Modern Authentication for Email


Microsoft has made several announcements about changes to the authentication schemes supported for Office 365 email. The reason for these changes is to increase security, but they may prevent emails from being sent and received by your Magma system.

Here is an article which gives some background: Basic Authentication Deprecation in Exchange Online


You can only set up Modern Auth if all of the following are true:

  • You currently have Magma POP transports. These must be migrated to IMAP as part of a project.
  • You currently have Magma IMAP transports.


Before starting please note!

  • If you choose to set up Modern Auth, any issues that occur which require a Cindercone consultant will be billable as consultancy work, as the setup of Modern Auth is not a support issue.
  • Modern Auth only works for accounts not included in MFA access policy.
  • Magma only supports Modern Authentication for SMTP & IMAP on office365.com within the same tenant.
  • Messages are likely to go to spam.
  • The Office 365 rate limits are lower, meaning Magma emails could get blocked.
  • You must whitelist your static IP address, which introduces risk if you later change it.
  • After completing this setup, the following information will need to be sent to Cindercone’s Support Team, so please make a note of it while working through the setup. Details need to be clearly marked with the correct titles (see below in bold):


  • Modern Auth Client Secret: The “Value”
  • Modern Auth Client ID: The “Application (client) ID”
  • Modern Auth Tenant ID: The “Directory (tenant) ID”
  • Modern Auth Authorization Endpoint: The “OAuth 2.0 authorization endpoint (v2)”
  • Modern Auth Token Endpoint: The “OAuth 2.0 token endpoint (v2)”
  • From Account: The sending email address you are planning to use in Magma.
  • User: The user account login name for the email address.
  • Password: The password for the user account.
  • Send a screenshot of the page from Step 4 to show the permissions have been applied correctly.

Step 1

  • Log in to https://portal.azure.com/
  • Go to Azure Active Directory (you can use any account with admin privileges to login).
  • Choose “App Registration” from the left column.
  • Choose “+ New registration” from the Tabs.

Register an application by filling in the page as follows:


  • Name: Any name can be used (we do recommend including Cindercone or Magma for future reference).
  • Supported account types: Keep the default selection (Single tenant).
  • Redirect URI: Leave this section blank.
  • Click the Register button to proceed to the next page:

Step 2

  • Select API permissions from the left column on this page (see below).
  • Click on + Add a permission.
  • On the Request API permissions screen, select Microsoft Graph.
  • Select Delegated permissions (for the OAuth authorization flow).

Step 3

From the Request API permissions list on the left (see below), tick the following in the sub drop-down lists (these can also be found by typing in the search bar):

  • SMTP: Tick the box for: SMTP.Send
  • IMAP: Tick the box for: IMAP.AccessAsUser.All
  • POP: Tick the box for: POP.AccessAsUser.All
  • OpenId permissions: Tick the box for: offline_access
  • User: Tick the box for: User.Read

Step 4

Important Note! Ensure that you allow (tick) “Grant admin consent for ….”, as per below:

Step 5

Select: “Certificates & secrets” from the left-hand column (as per below)

Select: + New Client Secret.

Important Note! Make sure to copy and store the SECRET VALUE in your notes before you refresh or close this page, as you will not be able to see it again.

Step 6

App registrations

  • Go to “Endpoints” (located to the right of the “+ New registration” link.)


Take Note of your endpoints for the following:

  • OAuth 2.0 authorization endpoint (v2)
  • OAuth 2.0 token endpoint (v2)
  • Client ID
  • Tenant ID
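
How the values noted in Steps 5 and 6 are actually used by an SMTP/IMAP client, as an added example that is not part of the original article and not Magma's own code. It builds the token request for the v2 token endpoint, checks the token reply, and forms the SASL XOAUTH2 credential the mail server receives. Everything runs offline. Assumptions: the tenant ID, client ID and secret are placeholders; the scopes are the Step 3 permissions requested on the Outlook resource, as Microsoft's IMAP/POP/SMTP OAuth documentation shows (the article does not state the prefix); and the password grant is shown because it is the delegated grant that needs no redirect URI and fails for MFA-enforced accounts, which matches the notes above, though the article does not say which grant Magma uses.

```python
"""Builds the OAuth 2.0 requests and the SASL XOAUTH2 credential that an
SMTP/IMAP client uses with the values collected in Steps 5 and 6.
Runs offline: nothing here contacts Microsoft."""
import base64
import json
import urllib.parse

LOGIN_BASE = "https://login.microsoftonline.com"

# Constructed placeholders, not values from any real tenant.
TENANT_ID = "00000000-0000-0000-0000-000000000000"   # "Directory (tenant) ID"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # "Application (client) ID"
CLIENT_SECRET = "placeholder-client-secret-value"    # the secret "Value" from Step 5

# Assumption: the delegated permissions ticked in Step 3, requested as scopes on
# the Outlook resource as Microsoft's IMAP/POP/SMTP OAuth documentation shows;
# offline_access is what makes the token endpoint return a refresh token.
SCOPES = [
    "https://outlook.office.com/SMTP.Send",
    "https://outlook.office.com/IMAP.AccessAsUser.All",
    "https://outlook.office.com/POP.AccessAsUser.All",
    "offline_access",
]


def authorization_endpoint(tenant_id):
    """The 'OAuth 2.0 authorization endpoint (v2)' listed under Endpoints."""
    return f"{LOGIN_BASE}/{tenant_id}/oauth2/v2.0/authorize"


def token_endpoint(tenant_id):
    """The 'OAuth 2.0 token endpoint (v2)' listed under Endpoints."""
    return f"{LOGIN_BASE}/{tenant_id}/oauth2/v2.0/token"


def password_grant_form(client_id, client_secret, user, password, scopes):
    """Form body for the resource-owner password grant (assumption: the delegated
    grant that needs no redirect URI and fails for MFA-enforced accounts).
    POST it, form-encoded, to the token endpoint."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "password",
        "username": user,
        "password": password,
        "scope": " ".join(scopes),
    }


def refresh_grant_form(client_id, client_secret, refresh_token, scopes):
    """Form body for renewing an access token with the refresh token."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": " ".join(scopes),
    }


def parse_token_response(body, required_scopes):
    """Validate a token endpoint JSON reply: bearer type and every required
    scope granted. Returns (access_token, refresh_token, expires_in)."""
    reply = json.loads(body)
    if "error" in reply:
        raise ValueError(f"token request failed: {reply['error']}")
    if reply.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    granted = set(reply.get("scope", "").split())
    # offline_access is consumed by the token endpoint and not echoed back.
    missing = {s for s in required_scopes if s != "offline_access"} - granted
    if missing:
        raise ValueError(f"scopes not granted: {sorted(missing)}")
    return reply["access_token"], reply.get("refresh_token"), int(reply["expires_in"])


def xoauth2_initial_response(user, access_token):
    """SASL XOAUTH2 client response: user=<addr>^Aauth=Bearer <token>^A^A.
    imaplib.IMAP4.authenticate and smtplib.SMTP.auth base64-encode this themselves."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("ascii")


def xoauth2_wire(user, access_token):
    """The base64 form that actually follows `AUTH XOAUTH2` on the wire."""
    return base64.b64encode(xoauth2_initial_response(user, access_token)).decode("ascii")


def redact(form):
    """Copy of a form that is safe to log: secret, password and tokens masked."""
    hidden = {"client_secret", "password", "refresh_token"}
    return {k: ("***" if k in hidden else v) for k, v in form.items()}


if __name__ == "__main__":
    form = password_grant_form(CLIENT_ID, CLIENT_SECRET, "mailer@example.com", "pw", SCOPES)
    print("POST", token_endpoint(TENANT_ID))
    print(urllib.parse.urlencode(redact(form)))
    print(xoauth2_wire("mailer@example.com", "ACCESS_TOKEN_PLACEHOLDER"))
```

The token reply is checked for the granted scopes because an app whose admin consent (Step 4) was not completed can still receive a token, just without the mail scopes, and the failure then only shows up as an authentication error at the mail server. Microsoft documents the password grant as a legacy flow to avoid where a redirect-based flow is possible, which is one reason it is limited to accounts outside MFA policy.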

NOTE! The “Client Secret” will expire within 2 years. Ensure that you revisit and renew it on expiry.
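A check for the expiry note above, added here and not part of the original article: it reads the JSON that `az ad app credential list --id <client-id>` prints for the app registration and reports how many days each client secret has left, so the renewal can be scheduled before mail stops. It runs offline on a constructed sample. Assumptions: the field names (`endDateTime`, `keyId`, `displayName`, `hint`) are those of the Azure CLI's output, the IDs and dates in the sample are placeholders, and the 30-day warning window is a chosen default.

```python
"""Reports how long each client secret on an app registration has left, from
the JSON printed by `az ad app credential list --id <client-id>`.
Runs offline on a constructed sample."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape the Azure CLI returns (assumption about the
# field names); the IDs and dates are placeholders.
SAMPLE_OUTPUT = json.dumps([
    {
        "displayName": "Magma mail secret",
        "endDateTime": "2024-03-01T00:00:00Z",
        "hint": "abc",
        "keyId": "aaaaaaaa-0000-0000-0000-000000000001",
        "startDateTime": "2022-03-01T00:00:00Z",
    },
    {
        "displayName": "Magma mail secret (renewed)",
        "endDateTime": "2026-02-10T00:00:00Z",
        "hint": "def",
        "keyId": "aaaaaaaa-0000-0000-0000-000000000002",
        "startDateTime": "2024-02-10T00:00:00Z",
    },
])


def _parse_utc(stamp):
    """Parse the CLI's ISO 8601 timestamp; 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def classify_secret(cred, now, warn_days):
    """Label one credential as ok / expiring / expired relative to `now`."""
    remaining = _parse_utc(cred["endDateTime"]) - now
    if remaining <= timedelta(0):
        status = "expired"
    elif remaining <= timedelta(days=warn_days):
        status = "expiring"
    else:
        status = "ok"
    return {
        "keyId": cred["keyId"],
        "displayName": cred.get("displayName"),
        "hint": cred.get("hint"),  # first characters only; the CLI never returns the secret itself
        "days_remaining": remaining.days,
        "status": status,
    }


def check_secrets(cli_json, now=None, warn_days=30):
    """Classify every secret. `now` may be omitted, a datetime, or an ISO
    timestamp string, so the check is reproducible in tests."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_utc(now)
    return [classify_secret(c, now, warn_days) for c in json.loads(cli_json)]


def needs_action(report):
    """True when no secret is comfortably valid, i.e. renewal must happen now."""
    return not any(r["status"] == "ok" for r in report)


if __name__ == "__main__":
    import sys
    # Pipe the CLI output in, e.g. `az ad app credential list --id <client-id> | python check.py`;
    # with no piped input the constructed sample is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    report = check_secrets(data)
    for r in report:
        print(f"{r['status']:9} {r['days_remaining']:>6}d  {r['displayName']}  (hint {r['hint']})")
    sys.exit(1 if needs_action(report) else 0)
```

Scheduling this with a non-zero exit on "expiring" or "expired" turns the two-year expiry into a ticket rather than an outage; the report carries only the key ID and the hint, never the secret value, so it is safe to forward.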

To check that authenticated SMTP is enabled for the user, go to your Microsoft 365 admin centre (this is not Azure).

  • Go to your Active users. 
  • Click on the user account that is going to be used in Magma.
  • Find the “Manage email apps” link.
  • Click on “Manage email apps”. 
  • Then make sure the “Authenticated SMTP” checkbox is ticked.

Step 7

  • After completing this setup, please send the following information to Cindercone’s Support Team.

NOTE: Details need to be clearly marked with the correct titles and in the correct order (see below in bold):

  • Modern Auth Client Secret: The “Value”
  • Modern Auth Client ID: The “Application (client) ID”
  • Modern Auth Tenant ID: The “Directory (tenant) ID”
  • Modern Auth Authorization Endpoint: The “OAuth 2.0 authorization endpoint (v2)”
  • Modern Auth Token Endpoint: The “OAuth 2.0 token endpoint (v2)”
  • From Account: The sending email address you are planning to use in Magma.
  • User: The user account login name for the email address.
  • Password: The password for the user account.

Send a screenshot of the page from Step 5 to show the permissions have been applied correctly.