FOIAXpress Collaboration Office 365 OAuth Configuration


This document describes the steps required to configure Collaboration to authenticate to Office 365 with OAuth when sending email messages from a system account, so that no mailbox password has to be stored in the application. The configuration process consists of three main phases:

  • Register Application: Register the application in the Azure Portal

  • Create Client Secret: Generate a client secret in the Azure Portal for OAuth authentication

  • API Permissions: Assign the required API permissions to allow email delivery

Prerequisites

The following prerequisites must be met before beginning the OAuth configuration:

  • OAuth configuration must be performed by a system administrator with sufficient permissions and familiarity with Azure and Office 365

  • An Exchange mailbox must be created in Office 365 prior to configuration (for example, noreply@Casepointtech.com). This mailbox is used as the sender address for all system-generated email messages from Collaboration and is required to complete the setup

Application Registration

The first step in the OAuth configuration process is to register the application in Azure. Complete the following steps:

  • Log in to the Azure Portal (https://portal.azure.com) with an administrator account that is permitted to register applications and grant admin consent in your tenant (see Prerequisites). The Exchange mailbox created for the Collaboration system account does not itself sign in; it is only referenced later as the sender address.

  • Navigate to App registrations and select New registration. The Register an application page is displayed.

  • Enter a name for the application in the Name field.

  • Under Supported account types, the default option (Accounts in this organizational directory only, single tenant) is selected automatically. This is the appropriate choice for a system account that sends mail from your own tenant; modify the selection only if your organization's configuration requires it.

  • In the Redirect URI section, enter the following value:
    <Application Admin URL>/connectors/SMTP.aspx, where <Application Admin URL> represents your application’s administrative URL.

  • Click Register to create the application.

  • After registration is complete, the Application (client) ID and Directory (tenant) ID are displayed. Copy and save both values for later use.

  • Access the Mail Server Address section in System Settings

  • In the OAuth Client ID field, enter the Application (client) ID recorded after registration above.

  • In the Tenant ID field, enter the Directory (tenant) ID recorded after registration above.

  • In the Email Address field, enter the email address of the system account mailbox created under Prerequisites (for example, noreply@ains.com). This is the mailbox Collaboration will send as.

  • Click Save to apply the changes.

Client Secret Creation

After registering the application, create a client secret by completing the following steps:

  • In the Azure Portal, open the registered application and navigate to Certificates & secrets.

  • Click New client secret.

  • On the Add a client secret page, enter a description for the secret. This description is for administrative reference only.

  • Use the Expires field to select an expiration date based on your organization's security requirements (the portal allows a maximum of 24 months). A shorter lifetime limits how long a leaked secret remains usable, so choose the shortest period your renewal process can support.

NOTE: Record the expiration date. The client secret must be renewed before it expires to avoid service disruption; a new secret can be created alongside the old one so the Secret Key field can be updated before the old value expires.

  • Click Add to generate the client secret.

  • Once generated, the client secret is displayed.

  • Copy the Value field and store it securely (for example, in your organization's secrets vault). Do not send the value by email or paste it into tickets; treat it as equivalent to the system account's password.

NOTE: The Value cannot be retrieved again after you leave the page. If it is lost, delete the secret and create a new one.

  • Access Mail Server Configuration from General Settings.

  • Paste the copied value into the Secret Key field.

  • Click Save to apply the changes.

API Permissions Configuration

The final step in enabling OAuth authentication is configuring the required API permissions:

  • In the Azure Portal, open the registered application and select API permissions.

  • Click Add a permission.

  • On the Request API permissions page, select Microsoft Graph.

  • Choose Application permissions.

  • In the Select permissions field, enter mail.

  • Expand Mail permissions and select Mail.Send.

  • Click Add permissions to apply the selection.

  • An administrator must grant consent for the requested permissions. Once approval is granted, the system account mailbox is authorized to send email messages using OAuth authentication.

NOTE: The Email Address field in Collaboration only selects which mailbox the application sends as. The Mail.Send application permission itself is tenant-wide: once admin consent is granted, anyone holding the client ID and secret can send email as any mailbox in the organization, not just the system account. For this reason the permission requires admin consent, should be granted only when necessary for the application's functionality, and should be scoped with an Application Access Policy (see the optional section below). Ensure you follow organizational policies for access and security.
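Before entering the values in Collaboration, it is worth confirming outside the product that the registration, client secret and admin consent work together. The following PowerShell script is an added example and is not part of the Collaboration product or its documentation. It performs the same client credentials flow the application uses: it requests a token for Microsoft Graph with the client secret, checks that the Mail.Send application permission is present in the token's roles claim (which is empty until admin consent has been granted), and then sends a test message as the system mailbox. All parameter values ($TenantId, $ClientId, $ClientSecret, $Sender, $Recipient) are placeholders you supply; the endpoints and request bodies are the documented Microsoft identity platform and Graph sendMail formats.

```powershell
# Added verification script (not part of Collaboration or its documentation).
# Assumes: $TenantId, $ClientId and $ClientSecret are the values recorded in the steps above;
# $Sender is the system mailbox from Prerequisites; $Recipient is any mailbox you can read.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [string] $ClientSecret,   # prefer reading this from a vault, not a command line
    [Parameter(Mandatory)] [string] $Sender,
    [Parameter(Mandatory)] [string] $Recipient
)

# 1. Client credentials grant: no user signs in; the app authenticates with its own secret.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$accessToken = $tokenResponse.access_token

# 2. Confirm admin consent took effect: application permissions appear in the token's
#    "roles" claim. Decode the JWT payload (second segment, base64url) to inspect it.
$payload = $accessToken.Split('.')[1].Replace('-', '+').Replace('_', '/')
switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
$claims = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) |
    ConvertFrom-Json
if (-not ($claims.roles -contains 'Mail.Send')) {
    throw "Token lacks the Mail.Send role; admin consent has not been granted. roles = $($claims.roles -join ',')"
}

# 3. Send a test message as the system mailbox via Microsoft Graph.
$message = @{
    message = @{
        subject      = 'Collaboration OAuth test'
        body         = @{ contentType = 'Text'; content = 'Client credentials + Mail.Send are working.' }
        toRecipients = @(@{ emailAddress = @{ address = $Recipient } })
    }
    saveToSentItems = $false
} | ConvertTo-Json -Depth 6

Invoke-RestMethod -Method Post `
    -Uri "https://graph.microsoft.com/v1.0/users/$Sender/sendMail" `
    -Headers @{ Authorization = "Bearer $accessToken" } `
    -ContentType 'application/json' `
    -Body $message

# Graph answers 202 Accepted with an empty body on success. A 403 at this step usually means
# consent is missing for this tenant or an Application Access Policy denies this sender.
"Test message accepted for delivery from $Sender to $Recipient"
```

Run the script as the administrator who performed the registration; if step 2 throws, return to API permissions and grant admin consent, and if step 3 returns 403 after consent, check for an Application Access Policy that excludes the sender mailbox.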

Restrict Application Access to Specific Users or Groups (Optional)

By default, granting the Mail.Send application permission allows the app to send emails on behalf of any user in the organization. To restrict access so that the application can only send emails on behalf of specific users or a group, configure an Application Access Policy using Exchange Online PowerShell. This is recommended for a system account: the policy is enforced by Exchange Online for Microsoft Graph mail calls, so a compromised client secret can then only send as the mailboxes in the policy scope.

Prerequisites

  • Windows PowerShell 5.1 or PowerShell 7.4+ (recommended)

  • Exchange Online PowerShell V3 module

Install the Exchange Online Module

1. Open PowerShell.

2. Run the following command: Install-Module -Name ExchangeOnlineManagement -Force

Create an Application Access Policy

Follow the steps below to restrict Graph API application access for the Collaboration system account:

1. Open PowerShell.

2. Type Connect-ExchangeOnline and press Enter.

3. Sign in using admin credentials when prompted.

4. Once connected, type New-ApplicationAccessPolicy and press Enter.

5. For AccessRights, type RestrictAccess and press Enter.

6. For AppId[0], enter the Application (client) ID obtained during the Application Registration step above and press Enter.

7. For AppId[1], leave the line blank and press Enter. The prompt repeats because AppId accepts several application IDs; an empty entry ends the list, and a second ID is needed only when one policy must cover multiple applications.

8. For PolicyScopeGroupId, enter the user account or a Mail-Enabled Security Group. Refer to the section below to create a Mail-Enabled Security Group if needed.

NOTE: If you want to restrict application access for more than one user account, you must use a Mail-Enabled Security Group.

Create a Mail-Enabled Security Group

To restrict application access for multiple users, create a Mail-Enabled Security Group in Exchange Online:

1. Log in to the Exchange Admin Center (EAC).

2. Navigate to Recipients > Groups > Add a group.

3. Select Mail-enabled security as the group type and click Next.

4. Enter a Name and Description, then click Next.

5. Assign owners, add members, and define the email address.

6. Review the details and click Create group.

Test the Application Access Policy

After creating the policy, verify that it is working correctly. Test-ApplicationAccessPolicy evaluates the policy as stored in Exchange Online, so it can be run immediately; enforcement of a new or changed policy on Microsoft Graph calls can take up to 30 minutes to take effect.

  1. In PowerShell, type Test-ApplicationAccessPolicy and press Enter.

  2. For AppId, enter the Application (client) ID used when creating the policy.

  3. For Identity, enter the user account or group account to test. If the user or group has access, the AccessCheckResult field in the output shows Granted.

  4. If the user or group does not have access, the AccessCheckResult field shows Denied. Test at least one mailbox outside the policy scope as well, to confirm that the restriction actually applies.
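The interactive prompts above can be replaced by a single script, which is easier to review and to re-run after a change. The following is an added example and is not part of Collaboration or its documentation. It creates the RestrictAccess policy for the application (skipping creation if one already exists for that AppId), then tests the policy from both sides: the system mailbox must be Granted and an unrelated mailbox must be Denied. $AppId, $SenderMailbox and $OtherMailbox are placeholders you supply; the cmdlets, parameters and the AccessCheckResult output field are those of the ExchangeOnlineManagement module.

```powershell
# Added example (not part of Collaboration or its documentation).
# Assumes: $AppId is the Application (client) ID registered above; $SenderMailbox is the
# system mailbox (for example noreply@ains.com) or a Mail-Enabled Security Group; and
# $OtherMailbox is any mailbox the app must NOT be able to send as.
param(
    [Parameter(Mandatory)] [string] $AppId,
    [Parameter(Mandatory)] [string] $SenderMailbox,
    [Parameter(Mandatory)] [string] $OtherMailbox
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false   # interactive admin sign-in

# Re-running the script must not create a duplicate policy for the same application.
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $existing) {
    New-ApplicationAccessPolicy -AccessRights RestrictAccess `
        -AppId $AppId `
        -PolicyScopeGroupId $SenderMailbox `
        -Description 'Collaboration: restrict Mail.Send to the system mailbox' | Out-Null
}

# Verify from both sides: in scope must be Granted, out of scope must be Denied.
$allowed = Test-ApplicationAccessPolicy -AppId $AppId -Identity $SenderMailbox
$blocked = Test-ApplicationAccessPolicy -AppId $AppId -Identity $OtherMailbox

[pscustomobject]@{
    Sender       = $SenderMailbox
    SenderResult = $allowed.AccessCheckResult
    Other        = $OtherMailbox
    OtherResult  = $blocked.AccessCheckResult
}

if ($allowed.AccessCheckResult -ne 'Granted' -or $blocked.AccessCheckResult -ne 'Denied') {
    throw 'Application Access Policy is not scoping the application as intended'
}

Disconnect-ExchangeOnline -Confirm:$false
```

If the out-of-scope mailbox is reported as Granted, no policy with AccessRights RestrictAccess exists for this AppId (check Get-ApplicationAccessPolicy); if the system mailbox is Denied, the PolicyScopeGroupId does not resolve to that mailbox or to a group containing it.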