CSSCurrent en:Microsoft Exchange Online with OAuth2 Authentication

Aus Cryptshare Documentation
Wechseln zu:Navigation, Suche

Introduction

The Cryptshare Server can send emails via Microsoft Exchange Online. Since Microsoft has discontinued basic authentication for connecting to the SMTP interface, the Cryptshare Server is now able to access this interface via OAuth 2.0 authentication.

App registration in the Microsoft Entra platform

The setup steps are subject to change at any time
Microsoft may change the exact application registration process without prior notice. We recommend that you familiarise yourself with the current process for registering an application with the Microsoft Identity Platform.
Cryptshare for OWA already configured? Separate configuration required!
If you are already using Cryptshare for OWA, it is necessary to create a separate configuration due to different permissions and processes.
  1. Log in to the Microsoft Entra Admin Centre. To do this, please use at least one account with the access rights of a cloud application administrator.
  2. If you have access to multiple tenants/directories, ensure that you have selected the tenant you wish to use with the Cryptshare Server by clicking on the settings cog at the top.
    EntraSettings.png
    CurrentEntraDirectory.png
  3. Use the sidebar to open 'Entra ID' -> 'App Registrations'
    EntraAppRegistrations.png
  4. Register a new application using the 'New Registration' button.
    EntraNewRegistration.png
  5. Create your new application with the following settings:
    OAuthEntraRegistering.png
    • The name of the application can be chosen freely.
    • Select the account type ‘Accounts in this organizational directory only (<your company name> only - Single tenant)’.
    • Do not set a redirect URI.
  6. Once the application has been registered, please copy the 'Application (client) ID' and the 'Directory (tenant) ID'.
    Application and tenant ids.png
  7. In the sidebar of the app registration, select the menu item ‘Certificates & Secrets’, then the tab ‘Client Secrets’ and then the button ‘New client secret’.
    • The description can be freely chosen.
    • Select the desired Expires value. The maximum duration that can be selected is two years. Please note that after this period has expired, you must create a new client secret and store it in the Cryptshare Server so that the Cryptshare Server will still be able to send emails after the expiry date. We recommend setting up a calendar entry or other reminder.
    • Then click on the ‘Add’ button.
    • On the next page, you will see the secret client key that has been created. Copy the string displayed in the 'Value' column (not the Secret ID). The secret client key is only displayed once and cannot be viewed again after leaving the page.
  8. Next, select the ‘API permissions’ menu item in the sidebar of the app registration.
  9. Use the ‘Add a permission’ button, then select the ‘APIs my organization uses’ tab, then choose 'Office 365 Exchange Online', then 'Application permissions' and add the 'SMTP.SendAsApp'so that they are displayed in the list.
    Application permissions.png
    Smtp sendasapp.png
  10. Then click 'Grant admin consent for <your company name>' and confirm with 'Yes'.
    Grant admin consent.png
  11. Go to the 'Enterprise apps' section and copy the value from the 'Object ID' column of your newly added application. (Please note: this object ID is different from the object ID found in the App registrations menu item. The object ID from the Enterprise App menu item is required for one of the subsequent steps.)
    Object id.png
  12. Now continue with the configuration in Exchange Online PowerShell.

App configuration in Exchange Online PowerShell

The setup steps are subject to change at any time
Microsoft may change the exact application registration process without prior notice. We recommend that you [https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#use-client-credentials-grant-flow-to-authenticate-smtp-imap-and-pop-connections to familiarise yourself with the current process for registering an application with the Microsoft Identity Platform.
  1. Open a PowerShell console on your local Windows PC.
  2. Install and connect to Exchange Online PowerShell:
    1. The Exchange Online PowerShell scripts have not been digitally signed by Microsoft. Therefore, it is necessary to allow unsigned scripts to run: Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process .
    2. Install the ExchangeOnlineManagement modules: Install-Module -Name ExchangeOnlineManagement
    3. Make the installed modules available in the current PowerShell session: Import-module ExchangeOnlineManagement
    4. Connect to Exchange Online using your directory (tenant) ID from step 6 above: Connect-ExchangeOnline -Organisation <Directory ID>
    5. In the window that opens, log in to Microsoft Entra.
  3. Create a new service principal for the application using the application (client) ID from step 6 and the object ID from step 11: New-ServicePrincipal -AppId <application ID> -ObjectId <object ID>
  4. Then list all existing service principals with Get-ServicePrincipal | fl and find the entry whose AppId (application ID) and ObjectId (object ID) are identical to those used in the previous step. From this entry, you then need the value of the service principal ID specified under 'Sid'.
  5. Now assign the necessary permissions to the email address that will be used to send Cryptshare emails: Add-MailboxPermission -Identity "<sender email address>" -User <service principal ID> -AccessRights FullAccess.
  6. Now continue with the configuration on the Cryptshare server.

Configuration on the Cryptshare server

Oauth2 setting.png
  1. Connect to the Cryptshare administration interface.
  2. Navigate to the System Settings -> Mail Server menu.
  3. There, select the value 'Microsoft Exchange Online with OAuth2 authentication' as the 'SMTP server type'.
  4. Ensure that the email address for which the mailbox permission was previously created is entered in the 'Sender Address' field.
  5. Ensure that the checkbox next to 'Allow using individual sender addresses.' is unchecked.
  6. In the 'Directory (tenant) ID' field, enter the value of the 'Directory (tenant) ID' from step 6.
  7. In the 'Application (client) ID' field, enter the value of the 'Application (client) ID' from step 6.
  8. In the 'Client Secret' field, enter the value of the 'Client Secret' from step 7.
  9. Click 'Save changes'.
  10. You can send yourself a test email by entering any email address in the 'Test with address' field and clicking 'Send test message'.
  11. Then make sure that the same 'Sender Address' is also defined in the policy rules and that the 'Allow using individual sender addresses' checkbox is not selected.
Abgerufen von „https://documentation.cryptshare.com/w/index.php?title=CSSCurrent_en:Microsoft_Exchange_Online_with_OAuth2_Authentication&oldid=53178