Microsoft Modern authentication
Microsoft's Modern Authentication is an identity management approach that provides enhanced security for user authentication and authorization. Modern authentication refers to a set of methods for managing both authentication and authorization between a client and a server. It also incorporates security measures based on access policies you may already be familiar with. As Microsoft have already phased out Basic Authentication in many of products referring to it as an obsolete industry standard due to the risks associated with it, there might be a necessity to use the Modern Authentication method instead to authenticate in OpenIAM.
This article includes the steps to integrate Microsoft Modern Authentication for Simple Mail Transfer Protocol (SMTP) with OpenIAM. By using Modern Authentication, you can securely connect to Microsoft Exchange Online using OAuth 2.0, enabling token-based authentication that enhances security.
Note that the process of setting up Modern Authentication for SMTP includes prerequisites like having an Azure account and configuring application settings in the Microsoft Entra admin centre.
Configuring the Microsoft part
For detailed instructions on Microsoft part, please, refer to the official documentation following the links provided.
Register an application using Quickstart: Register an app. Important note: You must register an Enterprise Application (EA) because only EA identifiers can be used for Service Principal registration in Exchange.
Add credentials following the Configure client secret instructions.
Add permissions, as noted in Add permissions for IMAP, POP, or SMTP document.
Important note: When granting your application's service principal access to a mailbox, make sure to include Read Permission in your command, like as follows.
[Text Wrapping Break]Add-MailboxPermission -Identity "john.smith@contoso.com" -User <SERVICE_PRINCIPAL_ID> -AccessRights FullAccess, ReadPermission
Configuring SMTP in OpenIAM
The common steps for configuring SMTP in OpenIAM are given in this document. In the instructions below you can find the changes related to Modern Authentication.
Navigate to Mailbox configuration menu. Go to webconsole > Administration > Mailbox Configuration > Create Mailbox Configuration.
Go to the Mailbox configuration option and click on the create mailbox configuration option. If you want to send emails via old authentication flow, then fill the details and don’t check the Is modern auth checkbox, refer the screenshot below.
For sending emails via Modern Authentication, check the Is modern auth checkbox, and fill the following fields: client ID, tenant ID, Client Secret, Authority, and Scope, as shown below.
The fields description and possible values are given in the table below.
| Field | Description |
|---|---|
| Authority | The Authority URL refers to the endpoint responsible for issuing OAuth2 tokens. This URL is typically part of the Azure Active Directory (AAD) authentication flow, and it specifies the location where the application will send authentication requests to obtain access tokens (OAuth2 tokens). For example, https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token, where |
https://login.microsoftonline.com/ is the main Microsoft login endpoint for Azure Active Directory. | |
{tenant-id} represents the tenant ID for your Azure Active Directory instance. It could also be replaced with the string common, organizations, or consumers depending on the application type. | |
/oauth2/v2.0/token the path to the OAuth2 token endpoint, where clients request access tokens. | |
| Scope | The scope defines the specific permissions that your application is requesting access to when acquiring an OAuth2 token. It specifies what operations the token will allow the application to perform on behalf of the user or service. When using OAuth2 to authenticate with the Microsoft SMTP server (e.g., to send emails via Office 365/Exchange Online), the scope tells Azure Active Directory (AAD) what kind of access is needed. The most common scope for sending emails via Microsoft’s SMTP server is related to sending emails. For example, https://outlook.office365.com/.default, where |
https://outlook.office365.com/ refers to the resource you are trying to access, in this case, Exchange Online. | |
.default is special value tells Azure AD to use the permissions that are pre-configured for the application in the Azure AD app registration. It basically says, "Give me all the permissions this app is authorized for." | |
| Client ID | The Client ID is a unique identifier for your application that is registered in Azure Active Directory (Azure AD). It's also known as the Application ID. It tells Azure AD which app is requesting access when a token is requested for API calls. Example, 12345678-1234-1234-1234-123456789abc. |
| Tenant ID | The Tenant ID is a unique identifier for an Azure Active Directory instance or organization. Each Azure AD tenant represents a separate directory, and the Tenant ID identifies which directory the app or user belongs to. Example, 72f988bf-86f1-41af-91ab-2d7cd011db47. |
| Client Secret | The Client Secret is a confidential password or key associated with your application in Azure Active Directory. It is used along with the Client ID to authenticate the application itself, typically in non-interactive authentication flows (like the client credentials flow). Example, E8C679F2-2C94-4E0A-A45E-123456789abc. |
Once all the above fields are filled and saved, you are ready to send the email via SMTP with Modern Authentication that uses access token instead of username and password method.
To test this, create a test email form and click the Send test mail button as shown below.
