• Resolved r4d8

    (@r4d8)


    In addition to the well-known 422 error, which is expected to be resolved in the coming weeks, I have another concern regarding the security of our Microsoft tenant.

    By September 2025, we are required to disable or modify SMTP authentication on our web servers and transition to using OAuth2. However, I foresee potential issues with our tenant’s security because the API permissions appear to be excessively broad. Specifically, the “Mail.Send – Send mail as any user” permission must be granted, even though the plugin is only intended to send emails from a single address.

    Additionally, this plugin (as well as WP Mail SMTP) requests read permissions for all mailboxes, which I find unacceptable as it poses a significant security risk.

    How are you addressing this issue?

    The API permissions in Entra ID (formerly Azure AD) are not sufficiently granular, making them less effective for adequately protecting the tenant.

Viewing 1 replies (of 1 total)
  • Plugin Support Ibrahim Sharif

    (@ibrahimsharif)

    Hello @r4d8,

    Thank you for contacting us. I understand your concern regarding the security of your Microsoft tenant when using OAuth2 for SMTP authentication.

    The API permissions required for OAuth2 authentication with Microsoft are currently broad. This includes the “Mail.Send – Send mail as any user” permission. Additionally, the plugin requests read permissions for all mailboxes.

    We are aware of these concerns and you are welcome to suggest any changes. In the meantime, we recommend using the “Other SMTP” option within the plugin, which allows you to authenticate using hostname and port combination instead of API Authorization.

    We appreciate your feedback and suggestions. We will continue to work towards improving the security of our plugin and will keep you updated on our progress.

    Please let us know if you have any further questions.
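The control that addresses the concern raised in this thread sits on the Exchange Online side rather than in the plugin: an Application Access Policy, which restricts an app registration's tenant-wide Graph application permissions (Mail.Send, Mail.Read and the other Mail.*, MailboxSettings.*, Calendars.* and Contacts.* application permissions) to the mailboxes in a mail-enabled security group. The script below is an added example and is not code from the plugin, its authors or the posters; the app ID, mailbox and group addresses are placeholders. It creates the scope group containing only the sending mailbox, applies a RestrictAccess policy to the app, and then checks with Test-ApplicationAccessPolicy that the sending mailbox is Granted and any other mailbox is Denied.

```powershell
# Added example (not from the thread or the plugin): scope a Graph app registration's
# tenant-wide Mail.Send / Mail.Read application permissions down to one mailbox
# with an Exchange Online Application Access Policy.
#
# Assumptions (all placeholders, not real identifiers):
#   $AppId          - Application (client) ID of the plugin's app registration
#   $SenderMailbox  - the only mailbox the plugin should ever send from (or read)
#   $ScopeGroup     - a mail-enabled security group containing only that mailbox
#   $OtherMailbox   - any unrelated mailbox, used to prove the policy denies it
# Requires the ExchangeOnlineManagement module and an Exchange administrator role.

$AppId         = '00000000-0000-0000-0000-000000000000'   # placeholder
$SenderMailbox = 'wordpress@example.com'                  # placeholder
$ScopeGroup    = 'wp-mail-sender-scope@example.com'       # placeholder
$OtherMailbox  = 'someone.else@example.com'               # placeholder

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Scope group: a mail-enabled security group whose only member is the sender mailbox.
if (-not (Get-DistributionGroup -Identity $ScopeGroup -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name 'WP Mail Sender Scope' `
        -PrimarySmtpAddress $ScopeGroup `
        -Type Security | Out-Null
    Add-DistributionGroupMember -Identity $ScopeGroup -Member $SenderMailbox
}

# 2. Policy: the app may touch only mailboxes in the group; every other mailbox is Denied,
#    even though the consent prompt still shows "Send mail as any user".
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description 'WordPress SMTP plugin: send/read only as the configured sender mailbox'

# 3. Verify. Propagation can take up to about 30 minutes; re-run until it settles.
$allowed = Test-ApplicationAccessPolicy -Identity $SenderMailbox -AppId $AppId
$denied  = Test-ApplicationAccessPolicy -Identity $OtherMailbox  -AppId $AppId

$allowed, $denied | Select-Object Mailbox, AccessCheckResult

if ($allowed.AccessCheckResult -ne 'Granted' -or $denied.AccessCheckResult -ne 'Denied') {
    Write-Warning 'Policy not yet effective or misconfigured; inspect Get-ApplicationAccessPolicy'
}
```

Two caveats a practitioner should keep in mind. First, the policy narrows what the app can do at runtime but does not change the consent screen, so the broad permission the original poster objects to will still be listed there; the enforcement is visible only through Test-ApplicationAccessPolicy (or a 403 from Graph when the app tries another mailbox). Second, it applies to application (client-credentials) permissions on Graph, not to delegated flows. Note also that the "Other SMTP" workaround suggested in the reply authenticates with plain SMTP AUTH, which is the mechanism the original poster says must be disabled by September 2025, so it is a stopgap rather than a long-term answer.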
