Support for Modern Authentication (OAuth) for Email Notifications in PingCastle

What is a one sentence summary of your feature request?

Request for Support of Modern Authentication (OAuth) for SMTP in PingCastle

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

We would like to formally request the implementation of modern authentication (OAuth) support for email notifications in PingCastle.

As of October 2024, we raised a support ticket on this subject (ref: 00424048), highlighting the urgent need to move away from basic authentication when connecting to M365 mailboxes.

In alignment with Microsoft’s security recommendations, our organization will disable basic authentication within the next two months. Without support for modern authentication, we will no longer be able to send email notifications via SMTP using PingCastle, which could impact our security monitoring workflows.

We are requesting a solution that would allow authentication via an Azure AD application or a modern, OAuth-compliant method to maintain compatibility with Microsoft 365.

We believe this enhancement is essential to ensure continued secure operation of PingCastle in modern enterprise environments, and we hope it will be prioritized in upcoming product updates.

Thank you for considering this request.

How do you currently solve the challenges you have by not having this feature?

Basic authentication is currently allowed under an exception, but it will be prohibited in two months.


Hi there @RC-1234,
Apologies for not making much progress on this when you logged it last year. It was in our backlog, but we had not got around to it yet.

I have just completed some testing, and it looks like we may be able to release it as a 3.4 hotfix once we get the initial build out over the next couple of weeks.

I think our solution for this will be to use an Application Registration to authenticate to the Graph API with the ClientCredentials flow, then use the SendMail endpoint to do the sending of the emails. This is the basics; then there is some setup in Exchange using the Role Based Access for Applications flow to assign only the Mail.Send permission to the shared mailbox that would be used for PingCastle to send emails.

Does this sound like it should work for you and your environment?

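The setup Joe describes, as an added example (this is not PingCastle's or Netwrix's own code or script): an Entra app registration authenticating with the client-credentials flow, the Graph sendMail endpoint for delivery, and Exchange Online RBAC for Applications to confine the app's Mail.Send role to the one shared mailbox. The tenant id, app id, service-principal object id, mailbox addresses, scope and display names, and the `PINGCASTLE_GRAPH_SECRET` environment variable are all placeholders assumed for the example.

```powershell
# Added example, not PingCastle's code. Part 1 is the one-time Exchange Online setup
# (Exchange admin); Part 2 is what a notifier does at send time.
# Every id, name and address below is a placeholder, not a real value.

$TenantId      = '00000000-0000-0000-0000-000000000000'   # placeholder tenant id
$AppId         = '11111111-1111-1111-1111-111111111111'   # placeholder app (client) id
$SpObjectId    = '22222222-2222-2222-2222-222222222222'   # placeholder enterprise-app object id
$SharedMailbox = 'pingcastle-alerts@example.com'          # placeholder sending mailbox
$Recipient     = 'soc@example.com'                        # placeholder recipient

# --- Part 1: Exchange Online RBAC for Applications (run once) ---
Connect-ExchangeOnline

# Make the Entra service principal known to Exchange so it can be a role assignee.
New-ServicePrincipal -AppId $AppId -ObjectId $SpObjectId -DisplayName 'PingCastle notifications'

# A management scope that matches exactly one recipient: the shared mailbox.
New-ManagementScope -Name 'PingCastleSenderScope' `
    -RecipientRestrictionFilter "PrimarySmtpAddress -eq '$SharedMailbox'"

# Assign only the Mail.Send application role, bounded to that scope.
New-ManagementRoleAssignment -App $AppId -Role 'Application Mail.Send' `
    -CustomResourceScope 'PingCastleSenderScope'

# Verification: the shared mailbox must report InScope = True,
# and any other mailbox (here the recipient) must report InScope = False.
Test-ServicePrincipalAuthorization -Identity $AppId -Resource $SharedMailbox | Format-Table
Test-ServicePrincipalAuthorization -Identity $AppId -Resource $Recipient | Format-Table

# --- Part 2: client-credentials token and Graph sendMail (send time) ---
# The client secret is read from an assumed environment variable; a certificate
# credential (also supported by the flow) is the stronger choice for production.
$ClientSecret = $env:PINGCASTLE_GRAPH_SECRET

$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $AppId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }

# Graph sendMail request body: message plus saveToSentItems flag.
$mail = @{
    message = @{
        subject      = 'PingCastle report available'
        body         = @{ contentType = 'Text'; content = 'The scheduled PingCastle run has finished.' }
        toRecipients = @(@{ emailAddress = @{ address = $Recipient } })
    }
    saveToSentItems = $false
} | ConvertTo-Json -Depth 6

# Send as the shared mailbox; Exchange enforces the RBAC scope assigned above.
Invoke-RestMethod -Method Post `
    -Uri "https://graph.microsoft.com/v1.0/users/$SharedMailbox/sendMail" `
    -Headers @{ Authorization = "Bearer $($tokenResponse.access_token)" } `
    -ContentType 'application/json' `
    -Body $mail
```

The two `Test-ServicePrincipalAuthorization` calls are the check worth keeping: the first should show the Mail.Send role in scope for the shared mailbox and the second should not, which confirms the app cannot send as any other user. Note that this scope bounds only the Exchange role assignment made here; a tenant-wide Mail.Send application permission consented separately in Entra is a different, unscoped grant, so keep the app's access to this assignment alone.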

Research has been completed and product requirements written. It is now with the development team to work on the feature.

ClientCredential flow with either Secret or Certificate should be able to be used.

Note: This will not make the 3.4.1 initial release but we will likely be able to do a small hotfix with this in after the release.


Hello Joe,

I would like to sincerely thank you for your support on this matter.

The proposed solution seems to be fully compatible with our environment.

Using the ClientCredential flow with an Application Registration, combined with the SendMail endpoint and a configuration through Role Based Access for Applications, aligns with what we are able to implement on our side.

We are counting on you to keep us informed about the next steps, as well as any requirements for testing or implementation.

Regards,
Roger

No problem at all! Glad to hear we're on the same page 🙂

I will upload all the detail here and in our docs when we come to release. I have already fully documented the Entra/Exchange setup and have a script which seems to work well for it too. Just need to await the actual implementation to finalize with the specifics.

Thanks a lot for the update, great to hear everything is progressing smoothly!

It’s reassuring to know that the Entra/Exchange setup is already documented and that a working script is available.
We will keep an eye out for the release and will review the documentation as soon as it’s available.

Don’t hesitate to let us know if you need anything from our side in the meantime.

Looking forward to the next steps!