OAuth Email Notifications for Exchange

Our application can send email notifications through your organization's Office 365 (Exchange Online) account.
This configuration uses the SMTP.SendAsApp application permission for Exchange Online, which lets the application authenticate with its own credentials (the OAuth 2.0 client credentials flow) and send email as a designated mailbox (e.g. noreply@yourdomain.com).

Benefits of this approach:

  • Secure - Uses OAuth 2.0 authentication; no user passwords are stored. The only credential the application holds is the client secret of its own app registration.
  • Consistent - Emails are sent from your own domain/mailboxes.
  • Flexible - Any shared or user mailbox can be used as the sender.

Prerequisites

You will need:

  • Access to the Azure Portal with admin rights.
  • Permission to configure mailboxes in Exchange Online.

Setup Steps

1. Register an App in Azure AD

  1. In the Azure Portal, go to Microsoft Entra ID (formerly Azure Active Directory) → App registrations → New registration.
  2. Enter a name (e.g. Redgate Monitor).
  3. Choose Accounts in this organizational directory only.
  4. Click Register.
  5. On the new application's Overview page, copy and retain the following values for later steps:
    1. Application (client) ID
      1. From this point onward, this field will be referred to as <CLIENT_ID>
    2. Directory (tenant) ID
      1. From this point onward, this field will be referred to as <TENANT_ID>

2. Create a Client Secret

  1. Open the app you just registered.
  2. Go to Manage → Certificates & secrets → New client secret.
  3. Add a description, select an expiry period, and save.
  4. Copy the secret value immediately; it is shown only once.
  5. Retain this value to provide when the client secret is required, and treat it as a password: together with the (non-secret) tenant and client IDs it is all that is needed to send mail as the mailbox. Note the expiry date you chose, because notifications stop when the secret expires.
    1. From this point onward, this field will be referred to as <CLIENT_SECRET>

3. Add Permissions

  1. Go to Manage → API permissions → Add a permission.
  2. Select APIs my organization uses → Office 365 Exchange Online → Application permissions.
  3. Add:
    • SMTP.SendAsApp
  4. Click Grant admin consent for <your organization>. Application permissions take effect only after consent; the Status column for SMTP.SendAsApp should show Granted.

4. Enterprise Object ID

For the next steps, you need the Object ID of the enterprise application (service principal) that was created alongside the app registration. This is a different value from the Object ID shown on the App registrations overview page; Exchange Online must be given the enterprise application's Object ID.

  1. In the Azure Portal, go to Microsoft Entra ID
  2. Navigate to Enterprise applications
  3. Open the application registered in step 1.
  4. Copy and retain the Object ID.
    1. From this point onward, this field will be referred to as <ENTERPRISE_OBJECT_ID>

5. Configure Authenticated SMTP

To ensure mail can be sent using your mailbox, Authenticated SMTP must be configured.

  1. Go to Microsoft 365 Admin Center

  2. In the left menu, go to Users → Active users.

  3. Find and click the mailbox user you want to send Email Notifications as.

    1. From this point onward, this field will be referred to as <MAILBOX_ADDRESS>

  4. In the user pane, go to Mail → Manage email apps (sometimes called Email apps or Mail apps).

  5. You’ll see a list of check-boxes for different protocols (Outlook, IMAP, POP, etc.).

  6. Check Authenticated SMTP.

  7. Click Save changes.

6. Configuration of Mailbox Permissions with PowerShell

Exchange Online must know the application as a service principal, and that service principal must be granted access to the mailbox; otherwise the OAuth token is accepted but sending as the mailbox is refused.
This step requires an <ADMIN_ADDRESS> with rights and privileges to configure mailbox permissions.

  1. Run the following command in PowerShell to connect to Exchange Online (the command comes from the ExchangeOnlineManagement module). Ensure the selected principal has access to configure mailbox permissions.

    • Connect-ExchangeOnline -UserPrincipalName <ADMIN_ADDRESS>

  2. Once authenticated, register the application as a service principal in Exchange Online with the following command:
    • New-ServicePrincipal -AppId <CLIENT_ID> -ObjectId <ENTERPRISE_OBJECT_ID>

  3. Finally, grant the service principal full access to the selected mailbox:

    • Add-MailboxPermission -Identity <MAILBOX_ADDRESS> -User <ENTERPRISE_OBJECT_ID> -AccessRights FullAccess

FullAccess allows the application to read the mailbox as well as send from it, so use a dedicated notification mailbox rather than a person's mailbox.
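
Steps 5 and 6 as one PowerShell session, with the checks a practitioner would run before and after. This is an added example, not a script shipped with Redgate Monitor; it assumes the ExchangeOnlineManagement module is installed, that the placeholders are replaced with the values gathered above, and that Get-MailboxPermission -User accepts the enterprise application's Object ID in the same way Add-MailboxPermission does (the verification at the end relies on that assumption).

```powershell
# Added example for the steps above; not part of Redgate Monitor.
# Assumes: Install-Module ExchangeOnlineManagement has been run, and the
# placeholders below are replaced with the values gathered in steps 1-5.
$AdminAddress       = '<ADMIN_ADDRESS>'
$ClientId           = '<CLIENT_ID>'             # Application (client) ID, step 1
$EnterpriseObjectId = '<ENTERPRISE_OBJECT_ID>'  # Enterprise application Object ID, step 4
$Mailbox            = '<MAILBOX_ADDRESS>'       # sending mailbox, step 5

Connect-ExchangeOnline -UserPrincipalName $AdminAddress

# Step 5 check: SMTP AUTH is evaluated per mailbox, and a per-mailbox value
# overrides the tenant-wide one. A blank per-mailbox value means "inherit".
$tenantDisabled  = (Get-TransportConfig).SmtpClientAuthenticationDisabled
$mailboxDisabled = (Get-CASMailbox -Identity $Mailbox).SmtpClientAuthenticationDisabled
"Tenant SMTP AUTH disabled: $tenantDisabled; mailbox SMTP AUTH disabled: '$mailboxDisabled'"
if ($mailboxDisabled -eq $true -or ($null -eq $mailboxDisabled -and $tenantDisabled)) {
    # Same effect as ticking "Authenticated SMTP" in the Microsoft 365 admin center.
    Write-Warning "SMTP AUTH is off for $Mailbox; enabling it per mailbox."
    Set-CASMailbox -Identity $Mailbox -SmtpClientAuthenticationDisabled $false
}

# Step 6a: make the app known to Exchange Online as a service principal.
# Look it up first so the script can be re-run without error.
$sp = Get-ServicePrincipal | Where-Object { $_.AppId -eq $ClientId }
if (-not $sp) {
    $sp = New-ServicePrincipal -AppId $ClientId -ObjectId $EnterpriseObjectId
}
"Service principal: $($sp.DisplayName) ($($sp.ObjectId))"

# Step 6b: grant the service principal FullAccess on the mailbox. FullAccess
# also lets the app read the mailbox, which is why a dedicated notification
# mailbox is recommended. The -User value is the enterprise Object ID, not the
# Object ID from the App registrations blade (assumption: Get-MailboxPermission
# resolves it the same way Add-MailboxPermission does).
$existing = Get-MailboxPermission -Identity $Mailbox -User $EnterpriseObjectId -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-MailboxPermission -Identity $Mailbox -User $EnterpriseObjectId -AccessRights FullAccess
}

# Verification: this is the entry to look for when a test email reports
# "not authorized to send as this user". Deny must be False.
Get-MailboxPermission -Identity $Mailbox -User $EnterpriseObjectId |
    Format-Table User, AccessRights, IsInherited, Deny -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once as the administrator; because both the service principal and the permission are looked up before being created, running it a second time only prints the current state, which is useful when re-checking a tenant after a secret rotation.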

7. Configure in Redgate Monitor

In the email notifications settings in Redgate Monitor, you can select OAuth for Exchange:

  • SMTP server: smtp.office365.com (or your configured SMTP server)

  • Port: 587 (or your configured port)

  • Require a secure (SSL or TLS) connection

  • Tenant ID (from Azure app)

    • Your <TENANT_ID>
  • Client ID (from Azure app)

    • Your <CLIENT_ID>
  • Client Secret (from Azure app)

    • Your <CLIENT_SECRET>
  • Mailbox address (e.g. notifications@yourdomain.com)

    • Your <MAILBOX_ADDRESS>

The application will then authenticate securely with Microsoft and send notifications from this mailbox.


Common Issues

If you encounter any problems sending a test email, the Redgate Monitor logs contain further detail about the failure.

  • Authentication failed - Verify the app has the SMTP.SendAsApp application permission with admin consent granted, that the Tenant ID, Client ID and Client Secret match the app registration, and that Authenticated SMTP is enabled for the mailbox.
  • Not authorized to send as this user - Ensure the New-ServicePrincipal and Add-MailboxPermission steps have been applied for the mailbox, using the enterprise application's Object ID rather than the app registration's Object ID.
  • Token expired - Access tokens are short-lived and are renewed automatically for as long as the client secret is valid, so this usually means the client secret itself has expired. When that happens, a red banner is visible in Redgate Monitor to indicate an issue with sending email; create a new client secret in the Azure app (step 2) and update the Client Secret in the notification settings.
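
To tell a token problem (steps 1 to 3) from a mailbox problem (steps 5 and 6) without going through Redgate Monitor, the following added PowerShell script performs the same exchange the application does: it obtains a client-credentials token for Exchange Online, authenticates to smtp.office365.com with SASL XOAUTH2 after STARTTLS, and sends a one-line test message. It is not part of Redgate Monitor; the recipient address and the EHLO name are placeholders, and it assumes outbound access to login.microsoftonline.com and to port 587.

```powershell
# Added diagnostic, not part of Redgate Monitor. Assumes Windows PowerShell 5.1 or
# later, network access to login.microsoftonline.com and smtp.office365.com:587,
# and that the placeholders are replaced. Keep <CLIENT_SECRET> out of source control.
$ErrorActionPreference = 'Stop'
$TenantId     = '<TENANT_ID>'
$ClientId     = '<CLIENT_ID>'
$ClientSecret = '<CLIENT_SECRET>'
$Mailbox      = '<MAILBOX_ADDRESS>'
$Recipient    = 'you@yourdomain.com'   # hypothetical test recipient
$SmtpHost     = 'smtp.office365.com'
$SmtpPort     = 587

# 1. Client-credentials token for Exchange Online. The SMTP.SendAsApp permission is
#    carried inside this token. A failure here (invalid_client, unauthorized_client)
#    is an app-registration problem, not a mailbox problem.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{ client_id = $ClientId; client_secret = $ClientSecret
             scope = 'https://outlook.office365.com/.default'; grant_type = 'client_credentials' }
$accessToken = $token.access_token

# 2. SASL XOAUTH2 initial client response: "user=<mailbox>^Aauth=Bearer <token>^A^A", base64.
$ctrlA  = [char]1
$xoauth = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(
            "user=${Mailbox}${ctrlA}auth=Bearer ${accessToken}${ctrlA}${ctrlA}"))

function Read-SmtpReply([IO.StreamReader]$Reader) {
    # Multi-line replies use "250-..." continuation lines; the final line is "250 ...".
    $lines = @()
    do { $line = $Reader.ReadLine(); $lines += $line } while ($line -match '^\d{3}-')
    Write-Host "S: $($lines -join "`n   ")"
    return $lines[-1]
}
function Send-SmtpCommand([IO.StreamWriter]$Writer, [IO.StreamReader]$Reader,
                          [string]$Command, [string]$Display = $Command) {
    Write-Host "C: $Display"
    $Writer.WriteLine($Command)
    return Read-SmtpReply $Reader
}

$tcp    = New-Object System.Net.Sockets.TcpClient($SmtpHost, $SmtpPort)
$plain  = $tcp.GetStream()
$reader = New-Object IO.StreamReader($plain)
$writer = New-Object IO.StreamWriter($plain); $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

Read-SmtpReply $reader | Out-Null                                   # 220 greeting
Send-SmtpCommand $writer $reader "EHLO diag.example" | Out-Null     # hypothetical EHLO name
if ((Send-SmtpCommand $writer $reader "STARTTLS") -notmatch '^220') { throw "STARTTLS refused" }

# 3. Upgrade to TLS before the token crosses the wire (the "secure connection" setting).
#    AuthenticateAsClient validates the server certificate against $SmtpHost.
$tls = New-Object System.Net.Security.SslStream($plain, $false)
$tls.AuthenticateAsClient($SmtpHost)
$reader = New-Object IO.StreamReader($tls)
$writer = New-Object IO.StreamWriter($tls); $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
Send-SmtpCommand $writer $reader "EHLO diag.example" | Out-Null

# 4. AUTH XOAUTH2. On failure the server replies "334 <base64 JSON>" and waits for an
#    empty line before sending the final 535; decode the JSON, it names the cause.
$reply = Send-SmtpCommand $writer $reader "AUTH XOAUTH2 $xoauth" "AUTH XOAUTH2 <redacted>"
if ($reply -match '^334 (\S+)') {
    Write-Host ("Server detail: " + [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($Matches[1])))
    $reply = Send-SmtpCommand $writer $reader ""
}
if ($reply -notmatch '^235') {
    # 535 5.7.3 with a valid token usually means New-ServicePrincipal / Add-MailboxPermission
    # is missing (step 6) or Authenticated SMTP is off for the mailbox (step 5).
    $writer.WriteLine("QUIT"); $tcp.Close(); throw "SMTP authentication failed: $reply"
}

# 5. Minimal test message. A rejection at MAIL FROM / RCPT TO is a send-as or recipient
#    problem, not an OAuth problem.
foreach ($cmd in "MAIL FROM:<$Mailbox>", "RCPT TO:<$Recipient>", "DATA") {
    if ((Send-SmtpCommand $writer $reader $cmd) -notmatch '^(250|354)') { throw "Rejected: $cmd" }
}
foreach ($l in "From: <$Mailbox>", "To: <$Recipient>", "Subject: SMTP OAuth test", "",
               "Sent with AUTH XOAUTH2 using client credentials.", ".") { $writer.WriteLine($l) }
Read-SmtpReply $reader | Out-Null                                   # 250 2.0.0 OK ... queued
Send-SmtpCommand $writer $reader "QUIT" | Out-Null
$tcp.Close()
```

The transcript printed on the console maps directly onto the issues above: an error from the token endpoint corresponds to "Authentication failed", a 535 after AUTH XOAUTH2 with a freshly issued token corresponds to "Not authorized to send as this user", and a token request that fails with an invalid client secret is the condition behind "Token expired".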
