on 06-30-2026 07:30 AM
Overview
This guide explains how to configure Microsoft 365 (Exchange Online) to allow Incorta to send emails using OAuth 2.0 authentication. Unlike Basic Authentication, OAuth 2.0 requires both Microsoft Entra ID (Azure AD) and Exchange Online to be configured. This guide walks through the complete setup, from registering an application to configuring Incorta.
Architecture Overview
Prerequisites
Before starting, ensure you have:
Part 1 – Register an Application in Microsoft Entra ID
Step 1 – Create a New Application
| Setting | Value |
|---|---|
| Name | Incorta SMTP |
| Supported account types | Single tenant |
| Redirect URI | Leave blank |
After creating the application, record the following values:
These values will be required later when configuring Incorta.
Step 2 – Create a Client Secret
Navigate to: Certificates & secrets → New client secret
Create a client secret and copy its value immediately.
Important: The secret value is displayed only once. Store it securely, as it will be required when configuring Incorta.
Part 2 – Configure Exchange Online API Permissions
Navigate to: API permissions → Add a permission
Select:
Why is this permission required?
SMTP.SendAsApp allows an OAuth application to authenticate and send emails using the Exchange Online SMTP service. Without this permission, SMTP authentication will fail even if OAuth token acquisition succeeds.
Part 3 – Register the Application in Exchange Online
Although the application is registered in Microsoft Entra ID, Exchange Online must also recognize it before mailbox permissions can be assigned.
Connect to Exchange Online:
```powershell
Connect-ExchangeOnline
```
Register the service principal:
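```powershell
# Register the Entra ID application as a service principal in Exchange Online.
# The display name is quoted so the value (and any spaces in it) parses as one string.
New-ServicePrincipal `
    -AppId "<Application Client ID>" `
    -ServiceId "<Enterprise Application Object ID>" `
    -DisplayName "<App name>"
```
Replace `<Application Client ID>`, `<Enterprise Application Object ID>`, and `<App name>` (e.g., "Incorta SMTP") with the values from your Azure application.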
Note: Registering the service principal makes the Azure application available within Exchange Online so that mailbox permissions can be granted.
Part 4 – Grant Mailbox Permissions
The application requires two Exchange Online permissions on the sender mailbox.
FullAccess Permission — Allows the application to access the mailbox.
```powershell
Add-MailboxPermission `
    -Identity "<sender-mailbox>" `
    -User "<Enterprise Application Object ID>" `
    -AccessRights FullAccess
```
SendAs Permission — Allows the application to send emails as the mailbox owner.
```powershell
Add-RecipientPermission `
    -Identity "<sender-mailbox>" `
    -Trustee "<Enterprise Application Object ID>" `
    -AccessRights SendAs `
    -Confirm:$false
```
Important: Exchange Online permission changes may take 5–10 minutes to propagate. Wait a few minutes before testing email delivery.
Part 5 – Enable SMTP AUTH
SMTP AUTH must be enabled at both the organization level and the mailbox level. If it is disabled in either location, SMTP authentication will fail.
Organization Level
Navigate to: Microsoft 365 Admin Center → Settings → Org settings → Modern authentication
Verify that Authenticated SMTP is enabled.
Alternatively, verify using PowerShell:
```powershell
Get-TransportConfig | Select SmtpClientAuthenticationDisabled
```
Expected output:
```
False
```
Mailbox Level
Navigate to: Users → Active users → Select the sender mailbox
Open: Mail → Manage email apps
Verify that Authenticated SMTP is enabled.
Part 6 – Configure Incorta
After Microsoft 365 has been configured successfully, configure the SMTP server in Incorta.
Go to Tenant Config › Email › Email Server Protocol (SMTP)
SMTP Server Settings
| Setting | Value |
|---|---|
| SMTP Host | smtp.office365.com |
| Port | 587 |
| System Email Address | sender mailbox |
| Email Host Requires Authentication | enabled |
| Sender's Username Auth | disabled |
OAuth Configuration
| Setting | Value |
|---|---|
| SMTP OAuth Enabled | enabled |
| SMTP OAuth Client ID | Azure Application (Client) ID |
| SMTP OAuth Client Secret | Azure Client Secret |
| SMTP OAuth Token Endpoint | <tenant-id>/oauth2/v2.0/token |
| SMTP OAuth Scope | https://outlook.office365.com/.default |
(Replace `<tenant-id>` with your Microsoft Entra Directory (Tenant) ID. The token endpoint is appended to https://login.microsoftonline.com/.)
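Part 2 notes that SMTP authentication fails without SMTP.SendAsApp even when token acquisition succeeds. The following diagnostic is an added example, not part of the original guide or Incorta's code: it decodes an access token's claims to confirm the audience and the SMTP.SendAsApp role before SMTP is tried, and builds the SASL XOAUTH2 string that Exchange Online's SMTP endpoint accepts. The function names and the sample token are constructed for illustration.

```python
import base64
import json
import time

SCOPE = "https://outlook.office365.com/.default"  # SMTP OAuth Scope from the table above
REQUIRED_ROLE = "SMTP.SendAsApp"                   # application permission from Part 2

def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_token(access_token, now=None):
    """Return the problems found in the token's claims (empty list = looks usable).
    Diagnostic only: the signature is not verified here; Exchange Online does that."""
    parts = access_token.split(".")
    if len(parts) != 3:
        return ["not a JWT (expected 3 dot-separated segments)"]
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:
        return ["payload is not base64url-encoded JSON"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]
    problems = []
    expected_aud = SCOPE.rsplit("/.default", 1)[0]
    if str(claims.get("aud", "")).rstrip("/") != expected_aud:
        problems.append(f"aud is {claims.get('aud')!r}, expected {expected_aud!r}")
    roles = claims.get("roles")
    if not isinstance(roles, list) or REQUIRED_ROLE not in roles:
        problems.append(f"roles claim lacks {REQUIRED_ROLE}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        problems.append("token is expired or has no exp claim")
    return problems

def xoauth2_string(mailbox, access_token):
    """Base64 SASL XOAUTH2 initial response a client sends with AUTH XOAUTH2."""
    raw = f"user={mailbox}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def make_sample_token(claims):
    # Constructed, unsigned sample token so the check runs offline; not a real credential.
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}.sig"

if __name__ == "__main__":
    base = {"aud": "https://outlook.office365.com", "exp": 4102444800}
    print(check_token(make_sample_token({**base, "roles": [REQUIRED_ROLE]})))  # no problems
    print(check_token(make_sample_token(base)))                                # missing role
```

Run `check_token` against a token obtained from the configured token endpoint; treat the token as a secret and avoid pasting it into online decoders.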
Summary
Once all the above steps have been completed, Incorta will authenticate with Microsoft 365 using OAuth 2.0 and securely send emails through Exchange Online without requiring Basic Authentication.
A PDF version of this guide is attached.