How to configure an app in azure portal for multiple email addresses, from the same O365 tenant, to use OAuth with SMTP without user interaction?
In our company we use email addresses for each employee and for 3 departments (service, support and reports) - for example <employee_name>@<company_name>.de or support@<company_name>.de ("<..._name>" is just a placeholder for posting here). Our programs use PHPMailer for sending emails from the 3 departments via SMTP without user interaction (Host: smtp.office365.com), that means the PHPMailer is called by programs/scripts that are started by the Microsoft Task Scheduler on a computer where none of our Microsoft users is logged in. Now we want to switch from Basic SMTP Auth to OAuth2.

So we registered in the main tenant (<boss_name>@<company_name>.de) in the Azure portal a web app "PHPMailer" and received the refresh token with the file "get_oauth_token.php", which is included in PHPMailer. Sending mail via OAuth is working now, but only when <boss_name>@<company_name>.de is the username and the email sender (From).

It's not working when both are for example reports@<company_name>.de (preferred way):

SMTP INBOUND: "535 5.7.3 Authentication unsuccessful [AM6PR10CA0036.EURPRD10.PROD.OUTLOOK.COM]"

And it's not working when <boss_name>@<company_name>.de is the username and From is for example reports@<company_name>.de (willy-nilly compromise):

SMTP INBOUND: "554 5.2.252 SendAsDenied; <boss_name>@<company_name>.de not allowed to send as reports@<company_name>.de"

We tried to change the configuration for <boss_name>@<company_name>.de ("SendAs" parameter) and of the app in the Azure portal (for example defining the department email addresses as owner of the app or adding Mail.Send in the Microsoft Graph API as application permission) and waited 24 hours (synchronization delay) - but no change.

So I've read in the past weeks countless tutorials from Microsoft, PHPMailer and others, and forums like Stack Overflow. But nowhere could I find the necessary information on how to change the configuration.

Examples:

Microsoft

Give mailbox permissions to another Microsoft 365 user - Admin help

Authenticate an IMAP, POP or SMTP connection using OAuth

Get access on behalf of a user

PHPMailer

Using Gmail with XOAUTH2 (unfortunately no explanation for Microsoft)

Basic Usage of the OAuth 2.0 Client from the PHP League

Microsoft Provider for OAuth 2.0 Client Microsoft OAuth 2.0 support for PHPMailer from Steven Maguire


But in this answer to my older question @ADyson wrote that the app just needs the appropriate permissions in the Graph API - so it must be possible. Unfortunately he didn't write how to set the permissions...

So, how can I achieve my goal?

(Because the PHPMailer is working and I think it's just a configuration problem, I omitted code snippets. If you nevertheless need code or more information, please tell me...)


Update:

PHPMailer

Thanks to @greew I found a well made explanation with helpful screenshots for delegated permissions:

Microsoft Azure and XOAUTH2 setup guide

Unfortunately it doesn't help for my case with application permissions, because it is made for the case that the Microsoft user is logged in on the computer where PHPMailer is working.

Not supported?

I found in the Microsoft page Authenticate an IMAP, POP or SMTP connection using OAuth the following hint:

Note As per the current test with SMTP Oauth 2.0 client credential flow with non-interactive sign in is not supported.

Does this mean that I'm trying it for nothing, because it is not supported???

Cadmar answered 28/9, 2022 at 10:19 Comment(10)
I'd like to see a definitive answer for this so I can add it to PHPMailer docs!Structure
You can read about how to assign permissions in various places, including here: msautomate.com/2022/06/15/…Tittletattle
@Tittletattle Thanks for the answer, but I know how to assign permissions. What I can't find (also not in your msautomate link) is which permissions are needed for sending emails in the name of an email address that is listed in our tenant, via SMTP (we don't use IMAP or POP3). For example, is User.Read.All important or not - because in many examples this permission is included, but in other places it is written that you only need Mail.Send...Cadmar
Well if you can't find clear guidance, maybe the best way is to try it and find out.Tittletattle
I tried many scenarios and still try. I wouldn't have asked here before that. Because of all the failed attempts I call other developers and search the net, but I only can find conflicting statements. For example: Some people suggest to define single tenant for supported type, others suggest to define multitenant. I tried both - unsuccessfully. (We have only one tenant with many listed email addresses)Cadmar
Can you shift to sending the emails via HTTP requests instead of SMTP? Graph API permissions should be fairly straightforward then, I honestly don't know if the SMTP requirements are the same or not.Tittletattle
Oh, it's a pity. After your answer to my older question I thought that you know how to configure it. Then maybe @Structure is right after all...Cadmar
@Structure and @Tittletattle I updated my question after I found the following Note As per the current test with SMTP Oauth 2.0 client credential flow with non-interactive sign in is not supported. - Does this mean that it's actually not possible?Cadmar
There has been a bit of a breakthrough today regarding getting Microsoft OAuth working in PHPMailer. It's unpleasant, confusing, inconsistent, and tedious, but what did you expect from MS and OAuth? 😜Structure
Thanks for the reply! But I'm not sure if that will help me, because we have no user interaction, and if I understand it right, we then have to use application permission instead of the delegated one. Furthermore we couldn't find "SMTP.Send". Only "Mail.Send" was available in the APIs "Microsoft Graph" and "Office 365 Exchange Online"...Cadmar
0

After I found in the Microsoft page Authenticate an IMAP, POP or SMTP connection using OAuth the following hint:

Note As per the current test with SMTP Oauth 2.0 client credential flow with non-interactive sign in is not supported.

I asked the same question in the Microsoft Q&A forum. There I received the following answer/comment:

Currently the Client Credentials flow isn't supported with SMTP Auth (it may be in the future but there isn't a roadmap item that I know of) so you need to grant SendAs permissions to whatever account you are trying to send as in the From, or switch to using the Graph API, e.g. one example https://katystech.blog/projects/php-graph-mailer that does support the client credentials flow.

I tried to solve the issue by letting the administrator grant the SendAs permission to all necessary mailboxes, but I still get the error SendAsDenied - maybe it doesn't work with modern authentication (OAuth).

In the end I used the graphMailer from the linked katystech.blog, which is a really slim solution compared to the PHPMailer. First I couldn't get it to work, because our administrator refused to grant the necessary Microsoft Graph permission Mail.ReadWrite (he has security concerns). But I changed the code so that the email is "built" before sending it, instead of building the email step by step on the Microsoft server and then advising the server to send it (like in the original code).

Now the Mail.ReadWrite permission isn't necessary and I can send from different email addresses. To avoid rewriting the whole code where the PHPMailer is used, I renamed the functions of Katy's graphMailer (and adjusted the params) so that they are similar to the PHPMailer and I only need to replace = new PHPMailer( with = new graphMailer(...

Cadmar answered 7/10, 2022 at 14:34 Comment(0)
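To illustrate the approach the accepted answer describes (build the whole message locally, then POST it to the sender mailbox's sendMail endpoint with an app-only token), here is an added example. It is not Katy's graphMailer, not PHPMailer and not code from the question; it is a minimal PHPMailer-style wrapper written for this page. Everything in it is assumed: the class name GraphMailerLite, the placeholder tenant id, client id, client secret and the example.com addresses. It only needs the Mail.Send application permission with admin consent, because no draft is ever created on the server.

```php
<?php
// Added example (not Katy's graphMailer nor PHPMailer code): a PHPMailer-style
// wrapper that sends via Microsoft Graph with the client credentials flow.
// Only Mail.Send (application permission) is needed because the message is
// built here and posted in one request; no draft is stored on the server.
// TENANT_ID, CLIENT_ID, CLIENT_SECRET and the addresses are placeholders.

final class GraphMailerLite
{
    public string $Subject = '';
    public string $Body = '';
    private bool $html = false;
    private string $from = '';
    private array $to = [];

    public function __construct(
        private string $tenantId,
        private string $clientId,
        private string $clientSecret
    ) {}

    // Same call names as PHPMailer, so scheduled scripts need few changes.
    public function setFrom(string $address): void { $this->from = $address; }
    public function isHTML(bool $flag = true): void { $this->html = $flag; }
    public function addAddress(string $address, string $name = ''): void
    {
        $this->to[] = ['emailAddress' => ['address' => $address, 'name' => $name]];
    }

    // The complete sendMail request body, assembled locally.
    public function buildMessage(): array
    {
        return [
            'message' => [
                'subject' => $this->Subject,
                'body' => ['contentType' => $this->html ? 'HTML' : 'Text',
                           'content' => $this->Body],
                'toRecipients' => $this->to,
            ],
            'saveToSentItems' => true,
        ];
    }

    // Client credentials flow: the app authenticates itself, no user signs in.
    private function getAccessToken(): string
    {
        $ch = curl_init("https://login.microsoftonline.com/{$this->tenantId}/oauth2/v2.0/token");
        curl_setopt_array($ch, [
            CURLOPT_POST => true,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_POSTFIELDS => http_build_query([
                'grant_type' => 'client_credentials',
                'client_id' => $this->clientId,
                'client_secret' => $this->clientSecret,
                'scope' => 'https://graph.microsoft.com/.default',
            ]),
        ]);
        $raw = curl_exec($ch);
        $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        curl_close($ch);
        $json = json_decode((string) $raw, true);
        if ($status !== 200 || empty($json['access_token'])) {
            throw new RuntimeException('Token request failed: ' . ($json['error_description'] ?? (string) $raw));
        }
        return $json['access_token'];
    }

    public function send(): bool
    {
        if ($this->from === '' || $this->to === []) {
            throw new LogicException('setFrom() and addAddress() must be called first');
        }
        // "Send as" a mailbox = address that mailbox's own sendMail endpoint.
        $url = 'https://graph.microsoft.com/v1.0/users/' . rawurlencode($this->from) . '/sendMail';
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_POST => true,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_HTTPHEADER => ['Authorization: Bearer ' . $this->getAccessToken(),
                                   'Content-Type: application/json'],
            CURLOPT_POSTFIELDS => json_encode($this->buildMessage()),
        ]);
        $resp = curl_exec($ch);
        $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        curl_close($ch);
        if ($status !== 202) { // Graph returns 202 Accepted when the mail is queued
            throw new RuntimeException("sendMail failed (HTTP $status): $resp");
        }
        return true;
    }
}

// Usage, mirroring the PHPMailer calls the scheduled scripts already make:
$mail = new GraphMailerLite('TENANT_ID', 'CLIENT_ID', 'CLIENT_SECRET');
$mail->setFrom('reports@example.com');      // department mailbox (placeholder)
$mail->addAddress('someone@example.com');
$mail->Subject = 'Nightly report';
$mail->Body = 'Report run finished.';
$mail->send();
```

Two notes on the design, neither taken from the page: an application permission such as Mail.Send applies to every mailbox in the tenant by default, so the administrator's concern is best addressed by scoping it down with an Exchange Online application access policy (the New-ApplicationAccessPolicy cmdlet with -AccessRight RestrictAccess, bound to a mail-enabled security group containing only the three department mailboxes); and the client secret should be loaded from outside the script (environment variable or a secret store), not committed with it.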
0

@biberman

I just tried setting up a new mailer with the correct permissions and also clicking the "Grant admin consent.." button.

This resulted in me being able to both get the refresh token and also send mail without user interaction on my behalf.

Note: I'm using the single tenant option in the App.

[screenshot: permissions]

Antonomasia answered 8/10, 2022 at 6:10 Comment(3)
I think you can do it without direct user interaction, but you are logged in on that computer with those credentials. Am I right?Cadmar
@Cadmar Yes, that is correct...Antonomasia
Unfortunately this doesn't help me, because none of our Microsoft users is logged in on the computer where the programs are running that call the PHPMailer. So the delegated permissions won't fix the issue. I updated my question to make that clear...Cadmar
