
Configure SMTP with OAuth2 for Microsoft 365

Configure SecureAuth to send emails through Microsoft 365 using OAuth2 (an application identity authenticating with SMTP AUTH XOAUTH2) instead of basic authentication (a mailbox username and password). Microsoft is retiring basic authentication for SMTP AUTH in Exchange Online, and the OAuth2 approach removes the stored mailbox password from SecureAuth entirely: the platform holds only a client secret scoped to the single SMTP.SendAsApp permission.

Prerequisites

  • Available in the following Identity Platform product releases:

    • Identity Platform release 24.04 with update 24.4.5 or later

    • Identity Platform release 23.07 with hotfix 23.07-13 or later

    • Identity Platform release 22.12 with hotfix 22.12-14 or later

    • Identity Platform release 21.04 with hotfix 21.04-16 or later

  • Microsoft 365 tenant administrator access

  • Azure Portal administrative permissions

  • PowerShell with ExchangeOnlineManagement module

  • SecureAuth administrator access

Register application in Azure Portal

Create and configure an Azure Active Directory (Microsoft Entra ID) application that SecureAuth will authenticate as when it connects to the SMTP server.

  1. Open the Azure Portal.

  2. Go to App registrations.

  3. Click New registration.

  4. Configure the application settings:

    • Name – Enter a descriptive name (example: "SMTP Mailer application")

    • Supported account types – Select Accounts in this organizational directory only

    • Redirect URI – Leave blank

  5. Click Register.

    [Screenshot: smtp_ms365_001.png]
  6. Record these values from the Overview page:

    • Application (client) ID

    • Directory (tenant) ID

Create client secret

Generate a client secret for application authentication.

  1. In your application, go to Certificates & secrets.

  2. Click New client secret.

  3. Add a description and set the expiration period.

  4. Click Add.

  5. Copy the secret value immediately and store it securely.

    Warning

    The secret value displays only once. You cannot retrieve it later.

Assign API permissions

Grant the application permission to send emails through Microsoft 365.

  1. Go to API permissions.

  2. Click Add a permission > APIs my organization uses.

  3. Search for and select Office 365 Exchange Online.

  4. Choose Application permissions.

  5. Add these permissions:

    • SMTP.SendAsApp

      [Screenshot: smtp_ms365_002.png]
    • Mail.Send

      [Screenshot: smtp_ms365_003.png]
  6. Click Add permissions.

  7. Click Grant admin consent to approve the permissions.

Register service principal in Exchange Online

Register the application's service principal in Exchange Online and configure mailbox permissions.

Install and connect to Exchange Online PowerShell

  1. Install the Exchange Online Management module (one-time, requires an elevated PowerShell session or -Scope CurrentUser):

    Install-Module -Name ExchangeOnlineManagement
  2. Import the module:

    Import-Module ExchangeOnlineManagement
  3. Connect to your tenant as an Exchange administrator (replace tenantId with your Directory (tenant) ID):

    Connect-ExchangeOnline -Organization <tenantId>

Register the service principal

  1. Register the service principal using the New-ServicePrincipal cmdlet:

    New-ServicePrincipal -AppId <APPLICATION_ID> -ObjectId <OBJECT_ID> [-Organization <ORGANIZATION_ID>]
  2. Find the correct Object ID:

    1. In Azure Portal, go to Enterprise applications.

    2. Find your application in the list.

    3. Copy the Object ID from the Overview page (in the example screenshot the value begins with "6d"; yours will differ).

      [Screenshot: smtp_ms365_004.png]

    Important

    Use the Object ID from the Enterprise Application, not from App Registrations. Using the wrong Object ID causes authentication failure.

  3. Verify the registration:

    Get-ServicePrincipal | Format-List

Configure mailbox permissions

  1. Grant the service principal access to the mailbox SecureAuth will send from, using the Add-MailboxPermission cmdlet with the Enterprise Application Object ID as the user:

    Add-MailboxPermission -Identity "user@yourdomain.com" -User <SERVICE_PRINCIPAL_ID> -AccessRights FullAccess
  2. Repeat for each mailbox that needs to send emails through the application.

    Important

    FullAccess grants the application read and write access to the entire mailbox, not only the right to send from it. Grant it on a dedicated sending mailbox (for example a no-reply mailbox) rather than on a person's mailbox.
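The following script is an added example, not part of the original page or the SecureAuth product: it performs the Exchange Online steps above end to end (connect, register the service principal, grant the mailbox, verify) in a form that is safe to re-run. The admin UPN, Application ID, Enterprise Application Object ID and mailbox address are placeholders; replace them with your own values. It signs in interactively with -UserPrincipalName rather than the -Organization form used above, and it adds one check the page does not show: whether SMTP AUTH is disabled on the mailbox, which blocks the XOAUTH2 login even with a valid token.

```powershell
# Added example (not from the original page): register the SMTP OAuth2 service
# principal in Exchange Online, grant the sending mailbox, and verify both.
# Requires the ExchangeOnlineManagement module and an Exchange administrator.
# All values below are placeholders (assumptions); replace them.

$AdminUpn           = "admin@yourdomain.com"                    # interactive admin sign-in
$AppId              = "11111111-1111-1111-1111-111111111111"    # Application (client) ID
$EnterpriseObjectId = "6d000000-0000-0000-0000-000000000000"    # Object ID from *Enterprise applications*
$SenderMailbox      = "noreply@yourdomain.com"                  # dedicated sending mailbox

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Register the service principal once; re-running must not create duplicates.
$Existing = Get-ServicePrincipal -Identity $AppId -ErrorAction SilentlyContinue
if (-not $Existing) {
    New-ServicePrincipal -AppId $AppId -ObjectId $EnterpriseObjectId -DisplayName "SMTP Mailer application" | Out-Null
} elseif ($Existing.ObjectId -ne $EnterpriseObjectId) {
    # An Object ID copied from App registrations instead of Enterprise applications
    # is the classic cause of authentication failure; fix it, do not add a second entry.
    throw "Service principal for $AppId exists with ObjectId $($Existing.ObjectId), expected $EnterpriseObjectId"
}
Get-ServicePrincipal -Identity $AppId | Format-List DisplayName, AppId, ObjectId

# FullAccess is the right Exchange requires for SMTP.SendAsApp, but it also lets
# the application read the whole mailbox, so grant it only on a dedicated sender.
if (-not (Get-MailboxPermission -Identity $SenderMailbox -User $EnterpriseObjectId -ErrorAction SilentlyContinue)) {
    Add-MailboxPermission -Identity $SenderMailbox -User $EnterpriseObjectId -AccessRights FullAccess | Out-Null
}
Get-MailboxPermission -Identity $SenderMailbox -User $EnterpriseObjectId | Format-List User, AccessRights

# SMTP AUTH disabled on the mailbox refuses the XOAUTH2 login regardless of the
# token. $null means the mailbox inherits the tenant-wide setting.
$Cas = Get-CASMailbox -Identity $SenderMailbox
if ($Cas.SmtpClientAuthenticationDisabled -eq $true) {
    Write-Warning "SMTP AUTH is disabled on $SenderMailbox; enable it with Set-CASMailbox -Identity $SenderMailbox -SmtpClientAuthenticationDisabled `$false"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run the script from an elevated PowerShell session after the Azure Portal steps are complete. The two Format-List calls print exactly what the Identity Platform configuration later depends on: the registered Object ID and the FullAccess grant on the sending mailbox.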

Configure Identity Platform email settings

Update the SecureAuth Identity Platform to use OAuth2 authentication for email sending.

  1. Log in to the Identity Platform as an administrator.

  2. Go to the Overview tab > Advanced Settings section > click Email Settings.

    [Screenshot: smtp_ms365_005.png]
  3. Set Use modern SMTP Authentication to True.

    Result: A new SMTP section appears.

    [Screenshot: smtp_ms365_006.png]
  4. Configure the SMTP settings:

    Setting                    Value
    SMTP Client Server         smtp.office365.com
    Port                       587 (STARTTLS)
    Application (client) ID    The Application (client) ID recorded from the Azure Portal Overview page
    Client Secret              The client secret value copied when the secret was created
    Directory (tenant) ID      The Directory (tenant) ID recorded from the Azure Portal Overview page
    Authorized from Address    The mailbox the service principal was granted FullAccess to; SecureAuth sends from this address

  5. Save your changes.

Test the configuration

Verify that email sending works correctly with the OAuth2 configuration.

  1. Trigger a test email from SecureAuth (such as a password reset or MFA notification).

  2. Check that the email arrives at the intended recipient.

  3. Monitor SecureAuth logs for any authentication errors.
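When a test email does not arrive, it helps to exercise the same path SecureAuth uses without SecureAuth in the loop, so that a failure can be pinned on the Azure or Exchange side. The following script is an added example, not part of the original page or the SecureAuth product: it obtains a client-credentials token for Exchange Online, checks that the token actually carries the SMTP.SendAsApp role, and then speaks SMTP by hand to smtp.office365.com on port 587 (STARTTLS, AUTH XOAUTH2, one test message). The tenant ID, client ID, addresses and message text are placeholders; the XOAUTH2 initial-response format (user=<address>, Ctrl-A, auth=Bearer <token>, Ctrl-A, Ctrl-A) is the standard SASL XOAUTH2 encoding.

```powershell
# Added example (not from the original page): test OAuth2 client credentials +
# SMTP XOAUTH2 against Exchange Online without SecureAuth. Placeholders are assumptions.

$TenantId     = "00000000-0000-0000-0000-000000000000"   # Directory (tenant) ID
$ClientId     = "11111111-1111-1111-1111-111111111111"   # Application (client) ID
$ClientSecret = Read-Host -AsSecureString -Prompt "Client secret"
$FromAddress  = "noreply@yourdomain.com"                  # the Authorized from Address
$ToAddress    = "admin@yourdomain.com"

# 1. Client-credentials token. The /.default scope on the Outlook resource is
#    what pulls the consented SMTP.SendAsApp application permission into the token.
$PlainSecret = [System.Net.NetworkCredential]::new("", $ClientSecret).Password
$Token = Invoke-RestMethod -Method Post -ContentType "application/x-www-form-urlencoded" `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{ grant_type = "client_credentials"; client_id = $ClientId
             client_secret = $PlainSecret; scope = "https://outlook.office365.com/.default" }
$AccessToken = $Token.access_token

# 2. Decode the payload (no signature check, diagnostics only) and confirm the role.
$Payload = $AccessToken.Split('.')[1].Replace('-', '+').Replace('_', '/')
switch ($Payload.Length % 4) { 2 { $Payload += '==' } 3 { $Payload += '=' } }
$Claims = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Payload)) | ConvertFrom-Json
if ($Claims.roles -notcontains "SMTP.SendAsApp") {
    throw "Token has no SMTP.SendAsApp role; check API permissions and admin consent. roles=$($Claims.roles -join ',')"
}

# 3. SASL XOAUTH2 initial response: "user=<from>^Aauth=Bearer <token>^A^A", base64.
$Sasl = "user=$FromAddress" + [char]1 + "auth=Bearer $AccessToken" + [char]1 + [char]1
$SaslB64 = [Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($Sasl))

function Read-SmtpReply([System.IO.StreamReader]$R) {
    # Multi-line replies use "250-..." continuation lines until the final "250 ..." line.
    do { $Line = $R.ReadLine(); Write-Host "S: $Line" } while ($Line -and $Line.Length -gt 3 -and $Line[3] -eq '-')
    return $Line
}
function Send-SmtpCommand($W, $R, [string]$Cmd, [string]$Expect, [string]$Shown = $Cmd) {
    Write-Host "C: $Shown"
    $W.WriteLine($Cmd)
    $Reply = Read-SmtpReply $R
    if ($Reply.StartsWith("334")) {
        # Exchange returns the XOAUTH2 failure detail base64-encoded after a 334.
        $Detail = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Reply.Substring(4).Trim()))
        throw "AUTH XOAUTH2 rejected: $Detail"
    }
    if (-not $Reply.StartsWith($Expect)) { throw "Expected $Expect, got: $Reply" }
    return $Reply
}

# 4. Plaintext greeting and EHLO, then STARTTLS and a re-EHLO inside TLS.
$Tcp = [System.Net.Sockets.TcpClient]::new("smtp.office365.com", 587)
$Net = $Tcp.GetStream()
$R = [System.IO.StreamReader]::new($Net)
$W = [System.IO.StreamWriter]::new($Net); $W.NewLine = "`r`n"; $W.AutoFlush = $true
[void](Read-SmtpReply $R)                                        # 220 banner
[void](Send-SmtpCommand $W $R "EHLO localhost" "250")
[void](Send-SmtpCommand $W $R "STARTTLS" "220")
$Ssl = [System.Net.Security.SslStream]::new($Net, $false)        # default validation checks the server certificate
$Ssl.AuthenticateAsClient("smtp.office365.com")
$R = [System.IO.StreamReader]::new($Ssl)
$W = [System.IO.StreamWriter]::new($Ssl); $W.NewLine = "`r`n"; $W.AutoFlush = $true
[void](Send-SmtpCommand $W $R "EHLO localhost" "250")

# 5. Authenticate and send. A 535 here means Exchange rejected the token/mailbox
#    pairing: wrong service principal Object ID, missing FullAccess grant, or a
#    From address that differs from the granted mailbox.
[void](Send-SmtpCommand $W $R "AUTH XOAUTH2 $SaslB64" "235" "AUTH XOAUTH2 <redacted>")
[void](Send-SmtpCommand $W $R "MAIL FROM:<$FromAddress>" "250")
[void](Send-SmtpCommand $W $R "RCPT TO:<$ToAddress>" "250")
[void](Send-SmtpCommand $W $R "DATA" "354")
$Msg = "From: $FromAddress`r`nTo: $ToAddress`r`nSubject: SMTP OAuth2 test`r`n`r`nSent with XOAUTH2 client credentials.`r`n."
[void](Send-SmtpCommand $W $R $Msg "250")
[void](Send-SmtpCommand $W $R "QUIT" "221")
$Tcp.Close()
```

Read the transcript from the bottom up: a failure at the token request is an Azure application or secret problem, a missing role in the decoded token is a consent problem, a 535 after AUTH XOAUTH2 is an Exchange Online registration or mailbox permission problem, and a rejection at MAIL FROM or RCPT TO is a mailbox or recipient problem. If this script succeeds but SecureAuth still fails, the remaining difference is the values entered in Email Settings or network egress from the SecureAuth host.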

Troubleshooting

Authentication fails

Verify you used the correct Object ID from Enterprise Applications, not App Registrations.

Check that admin consent was granted for the API permissions.

Check that the client secret has not expired and that the value entered in Email Settings is the secret value, not the secret ID.

Confirm SMTP AUTH is not disabled on the sending mailbox or tenant-wide; a disabled setting rejects the login even when the token is valid.

Permission denied errors

Confirm the service principal has FullAccess permissions to the sender mailbox.

Verify the "Authorized From Address" matches the configured mailbox.

Connection timeout

Check network connectivity to smtp.office365.com on port 587.

Verify firewall rules allow outbound SMTP traffic.