michaelbassem
Employee

Overview
This guide explains how to configure Microsoft 365 (Exchange Online) to allow Incorta to send emails using OAuth 2.0 authentication. Unlike Basic Authentication, OAuth 2.0 requires both Microsoft Entra ID (Azure AD) and Exchange Online to be configured. This guide walks through the complete setup, from registering an application to configuring Incorta.

Architecture Overview 

[Figure: architecture overview diagram]

Prerequisites

Before starting, ensure you have:

  • Microsoft 365 Global Administrator (or equivalent permissions)
  • Exchange Online Administrator
  • Access to Microsoft Entra ID
  • The mailbox that will be used for sending emails from Incorta.

Part 1 – Register an Application in Microsoft Entra ID

Step 1 – Create a New Application

  1. Sign in to the Azure Portal.
  2. Navigate to: Microsoft Entra ID → App registrations → New registration
  3. Configure the application:

     Setting | Value
     Name | Incorta SMTP
     Supported account types | Single tenant
     Redirect URI | Leave blank

After creating the application, record the following values:

  • Application (Client) ID
  • Directory (Tenant) ID.

These values will be required later when configuring Incorta.

Step 2 – Create a Client Secret
Navigate to: Certificates & secrets → New client secret
Create a client secret and copy its value immediately.

Important: The secret value is displayed only once. Store it securely, as it will be required when configuring Incorta.

Part 2 – Configure Exchange Online API Permissions
Navigate to: API permissions → Add a permission

Select:

  • APIs my organization uses
  • Search for "Office 365 Exchange Online"
  • Choose Application permissions
  • Add the following permission: SMTP.SendAsApp

Click:

  • Add permissions
  • Grant admin consent

Why is this permission required?
SMTP.SendAsApp allows an OAuth application to authenticate and send emails using the Exchange Online SMTP service. Without this permission, SMTP authentication will fail even if OAuth token acquisition succeeds.

Part 3 – Register the Application in Exchange Online
Although the application is registered in Microsoft Entra ID, Exchange Online must also recognize it before mailbox permissions can be assigned.

Connect to Exchange Online:

 
Connect-ExchangeOnline

Register the service principal:

 
New-ServicePrincipal `
    -AppId "<Application Client ID>" `
    -ServiceId "<Enterprise Application Object ID>" `
    -DisplayName "<App name>"

Replace <Application Client ID>, <Enterprise Application Object ID>, and <App name> (e.g., "Incorta SMTP") with the values from your Azure application.

Note: Registering the service principal makes the Azure application available within Exchange Online so that mailbox permissions can be granted.

Part 4 – Grant Mailbox Permissions
The application requires two Exchange Online permissions on the sender mailbox.

FullAccess Permission — Allows the application to access the mailbox.

 
Add-MailboxPermission `
    -Identity "<sender-mailbox>" `
    -User "<Enterprise Application Object ID>" `
    -AccessRights FullAccess

SendAs Permission — Allows the application to send emails as the mailbox owner.

 
Add-RecipientPermission `
    -Identity "<sender-mailbox>" `
    -Trustee "<Enterprise Application Object ID>" `
    -AccessRights SendAs `
    -Confirm:$false

Important: Exchange Online permission changes may take 5–10 minutes to propagate. Wait a few minutes before testing email delivery.

Part 5 – Enable SMTP AUTH
SMTP AUTH must be enabled at both the organization level and the mailbox level. If it is disabled in either location, SMTP authentication will fail.

Organization Level
Navigate to: Microsoft 365 Admin Center → Settings → Org settings → Modern authentication
Verify that: Authenticated SMTP is enabled.

Alternatively, verify using PowerShell:

 
Get-TransportConfig | Select SmtpClientAuthenticationDisabled

Expected output:

 
False

Mailbox Level
Navigate to: Users → Active users → Select the sender mailbox
Open: Mail → Manage email apps
Verify that Authenticated SMTP is enabled.
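
The checks for Parts 3–5 can be run together before moving on to Incorta. The script below is an added example, not part of the original guide or of Incorta; it is read-only and uses the same placeholders as the commands above.

```powershell
# Added example: read-only verification of Parts 3-5 of this guide.
# Placeholders are the same ones used in the guide's commands.
$Mailbox  = "<sender-mailbox>"
$ObjectId = "<Enterprise Application Object ID>"

Connect-ExchangeOnline

function Status($ok) { if ($ok) { "OK" } else { "MISSING" } }
$checks = [ordered]@{}

# Part 3: the service principal must be known to Exchange Online.
$sp = Get-ServicePrincipal -Identity $ObjectId -ErrorAction SilentlyContinue
$checks["Service principal registered"] = Status ([bool]$sp)

# Part 4: FullAccess on the sender mailbox (an allow entry, not a deny entry).
$full = Get-MailboxPermission -Identity $Mailbox -User $ObjectId -ErrorAction SilentlyContinue |
    Where-Object { $_.AccessRights -contains "FullAccess" -and "$($_.Deny)" -ne "True" }
$checks["FullAccess on mailbox"] = Status ([bool]$full)

# Part 4: SendAs on the sender mailbox.
$sendAs = Get-RecipientPermission -Identity $Mailbox -Trustee $ObjectId -ErrorAction SilentlyContinue |
    Where-Object { $_.AccessRights -contains "SendAs" -and $_.AccessControlType -eq "Allow" }
$checks["SendAs on mailbox"] = Status ([bool]$sendAs)

# Part 5: SMTP AUTH at organization level ($false means enabled).
$orgDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled
$checks["SMTP AUTH enabled (organization)"] = Status ($orgDisabled -eq $false)

# Part 5: SMTP AUTH at mailbox level. An empty value means no
# per-mailbox setting has been made, so it is reported separately.
$mbxDisabled = (Get-CASMailbox -Identity $Mailbox).SmtpClientAuthenticationDisabled
$checks["SMTP AUTH enabled (mailbox)"] =
    if ($null -eq $mbxDisabled) { "NOT SET" } else { Status ($mbxDisabled -eq $false) }

# One line per check, so a missing step is easy to spot.
$checks.GetEnumerator() | ForEach-Object { "{0,-36} {1}" -f $_.Key, $_.Value }
```

If a permission shows MISSING immediately after Part 4, allow for the propagation delay mentioned above before re-running the script.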

Part 6 – Configure Incorta
After Microsoft 365 has been configured successfully, configure the SMTP server in Incorta.
Go to Tenant Config › Email › Email Server Protocol (SMTP)

SMTP Server Settings

Setting | Value
SMTP Host | smtp.office365.com
Port | 587
System Email Address | sender mailbox
Email Host Requires Authentication | enabled
Sender's Username Auth | disabled

OAuth Configuration

Setting | Value
SMTP OAuth Enabled | enabled
SMTP OAuth Client ID | Azure Application (Client) ID
SMTP OAuth Client Secret | Azure Client Secret
SMTP OAuth Token Endpoint | <tenant-id>/oauth2/v2.0/token
SMTP OAuth Scope | https://outlook.office365.com/.default

(Replace <tenant-id> with your Microsoft Entra Directory (Tenant) ID. The token endpoint value is appended to https://login.microsoftonline.com/.)
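
To test the OAuth values independently of Incorta, the same client-credentials token request can be made from PowerShell and the returned token inspected. This is an added example, not part of the original guide or of Incorta; it assumes the access token is a JWT whose application permissions appear in the roles claim, and it never prints the token or the secret.

```powershell
# Added example: request a token with the values from the OAuth
# Configuration table and confirm it carries SMTP.SendAsApp.
$TenantId = "<tenant-id>"
$ClientId = "<Application Client ID>"
$secure   = Read-Host "Client secret" -AsSecureString   # not echoed, not stored in history

$body = @{
    grant_type    = "client_credentials"
    client_id     = $ClientId
    client_secret = [System.Net.NetworkCredential]::new("", $secure).Password
    scope         = "https://outlook.office365.com/.default"
}
$uri   = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
$token = Invoke-RestMethod -Method Post -Uri $uri -Body $body

# Decode the JWT payload (second segment, base64url without padding).
$payload = $token.access_token.Split(".")[1].Replace("-", "+").Replace("_", "/")
switch ($payload.Length % 4) {
    2 { $payload += "==" }
    3 { $payload += "=" }
}
$json   = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
$claims = $json | ConvertFrom-Json

# Show only non-secret claims: who the token is for and what it allows.
[pscustomobject]@{
    Audience = $claims.aud
    Tenant   = $claims.tid
    Roles    = $claims.roles -join ", "
    Expires  = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
}

# A token can be issued without the permission; SMTP authentication
# then fails later, as described in Part 2.
if ($claims.roles -notcontains "SMTP.SendAsApp") {
    Write-Warning "SMTP.SendAsApp is not in the roles claim. Check API permissions and admin consent (Part 2)."
}
```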

Summary
Once all the above steps have been completed, Incorta will authenticate with Microsoft 365 using OAuth 2.0 and securely send emails through Exchange Online without requiring Basic Authentication.

A PDF version of this guide is attached.


Last update: 06-30-2026 07:30 AM