Email Capability


Features of SMTP AUTH client submission

  • SMTP AUTH client submission allows you to send emails to people inside and outside the organization.
  • This method bypasses most spam checks for emails sent to people in the organization. This bypass can help protect the organization's IP addresses from being blocked by a spam list.
  • With this method, emails can be sent from any location or IP address, including the organization's (on-premises) network or a third-party cloud-hosting service such as Microsoft Azure.

Requirements for SMTP AUTH client submission

  • Authentication: We recommend using Modern Authentication in the form of OAuth where possible. Otherwise, use Basic Authentication (a username and password) to send emails from the device or application. For more information about OAuth, see Authenticate an IMAP, POP, or SMTP connection using OAuth. If SMTP AUTH is intentionally disabled for the organization or for the mailbox being used, please use Option 2 or 3 below.
  • Mailbox: Licensed Microsoft 365 or Office 365 mailbox to send emails.
  • Transport Layer Security (TLS): Device must be able to use TLS version 1.2 and above.
  • Port: Port 587 (recommended) or port 25 is required and must be unblocked on the network. Some network firewalls or ISPs block ports, especially port 25, because that is the port email servers use to send emails.
  • DNS: Use the DNS name smtp.office365.com. Don't use an IP address for the Microsoft 365 or Office 365 server, as IP addresses aren't supported.

Register the service principal to access the mailbox

  • Log in to the portal and open PowerShell.
  • Execute the following sequence of commands:
    Install the Exchange Online module and sign in

Install-Module -Name ExchangeOnlineManagement -AllowPrerelease

Import-Module ExchangeOnlineManagement

Connect-ExchangeOnline

  • To register the service principal

New-ServicePrincipal -AppId xxxxxx-17cc-4b26-b8dd-xxxxx -ObjectId xxxxx-2971-4706xxx-a114-18802bef0fc3

  • To check and validate the service principal

Get-ServicePrincipal | fl

  • Add the mailbox permission for the service principal

Add-MailboxPermission -Identity "<UserId>@optumsgs.onmicrosoft.com" -User xxxxx-2971-4706xxx-a114-18802bef0fc3 -AccessRights FullAccess

After the cmdlets above have been executed, the service principal becomes eligible to access the mailbox.

Restrict the service principal's mailbox access

  • Limit the service principal to the mailboxes of a specific group

New-ApplicationAccessPolicy -AppId xxxxx-d3e7-xxxx-af3c-xxxxxxx -PolicyScopeGroupId testEmailTier0@OptumSGS.onmicrosoft.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group testEmailTier0."

  • Validate and test the service principal's access

Test-ApplicationAccessPolicy -Identity rrawat36@optumsgs.onmicrosoft.com -AppId xxxxx-d3e7-xxxx-af3c-xxxxxxx

  • Get the application access policy identity

Get-ApplicationAccessPolicy | fl Identity

  • Remove the application access policy

Remove-ApplicationAccessPolicy -Identity "xxxx-ca09-xxxx-836a-xxxxxx\xxxxx-d3e7-xxxx-af3c-xxxxxxx:S-1-5-21-1973759730-xxxxx-267894462-xxxxx;xxxx-db0c-4967-a06e-xxxxxx"
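The registration and restriction steps above, combined into one idempotent script with a verification step at the end. This is an added example, not part of the original page: every GUID, mailbox and group address in it is a constructed placeholder, and it assumes the admin account, the sending mailbox and an out-of-scope control mailbox shown in the variables.

```powershell
# Added example: register the service principal, grant it one mailbox, scope it
# with an application access policy, then verify the scope actually holds.
# All GUIDs, mailboxes and group addresses are constructed placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

$AppId      = '00000000-0000-0000-0000-000000000001'   # app (client) id of the registration
$ObjectId   = '00000000-0000-0000-0000-000000000002'   # object id of the enterprise application
$Mailbox    = 'sender@contoso.onmicrosoft.com'         # mailbox the application sends from
$ScopeGroup = 'emailTier0@contoso.onmicrosoft.com'     # group whose members the app may reach
$OutOfScope = 'finance@contoso.onmicrosoft.com'        # control mailbox that must stay unreachable

# 1. Register the service principal only if it is not already present.
if (-not (Get-ServicePrincipal -Identity $AppId -ErrorAction SilentlyContinue)) {
    New-ServicePrincipal -AppId $AppId -ObjectId $ObjectId -DisplayName 'SMTP sender app' | Out-Null
}

# 2. Grant the service principal access to exactly one mailbox (the -User value is
#    the service principal's ObjectId, as in the Add-MailboxPermission step above).
Add-MailboxPermission -Identity $Mailbox -User $ObjectId -AccessRights FullAccess | Out-Null

# 3. Restrict the application to the members of the scope group. Without a policy,
#    application-level permissions are not limited to particular mailboxes.
if (-not (Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId })) {
    New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopeGroup `
        -AccessRight RestrictAccess `
        -Description "Restrict $AppId to members of $ScopeGroup" | Out-Null
}

# 4. Verify the policy: the sending mailbox must be Granted and the control
#    mailbox must be Denied. Anything else means the scope is wrong.
$inScope  = Test-ApplicationAccessPolicy -Identity $Mailbox    -AppId $AppId
$outScope = Test-ApplicationAccessPolicy -Identity $OutOfScope -AppId $AppId
$inScope, $outScope | Format-Table Mailbox, AccessCheckResult

if ($inScope.AccessCheckResult -ne 'Granted' -or $outScope.AccessCheckResult -ne 'Denied') {
    Write-Error "Application access policy for $AppId is not scoped as expected"
}

# Record the policy identity; it is the value Remove-ApplicationAccessPolicy expects.
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId } | fl Identity

Disconnect-ExchangeOnline -Confirm:$false
```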