OAuth2 (App Auth) Configuration

Applies to: Patch My PC Publisher

Overview

OAuth2 allows the Publisher to send email without using a mailbox username and password. Instead, email is sent using a Microsoft Entra ID app registration, which is the recommended approach for modern cloud email services such as Microsoft 365 (Exchange Online) and Google Workspace.

This authentication method is intended for environments where SMTP basic authentication is restricted or deprecated and where secure, non-interactive service authentication is required.

App Registration and Permissions

OAuth2 email authentication requires a Microsoft Entra ID app registration with the Microsoft Graph Mail.Send (Application) permission granted.


When configuring the app registration, you can apply standard Entra ID security practices such as:

  • Using a dedicated app registration for email

  • Using certificate-based authentication where possible

  • Reviewing Entra ID sign-in and audit logs as part of normal operations

This approach aligns with Microsoft’s recommended model for service authentication and automation.

When deciding which Microsoft Entra ID app registration to use for OAuth2 email authentication, you have two options.

Option 1: Use the existing App Registration

This option reuses the authentication method already configured for Intune publishing, so you do not need to create and manage a separate app registration. A single app registration centralises permissions and credentials, simplifying both initial setup and ongoing management.

When to choose this option

  • You already have Intune publishing configured in the Publisher.

  • You want to manage a single app registration for all Patch My PC operations in Microsoft Graph.

Requirements

  • The existing app registration must have the Microsoft Graph – Mail.Send (Application) permission granted.

Configure the App Registration

Follow the steps below to add the required Microsoft Graph Mail.Send (Application) permission to the Entra ID app registration used by the Publisher.

  1. Sign in to the Microsoft Entra admin center.

  2. Navigate to Entra ID > App registrations.

  3. Select the app registration created for Patch My PC Publisher (for example, Patch My PC Publisher – Intune Connector).

  4. In the left-hand menu, select API permissions.

  5. Select Add a permission.

Add an API Permission
  1. In the Request API permissions pane, choose Microsoft Graph.

  2. Select Application permissions (not Delegated permissions).

  3. Use the search box or expand the relevant categories and add the permission listed under Requirements above:

    • Mail.Send

  4. Select Add permissions to apply the selected permissions.

  5. Select Grant admin consent and confirm the prompt to approve the permission.

Confirm the Mail.Send permission has been added and granted

Configure the Publisher

After selecting OAuth2 as the email authentication type, select Use existing app registration to reuse the same Microsoft Entra ID app registration configured under Intune Apps/Updates > Options. The available fields are automatically updated to reflect the existing app registration details and authentication method.

Use existing app registration

Click Test Permissions to verify that the API permissions have been configured correctly.


Note

If multiple tenants are configured in the Publisher using an MSP or MSP Plus license, select the appropriate tenant from the tenant selector to use the app registration for that specific tenant.

Option 2: Create a new (or use a different) App Registration

This option uses a separate Microsoft Entra ID app registration that is not shared with Intune app and update publishing (if configured). The app registration can be newly created or an existing one in the tenant that you choose to use specifically for sending email from the Publisher.


Note

Using a separate app registration allows you to isolate email-sending permissions from Intune publishing and manage credentials independently.

When to choose this option

  • You want to separate email functionality from Intune publishing in the Publisher

  • You do not use Intune publishing with the Publisher

  • You prefer separate ownership, auditing, or credential rotation

  • Your security policy requires functional isolation or least-privilege separation

Requirements

  • The app registration must have the Microsoft Graph – Mail.Send (Application) permission granted

  • Admin consent must be granted for the permission

Configure the App Registration

Follow the steps below to add the required Microsoft Graph Mail.Send (Application) permission to the Entra ID app registration used by the Publisher.

  1. Sign in to the Microsoft Entra admin center.

  2. Decide which approach best fits your environment.

    1. Create a new app registration

      i. Follow the guidance in Register an Application to register an application in Entra ID.

      ii. After the app registration is created, continue to step 3.

    2. Use an existing app registration

      i. Navigate to Entra ID > App registrations.

      ii. Select the desired app registration to use for sending email notifications.

      iii. Continue to step 3.

  3. In the left-hand menu of the app registration, select API permissions.

  4. Select Add a permission.

Add an API Permission
  1. In the Request API permissions pane, choose Microsoft Graph.

  2. Select Application permissions (not Delegated permissions).

  3. Use the search box or expand the relevant categories and add the permission listed under Requirements above:

    • Mail.Send

  4. Select Add permissions to apply the selected permissions.

  5. Select Grant admin consent and confirm the prompt to approve the permission.

Confirm the Mail.Send permission has been added and granted
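The consent check behind step 5, as an added example that is not part of this documentation or of the Publisher: a Python script that decides, from the JSON Microsoft Graph returns for a service principal's app role assignments, whether Mail.Send has been granted as an application permission (the same check applies to the Option 1 procedure above). The Graph endpoints named in the docstring are real; the role ids, object ids and assignment records are constructed sample data.

```python
"""Check whether an app registration holds Microsoft Graph Mail.Send as an
*application* permission with admin consent.

Added example, not part of the Patch My PC documentation or product. It works
on the JSON that Microsoft Graph returns for two requests (both need a
directory-reading permission such as Application.Read.All):

  GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'
      &$select=id,appRoles                 -> Graph's own service principal
  GET /servicePrincipals/{publisher-sp-id}/appRoleAssignments
                                            -> roles granted to the Publisher's
                                               service principal (= admin-consented
                                               application permissions)

The sample payloads below are constructed and trimmed to the fields used."""

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph (well-known appId)

# Constructed excerpt of Graph's appRoles collection (the ids are made up).
GRAPH_APP_ROLES = [
    {"id": "11111111-1111-1111-1111-111111111111", "value": "Mail.Send",
     "allowedMemberTypes": ["Application"], "isEnabled": True},
    {"id": "22222222-2222-2222-2222-222222222222", "value": "Mail.Read",
     "allowedMemberTypes": ["Application"], "isEnabled": True},
]
GRAPH_SP_OBJECT_ID = "aaaaaaaa-0000-0000-0000-000000000001"  # constructed object id

# Constructed appRoleAssignments for two hypothetical Publisher service principals.
ASSIGNMENTS_GRANTED = [
    {"appRoleId": "11111111-1111-1111-1111-111111111111",
     "resourceId": GRAPH_SP_OBJECT_ID, "principalDisplayName": "Patch My PC Publisher"},
]
ASSIGNMENTS_MISSING = [
    # Mail.Read only: the Publisher could read mail but not send it.
    {"appRoleId": "22222222-2222-2222-2222-222222222222",
     "resourceId": GRAPH_SP_OBJECT_ID, "principalDisplayName": "Patch My PC Publisher"},
]


def find_app_role_id(app_roles, value):
    """Resolve a permission name (e.g. 'Mail.Send') to Graph's appRole id.
    Only enabled roles of the Application kind count; delegated scopes live in
    a different collection (oauth2PermissionScopes) and are not sufficient."""
    for role in app_roles:
        if (role.get("value") == value and role.get("isEnabled", False)
                and "Application" in role.get("allowedMemberTypes", [])):
            return role["id"]
    return None


def mail_send_granted(assignments, app_roles, graph_sp_id):
    """True when an appRoleAssignment for Graph's Mail.Send role exists.
    An assignment on the service principal is what 'Grant admin consent'
    creates, so its presence means consent was given, not just requested."""
    role_id = find_app_role_id(app_roles, "Mail.Send")
    if role_id is None:
        return False
    return any(a.get("appRoleId") == role_id and a.get("resourceId") == graph_sp_id
               for a in assignments)


def missing_roles(assignments, app_roles, graph_sp_id, required=("Mail.Send",)):
    """List the required Graph application permissions that are not granted."""
    granted = {a["appRoleId"] for a in assignments if a.get("resourceId") == graph_sp_id}
    return [v for v in required if find_app_role_id(app_roles, v) not in granted]


if __name__ == "__main__":
    for label, assignments in (("granted", ASSIGNMENTS_GRANTED), ("missing", ASSIGNMENTS_MISSING)):
        ok = mail_send_granted(assignments, GRAPH_APP_ROLES, GRAPH_SP_OBJECT_ID)
        print(f"{label}: Mail.Send {'OK' if ok else 'Missing'}; "
              f"missing={missing_roles(assignments, GRAPH_APP_ROLES, GRAPH_SP_OBJECT_ID)}")
```

The check deliberately looks at appRoleAssignments rather than at the app registration's requiredResourceAccess list: the latter records what was requested in the portal, while only an assignment on the service principal proves that admin consent was actually granted.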
Next, navigate to Certificates & secrets in the Entra ID app registration. Create or identify the client credential that will be used by the Publisher for email notifications. This can be either a certificate or a client secret, depending on the selected authentication method. Record the required values, such as the Application Client ID, Tenant ID, and certificate or secret details, so you can Configure the Publisher.


Note

For additional guidance on choosing and configuring app registration credentials, refer to Client Credentials, which explains credential types, requirements, and best practices in more detail.

Configure the Publisher

After selecting OAuth2 as the email authentication type, configure the following options to complete the OAuth2 configuration in the Publisher.

Auth Type

Select the authentication type based on the client credential configured for the Entra ID app registration.

  • Choose Client Secret if the app registration is configured with a client secret.

  • Choose Certificate if the app registration is configured with a certificate.

Client ID

Enter the Application Client ID from the Entra ID app registration.

You can find the Application Client ID on the Overview page of the app registration in the Microsoft Entra admin center.

Tenant ID

Enter the tenant authority URL for your Microsoft Entra ID tenant.

This value is typically in the format:

https://login.microsoftonline.com/<tenant-id>

The tenant ID can be found on the Overview page of the Entra ID app registration or on the Entra ID tenant properties page. The Publisher uses this value to authenticate against the correct Entra ID tenant.

Test Permissions

Click Test Permissions to validate that the configured app registration can authenticate successfully and has the required API permissions to send email.

When the test runs, the Publisher connects to Microsoft Entra ID using the configured app registration and checks whether the required permissions are present and granted.

The App Registration Connection Status window displays the status of each permission:

Green check (OK): the Mail.Send permission is present and correctly granted.

App Registration Connection Status OK

Red error (Missing): the Mail.Send permission is missing or has not been granted. Email notifications will not work until the permission is added and admin consent is granted.

App Registration Connection Status Failed
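What the Tenant ID field and the Test Permissions check come down to, shown as an added Python example that is not the Publisher's own code: validating the authority URL, building the client credentials token request for Microsoft Graph, and checking whether the returned access token lists Mail.Send in its roles claim. The tenant GUID and the access tokens are constructed samples; the request shown would be sent with the placeholder client id and secret replaced by the values from the app registration.

```python
"""Mirror of what a permission test for OAuth2 app-auth email has to establish:
(1) the Tenant ID / authority URL names a real tenant endpoint, (2) the client
credentials flow yields an access token for Microsoft Graph, and (3) that token
carries Mail.Send in its 'roles' claim. Added example, not Patch My PC's code;
the network call is shown as the request that would be sent, and the tokens
inspected below are constructed, unsigned samples."""

import base64
import json
import re
from urllib.parse import urlencode, urlparse

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def tenant_id_from_authority(authority):
    """Validate 'https://login.microsoftonline.com/<tenant-id>' and return the id.
    Rejects non-HTTPS URLs, other hosts and tenant segments that are not GUIDs."""
    u = urlparse(authority.strip())
    if u.scheme != "https" or u.netloc.lower() != "login.microsoftonline.com":
        raise ValueError("authority must be https://login.microsoftonline.com/<tenant-id>")
    tenant = u.path.strip("/")
    if not GUID_RE.match(tenant):
        raise ValueError(f"tenant segment is not a GUID: {tenant!r}")
    return tenant.lower()


def client_credentials_request(authority, client_id, client_secret):
    """Build the token request (endpoint + form body) for the client credentials
    grant. The '.default' scope asks for every application permission that was
    admin-consented on the app, so the token's 'roles' claim reflects the grant."""
    tenant = tenant_id_from_authority(authority)
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    })
    return url, body


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token):
    """Return the 'roles' claim of a Graph access token. Application permissions
    appear as 'roles'; delegated ones appear in 'scp', so a token with
    scp=Mail.Send but no roles is the wrong kind of permission for app auth."""
    try:
        payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    except (IndexError, ValueError):
        raise ValueError("not a JWT")
    return list(payload.get("roles", []))


def mail_send_status(access_token):
    """'OK' when Mail.Send is an application role in the token, else 'Missing'."""
    return "OK" if "Mail.Send" in token_roles(access_token) else "Missing"


def _constructed_token(claims):
    # Unsigned sample token for offline demonstration; a real token is signed by
    # Entra ID and validated by Graph, not by this script.
    header = base64.urlsafe_b64encode(b'{"alg":"none"}').rstrip(b"=").decode()
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"{header}.{body}."


SAMPLE_AUTHORITY = "https://login.microsoftonline.com/0f5c1a3e-8b7d-4c2a-9e6f-1d2c3b4a5f60"  # constructed
TOKEN_GRANTED = _constructed_token({"aud": "https://graph.microsoft.com", "roles": ["Mail.Send"]})
TOKEN_DELEGATED_ONLY = _constructed_token({"aud": "https://graph.microsoft.com", "scp": "Mail.Send"})

if __name__ == "__main__":
    url, body = client_credentials_request(SAMPLE_AUTHORITY, "<client-id>", "<client-secret>")
    print("POST", url)
    print(body)
    print("granted token:", mail_send_status(TOKEN_GRANTED))
    print("delegated-only token:", mail_send_status(TOKEN_DELEGATED_ONLY))
```

The second sample token illustrates the mistake step 2 of the permission procedure warns against: a token that carries Mail.Send only in the scp claim came from a Delegated permission and still reports Missing, because non-interactive app auth needs the Application permission, which Entra ID expresses as roles.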
