Leverage Azure AD (Active Directory) as identity provider for MS Exchange Online

Question

Alteryx 2022.3 release introduced Azure Active Directory (Azure AD) authentication support, Single Sign-On (SSO), for Microsoft ExchangeOnline. This update allows users to authenticate to ExchangeOnline with Azure AD accounts. This Designer release enables users leverage two types of Azure AD application configurations to access your ExchangeOnline account: single-tenant and multi-tenant application. This post covers single-tenant application configuration, whereas the multi-tenant configuration is captured in this post.

To access ExchangeOnline with Azure AD accounts, users are require to have the following configuration in place:

* Azure Active Directory account linked with Microsoft ExchangeOnline service - make sure your ExchangeOnline service has been deployed for the tenant user;

Single-tenant application setup

In this post we will cover how to:

* Register and configure single-tenant OAuth application in Azure AD tenant;

* Obtain required Azure AD application details;

* Access ExchangeOnline using Azure AD identity from Alteryx Designer;

Please note, the following example is intended for demonstration purposes only. We recommend engaging your systems team to help you with configuration. This example covers single-tenant OAuth implementation that is only intended for authentication of users existing within same Azure tenant.

Now that we’re clear about what we need, let’s focus on what we need to do to access above details.

Register and configure single-tenant OAuth application in Azure AD tenantGo to your Azure AD portal, select Active Directory which you want to use with ExchangeOnline, and click on App registrations tab

* Click on New registration and provide a descriptive name e.g. MS Exchange. 
* Select single-tenant as supported account types that can use this application;
* Set type to web, Redirect url to http://localhost and click register;
* On the overview page, copy and save the id of the client application. This will be known as your “client id”.

Next, go to Certificates and Secrets and generate a new secret for this application. Save the value of the secret, you will need it later. This value will be known as “client secret”

Now that we created our client secret, go to “API permissions” tab, available on your left hand side.

Click on Add permission, select “APIs my organisation uses” and add type in the following value: Office 365 Exchange Online. At this step, you should see Office 365 Exchange Online on the list of available apis. Set type to Delegated Permissions

Next, scroll down to mail section and set scope to Mail.Send.All. This will entitle the app to issue tokens with permissions to send emails on behalf of users. Click add permission.

Grant admin consent for Default directory

Now that we configured our OAuth application and assign it with right permissions, make sure to verify you’ve collected the following details:

* Azure AD tenant ID

* MS Exchange client ID

* MS Exchange client secret

Additionally, you will need the following ExchangeOnline details:

* SMTP server address: smtp.office365.com 
* Port: 587

Access ExchangeOnline with Azure AD accountYou can now access your data in ExchangeOnline from Alteryx Designer using your Azure AD account. Simply drag and drop Email tool, check “Use Data Connection Manager (DCM)” box and fill out required details. Set encryption to STARTTLS. Click Save.

Next, select Azure AD authentication method and provide the details we collected earlier to configure connection with your OAuth application. Create and link your credentials with connection.

After filling out above details and clicking connect, you will be redirected to the Azure AD login page. You will be prompted to login with your Azure AD account and grant this application required permissions. Once done, you will successfully obtain access to your ExchangeOnline service.

Grog_S · Answer

Hello, I spent a good amount of time trying to understand why we couldn't you the Azure tokens linked to an app.

This is the response I had from Alteryx tech support.

'The Email Tool in Alteryx Designer is an SMTP-based sender only. Even in the latest Designer 2025.x releases, it supports:

* SMTP server and port
* TLS / SSL
* SMTP authentication using:* username and password
* app passwords
* SMTP relay credentials

* Authentication managed through DCM (Data Connection Manager)

However, it does not currently support:

* SASL XOAUTH2
* OAuth access token injection
* refresh token lifecycle handling
* Microsoft or Google OAuth flows directly within the Email Tool'

Essentially, the email tool use is now quite limited in scope since Microsoft are adding more restrictions to using SMTP workflows.

I am now looking at using Python Script to call the credentials and token, and pass the rendered HTML email into the emails, but isn't ideal, as it doesn't use Alteryx's DCM for secure secret, key and token storage.

It would be great if Alteryx can support XOauth credentials, token retrieval (and storage) and token lifecycles utilize Alteryx DCM functionality.

Grog_S · Answer

Followed the process above, and access granted for credentials, but seems I am unable to send emails from a Share email, linked to the delegated credentials. I get a  'Login Denied' error. But I can send emails for my person email using the same credentials for the shared email address.

Any tips on what may be causing this?

renat_isch · Answer

Hi @elliottwood , thanks for your message. Microsoft announced deprecation of basic authentication support for SMTP, please refer to this page.

SMTP AUTH will still be available when Basic authentication is permanently disabled on October 1, 2022. The reason SMTP will still be available is that many multi-function devices such as printers and scanners can't be updated to use modern authentication. However, we strongly encourage customers to move away from using Basic authentication with SMTP AUTH when possible. Other options for sending authenticated mail include using alternative protocols, such as the Microsoft Graph API.

Therefore, to allow our users continue using ExchangeOnline service, our 22.3 release introduced support for token based authentication for ExchangeOnline leveraging MS GraphAPI.

@elliottwood, feel free to share with us the sender issue you're referring to.