Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

SMTP email configuration

asp
Regular Contributor II
Regular Contributor II

Hi,

We are attempting to use Azure OAUTH based SMTP email for outbound (EIC sending emails to end-users). As per the documentation -  https://docs.saviyntcloud.com/bundle/EIC-Admin-v24x/page/Content/Chapter06-EIC-Configurations/Config... we need an 'Email Address' , which is the 'from address' for emails that EIC will send.  So, to clarify - this needs to be a mailbox that needs to be created by the Azure/Outlook resources first correct? Basically on their side - they need to create do 3 things:

1. Create App Registration in Azure.

2. Grant permissions to this App Registration as per documentation. https://docs.saviyntcloud.com/bundle/EIC-Admin-v24x/page/Content/Chapter06-EIC-Configurations/Settin...

3. Create or license a mailbox to be used with this app registration.

Is that correct? Thanks

4 REPLIES 4

stalluri
Valued Contributor II
Valued Contributor II

@asp 

Yes, you need to perform the above three steps.


Best Regards,
Sam Talluri
If you find this a helpful response, kindly consider selecting Accept As Solution and clicking on the kudos button.

rushikeshvartak
All-Star
All-Star

Yes, you are correct. For setting up Azure OAuth-based SMTP email for EIC (Enterprise Identity Cloud) outbound emails, the process involves multiple steps on the Azure/Outlook side, as you have outlined. Here’s the breakdown:

  1. Create an App Registration in Azure:
    The app registration is necessary to authenticate the application (EIC in this case) with Azure using OAuth. This registration will serve as the identity of the application when communicating with the Microsoft APIs.

  2. Grant the necessary permissions to the App Registration:
    The permissions required for this app registration will allow it to send emails on behalf of a user or the organization. As per the Saviynt documentation, you will likely need SMTP.Send and Mail.Send permissions. These permissions should be granted via the Azure portal, and admin consent may be required depending on your organization's security settings.

  3. Create or license a mailbox for sending emails:
    The "From Address" used in outbound emails (as mentioned in the EIC Admin documentation) must be a valid, licensed mailbox. This could be an existing mailbox or a new one specifically created for EIC notifications. This mailbox must have the appropriate licensing, such as an Office 365 license, to send emails.

Once all three steps are completed, you should be able to configure EIC to send emails using this mailbox with Azure OAuth.

Let me know if you need further clarification!


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

asp
Regular Contributor II
Regular Contributor II

Thanks Rushikesh! Very well explained.

One follow up question - w.r.t to the App Registrations in Azure, can we re-use the registration for Dev and Prod? And just create 2 different mailboxes for dev and prod?  In the Azure app registration, there is a Reply URL that needs to be configured - if this needs to be the EIC instance URL , then we may need 2 different app registrations in Azure and the same registration cannot be re-used.  But don't think that is necessary and the same app registration can be used. Looking for best practice recommendations. Thanks!

You can indeed use a single Azure App Registration for both development (Dev) and production (Prod) environments with some considerations. However, there are best practices and specific configurations to be aware of:

Using a Single App Registration for Dev and Prod:

  1. Single App Registration:

    • You can use the same App Registration for both Dev and Prod if your application instances (EIC) are configured to handle multiple environments. This approach simplifies management and ensures that your OAuth credentials and permissions are consistently applied across environments.
    • Pros: Reduced overhead in managing multiple registrations, centralized management of permissions.
    • Cons: Potential risk of configuration conflicts between environments, and less clear separation between Dev and Prod environments.
  2. Separate App Registrations:

    • Alternatively, you can create separate App Registrations for Dev and Prod. This approach provides a clear separation of environments and ensures that changes or issues in one environment do not affect the other.
    • Pros: Clear separation of concerns, reduces risk of cross-environment issues, easier to manage environment-specific configurations.
    • Cons: Increased management overhead with multiple registrations, potentially duplicated configuration efforts.

Configuring Reply URLs:

  • Reply URL (Redirect URI): The Reply URL specified in the App Registration needs to match the URL where your application (EIC) will receive authentication responses. This URL is used during the OAuth flow to redirect the user back to the application after authentication.

    If you are using a single App Registration, you need to include both Reply URLs in the App Registration configuration. This allows the same App Registration to handle OAuth flows for both environments.

Best Practice Recommendations:

  1. Separate Environments: If possible, create separate App Registrations for Dev and Prod to maintain a clear separation between your environments. This separation helps to isolate changes, manage permissions, and troubleshoot issues effectively.

  2. Maintain Configuration Consistency: Ensure that both Dev and Prod configurations are consistent if using a single App Registration. Keep track of environment-specific settings to avoid misconfigurations.

  3. Monitor and Audit: Regularly monitor and audit the usage and permissions of your App Registrations. Ensure that permissions are granted according to the principle of least privilege.

  4. Update and Versioning: Consider versioning your App Registrations and permissions as your application evolves. This practice helps in managing changes and ensuring smooth transitions between different versions of your application.

  5. Security Considerations: Ensure that your App Registration credentials and permissions are securely managed and rotated periodically. Follow security best practices to protect your OAuth credentials.

In summary, while you can use a single App Registration for both environments with multiple Reply URLs, creating separate App Registrations for Dev and Prod provides better isolation and management. Choose the approach that best fits your organization's requirements and practices.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.