Overview:
I was really struggling to configure SMTP with M365. We have a distribution list that our Operations team are all apart of and wanted to receive email notifications from Jamf for a variety of reasons.
Our environment has MFA enabled and I was continuously fighting with both Jamf/Azure to figure out a workaround to the authentication errors I was seeing in the Jamf Server Logs.
It wasn't until after creating a service account without MFA applied it(account being authenticated in Jamf SMTP) and enabling "Send As" and "Send on behalf" in the distribution list by adding the service account to the delegates list that mail was delivered.
Lets look at a couple server logs I was experiencing first.
Server Log Error generated from an account with MFA enabled:
- javax.mail.AuthenticationFailedException: Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully. Contact your administrator.
With the error above I messed around in Azure quite a bit and got no where. I made exceptions with my user for MFA and I attempted trying to configure an "App Password" which doesn't seem to exist anymore? Or at least was not available within my users account settings for some reason.
Server log Error generated from authenticating with a service account created in M365 with no MFA enabled.
- com.sun.mail.smtp.SMTPSendFailedException: SendAsDenied;
The "SendAsDenied" stuck out to me and I remembered in Exchange that you could configure an account to "Send As". It wasn't until after enabling the service account (account being authenticated in Jamf SMTP) to send as the distribution list that I was targeting mail was finally delivered.
Below is the configuration / solution which allowed for mail to be delivered successfully from Jamf Pro to our M365 Server using a service account without MFA.
Microsoft 365 Configuration:
Step 1: Navigate to admin.microsoft.com
Step 2: Users > Active Users > Add a User
- Enter all required information. I added Exchange Admin as Administrator credentials to this service account.
- Assign a license that will provide this service account a mailbox.
- In the User settings > Mail > Mail Apps > verify that Authenticated SMTP is enabled.
Step 3: Navigate to Exchange Online Admin Center from M365 Admin Center.
Step 4: Navigate to Recipients > Groups > Distribution List and locate the Distribution List you want to target.
Step 5: Select the Distribution List > Settings > Manage Delegates > Edit Delegates > Add a delegate > Add the service account you created and choose the “send on behalf” option. Save changes.
Jamf Pro Configuration:
Step 1: Sign into your Jamf Cloud Instance
Step 2: Select the Settings cog in the top right
Step 3: Navigate to System Settings > SMTP Server
Step 4: Enter the following information:
- Server and port: smtp.office365.com | 587
- Encryption: TLSv1.2
- Connection Timeout: 15 [You can play around with this depending on what you want/need]
- Sender Display Name: [Up to you]
- Sender Email Address: Enter the mailing address you want mail to be sent from. I sent mine from a distribution group.
- Requires Authentication: Enter the credentials of the service account you’ve created in M365.
Step 5: Save and Test. At this point I received an email.
Note: This is how I accomplished this, it may not work for your environment. If you think I skipped a step or didn't explain something clearly please let me know and I'll take a look.
