SMTP.Send Consent Flow with Daemon Service – Handling Token Refresh

Question

SMTP.Send Consent Flow with Daemon Service – Handling Token Refresh

Ranjith Kumar Sekar 0

We are building a feature where users provide consent for the SMTP.Send scope by signing in once through our frontend portal (Angular 19 with MSAL integration).
- During login, consent for SMTP.Send is granted.
- The resulting tokens are securely passed to our backend API (built in .NET Framework 4.6.1) and stored.
- A daemon service then sends scheduled reports as email using the signed-in user’s identity.
- The daemon should not require further user interaction and must be able to refresh the token automatically.
Question:
- What is the Microsoft-recommended approach to implement this flow?
- Can we use the refresh token with offline_access for this, or is the on-behalf-of flow recommended?

1 answer

Your answer

Answer 1

Gabriel-N 9,955 Microsoft External Staff Moderator

Hi Ranjith Kumar Sekar

Thank you for reaching out to the Q&A forum.

While I am not a subject matter expert in this area, I have conducted research to provide you with the most accurate guidance possible. Based on your scenario, I recommend implementing the OAuth 2.0 On-Behalf-Of (OBO) flow. This approach is particularly suited for cases where:

A Single Page Application (SPA), such as Angular, manages user authentication and consent.
The SPA then delegates control to a secure backend service that calls downstream APIs, such as Microsoft Graph.

The OBO flow offers the following advantages:

It preserves the user’s identity and delegated permissions throughout the request chain.
The backend receives only the scopes explicitly consented to by the user, mitigating the risk of privilege escalation.
It enables secure service-to-service communication while maintaining the user principal, which is essential for operations such as sending emails on behalf of the user.

Conversely, the direct approach, where the frontend requests Graph scopes (e.g., Mail.Send, offline_access) and transmits access or refresh tokens to the backend, is not recommended due to:

Increased token exposure risk
Potential compliance violations
Architectural misalignment

For comprehensive details, please refer to the official Microsoft documentation: Microsoft identity platform and OAuth 2.0 On-Behalf-Of flow

I hope this information proves helpful.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Gabriel-N 9,955 Reputation points Microsoft External Staff Moderator

2025-09-04T09:46:49.8766667+00:00

Hi Ranjith Kumar Sekar

Is there any update from you?

If yes, please feel free to let us know.
Ranjith Kumar Sekar 0 Reputation points

2025-09-04T11:21:27.64+00:00

Hi @Gabriel-N

Thanks for answering.
I understand that you’re suggesting the On-Behalf-Of (OBO) flow. How is the user principal actually passed to the backend if I’m using MSAL.js for frontend login? Also, is it possible to use this flow for a longer duration without requiring user interaction?
Gabriel-N 9,955 Reputation points Microsoft External Staff Moderator

2025-09-04T14:53:09.0466667+00:00
Hi Ranjith Kumar Sekar

For your two questions, I’ve done some research that might help. But here’s what I found regarding the OBO Flow with MSAL.js for Frontend Login:

Frontend (Angular/MSAL.js):

The user logs in interactively (e.g., loginPopup).

Requests backend scope (e.g., api://backend-app-id/user_impersonation) plus offline_access.

Receives an access token (JWT with user claims like oid) and a refresh token.

Pass to Backend:

Only the access token is sent securely via HTTPS to the .NET API.

Backend OBO:

MSAL.NET uses AcquireTokenOnBehalfOf with the access token as a user assertion.

Exchanges it for a Graph token (e.g., scope: Mail.Send).

This preserves the user’s identity via claims.

Using OBO for Long Duration Without User Interaction:

Backend Caching: MSAL.NET caches Graph access/refresh tokens and silently refreshes access tokens using the refresh token.

Duration: Refresh tokens typically last ~90 days of inactivity (configurable via Entra ID policies).

Daemon Operations: Backend can use AcquireTokenSilent for ongoing tasks like email sending without user prompts.

Limits: Tokens are revoked on sign-out or password change, so it’s important to monitor errors and plan for re-authentication if needed.

This setup is ideal for daemons due to secure backend handling.
Ranjith Kumar Sekar 0 Reputation points

2025-09-08T06:58:59.3366667+00:00

Hi @Gabriel-N
Thanks for continued support.
I’m still a bit unsure about the correct authority URI and scopes required to acquire the SMTP.Send permission. Could you please suggest the right authority URI and scopes that should be used in both the frontend and backend for generating and rotating the token?
Gabriel-N 9,955 Reputation points Microsoft External Staff Moderator

2025-09-09T09:41:34.27+00:00
Hi Ranjith Kumar Sekar

Based on my research, I believe the following information is what you might be looking for. Please note that this is based on theoretical understanding and documentation review. For more accurate or in-depth technical assistance, I recommend raising a support ticket with Microsoft or posting your question on Microsoft Tech Community.

Authority URI (for both frontend and backend)

https://login.microsoftonline.com/{tenant-id}/v2.0

Replace {tenant-id} with your Entra ID tenant GUID or domain (for example, contoso.onmicrosoft.com). The v2.0 endpoint is required for modern OAuth flows and delegated permissions such as SMTP.Send.

Frontend (MSAL.js in Angular)

Authority: same as above

Scopes:

['api://your-backend-client-id/user_impersonation', 'offline_access']

user_impersonation is the custom scope for your backend API, and offline_access enables refresh tokens for silent token renewal.

Backend (.NET with MSAL.NET)

Authority: same as above

Scopes for On-Behalf-Of (OBO) exchange:

["https://outlook.office.com/SMTP.Send"]

This scope allows sending emails via SMTP on behalf of the signed-in user.

Additional Notes

The frontend should not request SMTP.Send directly; it only requests the backend API scope.

The backend uses the OBO flow to exchange the frontend token for an SMTP token.

Include offline_access in the frontend scopes to allow token refresh without user interaction.

For new applications, Microsoft recommends using Microsoft Graph Mail.Send instead of SMTP, as SMTP AUTH is considered legacy.

You may also find this document helpful for additional insight: Tutorial: Authenticate Users End-to-End - Azure App Service | Microsoft Learn
Gabriel-N 9,955 Reputation points Microsoft External Staff Moderator

2025-09-12T09:47:12.88+00:00

Hi Ranjith Kumar Sekar

Is there any update from you?

If yes, please feel free to let us know.
Ranjith Kumar Sekar 0 Reputation points

2025-09-17T06:52:55.14+00:00

Hi
We tried but couldn't reach the solution.
Gabriel-N 9,955 Reputation points Microsoft External Staff Moderator

2025-09-24T09:18:34.93+00:00

Dear Ranjith Kumar Sekar

Apologies for the delayed response. Based on the issue you're experiencing, I believe the most effective course of action would be to contact Azure Support. They’ll be able to provide tailored technical assistance for your Graph API-related concern.

Share via

SMTP.Send Consent Flow with Daemon Service – Handling Token Refresh

1 answer

Your answer