
Configure SMTP with OAuth Authentication

OAuth 2.0 lets SEI authenticate to your SMTP provider without storing an SMTP username and password. This setup requires configuration in Microsoft Entra ID and Exchange Online before you enter the OAuth settings in SEI.

Configure OAuth 2.0 for Exchange Online (Microsoft 365)

1. Register an app in Microsoft Entra ID

  1. Sign in to the Microsoft Entra admin center with an account that has at least the Application Developer role.
  2. If you manage multiple tenants, select Settings and switch to the tenant that hosts your Exchange Online environment.
  3. Go to Entra ID > App registrations, and then select New registration.
  4. Enter a name for the app, such as nectari-smtp-app.
  5. Under Supported account types, select Accounts in this organizational directory only (Single tenant).
  6. Select Register.
  7. On the app Overview page, copy the Application (client) ID and the Directory (tenant) ID for later use in SEI.

For complete guidance, see Microsoft's article Register an application with Microsoft Entra ID.

2. Add the SMTP permission

  1. In the app registration, select API permissions.
  2. Select Add a permission.
  3. Select APIs my organization uses, search for Office 365 Exchange Online, and then select it.
  4. Select Application permissions.
  5. Select SMTP.SendAsApp under SMTP, and then select Add permissions.
tip

Optionally, you may also want to remove unused permissions granted to the app by default, such as User.Read for Microsoft Graph.

3. Grant admin consent

A tenant administrator must grant admin consent for the permissions assigned to the app. For background, see Permissions and consent. For Exchange Online SMTP, use the scope value https://outlook.office365.com/.default.

Single-tenant app registrations

If you registered the app as Accounts in this organizational directory only (Single tenant), grant consent from the app registration:

  1. In Microsoft Entra ID, open your app registration.
  2. Select API permissions.
  3. Select Grant admin consent for <tenant>.

Multi-tenant app registrations (partner/ISV)

If the app was registered as Accounts in any organizational directory (Multitenant), the tenant administrator can grant consent by using an admin consent URL:

https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?client_id=<CLIENT_ID>&redirect_uri=<REDIRECT_URI>&scope=https://outlook.office365.com/.default

4. Create a client secret

  1. In the app registration, select Certificates & secrets.
  2. Select New client secret.
  3. Copy the secret value and store it securely because Microsoft shows it only once.

5. Register the service principal in Exchange Online

A tenant administrator must register your Microsoft Entra application’s service principal in Exchange Online so the app can authenticate by using the OAuth 2.0 client credentials flow. Run the commands in the order shown and replace values in <REQUIRED_VALUES> with your tenant information.

Required values

Value: Where to find

<TENANT_ID>: Directory (tenant) ID from the Microsoft Entra ID app registration Overview page.
<APPLICATION_ID>: Application (client) ID from the Microsoft Entra ID app registration Overview page.
<ENTERPRISE_APP_OBJECT_ID>: Azure Portal > Enterprise applications > your app > Overview (Object ID).
<SERVICE_PRINCIPAL_ID>: Exchange Online PowerShell output from Get-ServicePrincipal | fl (the ID field).
important

Use the Object ID from Enterprise applications, not the one from App registrations.

1 — Connect to Exchange Online PowerShell

Sign in with an account that has the Exchange Administrator or Role Management role.

Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -Organization <TENANT_ID>

2 — Register the service principal

Replace <ORGANIZATION_ID> with the Tenant ID from the app registration Overview page.

New-ServicePrincipal -AppId <APPLICATION_ID> -ObjectId <ENTERPRISE_APP_OBJECT_ID> [-Organization <ORGANIZATION_ID>] [-DisplayName <String> ]

3 — Retrieve the service principal ID

Use the ID field from this output as <SERVICE_PRINCIPAL_ID> in the next step.

Get-ServicePrincipal | fl

4 — Grant mailbox access

Grant the service principal access to each mailbox your application must use for sending email via SMTP OAuth. You must repeat this for every mailbox the application needs to access.

Add-MailboxPermission -Identity "john.smith@contoso.com" -User <SERVICE_PRINCIPAL_ID> -AccessRights FullAccess
note

Mailbox access is required for each mailbox that can send email. If Use sender email is enabled in SEI, grant access only for the mailbox in Sender email; if Use sender email is disabled, grant access for every user mailbox that can send email.

For more information, see Permissions and consent in the Microsoft identity platform.

Configure SMTP in SEI

  1. From the navigation panel, click the gear icon. The Administration page opens.
  2. Select Manage SMTP.
  3. Enter the SMTP settings.
  4. Select Validate to test the connection, then select Save.

SMTP settings

Setting: Description

SMTP Server: Enter the SMTP host name. Example: smtp.office365.com.
Sender Email: Enter the email address used as the sender for messages.
Port: Enter the SMTP port used by your SMTP provider. Example: 587.
Authentication Type: Choose OAuth 2.0.
Client ID: Enter the Application (client) ID from Microsoft Entra ID.
Client Secret: Enter the client secret value from Microsoft Entra ID.
Secret Expiration Alert: Enables reminders before the client secret expires.
Secret Expiration Date: The expiration date of the configured client secret.
Token Endpoint: Enter the token endpoint, using the Directory (tenant) ID as TENANT_ID. Example: https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token.
Scopes: For Exchange Online SMTP, enter https://outlook.office365.com/.default.
Use SSL/TLS: Enable to encrypt the connection to the SMTP server and help protect credentials and message content in transit.
Use sender email: If enabled, SEI uses Sender Email as the From address for outgoing messages, and mailbox access is required only for that mailbox; if disabled, Exchange Online mailbox permissions must be granted for each user mailbox that can send email, not only the configured sender mailbox.
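The following is an added example, not SEI's own code: it performs the OAuth 2.0 client credentials grant against the Token Endpoint and Scopes above and then the SASL XOAUTH2 exchange on port 587, which is what Validate exercises. The tenant, client and sender values are constructed placeholders; function names are this example's own.

```python
# Added example, not SEI's own code: the client credentials grant and the SASL
# XOAUTH2 exchange an SMTP OAuth 2.0 client performs with the settings on this
# page. Placeholder values are constructed; replace them with your own.
import base64
import json
import smtplib
import ssl
import urllib.parse
import urllib.request

TENANT_ID, CLIENT_ID, CLIENT_SECRET = "<TENANT_ID>", "<CLIENT_ID>", "<CLIENT_SECRET>"
SENDER_EMAIL = "sender@contoso.example"
SCOPE = "https://outlook.office365.com/.default"

def token_endpoint(tenant_id: str) -> str:
    """v2.0 token endpoint, as entered in SEI's Token Endpoint field."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"

def token_request_body(client_id: str, client_secret: str, scope: str) -> dict:
    """Client credentials grant fields. SMTP.SendAsApp is not sent as a scope;
    it is reached through /.default once admin consent has been granted."""
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scope}

def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Base64 SASL XOAUTH2 response: user=<addr>^Aauth=Bearer <token>^A^A."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

def fetch_access_token(tenant_id: str, client_id: str, client_secret: str,
                       scope: str) -> str:
    """POST the grant to the token endpoint and return the bearer token."""
    body = urllib.parse.urlencode(
        token_request_body(client_id, client_secret, scope)).encode("ascii")
    with urllib.request.urlopen(token_endpoint(tenant_id), data=body, timeout=30) as r:
        return json.load(r)["access_token"]

def validate_smtp_oauth(sender: str, token: str,
                        server: str = "smtp.office365.com", port: int = 587) -> bool:
    """What SEI's Validate does: STARTTLS on 587, then AUTH XOAUTH2 for the
    sender mailbox. Reply 235 means the app may send from that mailbox."""
    with smtplib.SMTP(server, port, timeout=30) as smtp:
        smtp.starttls(context=ssl.create_default_context())
        code, _ = smtp.docmd("AUTH", "XOAUTH2 " + xoauth2_initial_response(sender, token))
        return code == 235

if __name__ == "__main__":
    tok = fetch_access_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET, SCOPE)
    print("SMTP OAuth validation:", validate_smtp_oauth(SENDER_EMAIL, tok))
```

A non-235 reply for a mailbox usually means the Add-MailboxPermission step above was not run for that mailbox or admin consent is still missing.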