Microsoft 365 SMTP OAuth Configuration

Deprecation of Basic Authentication in Microsoft 365

As part of Microsoft’s ongoing security enhancements, Basic Authentication in Exchange Online (part of Microsoft 365) will be fully deprecated and disabled by March 2026. (See Microsoft’s official announcement.)

Impact on Tenable Identity Exposure

Tenable Identity Exposure includes a feature that delivers email reports and alerts. If you currently use Basic Authentication to connect to Microsoft 365 for SMTP, you will no longer receive email reports or alerts from Tenable Identity Exposure after Basic Authentication is disabled.

To prevent any disruption, Tenable Identity Exposure supports OAuth, Microsoft 365’s modern and secure authentication protocol. Tenable Identity Exposure strongly recommends that you prepare for this change to ensure continued access to email notifications.

Use the following procedures to configure SMTP OAuth authentication in Microsoft 365 to enable secure email sending capabilities in Tenable Identity Exposure.

Prerequisites

• Microsoft 365 Administrator access

• PowerShell with administrator privileges

• Active Microsoft 365 tenant

• Installed PowerShell module ExchangeOnlineManagement [see step 6]

• Installed PowerShell module ExchangePowerShell [see step 6]

OAuth Configuration

1. Create an App Registration in Entra ID

   1. Sign in to the Azure Portal.

   2. Navigate to Microsoft Entra ID > App registrations.

   3. Click + New registration.

   4. Enter a name for your application.

   5. Select the appropriate supported account types “Accounts in this organizational directory only”.

   6. Click Register.

      

      

   7. Copy the Tenant ID and keep for reference.

      

   8. Click on the link below "Managed application in local directory" to access the Entreprise application corresponding to this new App registration:

      

   9. Copy the Application ID (AppID) and Object ID (ObjectID) for use in the next steps.

2. Configure Exchange Online API Permissions

   1. In your newly created App Registration, select API permissions from the left menu.

   2. Click + Add a permission.

      

   3. Select the Office 365 Exchange Online API.

      

   4. Choose Application permissions.

      

   5. Scroll down and select SMTP.SendAsApp.

      

   6. Click Add permissions.

   7. Click Grant admin consent for [Your Organization].

      

3. Create a Client Secret

   1. In your App Registration, go to Certificates & Secrets in the left menu.

      

   2. Under Client secrets, click + New client secret.

   3. Enter a description for your secret.

      

   4. Select an expiration period based on your security policy.

      Important: Make sure to rotate the client secret before it expires by creating a new one and configuring it in Tenable Identity Exposure. If the credential is not updated in time, email sending in Tenable Identity Exposure will fail once the key expires.

   5. Click Add.

      

      Important: Copy and securely store the generated secret value, as it will not be shown again. You will need it in the next step, there is no way to retrieve it later.

4. Prepare the User Mailbox

   1. Go to the Microsoft 365 Admin Center.

   2. Navigate to Users > Active Users.

      

   3. Either select an existing user or create a new shared mailbox that will be used for SMTP sending.

      

   4. Ensure the mailbox has an appropriate Office 365 license assigned.

      

      

5. Enable Authenticated SMTP on the Mailbox

   1. Go to the Microsoft 365 Admin Center.

   2. Navigate to Users > Active Users.

      

   3. Select the user mailbox you're configuring.

   4. Click on Mail > Manage email Apps.

      

   5. Uncheck all options, then check only Authenticated SMTP.

   6. Click Save.

6. Install Required PowerShell Modules

   • Open PowerShell and run the following commands:

     Copy

     Install-Module -Name ExchangeOnlineManagement
     Import-Module ExchangeOnlineManagement
     Install-Module -Name ExchangePowershell
     Import-Module -Name ExchangePowershell
     # Connect to Exchange Online (replace <Tenant ID> with your actual Tenant ID)
     Connect-ExchangeOnline -Organization <Tenant ID>

7. Register Service Principal in Exchange

   • In your PowerShell session (still connected to Exchange Online), run after adapting with the values obtained at the beginning:

     Copy

     # Register the service principal
     New-ServicePrincipal -AppId "<AppID>" -ObjectId "<ObjectID>"

8. Add Mailbox Permissions

   • In the same PowerShell session, grant your application's service principal access to the desired mailbox:

     Copy

     Add-MailboxPermission -Identity "<[email protected]>" -User "<APPID>" -AccessRights FullAccess

     Note: Replace "<[email protected]>" with the actual email address of the mailbox you want to use, and <APPID> with the Application ID of your Service Principal.

     

9. Collect OAuth Configuration Information

   For Tenable Identity Exposure to use OAuth SMTP authentication, provide the following information gathered earlier:

   • Tenant ID: Your Microsoft 365 tenant ID

   • Client ID: The Application (client) ID of your app registration

   • Client Secret Value: The secret value you created and saved earlier

   • Sender Email: The email address of the mailbox you configured