Configure SSO/OAuth with Microsoft 365

For general information on OAuth and how you can get your Single Sign-On (SSO) with working with SpamExperts, see Configure OAuth/Single Sign-On (SSO).

Step 1 - SpamExperts Configuration

  1. Log into your SpamExperts Control Panel using your branded URL (this is set up in the Hostname field in the Branding Management page. See Create a Custom Control Panel URL)
  2. In the Admin Level Control Panel, select Branding > Branding Management
  3. Ensure that SSO/OAuth login for email users is enabled
  4. Add the label text that will be displayed on the branded login button below the local credential login box e.g.:

  5. Click Save Settings
  6. Navigate to the domain, by selecting General > Domains Overview and click on the relevant domain
  7. Select Users & Permissions > OAuth Settings and make sure that OAuth login is toggled on
  8. Manually format the URL using the following format to be used in Step 2 - Configure Entra ID Application Settings:

    https://<branded.fqdn>/rest/auth/openid/authorize/mailbox

    Do not copy the text displayed in the Login Link field as this may not be correct.

  9. Click Save settings

Step 2 - Configure Entra ID Application Settings

  1. Login to the Microsoft 365 Admin Center
  2. Navigate to entra.microsoft.com
  3. Or

  4. Using the left-hand menu, navigate to the Admin Centers section
    1. Select Identity to view the Microsoft Entra Admin Center

      Or

    2. By selecting Microsoft Entra from the All Admin Centers page

  5. Navigate to Applications > App Registrations
  6. Select New registration

  7. In the Register an Application page, be sure to fill in the sections as follows:
    • Name: The display name for the App being registered e.g. SpamExperts Single Sign-On (SSO)
    • Supported Account Types: Who can use this application, set this as required, but we recommend Accounts in this organizational directory only
    • Redirect URI: Using the Platform dropdown, select Web, then enter the address in the format:

      https://<branded.fqdn>/rest/auth/openid/authorize/mailbox

      The address to enter here is the one formatted in Step #1:8 above

  8. Click Register
  9. In the Overview page, take a note of these two ID's as you will need them later:
    • Application (client) ID
    • Directory (tenant) ID

  10. Under Manage > Certificates & Secrets, generate the "Client Secret" by clicking New client secret
  11. Give the Client Secret a description and an expiry period for the key

    It is important that you save the Value now as it will not be visible once the page is refreshed or loaded again.

  12. Be sure you take a note of the Value, not the Secret ID, as this is what will be required in Step 3.3

  13. Keep your Entra ID Admin Center open as you will need to return to this screen in Step 3 - Configure Microsoft Details in SpamExperts

Step 3 - Configure Microsoft Details in SpamExperts

  1. In the SpamExperts Control Panel, return to the OAuth Settings page for the domain by selecting Users & Permissions > OAuth Settings
  2. If the page title does not display the Domain name after Private Brand Login/OAuth, you need to navigate to the domain level settings by selecting the domain in Domains Overview to complete the following steps.

  3. Ensure that OAuth Login is enabled
  4. The fields should be filled in as below:
    • Login link: https://<branded.fqdn>/rest/auth/openid/authorize/mailbox

      This setting cannot be changed, and is will not impair SSO logins.

    • Provider URL: https://login.microsoftonline.com/<<<Directory (tenant) ID>>>
    • Client ID: <<<Application (client) ID>>>
    • Client secret:xxxxxxxxxxxxxxxxxxxxxxxxx - This is the Value generated in the "Certificates & secrets" section of Azure AD
    • Token Endpoint: https://login.microsoftonline.com/<<<Directory (tenant) ID>>>/oauth2/token
    • Authorization Endpoint: https://login.microsoftonline.com/<<<Directory (tenant) ID>>>/oauth2/authorize
    • User Info Endpoint: https://login.microsoftonline.com/<<<Directory (tenant) ID>>>/openid/userinfo
    • Jwks URL: https://login.microsoftonline.com/common/discovery/keys
    • Change Password URL: Not required
    • Logout URL: Not required
    • Use Nonce validation: yes
    • Identification Method: Unique name
  5. Click Save settings

Although we strive to provide the most up-to-date information, the instructions covered in the Microsoft configuration may change without our knowledge. To ensure you have the correct up-to-date information, please refer to Microsoft's website.

If you have any issues relating to SSO configuration or logging in with SSO, please contact our support team by through N-AbleMe.