Configure client credential flow for SMTP OAuth2 using certificate-based authentication

  • Release version: Yokohama
  • Updated January 30, 2025
  • 1 minute to read

    • Configure an OAuth application profile to authenticate using certificates for outbound email.

    Before you begin

    Create an Microsoft Azure account to configure an OAuth profile.

    Complete the setup steps using your Microsoft Azure Developer account. See Microsoft Azure product documentation for instructions on creating and configuring custom applications.

    Role required: Microsoft Azure portal administrator and admin

    Procedure

    1. Log in to the Microsoft Azure registration profile with your organization credentials.
      For more information, see the Microsoft Azure registration portal documentation.
    2. Register a new custom application by filling in the application name, supported account type, and redirect URL, and then select Register.
      Note:
      Enter the redirect URL in the following format: https://<instance>/oauth_redirect.do.
      An overview of the application's basic information is displayed.
    3. Copy the client ID to a text file.
      You’ll use this client ID and the secret value generated in the next steps to register the app as a third-party OAuth provider on your ServiceNow instance. You use the application ID as the client ID when you connect the application to ServiceNow.
    4. Enable the SMTP.SendAsApp permission.
      1. In Microsoft Azure, navigate to Manage > API permissions.
      2. Select Add a permission.
      3. Select the Microsoft Office 365 tile.
      4. Select Application Permissions.
      5. In the Select permissions field, enter SMTP.SendAsApp.
      6. Select the SMTP.SendAsApp check box.
      7. Select Add permissions.
    5. Select Grant admin consent for <organization name>, then select Yes to confirm.
    6. Upload the certificate.
      1. In Microsoft Azure, navigate to Manage > Certificates & secrets.
      2. Select upload certificate.
      3. Provide a description, a start date, and an expiration date, then upload the certificate.
    7. Copy the client ID and directory ID to a text file.
    8. Register service principals in Microsoft Exchange using PowerShell.
      1. Run the following commands. 
        Install-Module -Name ExchangeOnlineManagement -allowprerelease
Import-module ExchangeOnlineManagement
Connect-ExchangeOnline -Organization <tenantId>
        For more information, see Authenticate SMTP connection using OAuth
      2. Register an Microsoft Entra ID application's service principal by running the following command. 
        New-ServicePrincipal -AppId <APPLICATION_ID> -ObjectId <OBJECT_ID>
        Important:
        For the OBJECT_ID value, go to Overview > Managed applications in local directory and copy the Object ID.
      3. Add permission to user email ID using the following command. 
        Add-MailboxPermission -Identity "<email_id>" -User <object_id> -AccessRights FullAccess
    9. Navigate to Overview > Endpoints and copy the OAuth 2.0 token endpoint (v2) to a text file.
      You use the OAuth 2.0 token endpoint (v2) when configuring a JWT provider. For more information, see Configure a JWT provider.

    What to do next

    Configure a JWT provider