Configure Client Credentials Flow for SMTP Auth in Exchange Online

DISCLAIMER

This page contains third-party references. We strive for our content to always be up-to-date, however, the content referring to external vendors may change independently of Omada. If you spot any inconsistency, please report it to our Helpdesk.

This page describes the steps to configure SMTP Auth in Exchange Online to use Client Credentials.

important

These configuration steps are based on Microsoft's documentation and are susceptible to change, following Microsoft updates. To have the latest updated version of the configuration, check Microsoft's documentation:

• Authenticate an IMAP, POP or SMTP connection using OAuth
• Enable or disable authenticated client SMTP submission (SMTP AUTH) in Exchange Online
• Connect to Exchange Online PowerShell

To configure SMTP Auth in Exchange Online to use Client Credentials:

1. Register an application in Microsoft Entra ID:

   1. Open the Azure Portal and select Microsoft Entra ID.
   2. Select App registrations, then click +New registration.
   
   

   3. To register the application:

   • Enter a name for the Omada Identity website, for example SMTP AUTH.
   • Select the supported account types.
   • Click Register.

2. Give the necessary permissions to the application:

   1. Inside the created application, go to Manage and select API permissions.
   2. Select +Add a permission.
   3. On the APIs my organization uses tab, filter by Office 365 Exchange Online and select Application permissions. While there, you can filter by SMTP.SendAsApp. Enable this permission and click on Add permissions.
   4. Once the permission is added, click on Grant admin consent for your organization. (It will contain the name of your organization.)
   
   

3. Create a client secret for the application:

   1. Inside the created application, go to Manage and select Certificates & secrets.
   2. Select +New client secret and set a description and expiration time.
   3. Click Add and copy the value of this secret to be used later in the configuration.

4. Register service principals in Exchange Online:

   1. Connect to Exchange Online:

   • Open a Powershell window as administrator.
   note

   The Powershell window can be opened at any Windows system. You will be requested for your credentials to connect to exchange online during the process.

   • Run the following commands:

   # Install the Exchange Online Management module
   Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser
   # Import the Exchange Online Management module
   Import-Module ExchangeOnlineManagement
   #Connect to Exchange Online (you will be requested to login in your account)      
   Connect-ExchangeOnline -UserPrincipalName your-email@domain.com -ShowProgress $true

   1. Once you are logged in, register the service principal in Exchange Online, executing the next command:

   New-ServicePrincipal -AppId <APPLICATION_ID> -ObjectId <OBJECT_ID>

   note

   • <APPLICATION_ID> is the Application ID of the application you created in step 1, and the <OBJECT_ID> is is the Object ID from the Overview page of the Enterprise Application node (Azure Portal) for the application registration. It is not the Object ID from the Overview page of the App Registrations node. Using an incorrect Object ID will cause an authentication failure.

   • If you get an error running the New-ServicePrincipal cmdlet after you perform these steps, it's likely because you don't have enough permissions in Exchange Online to perform the operation.

   • Global roles like Exchange Online Administrator or Global Administrator give permissions to perform this actions, but in case you need to limit permissions, you can also be a member of the Organization Management role group in Exchange Online. Specifically, the Role Management role in Exchange Online allows users to view, create, and modify Exchange Online role groups. By default, that role is assigned only to the Organization Management role group. For full information, see Permissions in Exchange Online.

   2. Grant the service principal full access to the mailbox. Execute the following command (where <MAILBOX> is the email that will be used as mailbox):

   Add-MailboxPermission -Identity <MAILBOX> -User <APPLICATION_ID> -AccessRights FullAccess

   3. Enable SMTP Client Authentication (if not enabled already). In the same Powershell window, execute the next command:

   Set-CASMailbox -Identity <MAILBOX> -SmtpClientAuthenticationDisabled $false

5. Configure sending emails by defining the host name, port, TLS configuration, and authentication method in Omada Identity:

   1. Go to Setup > System settings > Configuration objects.

   2. Open the configuration object notificationSettings.

   3. Set up the port and host name in the XML schema, using the client credentials authentication type:

<?xml version="1.0" encoding="utf-8">
<notificationSettings xmlns="http://schemas.omada.net/ois/2022/NotificationSettingsML">
          <smtp>
            <network
              host="smtp.office365.com"
              port="587">
              <azureAdClientCredentials>
                instance="https://login.microsoftonline.com"
                clientId="7A83471E-A8C7-4C06-8120-77B9AA56FA04"
                clientSecret="xxx"
                tenantId="2487ABFA-47FC-4F60-8AF4-2B857B17432C"
                userName="example@megamart.onmicrosoft.com"
                scopes="https://outlook.office365.com/.default"
              />
            </network>
          </smtp>
</notificationSettings>