SAM uses OAuth to authenticate with Google Workspace/GMail and Microsoft365/Outlook.
If you use another email provider, refer to SAM Guide: Email Setup using Basic Authentication.
What to Know
- SMTP Authentication must be enabled on Microsoft365.
- Email Sending must be entered to allow users or Auto Actions to Send Emails from SAM.
- Changing email passwords requires users to re-authenticate.
Setup Steps
- Connect a SAM Lead User's email account to their Person record in SAM.
- Setup the Default Email Account.
- Connect other User's email accounts, as needed.
You may choose to setup a generic Person record and email account, like hello@yourdomain.com email address to be the default.
Connect a User's Email Account to SAM
Need to onboard a new member of the team? Add them to SAM!
|
In SAM, the user will click their User Settings in the navigation bar > Edit Email Settings > check Send Emails Using Own Email Account > check Email Importing Enabled (if desired) > enter a different Display Name (if desired) OAuth section opens, click Sign in with Google or Sign in with Microsoft > choose your email account to connect > press Continue to Sign in with SAM > click Allow > Your Email Account has been successfully setup! |
Disconnect a User's Email Account from SAM
Need to remove a user from SAM because they are no longer at the organization? Disconnect/disable their account so they no longer have access.
|
In SAM, open the user's Person record > Advanced Options > Edit Email Settings > Uncheck Send Emails Using Own Email Account & Email Importing Enabled (optional) > Save |
Setup the Default and Backup Email Account
The Default Email account will send emails from SAM on behalf of your team as a default or primary email account to use. This email account will attempt to send emails when another specified email account is no longer authenticated. The backup email account will backup this default if there is a loss of authentication connection.
Setup Default
|
In SAM, click Settings (gear icon) > Email Settings Hub > Default Email Account (sidebar) > Email Account to use for Default Email Sending to choose dropdown option > Save |
Setup Backup
|
In SAM, click Settings (gear icon) > Email Settings Hub > Default Email Account (sidebar) > Enter Backup Email Account (sidebar) > Email Account to use for Default Email Sending - Backup to choose dropdown option > Save |
Default Email Notes
- Default email setup is crucial to proper functioning of Auto Action emails, so you should reauthenticate if you receive an alert that default email sending settings are not working.
- It's recommended for users to connect to their own email account. When users do not, the default email will be used.
- The User for default email account will receive pop-up alerts in SAM to confirm sending Auto Action emails unless another User is specified in the Auto Action setup.
- The default email address you choose to "send from" may receive replies from clients who get automated emails. You may not want an employee's direct email account to be the default, but rather a generic info@ or support@yourdomain.com email address. When setting up a new Auto Action, you will have the option to change the "reply to" settings at that time.
- Auto Actions sent from the Default email account, but triggered by another user are shown to both users (trigger person and Default user).
Remove the Default Email Account
|
In SAM, click Settings (gear icon) > Email Settings Hub > Default Email Account (sidebar) > change this to '-Enter New Account-' > Save |
Enabling SMTP in Microsoft
SAM uses the recommended OAuth2 protocol for passing the users credentials to the email server securely. SMTP AUTH is required to be enabled in order to send emails through SAM, and does not present a security concern as long as the “Basic Auth” option doesn’t become enabled.
Why You Need SMTP Auth for OAuth2
- SMTP Auth is simply the ability to authenticate over SMTP (to send emails).
- Even if you’re using OAuth2, Office 365 requires SMTP Auth to be enabled; otherwise, all authenticated SMTP, including secure token-based connections, will be blocked.
Why This Doesn’t Weaken Security
Separate Control Over Basic Authentication
-
- Basic Auth (username/password) can remain disabled even when SMTP Auth is on.
- This ensures older, less secure clients can’t fall back to Basic Auth.
Multi-Factor Authentication (MFA) & Conditional Access
-
- OAuth2 enforces Multi-Factor Authentication (MFA) and other conditional access policies.
- That means only approved tokens—issued per your security rules—can use SMTP Auth.
Per-Mailbox Configuration
-
- You can enable SMTP Auth only for the specific mailboxes needing it, keeping everything else locked down.
Audit & Monitoring
-
- You can track all login attempts in Azure AD logs, ensuring no unexpected Basic Auth connections occur.
Recommended Additional Safeguards
-
- Enable MFA for all users—especially service accounts.
- Disable Basic Auth across the tenant if not already done.
- Use conditional access to limit which devices/IPs can request OAuth tokens.
- Restrict SMTP Auth to only the mailboxes/apps that need it.
- Periodically review logs to confirm no Basic Auth attempts are succeeding.
Errors with OAuth
You may run into a banner saying your email settings are invalid. All you need to do is click Email Account Settings and re-authenticate your email account.
If you have basic authentication/app passwords enabled and you stop midway through the OAuth process, your basic authentication will cease to work.
Comments
0 comments
Article is closed for comments.