04-20-2022 11:50 AM - edited 04-20-2022 11:51 AM
Overview:
I was really struggling to configure SMTP with M365. We have a distribution list that our Operations team are all a part of and wanted to receive email notifications from Jamf for a variety of reasons.
Our environment has MFA enabled and I was continuously fighting with both Jamf/Azure to figure out a workaround to the authentication errors I was seeing in the Jamf Server Logs.
It wasn't until after creating a service account without MFA applied to it (the account being authenticated in Jamf SMTP) and enabling "Send As" and "Send on behalf" in the distribution list by adding the service account to the delegates list that mail was delivered.
Let's look at a couple of server logs I was experiencing first.
Server Log Error generated from an account with MFA enabled:
With the error above I messed around in Azure quite a bit and got nowhere. I made exceptions with my user for MFA and I attempted to configure an "App Password", which doesn't seem to exist anymore? Or at least it was not available within my user's account settings for some reason.
Server Log Error generated from authenticating with a service account created in M365 with no MFA enabled:
The "SendAsDenied" stuck out to me and I remembered in Exchange that you could configure an account to "Send As". It wasn't until after enabling the service account (the account being authenticated in Jamf SMTP) to send as the distribution list I was targeting that mail was finally delivered.
Below is the configuration / solution which allowed for mail to be delivered successfully from Jamf Pro to our M365 Server using a service account without MFA.
Microsoft 365 Configuration:
Step 1: Navigate to admin.microsoft.com
Step 2: Users > Active Users > Add a User
Step 3: Navigate to Exchange Online Admin Center from M365 Admin Center.
Step 4: Navigate to Recipients > Groups > Distribution List and locate the Distribution List you want to target.
Step 5: Select the Distribution List > Settings > Manage Delegates > Edit Delegates > Add a delegate > Add the service account you created and choose the “send on behalf” option. Save changes.
Jamf Pro Configuration:
Step 1: Sign into your Jamf Cloud Instance
Step 2: Select the Settings cog in the top right
Step 3: Navigate to System Settings > SMTP Server
Step 4: Enter the following information:
Step 5: Save and Test. At this point I received an email.
Note: This is how I accomplished this, it may not work for your environment. If you think I skipped a step or didn't explain something clearly please let me know and I'll take a look.
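The Exchange Online part of the procedure above (Steps 3 to 5), as an added PowerShell example that is not part of the original post: it grants the same "send on behalf" delegation from the Exchange Online PowerShell module instead of the admin center and reads it back for verification. The admin, service-account and distribution-list addresses are placeholders, and it assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example, not from the original post. Grants the Jamf SMTP service
# account delegation on the Operations distribution list (Step 5 above).
# Assumptions: ExchangeOnlineManagement is installed and the account running
# this can manage recipients. All three addresses below are placeholders.
param(
    [string]$AdminUpn   = 'exo-admin@contoso.example',      # placeholder
    [string]$ServiceUpn = 'svc-jamf-smtp@contoso.example',  # placeholder
    [string]$DistGroup  = 'ops-team@contoso.example',       # placeholder
    [switch]$AlsoGrantSendAs   # Step 5 only needs "send on behalf"
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Step 5: add the service account as a "send on behalf" delegate.
# @{Add=...} appends to the existing delegate list instead of replacing it.
Set-DistributionGroup -Identity $DistGroup `
    -GrantSendOnBehalfTo @{Add = $ServiceUpn}

# Optional "Send As" (the post mentions both). With "send on behalf" the
# recipient still sees the service account in the header; with "Send As" the
# mail appears to come from the group itself, so it is the broader grant.
if ($AlsoGrantSendAs) {
    Add-RecipientPermission -Identity $DistGroup -Trustee $ServiceUpn `
        -AccessRights SendAs -Confirm:$false
}

# Verification: read the delegation back so a later SendAsDenied in the Jamf
# server log can be tied to this group/account pair rather than to MFA.
Write-Host "Send-on-behalf delegates for $DistGroup :"
Get-DistributionGroup -Identity $DistGroup |
    Select-Object -ExpandProperty GrantSendOnBehalfTo

if ($AlsoGrantSendAs) {
    Write-Host "Send As permissions for $ServiceUpn on $DistGroup :"
    Get-RecipientPermission -Identity $DistGroup -Trustee $ServiceUpn |
        Select-Object Trustee, AccessRights, AccessControlType
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it before the Jamf Pro "Save and Test" step; if the service account is not listed in the output, the SendAsDenied error will recur regardless of the MFA exclusion.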
Posted on 04-16-2024 09:42 AM
I just tried to set it up yet it failed to send. I guess I'll open a ticket to see what, if anything, I did wrong in that extensive and annoying process...
Posted on 04-16-2024 11:55 AM
We WERE able to get it working, but the internal M365 tech I worked with did 98% of the work so I can't really offer any assistance with troubleshooting.
Posted on 05-29-2024 10:21 AM
Anyone have feedback on the Graph API solution working well (or not) before we dive into it?
Posted on 05-29-2024 01:42 PM
It's working. But it needs to most power :(
Posted on 05-30-2024 06:41 AM
It works yet I'm not sure what the benefit is. We still use a basic MS license for the service account for email sends.
Posted on 07-25-2024 10:47 AM
@llitz123 the account sending the email doesn't need licensing in my test. The benefit is not having to exclude any account from MFA policies like the old way required.
For anyone else trying it, the directions I think are flawed and #6 should be modified for $ObjectID from enterprise apps, not secret like the directions say. Maybe jamf will correct it, I entered a ticket.
https://learn.jamf.com/en-US/bundle/technical-articles/page/Configuring_Jamf_Pro_to_Use_Microsoft_Gr...
Posted on 08-07-2024 06:14 PM
Can confirm the directions are wrong and your edit is spot on.