
Configuring Microsoft 365 as an email provider

To be able to use the Microsoft SMTP server, you need to configure it in several applications, and you need to have an administrator account in your Microsoft tenant.

Microsoft Azure

The following steps are performed in the Azure portal and require the necessary permissions to add a new "Enterprise Application".

Step 1 - Azure portal login

Log in to the Azure portal using your browser and login credentials.

Step 2 - Recover the tenant ID

The tenant ID is an identifier that will be required below in step 3 of the PowerShell command line interface configuration and in the RAC/M Identity configuration.

To retrieve it, use the search bar on the Azure Portal home page to find the Tenant properties service. Once in the main screen of this service, copy the value of the Tenant ID field.

azure-tenant-id-copy

Step 3 - Authorized user creation

It is necessary to create a user in Azure who will have the necessary permissions to send emails via SMTP on behalf of the application. The RAC/M Identity server will then use this user to connect to the SMTP server when it needs to send emails. The email address of this authorized user will be the one that appears as the sender address in emails sent by RAC/M Identity.

Use the search bar on the Azure Portal home page to find the Users service. Once in the Users screen, click on the New user button in the top bar, then choose the Create a user option to create a new user.

azure-user-new

Enter the required fields User principal name and Display name.

Copy the value of the User principal name field, which will be required below in step 7 of the Azure configuration, step 5 of the PowerShell command line interface configuration, and the RAC/M Identity configuration.

Click on Next: Properties.

azure-user-info-base

Fill in the Usage location parameter, then click on Review + create.

azure-user-info-properties

Click on Create to create the authorized user.

azure-user-add

You will be redirected to the user list. Use the search box to find your authorized user and click on it.

azure-user-select

Next, you need to assign a Microsoft 365 license to your authorized user. Click on Licenses in the left-hand menu, then on Assignments.

azure-user-license

Select a Microsoft 365 license and click on Save.

azure-user-license-add

Step 4 - Creation of a new "Enterprise Application"

Use the search bar on the Azure Portal home page to find the Enterprise Application service. Once in the Enterprise Application screen, use the New application button in the top bar to create a new application.

azure-app-new

When the new page is presented, click on the Create your own application button, then enter a name identifying the OAuth2 SMTP application for RAC/M Identity. Click on Create.

azure-app-create

You will then be taken to the main page of your new enterprise application.

Copy the value of the Application ID field. It will be needed later in step 4 of the PowerShell command line interface configuration and in the RAC/M Identity configuration.

Copy the value of the Object ID field. It will be needed later in step 4 and step 5 of the PowerShell command line interface configuration.

azure-app-ids

Step 5 - API authorization

The following steps are required to enable your enterprise application to send email via SMTP as an application.

Select Permissions from the left-hand menu, then click on the App registration link.

azure-auth-app-inscription

This will take you to the Authorized APIs screen, where you will click on API permissions. In the Request API permissions box that will open on the right of the screen, click on APIs my organization uses. In the search box, enter Office 365 Exchange Online and select the only API that will appear in the list.

azure-auth-app-add

In the next screen, click on Application permissions.

azure-auth-app-request

Select the following item:

  • SMTP.SendAsApp

Click on Add permissions.

azure-auth-app-selection

Once the permission has been added, click on Grant admin consent for [Tenant ID].

azure-auth-app-consent

Finally, click Yes to confirm administrator consent.

azure-auth-app-consent-confirm

Step 6 - Creating a secret

This step creates a client secret. To do so, click on Certificates & secrets in the left-hand menu. Go to the Client secrets tab and click on New client secret.

azure-secret-config

In the box that opens, enter a Description, choose an Expires value and click on Add.

azure-secret-config-add

Copy the secret value. It is displayed only once, immediately after creation, and will be needed later in the RAC/M Identity configuration.

azure-secret-config-copy

Step 7 - Authorized user assignment

This step involves assigning the authorized user created in step 3 to the Enterprise Application. To do this, select Users and groups from the left-hand menu and click on Add user/group.

azure-assign-user

Select Users and groups. In the box that opens on the right of the screen, enter the User principal name of your authorized user in the search box. Tick your authorized user in the list and click Select.

azure-assign-user-select

To confirm the assignment, click on the Assign button.

azure-assign-user-confirm

You have now completed the configurations that must be done in the Azure portal.

Microsoft 365 admin center

The following steps are performed in the Microsoft 365 admin center and require you to have the necessary permissions to modify user mailbox settings.

Step 1 - Microsoft 365 admin center login

Log in to the Microsoft 365 admin center using your browser and login credentials.

Step 2 - SMTP protocol activation

In the left-hand menu, open the Users drop-down list, click on the Active users link, search for your authorized user and finally, select it from the list.

m365admin-user-select

In the box that opens on the right of the screen, select the Mail tab and click on the Manage email apps link.

m365admin-user-mail-app

Activate the Authenticated SMTP application and click on Save changes.

m365admin-user-mail-app-save

You have now completed the configurations that must be done in the Microsoft 365 admin center.

PowerShell command line interface

It is necessary to allow the enterprise application to access the mailbox of the authorized user, otherwise sending e-mails will not work. It is not possible to perform this step in other Microsoft applications, so you need to use the ExchangeOnlineManagement module in the PowerShell command line interface.

More details on the ExchangeOnlineManagement module can be found on the Microsoft official website.

The following steps must be performed in the PowerShell console as an administrator.

Step 1 - Install the ExchangeOnlineManagement module

Install-Module -Name ExchangeOnlineManagement

Step 2 - Import the module in the PowerShell session

Import-Module ExchangeOnlineManagement

Step 3 - Connect to your Azure tenant

Connect-ExchangeOnline -Organization [Tenant_ID]

The Tenant_ID parameter corresponds to the value found in step 2 of the Azure configuration. A window will then appear to authenticate you in Azure. You must be logged in as a user with administrative rights.

Step 4 - Create a new "Service Principal"

New-ServicePrincipal -AppId [Application_ID] -ObjectId [Object_ID]

The Application_ID parameter corresponds to the Application ID of the enterprise application created in step 4 of the Azure configuration.

The Object_ID parameter corresponds to the Object ID of the enterprise application created in step 4 of the Azure configuration.

Step 5 - Allow the application to access the authorized user's mailbox

Add-MailboxPermission -Identity "[User_Name]" -User [Object_ID] -AccessRights FullAccess

The User_Name parameter corresponds to the User principal name of the authorized user created in step 3 of the Azure configuration.

The Object_ID parameter corresponds to the Object ID of the enterprise application created in step 4 of the Azure configuration.

Step 6 - Disconnect from your Azure tenant

Disconnect-ExchangeOnline

You have now completed the configurations that must be done in the PowerShell command line interface.

(Optional) Configure the authorized user to send emails from another email address

Step 1 - Create a new email address for the authorized user

In Microsoft 365 admin center, go to the Users section, search for the authorized user and click on it.

Select "Manage username and email".

You can then add aliases to the authorized user.

Step 2 - Configure the tenant to allow sending from aliases

In the Exchange admin center, select "Settings" and "Mail flow".

Select "Turn on sending from aliases" and save the changes.

Configure RAC/M Identity

This configuration is done in the RAC/M Identity configuration file: [Install path]/conf/config.properties.

Here are the values to set in the configuration file:

# SMTP configuration
mail.auth.protocol=oauth2
mail.server.host=smtp.office365.com
mail.server.port=587
mail.server.starttls.enable=true
# User principal name from step 3 of the Azure configuration
# Example: notification@example.onmicrosoft.com
mail.server.user=[User principal name]
# Tenant ID from step 2 of the Azure configuration
mail.oauth2.token.url=https://login.microsoftonline.com/[Tenant ID]/oauth2/v2.0/token
# Application ID from step 4 of the Azure configuration
mail.oauth2.client.id=[Application ID]
# Secret from step 6 of the Azure configuration
mail.oauth2.client.secret=[Secret]
mail.oauth2.scopes=https://outlook.office.com/.default
# Sender address shown on outgoing emails (the authorized user, or one of its aliases)
mail.option.sender=[User principal name]

To make the changes effective, the RAC/M Identity server must be restarted.
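As an added example (not part of RAC/M Identity or of this page), the following Python script reads the values above from config.properties, requests a token from mail.oauth2.token.url with the client-credentials grant, and then performs STARTTLS and AUTH XOAUTH2 against smtp.office365.com without sending any mail, so the Azure, admin center and PowerShell steps can be verified before the server is restarted. The sample configuration embedded in the script is constructed with placeholder values, and the function names are the example's own.

```python
import base64, json, smtplib, ssl, sys
from urllib.parse import urlencode
from urllib.request import Request, urlopen
# Constructed sample in the same format as config.properties (placeholder values).
SAMPLE_CONFIG = """# SMTP configuration
mail.server.host=smtp.office365.com
mail.server.port=587
mail.server.user=notification@example.onmicrosoft.com
mail.oauth2.token.url=https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
mail.oauth2.client.id=APPLICATION_ID
mail.oauth2.client.secret=SECRET
mail.oauth2.scopes=https://outlook.office.com/.default
"""

def parse_properties(text):
    """Parse Java-style key=value lines; blank lines and # comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def xoauth2_initial_response(user, access_token):
    """SASL XOAUTH2 initial client response: base64("user=<u>^Aauth=Bearer <t>^A^A")."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

def fetch_token(props):
    """Client-credentials grant against mail.oauth2.token.url; returns the access token."""
    body = urlencode({"grant_type": "client_credentials",
                      "client_id": props["mail.oauth2.client.id"],
                      "client_secret": props["mail.oauth2.client.secret"],
                      "scope": props["mail.oauth2.scopes"]}).encode()
    with urlopen(Request(props["mail.oauth2.token.url"], data=body), timeout=30) as resp:
        return json.load(resp)["access_token"]

def check_smtp_auth(props, token):
    """STARTTLS, EHLO, then AUTH XOAUTH2; returns (code, text). 235 means authenticated."""
    host, port = props["mail.server.host"], int(props["mail.server.port"])
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()
        code, msg = smtp.docmd("AUTH", "XOAUTH2 " + xoauth2_initial_response(props["mail.server.user"], token))
        if code == 334:  # server sent a base64 error blob; an empty line ends the exchange
            code, msg = smtp.docmd("")
        return code, msg.decode(errors="replace")

if __name__ == "__main__":  # usage: python check_m365_smtp.py [Install path]/conf/config.properties
    cfg = parse_properties(open(sys.argv[1], encoding="utf-8").read())
    print(check_smtp_auth(cfg, fetch_token(cfg)))
```

A 235 reply means the token, the mailbox permission and the Authenticated SMTP setting all work together; any other reply points back at one of the earlier steps.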