Historically, Xperience by Kentico—like many other platforms—relied on standard SMTP with Basic Authentication (username and password) for email delivery. While simple to configure, this approach is now considered insecure and operationally risky.

Microsoft has officially deprecated Basic Authentication for Exchange Online, mandating the use of Modern Authentication based on OAuth 2.0. This change directly impacts how applications are allowed to send emails within Microsoft 365 environments.

Out of the box, Xperience by Kentico supports standard SMTP and SendGrid integration. The native SMTP options are limited to host, port, and static credentials, which are incompatible with the token-based authentication flows required by Exchange Online.

This creates a functional gap for organizations standardized on Microsoft 365. Without additional customization, they must either maintain a legacy SMTP relay or compromise on security and compliance. The Xperience.Community.Exchange package bridges this gap by replacing the default SMTP provider with a Microsoft Graph API client that manages the OAuth token lifecycle automatically.

Before configuring the application, a secure trust relationship must be established between your server and Microsoft 365. This configuration is performed in the Microsoft Azure Portal.

The integration requires a Microsoft Entra ID App Registration. This identity represents your Xperience application within your tenant. To permit email sending, the registration must be granted the Mail.Send application permission from the Microsoft Graph API.

Critical Security Step: Application Access Policies

It is important to understand that the Mail.Send permission, by default, grants the application the ability to send email as any user in the Exchange organization. From a security and governance perspective, this is an unacceptable risk in most enterprise environments.

To mitigate this, an Application Access Policy must be configured in Exchange Online. This policy acts as a security boundary, restricting the application’s sending capabilities to a specific security group or a defined list of mailboxes (for example, only no-reply@yourdomain.com).

By implementing this policy, organizations ensure that even if application credentials were compromised, the potential impact would be strictly limited to the intended service accounts. Detailed instructions for configuring these policies can be found in Microsoft’s official documentation on scoping application permissions to specific Exchange Online mailboxes.

For detailed instructions on configuring these policies, refer to the official Microsoft documentation on Scoping application permissions to specific Exchange Online mailboxes.

Once registered and secured, the following values are required to connect the systems:

• Tenant ID (Directory ID)
• Client ID (Application ID)
• Client Secret

The integration process consists of three straightforward steps: installation, configuration, and service registration.

1. Installation

Add the NuGet package to your Xperience by Kentico web project:

dotnet add package XperienceCommunity.MicrosoftExchange

2. Configuration

Add the App Registration credentials to your appsettings.json file. The package uses a default configuration section named MicrosoftGraphApiEmailSender. The Sender address must correspond to a valid mailbox in your Exchange tenant that the application is authorized to use.

{
  "MicrosoftGraphApiEmailSender": {
    "TenantId": "00000000-0000-0000-0000-000000000000",
    "ClientId": "00000000-0000-0000-0000-000000000000",
    "ClientSecret": "YourEntraIDClientSecret",
    "Sender": "no-reply@yourdomain.com"
  }
}

3. Registration

Register the service in the application startup code (Program.cs). This extension method replaces the default IEmailSender implementation in the Dependency Injection container with the Graph API–based provider.

// Registers the Exchange email sender using the configuration from appsettings.json
builder.Services.AddMicrosoftExchangeEmailSender();

Once these steps are complete, no further code changes are required. All system emails—including password resets, workflow notifications, and form auto-responders—are automatically routed through Exchange Online using modern authentication.

While the default implementation supports standard text and HTML emails, more advanced use cases may require additional customization. The package is designed with extensibility in mind.

The core logic resides in the ExchangeOAuthEmailClient class. By subclassing this client, developers can override virtual methods to introduce custom behavior, such as:

• Attachments – extending message conversion logic to handle file attachments or embedded images.
• Metadata – injecting custom internet headers for tracking, auditing, or compliance purposes.
• Routing – dynamically modifying reply-to addresses based on recipient context or message content.

Once a custom client is implemented, it can be registered in place of the default implementation while remaining fully compatible with the Xperience email engine.

Bluesoft is a development company specializing in custom web solutions, e-commerce platforms, and digital applications. For more than 16 years, we have been a Kentico Gold Partner, ranking among the most experienced implementation teams in the region.

We also deliver projects on Kontent.ai and Umbraco, supporting mid-sized and enterprise clients such as Škoda Auto, Sazka, and E.ON. Our solutions regularly earn Kentico Site of the Year awards, confirming the quality and long-term reliability of our work.

As part of the BIQ Group, we bring together over 460 professionals and have successfully delivered more than 1,500 projects.

👉 Send us a message via the contact form and our team will get back to you.