Office 365 OAuth 2.0 Protocol
This guide describes the steps to set up an Office 365 (Azure) App to send mails (e.g., automatic notifications) using the OAuth 2.0 client credentials flow, without any user interaction. This setup is valid for Office 365 accounts with Exchange Online enabled.
Registering a New App
First, log in to https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade & create a new App Registration.
Give a name to your application and click “Register”.
Copy the Application ID & Tenant ID values from your new App Registration.
Then, click on the Certificates & secrets option and create a New client secret on your new app registration. Afterwards, please copy the secret value.
Navigate to API permissions > Add a permission > Microsoft Graph > Application permissions. Search for the Mail.Send permission, select it as shown in the screenshot below and click the Add permissions button.
You will notice that the permission is not yet granted in your tenant, because consent from a Global Administrator is needed. Therefore, the API permission link must be sent to a user with the appropriate rights to grant consent for this application. Once granted, you will see the permission applied to the app registration.
Your App Registration is ready.
This specific workflow is also documented at this link: Get access without a user - Microsoft Graph.
BSS Email Preferences Setup
On BSS, navigate to BSS Setup > Administration > System Options > Organization settings and, under Email Preferences at the end of the page, select the Modern authentication mechanism. For the Office 365 (Azure) client, fill in the ClientId, the TenantId, the Secret, and the Email you used to create the application on Azure.
Afterwards, you need to Save your changes.
Once your changes are saved, you can click the Send test email button to quickly verify your configuration. The email is dispatched to the logged-in BSS user's address.
Testing your App Registration
You can also test the Office 365 (Azure) App Registration on Postman → Use Postman with the Microsoft Graph API - Microsoft Graph
The information needed for the two requests is:
a) POST Request for the access Token:
Authorization Type: OAuth2.0
Access Token Url: https://login.microsoftonline.com/<your-tenant-id>/oauth2/v2.0/token
Client ID: <client-id-of-azure-app-reg>
Client Secret: <value-of-app-reg-secret>
Scope: https://graph.microsoft.com/.default
b) POST Request for sending the email:
URL: https://graph.microsoft.com/v1.0/users/<sender-mail>/sendMail
Authorization: Bearer <token>
Content-Type: application/json (or any other format)
The sender mailbox must have an Office 365 license with Exchange Online activated; otherwise the POST request will return “404, Resource Not Found”.
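The two Postman requests above, as an added Python example that is not part of this guide: it obtains a token with the client credentials grant and calls sendMail, treating the 404 described above as a mailbox/licence problem. The tenant, client, secret and addresses are placeholders you supply; the `post` parameter is an assumption of this example that lets the flow run offline against a fake transport.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SENDMAIL_URL = "https://graph.microsoft.com/v1.0/users/{sender}/sendMail"

def token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request: no user involved, scope is /.default."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), form, {"Content-Type": "application/x-www-form-urlencoded"}

def sendmail_request(sender, token, to, subject, text):
    """Graph sendMail call made by the application as the given sender mailbox."""
    body = json.dumps({
        "message": {
            "subject": subject,
            "body": {"contentType": "Text", "content": text},
            "toRecipients": [{"emailAddress": {"address": to}}],
        },
        "saveToSentItems": "false",
    }).encode()
    return SENDMAIL_URL.format(sender=sender), body, {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}

def http_post(url, body, headers):  # real transport; returns (status, raw body) even for HTTP error responses
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def send_mail(tenant_id, client_id, client_secret, sender, to, subject, text, post=http_post):
    """Token request followed by sendMail; `post` is injectable (constructed for offline testing)."""
    status, raw = post(*token_request(tenant_id, client_id, client_secret))
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status} {raw[:200]!r}")
    token = json.loads(raw)["access_token"]
    status, raw = post(*sendmail_request(sender, token, to, subject, text))
    if status != 202:  # Graph answers 202 Accepted; 404 means the sender has no Exchange Online mailbox
        hint = " (sender mailbox not found: check the Office 365 licence with Exchange Online)" if status == 404 else ""
        raise RuntimeError(f"sendMail failed: HTTP {status}{hint} {raw[:200]!r}")
    return status
```

The client secret is a credential for a tenant-wide Mail.Send grant, so keep it in a secret store rather than in source or Postman collections you share.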
The Graph application permission “Mail.Send” granted to the App Registration is TENANT WIDE, so every valid mail user with an Office 365 license can be used to send mail through this app. This is inherent to the OAuth 2.0 client credentials flow, which avoids any user interaction.
You can limit the application permission to specific mailboxes by following this documentation: Limiting application permissions to specific Exchange Online mailboxes - Microsoft Graph