FOIAXpress Send Emails Using Azure


Purpose

This Standard Operating Procedure (SOP) provides step-by-step instructions for registering an application in the Microsoft Azure Portal to send emails on behalf of users in FOIAXpress.

Prerequisites

  • Access to the Azure Portal.

  • Appropriate permissions in Azure AD (e.g., Application Administrator or Global Administrator).

Registering Application in Azure Portal

  • Open a web browser and navigate to portal.azure.com.

  • Sign in using your organizational credentials.

  • Click App registrations and then select + New registration.

  • Enter the application details:

      • Name: Enter a descriptive name.

      • Supported account types: Select Single tenant.

  • Click Register at the bottom of the page.

  • After registration, you will be redirected to the Application’s Overview page.

  • Record the Application (client) ID and Directory (tenant) ID for future use.

Create Client Secrets

  • Navigate to your application’s Overview page in the Azure Portal.

  • Select Certificates & Secrets from the left panel.

  • Click + New client secret from the Client Secrets section.

  • Enter a Description for the client secret.

  • Use the Expires field to select an expiration period (such as 6, 12, or 24 months) based on your organization’s security requirements (up to a maximum of 24 months).

NOTE: Record the expiration date. The client secret must be renewed before it expires to avoid service disruption.

  • Click Add to create the client secret.

  • After the secret is created, copy the Value immediately (it will not be shown again after you leave the page).

  • Store the client secret value securely for use in your application configuration.

NOTE: The client secret value is what the application uses to authenticate to Azure AD. Safeguard the secret and never share it publicly.
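Because the secret value cannot be retrieved again after you leave the page, the only thing Azure AD will show later is the expiry date. The following script, added here as an example and not part of the FOIAXpress SOP, lists the client secrets on the registered application and flags any that are expired or close to expiry so the renewal mentioned in the note above is not missed. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to Application.Read.All; the 30-day warning window is an assumed value.

```powershell
# Added example (not part of the FOIAXpress SOP): list the client secrets on the
# app registration and flag any that expire within a warning window.
# Assumes: Install-Module Microsoft.Graph has been run, and the caller can
# consent to Application.Read.All. The warning window is an assumed default.
param(
    [Parameter(Mandatory)][string]$AppId,   # Application (client) ID from the Overview page
    [int]$WarnDays = 30                     # assumed warning window in days
)

Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

# Look the registration up by its appId (client ID), not its object ID.
$app = Get-MgApplication -Filter "appId eq '$AppId'"
if (-not $app) { throw "No app registration found for appId $AppId" }

$now = Get-Date
foreach ($secret in $app.PasswordCredentials) {
    # Graph only ever exposes the hint and dates of a secret, never its value.
    $daysLeft = [math]::Floor(($secret.EndDateTime - $now).TotalDays)
    $status = if ($daysLeft -lt 0)            { "EXPIRED" }
              elseif ($daysLeft -le $WarnDays) { "EXPIRING SOON" }
              else                             { "OK" }
    [pscustomobject]@{
        Description = $secret.DisplayName
        KeyId       = $secret.KeyId
        Expires     = $secret.EndDateTime
        DaysLeft    = $daysLeft
        Status      = $status
    }
}
```

Run it on a schedule (or before each FOIAXpress release window) and treat any "EXPIRING SOON" row as the trigger to create a new secret, update the Secret Key and Client Secret Expiry Date in FOIAXpress, and then delete the old secret in the portal.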

How to Set API Permissions for Sending Email

  • Navigate to your application’s Overview page in the Azure Portal.

  • Select API permissions from the left navigation.

  • Click Add a permission at the top of the API permissions page.

  • Under Microsoft Graph, select Application permissions.

  • Expand the Mail drop-down, then check Mail.Send.

  • Click Add permissions to confirm.

  • Click Grant admin consent for [Your Organization] to enable the permission for all users.

  • Verify that the status for Mail.Send permission shows as Granted.

  • Review the list of permissions to ensure Mail.Send (Application) is included.

  • Save your changes and proceed to configure your application’s email functionality.

NOTE: Assigning the Mail.Send application permission allows the app to send emails on behalf of the user configured explicitly in the application settings, as described in the steps below. This requires admin consent and should be granted only when necessary for your application's functionality. Ensure you follow organizational policies for access and security.

How to set up the FOIAXpress application to use Microsoft OAuth to send emails

  1. Navigate to the Mail Server Configuration page in FOIAXpress.

  2. Under Mail Server Address, select Microsoft 365 Email as the Authentication Mode.

  3. Select the OAuth Credential.

  4. Enter the Email Address you want to send emails on behalf of.

  5. Enter the OAuth Client ID.

  6. Enter the Secret Key (captured earlier).

  7. Add the Client Secret Expiry Date. This is the date on which the client secret becomes invalid and can no longer be used for authentication.

  8. Enter the Tenant ID (captured earlier).

  9. Enter the Recipient Limit. When the Recipient Limit is configured, the system automatically divides outgoing emails into smaller batches based on that limit. This keeps distribution controlled and prevents exceeding the allowed number of recipients per batch.

  10. Click Save.

If you encounter any issues, contact your CSM for assistance.

Restrict Application Access to Specific Users or Groups (Optional)

By default, granting the Mail.Send application permission allows the app to send emails on behalf of any user in the organization. To restrict access so that the application can only send emails on behalf of specific users or a group, you can configure an Application Access Policy using Exchange Online PowerShell.

Prerequisites

  • Windows PowerShell 5.1 or PowerShell 7.4+ (recommended)

  • Exchange Online PowerShell V3 module

Install the Exchange Online Module

1. Open PowerShell.

2. Run the following command: Install-Module -Name ExchangeOnlineManagement -Force

Create an Application Access Policy

Follow the steps below to restrict Graph API application access for the Collaboration system account:

1. Open PowerShell.

2. Type Connect-ExchangeOnline and press Enter.

3. Sign in using admin credentials when prompted.

4. Once connected, type New-ApplicationAccessPolicy and press Enter.

5. For AccessRights, type RestrictAccess and press Enter.

6. For AppId[0], enter the Application (client) ID obtained during the Application Registration step above and press Enter.

7. For AppId[1], leave blank and press Enter (this is required only when restricting multiple applications).

8. For PolicyScopeGroupId, enter the user account or a Mail-Enabled Security Group. Refer to the section below to create a Mail-Enabled Security Group if needed.

NOTE: If you want to restrict application access for more than one user account, you must use a Mail-Enabled Security Group.

Create a Mail-Enabled Security Group

To restrict application access for multiple users, create a Mail-Enabled Security Group in Exchange Online:

1. Log in to the Exchange Admin Center (EAC).

2. Navigate to Recipients > Groups > Add a group.

3. Select Mail-enabled security as the group type and click Next.

4. Enter a Name and Description, then click Next.

5. Assign owners, add members, and define the email address.

6. Review the details and click Create group.

Test the Application Access Policy

After creating the policy, verify that it is working correctly:

  1. In PowerShell, type Test-ApplicationAccessPolicy and press Enter.

  2. For AppId, enter the Application (client) ID used when creating the policy.

  3. For Identity, enter the user account or group account to test.

  4. If the user or group has access, the test returns a result confirming access is granted. If the user or group does not have access, the test returns a result indicating access is denied.
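The interactive prompts in the "Create an Application Access Policy" and "Test the Application Access Policy" sections above map onto a short script. The following is an added example, not part of the FOIAXpress SOP, that creates the policy non-interactively, verifies it against one mailbox inside the scope group and one outside it, and lists the policies attached to the app for audit. It assumes the ExchangeOnlineManagement module is installed and the caller is an Exchange administrator; the application ID, group address and mailbox addresses are placeholders to replace with your own values.

```powershell
# Added example (not part of the FOIAXpress SOP): create and verify an Application
# Access Policy that limits the registered app to one mail-enabled security group.
# Assumes: Install-Module ExchangeOnlineManagement has been run and the caller is
# an Exchange administrator. All IDs and addresses below are placeholders.
$AppId       = "<application-client-id>"             # Application (client) ID from the Overview page
$ScopeGroup  = "foiaxpress-senders@contoso.example"  # mail-enabled security group (or a single mailbox)
$AllowedUser = "foia-noreply@contoso.example"        # a member of the group
$OtherUser   = "someone.else@contoso.example"        # not a member of the group

Connect-ExchangeOnline -ShowBanner:$false

# RestrictAccess means the app may act only on mailboxes covered by PolicyScopeGroupId;
# every other mailbox in the tenant is denied even though Mail.Send is tenant-wide.
New-ApplicationAccessPolicy -AccessRight RestrictAccess `
    -AppId $AppId `
    -PolicyScopeGroupId $ScopeGroup `
    -Description "Limit FOIAXpress Mail.Send to the FOIA sender group"

# Policy changes take time to propagate; re-run this check if the first result is unexpected.
foreach ($mailbox in @($AllowedUser, $OtherUser)) {
    $result = Test-ApplicationAccessPolicy -AppId $AppId -Identity $mailbox
    "{0,-40} {1}" -f $mailbox, $result.AccessCheckResult   # expect Granted for the member, Denied otherwise
}

# Review what is in place for this app (useful for audits and before renewing secrets).
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId } |
    Format-List AppId, AccessRight, ScopeName, ScopeIdentity, Description

Disconnect-ExchangeOnline -Confirm:$false
```

Testing a mailbox outside the group is the important half of the check: a "Granted" result for the allowed sender only proves the app still works, while a "Denied" result for an unrelated mailbox proves the restriction is actually in effect.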