That's probably something you want to address with the fluentSMTP folks. In general, tokens issued by Entra ID do expire or can be revoked for various reasons, in which case the application will need to reauthenticate. From what you are describing, it looks like this part is a manual process, likely because the plugin is using delegate permissions (authenticating as a user). Check whether the application permissions model is supported, as the authentication for it is non-interactive and can be performed by the backend.
Microsoft Entra App registration for SMTP modern auth keeps needing to reauthenticate
So we have a 365 subscription and a WordPress website and we would like to send mails from the contact form on the website through our Exchange Online server to the recipient (one of our internal mailboxes) for the contact form.
I have attempted to set up the fluentSMTP plugin, which is advertised as having Microsoft 365 support. Through their documentation I am instructed to go to our Azure portal > app registrations > register a new app for it, and then using a callback URL the plugin provides it retrieves an access token and is then able to authenticate and send mail through our Exchange server. I have done this procedure successfully multiple times and it works fine. The problem is after an unknown period of time, I would estimate a few weeks, this access token somehow becomes invalidated and the plugin gets an "unauthorized" error when attempting to send. This can seemingly only be fixed by reauthenticating through the setup procedure.
Obviously this is very suboptimal as it requires manual intervention constantly. Unfortunately I have been unable to find any documentation or configuration for this authentication token and how to keep it permanently authorized.
Thanks in advance for any solutions
Regards,
Cai
2 answers
Sanoop M 80 Reputation points Microsoft Vendor
2025-01-07T22:44:40.4666667+00:00
Hello @Cai Strickland,
Thank you for posting your query on Microsoft Q&A.
In addition to the information provided by @Vasil Michev, I would like to inform you that the Sign-in frequency settings configured in the Conditional Access policies will require users to reauthenticate to the application at regular time intervals.
Sign-in frequency
Sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource. Administrators can select a period of time (hours or days) or choose to require reauthentication every time.
The Microsoft Entra ID default configuration for user sign-in frequency is a rolling window of 90 days. Asking users for credentials often seems like a sensible thing to do, but it can backfire: users that are trained to enter their credentials without thinking can unintentionally supply them to a malicious credential prompt.
Please note that you can configure the sign-in frequency settings in the Conditional Access policy with 1 hour (minimum time interval for reauthentication) to 90 days (maximum time interval for reauthentication).
Please refer to the below documents for your reference to know in detail about how Sign-in frequency works in Conditional Access policies.
I hope the information provided above is helpful. Please feel free to reach out if you have any further questions.
If the above answer is helpful, please click "Accept Answer" and kindly upvote it. If you have additional questions about this answer, please click "Comment".
Thanks and Best Regards,
Sanoop Mohan
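Both answers come down to why a delegated refresh token stops being redeemable. The following is an added example, not part of either answer and not fluentSMTP's code: it classifies the JSON error body that the Entra ID token endpoint returns for a failed refresh, so an administrator can tell a sign-in frequency or inactivity expiry from a transient failure. The function name and sample responses are constructed for illustration, and it assumes the plugin's log exposes that error body.

```python
import json

# Entra ID (AADSTS) codes that mean a delegated refresh token can no longer be
# redeemed silently. Meanings are paraphrased from Microsoft's error reference.
REAUTH_CODES = {
    70043: "refresh token rejected by a Conditional Access sign-in frequency check",
    700082: "refresh token expired due to inactivity",
    70008: "authorization code or refresh token expired or revoked",
    50173: "grant revoked (for example after a password change)",
}


def classify_token_error(body: str) -> dict:
    """Classify a token-endpoint response body from a refresh_token grant.

    Hypothetical helper: returns the action an operator should take and why.
    """
    resp = json.loads(body)
    if "access_token" in resp:
        return {"action": "none", "reasons": []}
    error = resp.get("error", "")
    codes = resp.get("error_codes", [])
    reasons = [REAUTH_CODES[c] for c in codes if c in REAUTH_CODES]
    if error in ("invalid_grant", "interaction_required") or reasons:
        # The stored refresh token is dead: a user must sign in again, or the
        # integration must move to a non-interactive (application) flow.
        return {"action": "interactive_reauth", "reasons": reasons or [error]}
    # Anything else (e.g. temporarily_unavailable) is not a token-lifetime issue.
    return {"action": "retry_or_investigate", "reasons": [error]}


# Constructed sample responses (not captured from a real tenant).
SAMPLE_SIF = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS70043: (constructed sample text)",
    "error_codes": [70043],
})
SAMPLE_TRANSIENT = json.dumps({"error": "temporarily_unavailable", "error_codes": []})

if __name__ == "__main__":
    for sample in (SAMPLE_SIF, SAMPLE_TRANSIENT):
        print(classify_token_error(sample))
```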