ResourcesDocs › Microsoft 365 › Mail sending
Docs · Microsoft 365

Custom E-Mail Sending via Microsoft 365

Configuring the user-defined e-mail transport using the Microsoft Graph API

Version: July 2026 · Audience: Administrators · unixpass + Microsoft 365 / Entra ID

What is this about?

By default, unixpass sends system e-mails (invitations, registration codes, notifications) through the central unixpass mail server. With the user-defined e-mail transport, your installation sends directly through your own Microsoft 365 tenant via the Microsoft Graph API. Benefits: e-mails originate from your own domain, are SPF/DKIM/DMARC compliant and are far less likely to end up in spam.

Who configures what?

Own unixpass installation (OnPremise / Master)

You configure everything yourself in UXP-Admin (part 2 of this howto).

Tenant on the R3levance cloud

You only complete part 1 (Microsoft Entra) and securely hand the three values to R3levance support — they will set up the transport for your tenant.

Prerequisites

  • Microsoft 365 tenant with access to the Entra admin center (role: Global Administrator or Application Administrator)
  • An app registration for unixpass (“UXP”) — the same app can be used for SSO (login via O365) and for mail sending
  • An existing mailbox (or shared mailbox) in the tenant used as the sender address, e.g. noreply@your-domain.com

Part 1 — Microsoft Entra: authorize the app

1

Open the app registration

Sign in to the Entra admin center and open Entra ID → App registrations. Select the existing UXP app. If none exists yet: New registration → name “UXP”, account type “Accounts in this organizational directory only”.

From the app overview, note the Application (client) ID and the Directory (tenant) ID — both are needed in part 2.
Entra: App-Registrierungen
Entra ID → App-Registrierungen / App registrations
2

Add the Mail.Send permission

In the UXP app, open API permissions and click Add a permission → Microsoft Graph → Application permissions. Search for Mail.Send (“Send mail as any user”) and add it. Important: the type must be Application, not “Delegated” — unixpass sends without a signed-in user.

Entra: API-Berechtigungen
API permissions of the UXP app: Mail.Send of type “Application”, next to the delegated SSO permissions (email, openid, profile, User.Read).
3

Grant admin consent

Application permissions require administrator consent. Click Grant admin consent for <your organization> and confirm. The Status column then shows a green “Granted” check mark.

4

Create a client secret

Open Certificates & secrets → New client secret. Enter a description (e.g. “unixpass mail sending”) and an expiry period. Copy the value immediately — it is shown only once.

⚠️ Treat the secret like a password: never send it by unencrypted e-mail and never show it in screenshots or recordings. Before it expires, create a new secret and update it in unixpass — otherwise mail sending stops.
5

Recommended: restrict sending to the sender mailbox

Mail.Send as an application permission technically allows the app to send as any user of the tenant. Use an application access policy in Exchange Online to restrict the app to the single sender mailbox:

# Exchange Online PowerShell (Connect-ExchangeOnline)
New-DistributionGroup -Name "UXP-MailSend-Allowed" -Type Security
Add-DistributionGroupMember -Identity "UXP-MailSend-Allowed" -Member noreply@your-domain.com
New-ApplicationAccessPolicy -AppId <APPLICATION-ID> -PolicyScopeGroupId UXP-MailSend-Allowed@your-domain.com -AccessRight RestrictAccess -Description "UXP may only send as noreply"
# Verify:
Test-ApplicationAccessPolicy -Identity noreply@your-domain.com -AppId <APPLICATION-ID>

You now have these three values

Application (client) IDCLIENT_APP_ID — GUID from the app overview
Client secretCLIENT_APP_SECRET — the value copied in step 4
Directory (tenant) IDTENANT_ID — GUID from the app overview

Part 2 — unixpass: configure the e-mail transport

☁️ R3levance cloud tenants: this part is done by R3levance support. Hand over the three values from part 1 plus the desired sender address through a secure channel (no plain-text e-mail — e.g. password manager share or split channels).

In UXP-Admin, open the tenant settings and enable the User-defined e-mail transport section:

User-defined e-mail transport
Custom ▾
microsoftgraph+api://CLIENT_APP_ID:CLIENT_APP_SECRET@default?tenantId=TENANT_ID
z.B.: smtp://user:pass@example.org:25 · microsoftgraph+api://CLIENT_APP_ID:CLIENT_APP_SECRET@default?tenantId=TENANT_ID
noreply@your-domain.com
z.B.: info@example.org
UXP-Admin: user-defined e-mail transport — replace the values with your own.

Anatomy of the DSN

microsoftgraph+api://transport scheme: sending via the Microsoft Graph API
CLIENT_APP_IDapplication (client) ID of the UXP app
CLIENT_APP_SECRETclient secret (value). If the secret contains special characters such as / @ : ?, they must be URL-encoded (e.g. /%2F)
@defaultfixed part
?tenantId=TENANT_IDdirectory (tenant) ID of the M365 tenant
The sender e-mail must belong to a real mailbox (or shared mailbox) in the tenant. Plain alias addresses without a mailbox do not work reliably.

Testing & troubleshooting

Trigger a system e-mail (e.g. an invitation or a registration code) and check delivery. Typical issues:

Mail not delivered, error “insufficient privileges”Admin consent for Mail.Send missing (part 1, step 3), or the permission is “Delegated” instead of “Application”.
Error “invalid client secret” / 401Secret copied incorrectly, expired, or special characters not URL-encoded.
Error “ErrorAccessDenied”An application access policy blocks the sender mailbox — check group/policy (Test-ApplicationAccessPolicy).
Sender rejected / NDRSender e-mail does not belong to a mailbox in the tenant.
Sending suddenly stops after monthsClient secret expired — create a new secret and update the DSN.