Skip to main content

Tezi technical setup for Microsoft 365 organizations

Updated over a month ago

This article covers technical setup for Max, your new autonomous AI recruiting partner from Tezi. There are four main steps:

  1. Set up Max's sourcing email: Create an email address that Max will use to send sourcing emails to prospective candidates

    1. Must be completed by a DNS administrator

  2. Set up Max's Microsoft 365 account and email forwarding: Create a Microsoft 365 account that Max will use to email candidates and schedule interviews

    1. Must be completed by a Microsoft administrator with user and Exchange management permissions

  3. Approve the Tezi enterprise application: Grant Tezi's service the appropriate privileges to email candidates and schedule interviews

    1. Must be completed by a Microsoft administrator with app management permissions

  4. Inform the Tezi team that you have completed technical set-up

See below for detailed instructions on each step. Completing this process typically takes 30-45 minutes.

Part 1: Set up Max's sourcing email

Tezi will send outbound sourcing emails to prospective candidates on behalf of your company. While Tezi prioritizes high-quality matches in sourcing, some emails may be marked as spam by prospects. To safeguard your domain's email reputation and deliverability, this section describes how to set up a dedicated subdomain (hey.[yourdomain]) for Max's sourcing emails in your DNS provider. The steps below also enable Tezi to use SendGrid’s Email Platform to send these emails.

Before you begin, please ensure you have the CNAME records provided by your Tezi Customer Success Manager.

If helpful, here are links for how to update DNS records at common DNS providers:

For all steps below, please check that your new DNS records follow the format required by your DNS provider, e.g., MX record ends with a period if required.

1. Sign in to your DNS provider

2. Add CNAME records

Tezi uses Sendgrid’s automated security, which means SendGrid generates three CNAME records that, when added to a domain’s DNS provider, allow SendGrid to manage two main types of email authentication:

  • Sender Policy Framework (SPF): this is an email authentication protocol that allows domain owners to specify which mail servers are authorized to send emails on behalf of their domain.

  • DomainKeys Identified Mail (DKIM): this is an email authentication method that allows the sender to sign their emails with a cryptographic signature, enabling the recipient's server to verify that the email was sent from an authorized source and that its content hasn't been altered in transit.

You should have received three SendGrid-generated CNAME records from your Tezi Customer Success Manager. Please add these CNAME records to your DNS provider. They will enable Tezi to use SendGrid to send fully authenticated emails from the subdomain (but not your company's main domain).

3. Add an MX record for the subdomain hey.[yourdomain]

When candidates respond to sourcing emails, Tezi has configured those replies to go to the Tezi email account that you will set up in Parts 2 and 3. However, in some cases, candidates might email Max's subdomain address (max.tezi@hey.[yourdomain]) directly. In order for Tezi to receive these emails, you will need to add a record to your DNS provider that signals that any inbound emails to Max's subdomain will be handled by Tezi (through Sendgrid’s email parsing infrastructure):

  1. Add an MX record for the hey.[yourdomain] subdomain with the following values:

    1. Priority: 10

    2. Mail server value: mx.sendgrid.net

Please ensure you add this record at the subdomain level, not at the top-level domain. Otherwise, this may interfere with emails for your overall company domain.

4. Create a DMARC record for your subdomain

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM. It allows domain owners to specify what receiving mail servers should do with emails that do not pass SPF or DKIM checks, e.g., mark as spam, reject, etc.

If your subdomain does not have a DMARC record, Tezi will still work. However, we recommend creating one as a general security practice. A DMARC record will protect against unauthorized parties spoofing your subdomain. It will also improve email deliverability by giving email providers more confidence in the authenticity of emails from your subdomain.

To create a DMARC record:

  1. Add a TXT record with the name _dmarc.hey or _dmarc.hey.[your domain] (varies by DNS provider) and your desired DMARC options. We recommend the following values: v=DMARC1; p=none; rua=mailto:[any valid email address in your organization]

    1. The specified email address will receive summary reports of email traffic and authentication results.

    2. p=none means that no action will be taken on emails that fail SPF and DKIM; they will be delivered as usual. This is our recommended starting point for a DMARC policy. Over time, as you learn about email traffic on your domain from the summary reports, you can update your DMARC record to take different actions on unauthenticated emails.

    3. There are many options for configuring your DMARC policy/record. See Define your DMARC record by Google to learn more.

    4. Please ensure you add this record at the subdomain level, not at the top-level domain. Otherwise, this may interfere with emails for your overall company domain.

5. Verify that DNS updates were successful

To confirm that your DNS updates were successful, enter the sourcing subdomain you created into Tezi's DNS Validation tool (in beta). For example, Tezi's sourcing subdomain for Max is hey.tezi.ai:

If your DNS updates were entered correctly, the tool will confirm that MX, CNAME, and DMARC records all look as expected:

Please troubleshoot any DNS errors as needed. Feel free to reach out to the Tezi team for any help with troubleshooting.

Part 2: Set up Max's Microsoft 365 account and email forwarding

Max needs a calendar for scheduling interviews and an email address for emailing candidates. Max's emails need to be forwarded to [email protected] for processing, and Tezi Support needs access to Max's account in order to provide ongoing support.

1. Create an account for Max

Follow the steps below or see Microsoft's instructions for adding new users.

  1. Go to Microsoft Azure -> Microsoft Entra ID.

  2. In the sidebar, select Manage -> Users.

  3. Click New user -> Create new user.

  4. Use the following values for the new user:

    1. User principal name: max.tezi@[yourdomain].com

    2. Mail nickname: select Derive from user principal name

    3. Display name: Max AI Recruiter

    4. Password: select Auto-generate password

    5. Account enabled: check this box

  5. Save the password in a secure location.

  6. Click Review + create to create the user.

2. Send account access to Tezi

Tezi Support needs access to Max's account to complete Tezi-side technical setup and to occasionally debug and resolve candidate correspondence and interview scheduling issues.

  1. If your organization does not use an SSO provider (such as Okta or OneLogin), then email 1) the new username and 2) the password to [email protected].

    1. You can do this via an encrypted email if you prefer and if your organization's Outlook includes this capability.

  2. If your organization uses an SSO provider, then you’ll follow the steps below. The exact process will vary depending on which SSO provider you use.

    1. Create an account for max.tezi@[yourdomain].com in your SSO provider

    2. Grant Max’s account access to log in to Microsoft 365

    3. Send the account sign-in instructions to [email protected]

      1. You can do this via an encrypted email if you prefer and if your organization's Outlook includes this capability.

3. Assign a Microsoft 365 license to Max

Follow the steps below or see Microsoft's instructions for assigning licenses.

  1. Go to the Microsoft 365 admin center.

  2. Click on Max's new account -> open the Licenses and apps panel.

  3. Assign a Microsoft 365 license to Max. Max needs a license with access to 1) Outlook, 2) Calendar, and 3) Teams.

4. Enable email forwarding for Max's new email address

Automatic email forwarding is blocked by Microsoft's default outbound spam policies. To enable automatic email forwarding, configure a custom outbound spam policy in Microsoft Defender using these Microsoft instructions. If your organization already has a custom outbound spam policy that allows automatic email forwarding, you can also add Max's user to the existing policy instead of creating a new one.

If you choose to set up a new policy, we recommend the following configuration:

  • On the Name your policy page:

    • Policy name: Tezi AI Recruiter email forwarding

  • On the Users, groups, and domains page:

    • Affected users: only Max's new user, i.e., max.tezi@[yourdomain].com

  • On the Protection settings page, in the Forwarding rules section:

    • Select On - Forwarding is enabled

5. Set up email forwarding for Max's new email address

Forward emails received by max.tezi@[yourdomain].com to [email protected] for processing. You can follow the steps below or see Microsoft's instructions for configuring email forwarding.

  1. Go to the Microsoft 365 admin center.

  2. Click on Max's new account -> open the Mail panel.

  3. Set up email forwarding.

    1. Select Forward all emails sent to this mailbox

    2. Use [email protected] as the forwarding email address

    3. Select Keep a copy of forwarded email in this mailbox

Part 3: Approve the Tezi enterprise app

In order for the Tezi service to schedule interviews and correspond with candidates, it needs to be able to do the following:

  • Ask users at your company to grant Tezi read-only access to their Calendar.

    • Tezi will only request Calendar read-only access and only from interviewers. Our service uses this information to understand interviewer availability for scheduling.

  • Ask max.tezi@[yourdomain].com to grant Tezi full management access to its Calendar and email send permissions for Outlook.

    • Tezi Support will briefly log in as max.tezi@[yourdomain].com to grant the Tezi app’s requests for these permissions. Our service uses this access to send emails and interview calendar invites from max.tezi@[yourdomain].com.

If your organization's Microsoft 365 is set up to not allow user consent for apps, then an admin needs to grant consent to the Tezi app to access necessary calendar and email data:

  1. Go to Microsoft Azure -> Microsoft Entra ID.

  2. In Overview, copy your Tenant ID.

  3. Paste your Tenant ID into the <your_tenant_id> section of the following URL: https://login.microsoftonline.com/<your_tenant_id>/adminconsent?client_id=e1d5373a-be1f-4a78-b1ee-c782c5881913&redirect_uri=https://app.tezi.ai/handle-outlook-admin-consent

    1. Do not drop any characters or add any whitespace in your Tenant ID.

  4. Navigate to the URL.

  5. Log in with your Microsoft admin credentials.

  6. Grant consent for the requested permissions for the Tezi app.

Part 4: Inform the Tezi team via email that you have completed technical setup

Once you have configured your DNS records, created Max's Microsoft account with appropriate service access and email forwarding, and approved the Tezi enterprise app, you have completed all non-ATS technical setup for Tezi. The Tezi team will now complete additional, final setup in Tezi's system.

That's it! We look forward to making stellar hires with your team.

Did this answer your question?