Configure OAuth Login with Microsoft 365/Exchange Online

Configure OAuth authentication for SMTP mail transmission with Microsoft 365 and Exchange Online in InLoox Self-Hosted.

Note: This guide is only relevant for InLoox Self-Hosted. InLoox Cloud editions do not require Azure App creation.

Prerequisites
  • InLoox Self-Hosted Server must be installed in at least version 11.17
  • This guide applies only to customers sending automated emails via Exchange Online
  • You need your own Entra ID Tenant with administrator rights
  • Basic knowledge of Microsoft 365/Microsoft Entra ID administration and PowerShell is required

Background

Starting in December 2026, Microsoft will begin phasing out support for Basic Authentication (SMTP AUTH) for Exchange Online. Mail sending with username and password will no longer be possible or will require configuration adjustments. We recommend switching to modern/secure authentication now.

Details: Microsoft Tech Community: Exchange Online to Retire Basic Auth

General Requirements

Security Defaults

To ensure successful configuration, the Security Defaults of your Tenant must be disabled. More information: Microsoft Learn: Security Defaults

Security Recommendations

We recommend using additional security measures such as 2-factor authentication and Conditional Access (Microsoft Learn: Conditional Access). Especially for the Entra ID app to be created, conditional access with IP blocking or similar is recommended.

Configuration Overview

The configuration process includes four steps:

  1. Creating an Entra ID App (formerly Azure App)
  2. Creating a Service Principal and linking it to a mailbox
  3. Enabling SMTP Auth for the mailbox
  4. Configuring OAuth login in the InLoox Self-Hosted Server setup wizard

Info: You need a Microsoft 365 user with an email mailbox in Exchange Online for automated email sending. Emails will be sent on behalf of this user.

Reference: Microsoft Learn: Authenticate SMTP with OAuth

Step 1: Create an Entra ID App

Note: If you have already set up an Entra ID app for InLoox (used for SSO, SharePoint Online, etc.), you can generally reuse it. However, due to security concerns, we recommend using a separate app for email sending.

  1. Sign in to your Azure portal.
  2. Go to the Microsoft Entra ID service.
  3. In the side panel, go to App registrations.
  4. Click + New registration.
  5. Enter a name (e.g., "InLoox SMTP via OAuth").
  6. Under Supported account types, select Accounts in this organizational directory only (Single tenant).
  7. Click Register.

Note: The other account types are compatible but not relevant in most scenarios.

  1. In the side panel, go to API permissions.
  2. Click + Add a permission and select APIs my organization uses.
  3. Search for Office 365 Exchange Online and select it.
  4. Select Application permissions.
  5. Search for SMTP and select SMTP.SendAsApp.
  6. Click Add permissions.
  7. Click Grant admin consent for [Your Entra ID Domain] and confirm with YES.

The result should show the permission with a green checkmark indicating admin consent granted.

  1. Go to Certificates & secrets via the side panel.
  2. Under Client secrets, click + New client secret.
  3. Enter a name and validity period, then click Add.

Important: Be sure to save the value of the key immediately. This is only displayed once. If you do not save it, you must create a new key. The value will be needed later in this guide.

Note the validity period of the key. After expiration, email sending will no longer be possible, and the secret must be updated.

Step 2: Create a Service Principal and Link It to a Mailbox

The following steps require Windows PowerShell.

For Windows Server 2016, first execute these commands:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-PackageProvider -Name NuGet

Install the ExchangeOnlineManagement module and connect to Exchange Online:

Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -Organization <tenantId>

Replace <tenantId> with your Tenant ID. You may encounter security prompts — agree to them.

Get Application ID and Object ID:

  1. Open the Enterprise applications pane in Azure.
  2. For <APPLICATION_ID>, use the Application ID (client) from the third column.
  3. For <OBJECT_ID>, use the Object ID from the second column. Do NOT use the object ID from App Registrations — the command will fail.

Create the Service Principal:

New-ServicePrincipal -AppId <APPLICATION_ID> -ObjectId <OBJECT_ID>

Replace the placeholders with the values from above.

Link Service Principal to mailbox:

Get the Service Principal ID:

Get-ServicePrincipal | fl

Note the ID value, then run:

Add-MailboxPermission -Identity "john.smith@contoso.com" -User <SERVICE_PRINCIPAL_ID> -AccessRights FullAccess

Replace john.smith@contoso.com with the mailbox from which emails should be sent.

Step 3: Enable SMTP Auth for the Mailbox

By default, SMTP Auth is disabled for all mailboxes. Enable it for your sending mailbox:

Set-CASMailbox -Identity john.smith@contoso.com -SmtpClientAuthenticationDisabled $false

Replace john.smith@contoso.com with your sending mailbox.

Details: Microsoft Learn: Authenticated Client SMTP Submission

Note: If a completely new mailbox has been set up, it may take up to one day before email sending is possible.
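
To confirm that Steps 2 and 3 took effect before moving on, the following added example (not part of the InLoox documentation) reads the settings back in the same Exchange Online PowerShell session. The placeholder values are the ones used above; the check of the organization-wide setting with Get-TransportConfig is an addition that the guide itself does not mention.

```powershell
# Added example. Run in the session opened with Connect-ExchangeOnline.
# Replace the placeholders with your own values.
$AppId   = '<APPLICATION_ID>'
$Mailbox = 'john.smith@contoso.com'

# Step 2a: a service principal for the app must exist in Exchange Online.
$sp = Get-ServicePrincipal | Where-Object { $_.AppId -eq $AppId }
if (-not $sp) {
    Write-Warning "No Exchange service principal for AppId $AppId (run New-ServicePrincipal)."
}

# Step 2b: the service principal needs FullAccess on the sending mailbox.
if ($sp) {
    $perm = Get-MailboxPermission -Identity $Mailbox -User $sp.Identity -ErrorAction SilentlyContinue
    if ($perm.AccessRights -contains 'FullAccess') {
        "OK   FullAccess granted on $Mailbox"
    } else {
        Write-Warning "FullAccess for the service principal is missing on $Mailbox."
    }
}

# Step 3: per-mailbox SMTP AUTH state.
#   $false = enabled, $true = disabled, empty = the organization-wide setting decides.
$state = (Get-CASMailbox -Identity $Mailbox).SmtpClientAuthenticationDisabled
if ($state -eq $false) {
    "OK   SMTP AUTH enabled on $Mailbox"
} elseif ($state -eq $true) {
    Write-Warning "SMTP AUTH is disabled on $Mailbox (run Set-CASMailbox)."
} else {
    # No mailbox-level override: fall back to the tenant-wide transport setting.
    $orgDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled
    if ($orgDisabled) {
        Write-Warning "No mailbox override and SMTP AUTH is disabled organization-wide."
    } else {
        "OK   SMTP AUTH allowed by the organization-wide setting"
    }
}
```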

Step 4: Configure OAuth in InLoox Self-Hosted

In the InLoox Self-Hosted Server setup, select OAuth with Microsoft 365. Enter the following values:

  • SMTP Server name: smtp.office365.com
  • Sender email address: The email address of the mailbox selected in Step 2
  • Sender email name: The display name for the sender
  • Username: The username of the mailbox selected in Step 2
  • TenantId: Your Entra ID Tenant/Client ID
  • ClientId: The Client/Application ID of the Azure App you created
  • Client Secret: The Client Secret created in Step 1
  • Port: 587 (default for SMTP)
  • Encryption: Start TLS (default)

Send a test email to any mailbox. If successful, you can proceed.

Configuration Delays

In some cases, the configurations from Steps 2 and 3 take time to become effective in Exchange Online. If you encounter error messages, first check the configuration. If correct, wait 15-30 minutes and try sending the test email again.

After setting up a new user, it can take up to 24 hours before email sending is successful.
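
When the test email fails, it helps to separate app-registration problems (Step 1) from Exchange-side problems (Steps 2 and 3). The following added example (not InLoox code) requests a token with the client credentials flow and inspects its claims. The token endpoint and the scope https://outlook.office365.com/.default come from the Microsoft identity platform and are not stated in this guide; treating the access token as a readable JWT is an assumption made for diagnostics only.

```powershell
# Added example, not InLoox code. Replace the placeholders with your own values.
$TenantId = '<tenantId>'
$ClientId = '<APPLICATION_ID>'

# Windows Server 2016 may need TLS 1.2 enabled for this session (as in the PowerShell setup above).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Decode the payload (second segment) of a JWT. Diagnostic use only: the signature is not verified.
function ConvertFrom-JwtPayload([string]$Jwt) {
    $p = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($p.Length % 4) { 2 { $p += '==' } 3 { $p += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p))
    $json | ConvertFrom-Json
}

# Prompt for the secret so it is not stored in a script file or in the command history.
$secure = Read-Host -Prompt 'Client secret value' -AsSecureString
$plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password

$body = @{
    grant_type    = 'client_credentials'
    client_id     = $ClientId
    client_secret = $plain
    scope         = 'https://outlook.office365.com/.default'
}
try {
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
} catch {
    # Typical causes: wrong tenant or client ID, expired or mistyped client secret.
    Write-Warning "Token request failed: $($_.Exception.Message)"
    return
} finally {
    $body.Clear()
    Remove-Variable -Name plain -ErrorAction SilentlyContinue
}

$claims  = ConvertFrom-JwtPayload $resp.access_token
$expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).LocalDateTime
"Tenant   : $($claims.tid)"
"Audience : $($claims.aud)"
"Expires  : $expires"
if ($claims.roles -contains 'SMTP.SendAsApp') {
    'OK   token carries the SMTP.SendAsApp application permission'
} else {
    Write-Warning 'SMTP.SendAsApp is missing: check the API permission and admin consent (Step 1).'
}
```

If the token is issued with SMTP.SendAsApp but sending still fails, the remaining causes are on the Exchange Online side: the service principal, the mailbox permission, the SMTP Auth setting, or the propagation delay described above.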