How to register an Azure application with mail-sending API permissions and restrict its access to specific mailboxes

To enable email sending from the Bold Report Server using a Microsoft Office 365 account with OAuth authentication, it is essential to register an Azure app. This app needs to be granted the required API permissions for accessing the email service. Additionally, you can also limit access to specific mailboxes if needed.

Steps to register an Azure application with mail-sending API permissions

  1. Go to Azure portal and select Microsoft Entra ID.

    Azure portal

  2. Click on App registrations in the side navigation menu and click New registration.

    App registrations

  3. Enter a meaningful name in the Name section for your application. Choose “Accounts in this organizational directory only” option under Supported account types. Click Register to create the application.

    Register app

  4. On the app Overview page, select and copy the Application (Client) ID & Directory (tenant) ID, which will be needed for our email settings configurations.

    App credentials

  5. Click on Certificates & Secrets option, select New client secret to generate a client secret for the app.

    Generate client secret

  6. Add the Description and select the Expires option as per your requirement. Click Add.

    Add client secret

  7. Copy the value which is the app client secret, and secure it for future purposes. You will not be able to see the value again once you reload the page.

    View client secret

  8. To add Mail.Send API permissions, select the API permissions tab and click on Add a permission.

    Mail send API permission

  9. Select Microsoft Graph from the permission list.

    Microsoft graph api

  10. Choose Application permissions, search for Mail in the search area, then check Mail.Send permission from the list and add permission using the Add Permissions button. Provide admin consent for Mail.Send permission for Microsoft Graph API.

    Mail send API permission

    Add API permission

  11. Make sure the permission is listed in the permissions grid as shown below.

    View API permission

Restricting app access to specific mailboxes:

Using a Microsoft Office 365 account with OAuth Authentication for email sending through the Microsoft Graph API requires the ‘Mail.Send’ permission. However, granting this permission to the entire application can pose a potential risk of other senders misusing someone’s email address. To address this concern, it is advisable to restrict app access. You can find instructions on configuring application access policies in the documentation at this link. Without such restrictions, there is a risk of unauthorized users sending emails from the application, which could present potential security concerns. Once you have configured the application access policy for a specific mailbox, other mailboxes will be restricted from sending emails using the app.

Sample to create access policy: Create an access policy to restrict app access to specific mailboxes.

Create access policy

Sample to test access policy: Test whether permission has been granted for the email address or not.

Test access policy