Configuration of OAuth login with MS 365 Exchange Online



Question:

How can an OAuth login for SMTP mail transmission be configured with MS 365/Exchange Online?

Answer:

IMPORTANT This guide is only relevant for InLoox OnPrem. InLoox Cloud does not require the creation of an Azure app.

IMPORTANT This guide is only relevant for customers who send the automated emails via Exchange Online.

IMPORTANT Make sure that the InLoox OnPrem Server is installed in version 11.17 or later.

Background

Starting in September 2025, Microsoft is retiring Basic Authentication for SMTP AUTH (client submission) in Exchange Online. From then on, sending e-mails with a username + password login is no longer possible; an OAuth 2.0 token must be presented instead. Details can be found in the following announcement from Microsoft: https://techcommunity.microsoft.com/blog/exchange/exchange-online-to-retire-basic-auth-for-client-submission-smtp-auth/4114750

Requirements & General Recommendations

To perform the SMTP configuration according to this guide, you will need your own Entra ID Tenant. Administrator rights are required to configure the necessary settings.

Basic knowledge of administration within MS 365 / MS Entra ID, as well as the use of MS PowerShell is required.

PLEASE NOTE To ensure successful configuration, the "Security Defaults" of your tenant must be disabled. Further information can be found under the following link:
https://learn.microsoft.com/de-de/entra/fundamentals/security-defaults

PLEASE NOTE Because Security Defaults are disabled, we recommend compensating controls such as multi-factor authentication for all users and Conditional Access (https://learn.microsoft.com/de-de/entra/identity/conditional-access/overview). For the Entra ID app created below this matters most: anyone who obtains its client secret can request tokens from anywhere, so a Conditional Access policy for workload identities that restricts the app's sign-in to the public IP address(es) of the InLoox OnPrem Server (this requires a Workload ID Premium license), or a comparable control, is recommended.

Configuration Instructions

The steps mentioned below are based on the following Microsoft support article: https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#use-client-credentials-grant-flow-to-authenticate-smtp-imap-and-pop-connections

The instructions are divided into the following steps:

  1. Creating an Entra ID App (formerly Azure App)
  2. Creating a Service Principal and linking it to a mailbox
  3. Enabling SMTP Auth for the mailbox
  4. Configuration of the OAuth login in the InLoox OnPrem Server setup wizard

PLEASE NOTE You need an MS365 user with an email mailbox in Exchange Online for automated email sending. This user will be required during the setup process. Emails will then be sent on behalf of this user.

1. Creating an Entra ID App

PLEASE NOTE If you have already set up an Entra ID app for InLoox (used for SSO, SharePoint Online, etc., see separate help article), you can generally also use it for sending e-mails. However, we recommend a separate app so that the SMTP.SendAsApp permission and its client secret stay isolated from the other permissions (least privilege, and a secret rotation for one use does not affect the other).

1. Sign in to your Azure portal on the web.

2. Go to the Microsoft Entra ID service.

3. Within the side panel, go to App Registrations.

4. Click + New Registration at the top.

5. Give it a name (e.g. "InLoox SMTP via OAuth"), select "Accounts in this organizational directory only (MSFT only - Single tenant)" under Supported account types and then click on Register.

Note: The other account types are generally compatible, but not relevant in most scenarios; single tenant is the most restrictive choice and therefore preferred.

6. Now, in the side panel, go to API Permissions.

7. Click + Add permission and select APIs my organization uses.

8. Within the API permissions, search for "Office 365 Exchange Online" and then select this entry.

9. Here, select Application Permission.

10. Then search for SMTP and select the entry SMTP.SendAsApp.

11. Confirm this via Add permission.

12. Now select Grant admin consent for "Your Entra ID Domain" and confirm the security prompt with YES.

The result should then look like the following screenshot:

13. Now go to Certificates & secrets via the side panel. Under Client secrets, click + New Client secret. Enter a name and validity period here and click Add.

PLEASE NOTE Be sure to save the value of the secret (the "Value" column, not the "Secret ID"). It is only displayed once. If you do not save it, you must create a new secret. The value will be needed later in this tutorial; store it in a password manager or secret store, not in a plain-text file.

PLEASE NOTE Note the validity period of the secret. After it expires, it is no longer possible to send e-mails. Before the expiry date, create a new secret and enter it in the InLoox OnPrem Server setup (step 4); then delete the old one.
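Step 1 can also be done from PowerShell with the Microsoft Graph PowerShell SDK. The following script is an added example and is not part of the InLoox article or product; it assumes the Microsoft.Graph.Applications module is installed and that the signed-in account may create applications and grant admin consent. The app name and the 12-month secret lifetime are assumptions. Its practical benefit is that it prints the service principal's Object ID (the value step 2 needs) next to the Application ID, so the two object IDs cannot be mixed up.

```powershell
# Added example (not InLoox code): register the single-tenant app with only SMTP.SendAsApp,
# create its enterprise application, grant admin consent and issue a client secret.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

# "Office 365 Exchange Online" has the well-known application ID below. Look up its
# SMTP.SendAsApp application role at runtime instead of hard-coding the role GUID.
$exo  = Get-MgServicePrincipal -Filter "appId eq '00000002-0000-0ff1-ce00-000000000000'"
$role = $exo.AppRoles | Where-Object {
    $_.Value -eq 'SMTP.SendAsApp' -and $_.AllowedMemberTypes -contains 'Application'
}
if (-not $role) { throw 'SMTP.SendAsApp application role not found on the Exchange Online service principal' }

# Single-tenant registration (AzureADMyOrg) that requests exactly one application permission
$app = New-MgApplication -DisplayName 'InLoox SMTP via OAuth' -SignInAudience 'AzureADMyOrg' `
    -RequiredResourceAccess @(@{
        ResourceAppId  = $exo.AppId
        ResourceAccess = @(@{ Id = $role.Id; Type = 'Role' })
    })

# The enterprise application (service principal). Its Id is the <OBJECT_ID> used in step 2;
# $app.Id is the App Registration object and must NOT be used there.
$sp = New-MgServicePrincipal -AppId $app.AppId

# Admin consent for the application permission (equivalent to "Grant admin consent" in the portal)
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
    -ResourceId $exo.Id -AppRoleId $role.Id | Out-Null

# Client secret. SecretText is returned only by this call; copy it to your secret store at once.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'InLoox OnPrem SMTP'
    EndDateTime = (Get-Date).AddMonths(12)   # assumption: rotate before this date
}

[pscustomobject]@{
    ApplicationId            = $app.AppId          # ClientId in step 4, <APPLICATION_ID> in step 2
    ServicePrincipalObjectId = $sp.Id              # <OBJECT_ID> in step 2
    ClientSecret             = $secret.SecretText  # "Secret Client" in step 4, shown once
    SecretExpires            = $secret.EndDateTime
}
```

The object returned at the end carries everything the later steps ask for. Treat the ClientSecret field like a password: do not pipe the output to a log file.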

2. Create a Service Principal and Link It to a Mailbox

The following steps require Windows PowerShell.

(The detailed instructions with further explanations can be found here: https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#register-service-principals-in-exchange )

  • If you are using Windows Server 2016, run the following commands first so that PowerShell can reach the PowerShell Gallery over TLS 1.2:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Install-PackageProvider -Name NuGet

  • The ExchangeOnlineManagement module is required. Install and load it, then sign in to Exchange Online, with the following commands:

Install-Module -Name ExchangeOnlineManagement

Import-module ExchangeOnlineManagement

Connect-ExchangeOnline -Organization <tenantId>

The placeholder <tenantId> must be replaced by your Tenant ID (the "Directory (tenant) ID" shown on the overview page of Microsoft Entra ID).

Confirmation prompts may appear (for example, whether to trust the PSGallery repository); confirm them.

  • For the following command, you need the values for <APPLICATION_ID> and <OBJECT_ID>. To find them, open the Enterprise Applications pane in Microsoft Entra ID and locate the app created in step 1:
    • For <APPLICATION_ID>, use the Application ID (client ID) from the third column.
    • For <OBJECT_ID>, use the Object ID from the second column. This is the object ID of the service principal (enterprise application). The Object ID shown under App Registrations belongs to a different object and must NOT be used; otherwise, the subsequent command will fail.

  • Then run the following command in the PowerShell command line to create the ServicePrincipal in Exchange Online:

New-ServicePrincipal -AppId <APPLICATION_ID> -ObjectId <OBJECT_ID>

The placeholders <APPLICATION_ID> and <OBJECT_ID> must be replaced.

  • Now the created ServicePrincipal must be linked to a mailbox. To do this, you need the ID of the ServicePrincipal you just created. Run the following PowerShell command and note the ObjectId of the entry whose AppId matches your <APPLICATION_ID>:

Get-ServicePrincipal | fl

  • Use this ID for the <SERVICE_PRINCIPAL_ID> placeholder of the following command:

Add-MailboxPermission -Identity "john.smith@contoso.com" -User <SERVICE_PRINCIPAL_ID> -AccessRights FullAccess

Replace john.smith@contoso.com with the mailbox from which the emails are to be sent.

PLEASE NOTE FullAccess lets the app read and modify the entire mailbox, not only send from it. Use a dedicated mailbox for automated sending rather than a personal one, and do not grant this permission on further mailboxes.

3. Enabling SMTP Auth for the mailbox

By default, SMTP AUTH is disabled tenant-wide for all mailboxes. It can, however, be enabled for individual mailboxes; the per-mailbox setting overrides the tenant-wide one. Detailed information can be found under the following link:

https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission

To enable SMTP AUTH for a single mailbox, use the following PowerShell command. Use the PowerShell window from step 2), which is already logged in to Exchange Online.

Set-CASMailbox -Identity john.smith@contoso.com -SmtpClientAuthenticationDisabled $false

Replace john.smith@contoso.com with the mailbox from which the emails are to be sent.

PLEASE NOTE If a completely new mailbox has been set up, it may take up to one day before it is possible to send e-mails via this mailbox.
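Steps 2 and 3 as one script, added here as an example; it is not part of the InLoox article or product. It assumes the ExchangeOnlineManagement module is installed and that the two IDs come from the Enterprise Applications pane. It can be re-run without creating duplicates and, at the end, reads the settings back from Exchange Online so that a wrong ID, a missing mailbox permission, or a mailbox with SMTP AUTH still disabled is visible before the InLoox test e-mail is tried.

```powershell
# Added example (not InLoox code): register the Exchange service principal, link it to the
# sending mailbox, enable SMTP AUTH for that mailbox, and verify the result.
param(
    [Parameter(Mandatory)] [string] $TenantId,   # Directory (tenant) ID
    [Parameter(Mandatory)] [string] $AppId,      # Application (client) ID of the Entra app
    [Parameter(Mandatory)] [string] $ObjectId,   # Object ID from Enterprise Applications
    [Parameter(Mandatory)] [string] $Mailbox     # e.g. john.smith@contoso.com (dedicated mailbox)
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -Organization $TenantId -ShowBanner:$false

# Step 2a: create the Exchange service principal only if it does not exist yet.
# With the App Registration's object ID instead of the enterprise application's, this call fails.
$sp = Get-ServicePrincipal | Where-Object { $_.AppId -eq $AppId }
if (-not $sp) {
    $sp = New-ServicePrincipal -AppId $AppId -ObjectId $ObjectId
    Write-Host "Created Exchange service principal $($sp.ObjectId)"
} else {
    Write-Host "Exchange service principal already exists: $($sp.ObjectId)"
}

# Step 2b: link the service principal to the mailbox. FullAccess is what Microsoft's procedure
# for this flow requires; it is read/write on the whole mailbox, hence the dedicated mailbox.
Add-MailboxPermission -Identity $Mailbox -User $sp.ObjectId -AccessRights FullAccess | Out-Null

# Step 3: enable SMTP AUTH for this one mailbox (overrides the tenant-wide setting)
Set-CASMailbox -Identity $Mailbox -SmtpClientAuthenticationDisabled $false

# Verification: read everything back instead of trusting that the cmdlets did what we asked
$perm = Get-MailboxPermission -Identity $Mailbox -User $sp.ObjectId |
    Where-Object { $_.AccessRights -contains 'FullAccess' }
$cas = Get-CASMailbox -Identity $Mailbox
$org = Get-TransportConfig

[pscustomobject]@{
    Mailbox                    = $Mailbox
    ServicePrincipalObjectId   = $sp.ObjectId
    FullAccessGranted          = [bool]$perm                           # must be True
    SmtpAuthDisabledForMailbox = $cas.SmtpClientAuthenticationDisabled # must be False
    SmtpAuthDisabledTenantWide = $org.SmtpClientAuthenticationDisabled # may stay True
}

Disconnect-ExchangeOnline -Confirm:$false
```

The last line of output is the state to keep on record: if FullAccessGranted is False or SmtpAuthDisabledForMailbox is not False, the InLoox test e-mail in step 4 will fail regardless of what is entered there. SmtpAuthDisabledTenantWide may remain True; only the mailbox-level value matters for this flow.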

4. Configuration of the OAuth login in the InLoox OnPrem Server

Now you can store the created configuration in the InLoox OnPrem Server Setup.

Select "OAuth with MS365". The server name, port and encryption mode are automatically preselected if you start with a completely new configuration.

SMTP-Servername:   smtp.office365.com
Sender email address: The sender email address of the mailbox selected in step 2)
Sender email name:  The sender name of the mailbox selected in step 2)
Username: The username (UPN) of the mailbox selected in step 2)
TenantId:  The Directory (tenant) ID of your Entra ID tenant
ClientId: The Application (client) ID of the Entra ID app you created in step 1)
Secret Client: The value of the client secret created in step 1)
Port: The port for SMTP submission, by default this is 587
Encryption:  The encryption mode, by default this is STARTTLS

Now send a test email to any mailbox. If this is successful, the configuration is complete.

If you receive an error message, check the error text. An error while obtaining the token usually points to step 1) (wrong Tenant ID, Client ID or secret, or admin consent not granted); an authentication failure at the SMTP server usually points to steps 2) or 3) (service principal, mailbox permission or SMTP AUTH for the mailbox).

PLEASE NOTE In some cases, the configurations in steps 2) and 3) take some time to become effective in Exchange Online. In case of error messages, first check the configuration again. If it is correct, wait some time (15-30 minutes) and then try to send the test email again. After setting up a completely new mailbox, it can take up to 24 hours before an email can be sent successfully.
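To tell an Entra/Exchange configuration problem apart from an InLoox setup problem, the following added example (not InLoox code, and not what the InLoox OnPrem Server itself runs) performs the same two protocol steps the "OAuth with MS365" mode relies on: a client-credentials token request for the Exchange Online resource, followed by STARTTLS and SASL AUTH XOAUTH2 on smtp.office365.com:587. It assumes Windows PowerShell 5.1 or later, outbound TCP 587, and the values from steps 1) to 4); the EHLO name is an assumption. No message is sent; the script stops after authentication.

```powershell
# Added example (not InLoox code): client-credentials token + SMTP AUTH XOAUTH2 check.
param(
    [Parameter(Mandatory)] [string] $TenantId,      # Directory (tenant) ID
    [Parameter(Mandatory)] [string] $ClientId,      # Application (client) ID from step 1
    [Parameter(Mandatory)] [string] $ClientSecret,  # client secret value from step 1
    [Parameter(Mandatory)] [string] $Mailbox,       # sending mailbox from steps 2 and 3
    [string] $SmtpServer = 'smtp.office365.com',
    [int]    $Port = 587
)

# 1) Client-credentials grant. The scope must name the Exchange Online resource;
#    a Microsoft Graph scope yields a token that the SMTP server rejects.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        grant_type    = 'client_credentials'
        scope         = 'https://outlook.office365.com/.default'
    }

# 2) SASL XOAUTH2 initial client response: "user=<mailbox>\x01auth=Bearer <token>\x01\x01", base64
$ctrlA   = [char]1
$xoauth2 = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(
    "user=$Mailbox${ctrlA}auth=Bearer $($token.access_token)$ctrlA$ctrlA"))

function Read-SmtpReply([System.IO.StreamReader] $Reader) {
    # Consumes one (possibly multi-line) reply: "250-..." continues, "250 ..." ends. Returns the code.
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by server' }
        Write-Host "S: $line"
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return $line.Substring(0, 3)
}
function Send-SmtpLine([System.IO.StreamWriter] $Writer, [string] $Line, [switch] $Secret) {
    # Echo the client side for the transcript, but never the line carrying the token
    Write-Host ('C: ' + $(if ($Secret) { '<redacted>' } else { $Line }))
    $Writer.WriteLine($Line)
}

$tcp    = [System.Net.Sockets.TcpClient]::new($SmtpServer, $Port)
$stream = $tcp.GetStream()
$reader = [System.IO.StreamReader]::new($stream)
$writer = [System.IO.StreamWriter]::new($stream); $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

if ((Read-SmtpReply $reader) -ne '220') { throw 'No SMTP greeting' }
Send-SmtpLine $writer 'EHLO inloox-oauth-check'; Read-SmtpReply $reader | Out-Null
Send-SmtpLine $writer 'STARTTLS'
if ((Read-SmtpReply $reader) -ne '220') { throw 'STARTTLS refused' }

# 3) Upgrade the same socket to TLS 1.2 (explicit protocol matters on Windows Server 2016), re-EHLO
$tls = [System.Net.Security.SslStream]::new($stream, $false)
$tls.AuthenticateAsClient($SmtpServer, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
$reader = [System.IO.StreamReader]::new($tls)
$writer = [System.IO.StreamWriter]::new($tls); $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
Send-SmtpLine $writer 'EHLO inloox-oauth-check'; Read-SmtpReply $reader | Out-Null

# 4) AUTH XOAUTH2: 235 means success. On failure the server answers 334 with a base64 JSON
#    error description and waits for an empty line before sending the final 535.
Send-SmtpLine $writer "AUTH XOAUTH2 $xoauth2" -Secret
$code = Read-SmtpReply $reader
if ($code -eq '334') { Send-SmtpLine $writer ''; $code = Read-SmtpReply $reader }
Send-SmtpLine $writer 'QUIT'; $tcp.Close()

if ($code -ne '235') { throw "SMTP AUTH XOAUTH2 failed with reply code $code (see server lines above)" }
Write-Host "OK: $Mailbox authenticates via OAuth; app, service principal and mailbox settings are correct."
```

If the token request fails, the problem is in step 1) (or the tenant/client IDs entered); if the token is issued but AUTH ends in 535, the base64 text in the preceding 334 line, decoded, names the cause and points to steps 2) or 3). The client secret is passed as a parameter here for brevity; for anything beyond a one-off check, read it with Read-Host -AsSecureString so that it does not end up in the PowerShell history.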