| At line 1 added 3 lines |
| !Microsoft Mail integration\\ |
| ---- |
| !1. Microsoft App Passwords\\ |
| At line 2 changed one line |
| About OAUTH2 for authentication: [https://docs.microsoft.com/en-us/graph/auth-v2-user]\\ |
| __⚠️ Constraints__: __It is only supported for accounts with 2-Step Verification enabled.__\\ |
| At line 4 changed one line |
| !!!Microsoft Graph Application Registration |
| Microsoft App Passwords are special 16-character passwords used for apps that don’t support two-factor authentication (2FA). They are required when 2FA is enabled on your Microsoft account and you’re using legacy applications (like old email clients). You can generate and manage them from your Microsoft security settings at __account.microsoft.com/security__.\\ |
| At line 6 changed 2 lines |
| It requires Microsoft Graph Application registration. Start at the Microsoft Azure portal:\\ |
| [https://azure.microsoft.com/en-us/features/azure-portal/]\\ |
| Service can use __App Passwords__:\\ |
| __SMTP__: smtp.office365.com\\ |
| __IMAP__: imap-mail.outlook.com\\ |
| __POP3__: pop-mail.outlook.com\\ |
| ---- |
| At line 9 changed one line |
| __Application registration: __Go to the App registrations and click on New registration:\\ |
| __1.1 Microsoft Personal Accounts__ (@outlook.com, @hotmail.com, etc.):\\ |
| 🔴 App Passwords do not work with SMTP/IMAP/POP for these accounts anymore. __⚠️ Microsoft has deprecated basic auth for personal accounts__.\\ |
| At line 18 added 2 lines |
| ---- |
| __1.2 Microsoft 365 (work or school) accounts__:\\ |
| At line 21 added 59 lines |
| For Microsoft 365 (work or school) accounts, __App Passwords__ and __Multi-Factor Authentication (MFA)__ are managed centrally by your organization through __Microsoft Entra ID (formerly Azure Active Directory)__ — not through the personal Microsoft account portal.\\ |
| \\ |
| __How to enable App Passwords:__:\\ |
| • Go to the legacy __MFA portal__: [MultifactorVerification Link|https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx] (Admin user)\\ |
| • Click on the __Service settings__ tab.\\ |
| • Enable the flag: __Allow users to create app passwords to sign in to non-browser apps__\\ |
| [SMTP Microsoft Graph XOAUTH 2 Integration/microsoft_enable_app_password.png]\\ |
| \\ |
| __Check App Password Availability:__\\ |
| a. Go to: [Security info Link| https://mysignins.microsoft.com/security-info]\\ |
| b. Sign in with your work or school email\\ |
| c. Follow the prompts to configure MFA using:\\ |
| • Microsoft Authenticator app (recommended)\\ |
| • Phone call or SMS (if permitted by your organization’s policy)\\ |
| d. If enabled by your admin, click on __+Add sign-in method__ button and you will see an __App passwords__ link in the menu to generate one:\\ |
| [SMTP Microsoft Graph XOAUTH 2 Integration|microsoft_app_password.png]\\ |
| e. If you don’t see the __App passwords__ option: |
| Check and enforce MFA:\\ |
| • Go to [MultifactorVerification Link|https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx] (Admin user)\\ |
| • Find the target user.\\ |
| • In the __MFA Status__ column, confirm it says: __Enforced__. Otherwise, enable __MFA__.\\ |
| \\ |
| __Check if Security Defaults are enabled:__\\ |
| __App Passwords__ will not work if __Microsoft Entra ID Security Defaults__ are __enabled__ for your __tenant__.\\ |
| To disable them:\\ |
| • Go to the Microsoft Entra admin portal [Microsoft EntraLink|https://entra.microsoft.com] (Admin user)\\ |
| • Navigate to: __Identity > Overview > Properties__ Scroll down to Security Defaults and click __Manage security defaults__\\ |
| •Select Disable, then click Save. __Changes may take 5–10 minutes to take effect.__\\ |
| [SMTP Microsoft Graph XOAUTH 2 Integration|microsoft_security_details.png]\\ |
| [SMTP Microsoft Graph XOAUTH 2 Integration|tenant_security_defaults.png]\\ |
| \\ |
| 🔴 __Error message__ like:\\ |
| {{{Authentication unsuccessful, user is locked by your organization's security defaults policy. Contact your administrator.}}} |
| This indicates that your Microsoft 365 tenant has __Security Defaults__ enabled, which blocks __App Passwords__ completely, even if they were created successfully. Disable Security Defaults (if you’re the admin) [Microsoft Entra Link|https://entra.microsoft.com]. __Identity -> Overview -> Properties -> Manage security defaults__ \\ |
| \\ |
| ---- |
| \\ |
| Usage:\\ |
| {{{ |
| Username: your_email@outlook.com |
| Password: [your generated app password] |
| }}}\\ |
| \\ |
| ---- |
| __⚠️ Note__: Microsoft strongly recommends modern authentication (__OAuth 2.0__) instead of app passwords. Some tenants block app passwords entirely for security reasons.\\ |
| ---- |
| \\ |
| !2. Microsoft Mail via OAuth 2.0 \\ |
| Traditionally, __SMTP__/__IMAP__ authentication with Microsoft services (like Outlook or Microsoft 365) used username and password. However, Microsoft now strongly recommends (and in many cases enforces) the use of __OAuth 2.0__ for authentication, especially for enhanced security and compliance.\\ |
| \\ |
| About OAuth 2.0 ([OAuth Wikipedia Link|https://en.wikipedia.org/wiki/OAuth]) for authentication: [Microsoft OAuth 2.0 : Get access on behalf of a user Link|https://docs.microsoft.com/en-us/graph/auth-v2-user]\\ |
| \\ |
| __⚠️ Proxy Configuration:__ If your server accesses the internet through a proxy, make sure to whitelist the following domains to allow authentication: __login.microsoftonline.com__\\ |
| This requires a __Microsoft Graph__ application registration.\\ |
| \\ |
| Start by visiting the __Microsoft Azure Portal__: [Link|https://azure.microsoft.com/en-us/features/azure-portal/]\\ |
| \\ |
| __Application registration:__ Navigate to App registrations in the Azure Portal. Click on __New registration__ to create a new application.\\ |
| \\ |
| At line 14 changed one line |
| Name it. Select the Multitenant and personal Microsoft accounts type. The redirect URL must end with: register_microsoft_graph_api/. Then click on register.\\ |
| In the Redirect URI section, for Platform configuration, select __Web__. The Redirect URL must end with __register_microsoft_graph_api/__.\\ |
| At line 16 changed one line |
| [attachments|register_app.png]\\ |
| {{{ |
| http://localhost:9090/register_microsoft_graph_api/ |
| or |
| https://your.crushftp.domain.com/register_microsoft_graph_api/ |
| }}}\\ |
| At line 18 changed one line |
| Under the redirect URL configuration enable the __Access Token__ to be issued by the authorization endpoint:\\ |
| __Secret key:__ A new client secret must be created. Go to __Certificates & secrets__, and generate a new client secret by clicking on __New client secret__. ⚠️ Ensure you copy over the __value__ immediately!\\ |
| At line 20 changed one line |
| [attachments|SMTP Microsoft Graph XOAUTH 2 Integration/enable_access_token.png]\\ |
| [SharePoint Integration/new_secret.png]\\ |
| At line 22 changed 2 lines |
| __API permission:__ You also need to provide permission for the Microsoft Graph. Go to the Api permission. Click on Add permission, and select Microsoft Graph. Choose Delegated permission and add the " |
| SMTP. Send" or/and "IMAP.AccessAsUser.All" permission:\\ |
| [attachments|ms_client_secet.png]\\ |
| At line 96 added 2 lines |
| __API permission:__ You also need to grant the appropriate permissions for Microsoft Graph. Go to __Api permission__. Click on __Add permission__, and select __Microsoft Graph__. Choose __Delegated Permission__, then add either __SMTP. Send__, __IMAP.AccessAsUser.All__ or both, depending on your requirements:\\ |
| \\ |
| At line 28 changed one line |
| __Client id: __ You can find it at Azure portal -> App Registration -> Overview:\\ |
| __Client id: __ See at App Registration -> Overview -> Application (client) ID\\ |
| At line 32 changed one line |
| __Secret key:__ A new client secret also needs to be created. Go to the "Certificate & secrets" and generate a new secret key. Click on New client secret:\\ |
| __⚠️ Warning__: Make sure that the user's __SMTP AUTH__ is enabled, otherwise SMTP authentication will fail. You can view the official documentation here: [Enable or disable authenticated client SMTP submission (SMTP AUTH) in Exchange Online|https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission].\\ |
| __Office 365__: Navigate to the Microsoft 365 Admin Center ([Link|https://admin.microsoft.com/Adminportal/Home?#/homepage]). Select the user and enable SMTP authentication. SMTP authentication will fail if this setting is not enabled.\\ |
| __Note__: OAuth 2.0 authentication requires user-delegated permissions, meaning the user must be a real, licensed user with authentication capabilities (i.e., they must have a valid product license and be able to sign in).\\ |
| [attachments|auth_smtp_office_365.png]\\ |
| At line 34 changed one line |
| [attachments|new_secret.png]\\ |
| ---- |
| !3. SMTP settings\\ |
| Navigate to __Server Admin__ -> __Preferences__ -> [General Settings] -> __SMTP Settings__:\\ |
| \\ |
| __SMTP Server Used for Emailing__: Enter the SMTP server address used for sending emails, such as __smtp.office365.com__, using the default port __587__.\\ |
| {{{ |
| smtp.office365.com:587 |
| }}}\\ |
| At line 36 changed one line |
| __!Warning__: Make sure that the user's __SMTP AUTH__ is enabled. See description: [https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission].\\ |
| __SMTP Server Username, Password__:\\ |
| ---- |
| __a.)__ __App passwords__: [Microsoft App Passwords Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=SMTP%20Microsoft%20Graph%20XOAUTH%202%20Integration#section-SMTP+Microsoft+Graph+XOAUTH+2+Integration-1.MicrosoftAppPasswords]\\ |
| {{{ |
| SMTP Server Username: your_email@outlook.com |
| SMTP Server Password: [your generated app password] |
| }}}\\ |
| ---- |
| __b.)__ __OAuth 2.0__: [Microsoft Mail via OAuth 2.0 Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=SMTP%20Microsoft%20Graph%20XOAUTH%202%20Integration#section-SMTP+Microsoft+Graph+XOAUTH+2+Integration-2.MicrosoftMailViaOAuth2.0]\\ |
| If the SMTP server address contains __office365__ or __outlook__, the corresponding __Get Refresh Token__ button will appear. Click that button to proceed.\\ |
| __⚠️ Note__: To obtain the __Refresh Token__, the CrushFTP WebInterface’s host and port must match the __Redirect URL__ specified in the __Azure App Registration__. In our example, it was: http://localhost:9090 or https://your.crushftp.domain.com/\\ |
| At line 38 changed 6 lines |
| !!!SMTP settings\\ |
| \\ |
| Provide the SMTP server used for emailing (for example smtp.office365.com)\\ |
| Click on the "Get Refresh Token" button.\\ |
| __In order to get the Refresh token, CrushFTP WebInterface's host and port number must match with the redirect url specified at Azure Application Registration.__\\ |
| Put the Client Id and Secret (from Azure App Registration) and "common" for the tenant input field.\\ |
| Enter the __Client ID__ (See at App Registration -> Overview -> Application (client) ID), __Client Secret__ (See at App Registration -> Manage -> Certificates & secrets) make sure to copy the __value__ field, not the ID, and __Tenant ID__ (See at App Registration -> Overview -> Directory (tenant) ID). Proceed with the authentication and authorization process. This will automatically configure the __SMTP Server Username__ and __SMTP Server Password__.\\ |
| At line 47 changed 3 lines |
| Click on the OK button, and allow CrushFTP to have access to send Email. __You must sign in with the Microsoft Account which has permission to send email!!!__ (SMTP.send is user-specific permission) As the end of the result, the SMTP Username and Password will fill the Client ID and the Refresh Token.\\ |
| It is required to provide the from email address too.\\ |
| \\ |
| Click the __OK__ button, sign in with your Azure credentials, and grant access to CrushFTP.\\ |
| __⚠️ Note__: Be sure to sign in with the __Microsoft Account__ that has the __necessary permissions__, as configured in the Azure App Registration mentioned above.\\ |
| Once completed, the __SMTP Server Username__ and the __SMTP Server Password__ fields will be automatically populated with the Client ID and Refresh Token, respectively.\\ |
| \\ |
| __From email address__: You must also specify the __From__ email address. __⚠️ Important__ The __From__ address must exactly match __the signed-in Microsoft user’s email address__ (i.e., the account used to obtain the refresh token) or the account associated with the App Password. Otherwise, SMTP authentication will fail.\\ |
| \\ |
| Make sure to enable the __SSL/TLS__ flag to ensure a secure connection. |
| \\ |
| At line 52 changed one line |
| !!!PopImapTask |
| ---- |
| !4. PopImapTask\\ |
| At line 54 changed 4 lines |
| Provide the host and click on the Get Refresh Token button.\\ |
| __In order to get the Refresh token, CrushFTP WebInterface's host and port number must match with the redirect URL specified at Azure Application Registration.__\\ |
| Because the email address is essential after you got the refresh token, the Mail Username input field needs to be modified.\\ |
| Put your email address ended with a tilde(~) at the beginning of the Mail Username input field.\\ |
| Select the __IMAPS__ protocol.\\ |
| Ensure that the IMAP protocol is enabled for the user. See the description: [Managing email apps for user mailboxes Link|https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/pop3-and-imap4/enable-or-disable-pop3-or-imap4-access].\\ __Office 365__:Navigate to the Microsoft 365 Admin Center. [Link|https://admin.microsoft.com/Adminportal/Home?#/homepage]. Select the user and enable the IMAP protocol at __Manage email apps__.\\ |
| At line 151 added one line |
| __Host:__\\ |
| At line 153 added 23 lines |
| outlook.office365.com |
| }}} |
| __Port__: __993__\\ |
| If the __Host__ contains __office365__ or __outlook__, the corresponding __Get Refresh Token__ button will appear.\\ |
| __Mail Username, Password__:\\ |
| ---- |
| __a.)__ __App passwords__: __⚠️ Constraints__: __It is only supported for accounts with 2-Step Verification enabled.__\\ [Microsoft App Passwords Link|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=SMTP%20Microsoft%20Graph%20XOAUTH%202%20Integration#section-SMTP+Microsoft+Graph+XOAUTH+2+Integration-1.MicrosoftAppPasswords]\\ |
| {{{ |
| Mail Username: your_email@outlook.com |
| Mail Password: [your generated app password] |
| }}}\\ |
| ---- |
| __b.)__ __OAuth 2.0__: Configure the __App registration__. See at [Microsoft Mail via OAuth 2.0|https://www.crushftp.com/crush11wiki/Wiki.jsp?page=SMTP%20Microsoft%20Graph%20XOAUTH%202%20Integration#section-SMTP+Microsoft+Graph+XOAUTH+2+Integration-1.MicrosoftMailViaOAuth2.0]\\ |
| \\ |
| __⚠️ Note__: To obtain the Refresh Token, the CrushFTP WebInterface’s host and port must match the Redirect URL specified in the Azure App Registration. In our example, it was: http://localhost:9090 or https://your.crushftp.domain.com/\\ |
| \\ |
| Click on __Get Refresh Token__ button. Enter the __Client ID__ (See at App Registration -> Overview -> Application (client) ID), __Client Secret__ (See at App Registration -> Manage -> Certificates & secrets) make sure to copy the __value__ field, not the ID, and __Tenant ID__ (See at App Registration -> Overview -> Directory (tenant) ID). Proceed with the authentication and authorization process. |
| \\ |
| __⚠️ Note__: Be sure to sign in with the __Microsoft Account__ that has the __necessary permissions__, as configured in the Azure App Registration mentioned above.\\ |
| Since the email address is required after obtaining the refresh token, the Mail Username field must be adjusted.\\ |
| Enter your email address followed by a tilde (~) at the beginning of the Mail Username field.\\ |
| \\ |
| {{{ |
| At line 181 added 4 lines |
| ---- |
| For more information, see the general POP/IMAP Task description: [POP/IMAP Task – CrushFTP Documentation Link| https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CrushTask#section-CrushTask-POP3IMAP]\\ |
| ---- |
| \\ |
