Authenticate SMTP using OAuth

Adding OAuth support to an application that sends email through an SMTP server operated by an OAuth provider improves both the security and the convenience of that email path: the SMTP server authenticates the application with an access token rather than a mailbox password.

OAuth 2.0 is an industry-standard authorization framework. A resource owner grants an application scoped access to a resource, and the application receives an access token that it presents in place of the account password. With OAuth support, an application can be granted permission to send email through a mailbox without the mailbox password ever being sent to the mail server.

For PEM, this means that the mailbox credential is exchanged with the identity provider for an access token, and it is that token, not the password, that PEM presents to the SMTP server (SASL XOAUTH2) when sending email. Carrying a short-lived, scoped token on the SMTP path reduces the exposure of the mailbox password and limits what an intercepted credential can be used for.

Note: PEM currently only supports Microsoft Exchange as an OAuth Provider.

Prerequisites

Obtain the values PEM needs to request an access token from the Microsoft OAuth provider (tenant, application/client ID, client secret and scope) by completing the following steps:

  1. Register the Azure Active Directory (Azure AD) tenant in the Microsoft identity platform. For more information, see Set up a tenant.
  2. Register the application with the Microsoft identity platform. For more information, see Register app or web API.
  3. Configure the application to expose a web API. For more information, see Expose scopes in web API registration.
  4. Configure the client application to access a web API. For more information, see Grant scoped permission to web API.

Configuring the generated OAuth properties in PEM

As a system administrator of PEM, configure the system properties required for Email OAuth. For more information, see System properties configured by System Administrators.

Limitations

Microsoft imposes the following limitations when OAuth-based authentication is used with its identity provider for SMTP:

  1. Microsoft currently supports only the Resource Owner Password Credentials (password) flow to obtain an access token for SMTP authentication. As a result, the SMTP_OAUTH_GRANT_TYPE property must be set to password. Because this flow submits the mailbox username and password directly to the token endpoint, PEM must hold that password as a configured property, and the mailbox cannot be protected by multi-factor authentication or a Conditional Access policy that requires interactive sign-in; the security gain is that the password is sent only to the identity provider over TLS and never to the SMTP server.
  2. Microsoft caps SMTP AUTH client submission at 30 messages per minute. For more information, see Limitations of SMTP AUTH client submission.
  3. For Microsoft, the username (email ID) that requests the OAuth access token must be the same as the email ID used to register the web API with the Microsoft service provider. As a result, the SMTP_AUTH_USERNAME property must be set to that same email ID, and the USE_NO_REPLY_EMAIL_ID_AS_SENDER_FOR_ALL_EMAILS system property must be set to true so that every message is sent from the authenticated mailbox.
    Note: For high message volumes, Microsoft recommends configuring SMTP with Option 3 here: Configure a connector to send mail using Microsoft 365 or Office 365 SMTP relay.
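The token request, the SMTP AUTH XOAUTH2 exchange and the rate cap described above, put together as an added example that is not PEM product code and is not taken from this page. It assumes the Microsoft identity platform v2.0 token endpoint and the SMTP.Send scope, a constructed tenant, client ID and mailbox, smtp.office365.com on port 587, and hypothetical helper names; the property names SMTP_OAUTH_GRANT_TYPE and SMTP_AUTH_USERNAME referred to in the comments are the page's, everything else is illustration.

```python
"""Password-grant token request + SMTP AUTH XOAUTH2, paced to the 30 msg/min cap.
Example code only; endpoint, scope, host and helper names are assumptions."""
import base64
import json
import smtplib
import time
import urllib.parse
import urllib.request
from collections import deque

# Assumed Microsoft identity platform v2.0 token endpoint and SMTP.Send scope.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SMTP_SEND_SCOPE = "https://outlook.office.com/SMTP.Send"


def build_ropc_request(tenant, client_id, username, password, client_secret=None):
    """Return (url, form) for the Resource Owner Password flow
    (SMTP_OAUTH_GRANT_TYPE=password). The mailbox password goes to the token
    endpoint over TLS and is never sent to the SMTP server."""
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "scope": SMTP_SEND_SCOPE + " offline_access",
        "username": username,
        "password": password,
    }
    if client_secret:  # only for confidential (web) app registrations
        form["client_secret"] = client_secret
    return TOKEN_URL.format(tenant=tenant), form


def request_token(url, form):
    """POST the form and return the access token, raising on an OAuth error body."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.load(resp)
    if "access_token" not in body:
        raise RuntimeError("token request failed: " + str(body.get("error_description", body)))
    return body["access_token"]


def xoauth2_initial_response(user, access_token):
    """SASL XOAUTH2 client-first message: user=<u>^Aauth=Bearer <token>^A^A"""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"


def xoauth2_b64(user, access_token):
    """What actually travels on the wire after 'AUTH XOAUTH2 '."""
    return base64.b64encode(xoauth2_initial_response(user, access_token).encode()).decode()


def check_sender(auth_username, mail_from):
    """Microsoft requires MAIL FROM to be the authenticated mailbox, which is why
    SMTP_AUTH_USERNAME must be the registered mailbox and the no-reply sender
    setting must be on. Fail early instead of letting the server reject it."""
    if auth_username.lower() != mail_from.lower():
        raise ValueError(f"sender {mail_from} does not match authenticated mailbox {auth_username}")
    return True


class SubmissionPacer:
    """Sliding-window limiter for the 30 messages/minute SMTP AUTH client submission cap."""

    def __init__(self, limit=30, window=60.0):
        self.limit, self.window = limit, window
        self._sent = deque()

    def delay_before_send(self, now):
        """Seconds to wait before the next submission is within the cap (0.0 if none)."""
        while self._sent and now - self._sent[0] >= self.window:
            self._sent.popleft()
        if len(self._sent) < self.limit:
            return 0.0
        return self.window - (now - self._sent[0])

    def record_send(self, now):
        self._sent.append(now)


def send_via_xoauth2(auth_user, access_token, mail_from, rcpt_to, msg_bytes, pacer,
                     host="smtp.office365.com", port=587):
    """STARTTLS, AUTH XOAUTH2 (smtplib base64-encodes the initial response), then send."""
    check_sender(auth_user, mail_from)
    delay = pacer.delay_before_send(time.monotonic())
    if delay > 0:
        time.sleep(delay)
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls()
        smtp.ehlo()
        smtp.auth("XOAUTH2",
                  lambda challenge=None: xoauth2_initial_response(auth_user, access_token),
                  initial_response_ok=True)
        smtp.sendmail(mail_from, rcpt_to, msg_bytes)
    pacer.record_send(time.monotonic())


if __name__ == "__main__":
    # Constructed values; a real run needs a registered app and a live mailbox.
    url, form = build_ropc_request("contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000",
                                   "pem-noreply@contoso.example", "mailbox-password")
    token = request_token(url, form)
    pacer = SubmissionPacer()
    send_via_xoauth2("pem-noreply@contoso.example", token, "pem-noreply@contoso.example",
                     ["partner@example.org"], b"Subject: test\r\n\r\nhello\r\n", pacer)
```

Worth noting in the design: the pacer counts submissions, not recipients, so it addresses only the 30 messages/minute part of Microsoft's limits; if the token endpoint returns an error (for example because MFA blocks the password grant), request_token raises with the provider's error_description rather than letting the SMTP server report an opaque 535.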