Setting up Modern Authentication in Office 365
TrueChem version 22.5.1+
Modern Authentication is the recommended method for connecting to Office 365. These instructions will help you configure Office365 to accept mail sent from TrueChem.
These changes must be performed by an Office 365 Administrator. TrueLogic is not your Office 365 Administrator and does not have the permissions to make these changes for you.
1. Register an application in the Azure Portal
To use Microsoft/Office365 OAuth to authenticate, you must create an “App registration” at https://portal.azure.com
- Sign into the Azure portal https://portal.azure.com using a Microsoft Account
- Click Azure Active Directory
- Click App Registrations then click New Registration
- Name the app registration TrueChemEmailOAuth
- In the Supported account types section, choose the option Accounts in this organizational directory only (Single tenant)
- Click the Register button
- Write down the Application (client) ID
- Write down the Directory (tenant) ID
2. Assign API permissions
Now you need to assign API permissions to the App Registration. TrueChem only needs the Mail.Send permission.
- Click API Permissions
- Click + Add a permission
- Choose Microsoft Graph
- Choose Application permissions
- Type mail.send into the search box
- Check the mail.send list item
- Click Add permissions
3. Granting consent to the API permission
The permission has been added, but it cannot be used until an Office 365 administrator has granted consent for it.
- Click on Grant admin consent for… next to the + Add a Permission
- If your option is greyed out like the screenshot below, your account does not have the authority to grant this option and you will need someone with one of the following roles to complete this portion:
  - Global Administrator or Privileged Role Administrator, for granting consent for apps requesting any permission, for any API, OR
  - Cloud Application Administrator or Application Administrator, for granting consent for apps requesting any permission for any API, except Azure AD Graph or Microsoft Graph app roles (application permissions), OR
  - A custom directory role that includes the permission to grant permissions to applications, for the permissions required by the application.
- You can move forward with the remaining steps in this document but you will NOT be able to send email via TrueChem until this step is completed by someone with the proper role.
- You can scroll the permissions list to the right to see the consent status
- The Mail.Send permission must have a green check
4. Authentication and Redirect URI
If this is the first mobile or desktop application to use OAuth 2.0 in your organization, you may need to add a redirect URI.
- Click on Authentication
- Look in the Mobile and desktop applications section
- If you don’t have this section, click + Add a platform and select Mobile and desktop applications
- Make sure you have the URI: https://login.microsoftonline.com/common/oauth2/nativeclient
- If you don’t have the URI, add it
5. Client ID and Client Secrets
The Client Secret is a password and should be treated as such. This secret should only be used with TrueChem and should not be shared or reused for other applications.
- Click Certificates & Secrets
- Click + New client secret
- For the Description put TrueChemEmailSecret
- For Expires put 24 months (or the longest option available)
- The Client Secret is only shown one time. If you do not write it down now, you will need to repeat these steps. Write it down in a temporary location. Once the secret has been stored in TrueChem, delete this temporary location. Do not store the secret in any other location.
Microsoft removed the “Never expire” option and the current max is 24 months. You will need to repeat steps 5 and 6 before the expiration date to prevent an interruption in mail coming from TrueChem.
6. TrueChem settings
- In TrueChem, Go to the Email tab in System Setup
- For the Authentication Type Select OAuth 2.0
- Enter a valid O365 Logon name for your organization
- Enter the Client Secret from step 5. The client secret will be protected and will not be viewable after it is saved
- Enter the Tenant ID and Client ID from step 1
- Click the Test button and send a test email to a valid O365 email address in your organization
If you were unable to grant consent in step 3, the test email will fail. Grant consent and try again.
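If the test email in step 6 fails, it helps to know which of the earlier steps is the cause. The script below is an added example, not part of the TrueChem or TrueLogic instructions: it performs the same OAuth 2.0 client-credentials exchange that an App Registration with application permissions uses (the token and Graph sendMail endpoints are Microsoft's documented ones), and it inspects the returned token's roles claim, which only contains Mail.Send once the admin consent from step 3 has been granted. The tenant ID, client ID, secret, mailbox names and the sample token are all constructed placeholders; `live_test` is the only function that touches the network.

```python
"""Added example (not TrueChem/TrueLogic code): check an App Registration for
OAuth 2.0 mail sending. Endpoint paths and JSON shapes are Microsoft's
documented ones; every ID, secret, address and sample token is constructed."""
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SENDMAIL = "https://graph.microsoft.com/v1.0/users/{upn}/sendMail"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the client-credentials token request.
    Application permissions (step 2) use this grant: no user signs in."""
    url = TOKEN_URL.format(tenant=tenant_id)
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    })
    return url, body


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token):
    """Read the 'roles' claim of a Graph application token. The signature is
    deliberately not verified: we are inspecting a token the issuer just gave
    us, not validating one presented to us by a client."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = json.loads(_b64url_decode(parts[1]))
    return set(payload.get("roles", []))


def check_consent(access_token):
    """True only if admin consent (step 3) was granted: Mail.Send appears in
    the token's roles claim only after consent."""
    return "Mail.Send" in token_roles(access_token)


def build_sendmail_request(sender_upn, to_address, subject, text):
    """Return (url, json_body) for Graph sendMail as sender_upn, which is the
    'O365 Logon name' entered in TrueChem (step 6)."""
    url = GRAPH_SENDMAIL.format(upn=urllib.parse.quote(sender_upn))
    body = {
        "message": {
            "subject": subject,
            "body": {"contentType": "Text", "content": text},
            "toRecipients": [{"emailAddress": {"address": to_address}}],
        },
        "saveToSentItems": False,
    }
    return url, body


def live_test(tenant_id, client_id, client_secret, sender_upn, to_address):
    """Network version: get a token, confirm consent, send one test message.
    Raises on failure; returns the HTTP status (202 Accepted on success)."""
    url, form = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(url, data=form.encode()) as resp:
        token = json.load(resp)["access_token"]
    if not check_consent(token):
        raise RuntimeError("token lacks Mail.Send: admin consent not granted")
    url, body = build_sendmail_request(sender_upn, to_address,
                                       "TrueChem OAuth test", "ok")
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def _sample_token(roles):
    """Constructed token shaped like a Graph app token, with a fake signature."""
    header = base64.urlsafe_b64encode(b'{"alg":"RS256","typ":"JWT"}').rstrip(b"=")
    payload = base64.urlsafe_b64encode(
        json.dumps({"aud": "https://graph.microsoft.com", "roles": roles}).encode()
    ).rstrip(b"=")
    return b".".join([header, payload, b"fakesig"]).decode()


SAMPLE_CONSENTED = _sample_token(["Mail.Send"])    # after step 3
SAMPLE_UNCONSENTED = _sample_token([])             # before step 3

if __name__ == "__main__":
    print("consented:", check_consent(SAMPLE_CONSENTED))
    print("unconsented:", check_consent(SAMPLE_UNCONSENTED))
```

Run it with the real tenant ID, client ID and secret from steps 1 and 5 by calling `live_test(...)` from a Python shell; a `RuntimeError` about Mail.Send points at step 3, an HTTP 401 from the token endpoint points at a wrong or expired secret (step 5), and an HTTP 202 means the registration is ready for TrueChem. Delete the secret from the shell history afterwards, for the same reason step 5 gives for the temporary note.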