be calculated. As a result, the CGR rule evaluation will fail and routing will move to the next CGR rule evaluation, if available.

Ensure you add that groups that are required for CGR are as members to the queue. After you create the needed groups or work teams, add them as members to the queue.

The Graph integration I setup in Genesys Cloud is active and when I test the integration using the Test option, the integration is successful. Despite that, I am unable to send and receive emails through the integration.

If you still face issues, check for the following:

• Check that a valid license is assigned to the mailbox you are connecting to. Each mailbox should have a license associated with it.

• Ensure that you have no application policy that is preventing access to the mailbox. For more information, see Role Based Access Control for Applications in Exchange Online.

• Ensure that the registration is active on the Azure side. To restart the registration, disable and enable the Graph integration again.

• Every time you update your Azure configuration, disable/enable the Graph integration so that the registration is refreshed with the new settings.

What are the minimal Azure permissions required for the Genesys Cloud Graph integration to work?

At the minimum, you will need the following three permissions for the Graph integration to work:

• Mail.ReadWrite – type Application
• Mail.Send – type Application
• User.Read – type Delegated

Verify that you see a green check mark indicating Admin consent is applied.

How do I limit application permissions to specific mailboxes?

To limit app permissions to specific mailboxes, see Mircosoft documentation. 

Where do I obtain the OAuth 2.0 token endpoint (v2) value from?

The OAuth 2.0 token endpoint comes from your Azure configuration. Add the endpoint when you configure and activate the Microsoft Graph integration.

Is the User.Read permission required?

This permission is required for the integration to work. The Type is Delegated and is not Application. Therefore, verify that there is a green check mark indicating admin consent is applied as well.

Is there a range of IP addresses that we need to add to the Azure from our end?

That is not required. Azure will connect with our public endpoints for all notifications.

Is there any configuration to mark the emails as read in the Azure inbox as soon as they are transferred to Genesys Cloud?

Ensure that the Mail.ReadWrite permission is set up in the Azure application. The Microsoft Graph integration marks the email as read once they are transferred to Genesys Cloud. 

Can we create a Campaign/Agentless domain with the same name as the inbound domain being used by Microsoft Graph integration?

Yes. Although reuse of domain names is not supported in Genesys Cloud as of now, this particular use case is supported.

How often are emails retrieved from the mailboxes?

Genesys Cloud receives Microsoft async notifications on changes occurring on the Microsoft Exchange server. This includes receipt of new emails. Microsoft Graph integration pulls emails when it receives the notifications on new emails.

Emails are being marked as read in my mailbox, but we have not received the email in Genesys Cloud. What could be wrong?

If emails are marked as read, it means that the system was able to download them. Check the following:

1. Check the flow that is associated with the inbound route.

2. Open the associated inbound flow and check how emails are being handled.

3. Verify that you have have agents logged in the queue used by the workflow.

When an incoming email has multiple recipients from our domain, the email is routed only to one recipient and only one interaction is created in Genesys Cloud. Why?

By default, if an incoming email contains more than one email address that maps to more than one Genesys Cloud route, Genesys Cloud routes to only one of the email addresses. To route the email to all the destinations in the email, enable the Route to Multiple Destinations setting.

Why do we need to give the User.Read permission for the API in Azure?

The permission provides access to the user’s email address. If this permission is not granted, the Microsoft Graph integration is unable to read the related emails. The integration will not be able to process, encrypt, and scan emails. For more information, see Custom Microsoft Graph integration for inbound and outbound emails and Create subscription – Microsoft Graph v1.0.  Also note that the permission type is Delegated, and is not Application. For more information, see Microsoft Graph permissions reference – Microsoft Graph.

Is it mandatory to add Genesys Cloud IP addresses to connection filter policy? What is the impact if this step is not performed?

This is optional, but is strongly recommended. It avoids untrusted sources from reaching Microsoft email servers. If an IP is blocked, emails will bounce.

Will there be an authentication issue if the client secret that is set up in Azure and is used with the Graph integration expires?

Yes, when the client secret you used with the Graph integration has changed or expired, you will face authentication issues unless you make the change in the Genesys Cloud Graph integration too. Note that you cannot have a client secret in Azure without an expiry date. When you change the client secrets on the Azure side or the secrets expire, you must ensure you make the change in the Graph integration in Genesys Cloud as well. Otherwise, the integration will not work when the token from MS is refreshed. Because each time a request is sent, it includes the token’s validity. A best practice is to do changes at both ends with no delay. And if you make any changes with no delay, before the token is refreshed, emails will be pulled as expected.

You can configure a maximum of 100 SMTP connections in a pool. If there are not enough connections, Genesys Cloud queues the email and retries to deliver the message. If there is a delivery failure, Genesys will open a case to investigate the issue and intimate you via Support. 

For Amazon SES, query the SES’s SPF record for a list of IP addresses from which your email can be sent. For more information, see Amazon SES IP addresses.

For custom SMTP integration, to retrieve a list of IP addresses from which your email can be sent, go to the Genesys Developer Center and use the GET /api/v2/ipranges API.

By default, Genesys Cloud only routes to one email address even when multiple email addresses are included in the email. The email address that is chosen for routing is not predictable. To route to all email addresses specified in the email, enable the Route email to multiple destinations.

Genesys Cloud does not include parked/unparked emails and reconnected emails to calculate utilization. 

For recommendations and best practices from Genesys, see Malware and antispam protection best practices. 

For further information on SES and AWS’s approach to security, see the following:

• General information on SES, how it works, and use case examples: https://aws.amazon.com/ses/
• SES security breakdown: https://docs.aws.amazon.com/ses/latest/dg/security.html
• Overview of SES sending authorization: https://docs.aws.amazon.com/ses/latest/dg/sending-authorization-overview.html
• How email sending works in SES: https://docs.aws.amazon.com/ses/latest/dg/send-email-concepts-process.html
• AWS Shared Responsibility Model: https://aws.amazon.com/compliance/shared-responsibility-model/

For outgoing emails, Genesys Cloud uses opportunistic TLS that Amazon Web Services (AWS) provides; you cannot set forced TLS. For inbound emails, Genesys Cloud uses TLS to receive emails. This means that Amazon SES always attempts to make a secure connection to the Genesys mail server, and Genesys Cloud accepts a message as secure if it is sent as secure. If Amazon SES cannot establish a secure connection, it sends the message unencrypted.