Azure app registration and Microsoft service account (Outlook)
Azure app registration and Microsoft service account (Outlook)
Purpose
This article is for Microsoft 365 / Azure AD administrators who connect Outlook mailboxes in SuperSend using a Microsoft service account (application permissions and client credentials), instead of per-user OAuth. You will learn what SuperSend expects in Azure and where to enter credentials in the app.
Prerequisites
- Azure AD role that can create app registrations and grant admin consent (e.g. Global Administrator or Privileged Role Administrator with App Registration permissions—your org’s requirements may vary).
- A clear reason to use service account vs OAuth: service accounts use application permissions so mailboxes can be connected without each user signing in through Microsoft’s consent screen (typical for many mailboxes on one tenant).
- For manual setup: access to Azure Portal for your tenant.
What SuperSend stores
A Microsoft service account in SuperSend is team-scoped credentials:
- Application (client) ID
- Directory (tenant) ID
- Client secret (the secret value, not the secret ID)
These are used to obtain Microsoft Graph tokens for sending and mailbox access for Outlook senders linked to that service account.
Required Azure app registration (manual setup)
Create or edit an App registration in Azure Portal (Microsoft Entra ID → App registrations → New registration).
- Name — any name your admins will recognize (e.g.
SuperSend Outlook). - Supported account types — typically Accounts in this organizational directory only (single tenant), matching your tenant.
- Redirect URI — not required for the service account (client credentials) path. You can leave it empty for this use case.
API permissions (Microsoft Graph)
Add permissions under Microsoft Graph → Application permissions (not delegated):
Permission | Purpose |
|---|---|
User.Read.All | Lets SuperSend resolve the mailbox user when connecting a sender (Graph |
Mail.Read | Read mail (inbox/replies) via Graph. |
Mail.ReadWrite | Read and update mail folders and messages. |
Mail.Send | Send mail via Graph. |
Then click Grant admin consent for [your organization]. Application permissions do not apply until admin consent is granted.
Client secret
- Open Certificates & secrets → New client secret.
- Choose an expiry your security policy allows (many teams use 12–24 months).
- Copy the Value immediately (shown once). Paste that into SuperSend as Client Secret.
No Exchange “ApplicationImpersonation” in the portal checklist
SuperSend’s documented Graph setup focuses on Graph application permissions and consent. If your tenant uses additional Exchange Online policies, work with your IT team—some orgs restrict application access to mailboxes until mailbox or tenant policies allow it.
Where to enter credentials in SuperSend
Option A — Organization Admin (Integrations)
For teams that centralize credentials:
- Go to Organization Admin → Admin Settings (
/org/admin). - Open the Integrations tab.
- Select the team your senders belong to.
- Open the Microsoft integration. The Microsoft service account panel lets you create, edit, and delete service accounts and mark one as default for the team.
Option B — Add Sender wizard (inline)
When adding an Outlook mailbox:
- Go to Senders → Add Sender → Email Sender → Connect Your Own Mailboxes → Microsoft Outlook.
- Select the Service Account tab (next to OAuth).
- Choose an existing service account, or use Create Service Account / Create New Service Account and enter Name, Client ID, Client Secret, and Tenant ID.
- Enter the mailbox email address and complete the flow.
Troubleshooting
- Issue: “Failed to get Outlook profile” when connecting via service account.
Fix: In Azure, under Application permissions, add User.Read.All, then Grant admin consent. Confirm the mailbox address matches the user’s User principal name in Entra ID if your tenant uses a different UPN than the email alias.
- Issue: Service account shows Active but senders fail or mail actions fail with permission errors.
Fix: Re-check that all four application permissions are present, admin consent shows green checkmarks, and the client secret has not expired. Rotate the secret in Azure and update it in SuperSend.
- Issue: OAuth works for one user but you need many mailboxes without individual sign-in.
Fix: Use Service Account with application permissions as described above; OAuth in the wizard is a different integration path.
- Issue: You cannot see Organization Admin → Integrations.
Fix: Only organization administrators can open org-level Admin Settings. Ask an org admin to add the Microsoft service account, or use the Add Sender flow if your role allows creating service accounts there.
Related articles
Updated on: 21/03/2026
Thank you!