Configure SSO/OAuth with Microsoft 365

If you are using the Microsoft 365 Sync functionality, much of the configuration below will be set automatically.

For general information on OAuth and how to get Single Sign-On (SSO) working with Spam Experts, see Configure OAuth/Single Sign-On (SSO).

Step 1 - Spam Experts Configuration

  1. Log in to your Spam Experts Control Panel using your branded URL (this is set in the Hostname field on the Branding Management page; see Create a Custom Control Panel URL)
  2. In the Admin Level Control Panel, select Branding > Branding Management
  3. Ensure that SSO/OAuth login for email users is enabled
  4. Add the label text that will be displayed on the branded login button below the local credential login box, e.g.:

  5. Click Save Settings
  6. Navigate to the domain, by selecting General > Domains Overview and click on the relevant domain
  7. Select Users & Permissions > OAuth Settings and make sure that OAuth login is toggled on

    Skip if Microsoft 365 sync was used.

  8. Copy the URL in the Login link field and keep a note of it for use in Step 2 - Configure Azure Active Directory Application Settings
  9. Click Save settings

Step 2 - Configure Azure Active Directory Application Settings

  1. Log in to the Microsoft 365 Admin Center
  2. Go to the Azure Active Directory Admin Center and navigate to the Azure Active Directory:
  3. From there, select App registrations and create a New registration:
  4. In the Register an Application page, be sure to fill in the sections as follows:
    • Name: The display name for the App being registered e.g. Spam Experts Single Sign-On (SSO)
    • Supported Account Types: Who can use this application. Set this as required, but we recommend Accounts in this organizational directory only
    • Redirect URI: Using the Platform dropdown, select Web, then enter the address in the format:

      https://<branded.fqdn>/rest/auth/openid/authorize/mailbox

      The address to enter here is found in Users & Permissions > OAuth Settings > Login Link

  5. Click Register
  6. In the Overview page, take a note of these two IDs, as you will need them later:
    • Application (client) ID
    • Directory (tenant) ID

  7. Under Manage > Certificates & Secrets, generate the "Client Secret" by clicking New client secret
  8. Give the Client Secret a description and an expiry period for the key

    It is important that you save the Value now as it will not be visible once the page is refreshed or loaded again.

  9. Be sure to note the Value, not the Secret ID, as the Value is what is required in Step 3.3

  10. Keep your Azure Active Directory open as you will need to return to this screen in Step 3 - Configure Microsoft Details in Spam Experts

Step 3 - Configure Microsoft Details in Spam Experts

  1. In the Spam Experts Control Panel, return to the OAuth Settings page for the domain by selecting Users & Permissions > OAuth Settings
  2. If the page title does not display the domain name after Private Brand Login/OAuth, you need to navigate to the domain-level settings by selecting the domain in Domains Overview before completing the following steps.

  3. Ensure that OAuth Login is enabled
  4. The fields should be filled in as below:

    If Microsoft 365 sync was used, all of the fields given here will be automatically filled, except for Client Secret. This must be filled with the value taken from Step 2:7 - Client Secret

    • Login link: https://<yourbrandedhostname>/rest/auth/openid/authorize/mailbox

      This setting cannot be changed; this does not impair SSO logins.

    • Provider URL: https://login.microsoftonline.com/<<<Directory (tenant) ID>>>
    • Client ID: <<<Application (client) ID>>>
    • Client secret: xxxxxxxxxxxxxxxxxxxxxxxxx - This is the Value generated in the "Certificates & secrets" section of Azure AD
    • Token Endpoint: https://login.microsoftonline.com/<<<Directory (tenant) ID>>>/oauth2/token
    • Authorization Endpoint: https://login.microsoftonline.com/<<<Directory (tenant) ID>>>/oauth2/authorize
    • User Info Endpoint: https://login.microsoftonline.com/<<<Directory (tenant) ID>>>/openid/userinfo
    • Jwks URL: https://login.microsoftonline.com/common/discovery/keys
    • Change Password URL: Not required
    • Logout URL: Not required
    • Use Nonce validation: yes
    • Identification Method: Unique name
  5. Click Save settings
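As an added check that is not part of the original article, the following Python script rebuilds the Step 3 OAuth Settings values from a tenant ID and branded hostname, compares the endpoints against the tenant's OpenID discovery document, and confirms the Azure Redirect URI matches the Login link. The tenant ID, hostname and discovery document below are constructed stand-ins, not real values.

```python
import json

TENANT_ID = "11111111-2222-3333-4444-555555555555"  # constructed stand-in, not a real tenant
BRANDED_HOST = "filter.example.com"                 # constructed stand-in hostname

# Constructed copy of the tenant's v1 OpenID discovery document, normally fetched from
# https://login.microsoftonline.com/<tenant>/.well-known/openid-configuration
DISCOVERY_JSON = json.dumps({
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/token",
    "userinfo_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/openid/userinfo",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/keys",
})

# Spam Experts field name -> discovery document key it must agree with.
FIELD_TO_DISCOVERY = {"Authorization Endpoint": "authorization_endpoint",
                      "Token Endpoint": "token_endpoint",
                      "User Info Endpoint": "userinfo_endpoint",
                      "Jwks URL": "jwks_uri"}


def expected_settings(tenant_id, branded_host):
    """Build the Step 3 OAuth Settings values for a tenant and branded hostname."""
    base = f"https://login.microsoftonline.com/{tenant_id}"
    return {
        "Login link": f"https://{branded_host}/rest/auth/openid/authorize/mailbox",
        "Provider URL": base,
        "Token Endpoint": f"{base}/oauth2/token",
        "Authorization Endpoint": f"{base}/oauth2/authorize",
        "User Info Endpoint": f"{base}/openid/userinfo",
        "Jwks URL": "https://login.microsoftonline.com/common/discovery/keys",
        "Use Nonce validation": "yes",
    }


def check_settings(settings, discovery_json, redirect_uri):
    """Return a list of problems; an empty list means the values are consistent."""
    disco = json.loads(discovery_json)
    problems = []
    for field, key in FIELD_TO_DISCOVERY.items():
        # A wrong tenant ID or a typo shows up as a mismatch with what Azure publishes.
        if settings.get(field) != disco.get(key):
            problems.append(f"{field} differs from discovery document")
    # The Azure Redirect URI must equal the Login link exactly or the callback is rejected.
    if redirect_uri != settings.get("Login link"):
        problems.append("Azure Redirect URI does not match Login link")
    # Nonce validation ties the ID token to the login attempt; the article says to keep it on.
    if settings.get("Use Nonce validation") != "yes":
        problems.append("Nonce validation is disabled")
    return problems
```

Run `check_settings(expected_settings(TENANT_ID, BRANDED_HOST), DISCOVERY_JSON, <Azure Redirect URI>)` with your own values and a freshly fetched discovery document; an empty list means the Step 3 fields agree with what the tenant publishes.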

Although we strive to provide the most up-to-date information, the instructions covered in the Microsoft configuration may change without our knowledge. To ensure you have the correct up-to-date information, please refer to Microsoft's website.

If you have any issues relating to SSO configuration or logging in with SSO, please .