Hey all,
I'm rather new in the Odoo pool...getting my feet wet as an integrator. I had some questions about getting Odoo to integrate with an Office365/Azure/Entra/MS ecosystem.
I am working with a client that has Azure/Entra as their email provider. We are using a custom domain for that, but not for the address of the database itself (if that matters; e.g. the database is my-db.odoo.com, but the email domain is name@myCompany.com). They are running Odoo 19.1 via Odoo Online. (They plan to shift to .sh soon; the email setup would be the same there, I would assume.)
We are also working with an outside IT provider for this client, just FYI. They seem good, and err on the side of caution when it comes to security, which is good.
We do have outgoing email working, currently. But to get it working, we had to make a number of additional changes to the Entra environment that are different from, or not documented in, the Odoo 'How-To' page (https://www.odoo.com/documentation/19.0/applications/general/email_communication/azure_oauth.html).
The additional steps needed involved reducing security levels, as told to me by the IT provider:
Enabling SMTP AUTH for a Single Mailbox in M365 (Security Defaults Tenant)
Step 1 — Disable Security Defaults in Entra ID
- Navigate to entra.microsoft.com
- Go to Identity → Overview → Properties
- Click Manage Security Defaults at the bottom of the page
- Toggle Security Defaults to Disabled
- When prompted for a reason, select the appropriate option and confirm
- Important: When disabling, Microsoft will automatically offer to create equivalent Conditional Access policies to replace Security Defaults — accept this. It will create policies for MFA enforcement and blocking legacy authentication, maintaining your security posture while giving you the granular control you need
Step 2 — Exclude the Service Account from all CA Policies
- Navigate to entra.microsoft.com
- Go to Protection → Conditional Access → Policies
- Open each policy that was created (at minimum the Block Legacy Authentication and Require MFA policies)
- For each policy, go to Users → Exclude → Users and Groups
- Search for and add the service account UPN
- Click Save
- Allow 15-30 minutes for the policy changes to propagate
Step 3 — Enable Authenticated SMTP on the Mailbox
- Navigate to admin.microsoft.com
- Go to Users → Active Users
- Click on the specific user/service account
- Select the Mail tab
- Click Manage email apps
- Check the box for Authenticated SMTP
- Click Save changes
Security Note: Excluding an account from MFA and legacy authentication blocking is a necessary tradeoff for SMTP AUTH to function, but it does reduce the security posture of that account. Compensate by ensuring the account has a strong unique password, monitoring its sign-in activity in Entra ID under Identity → Users → Sign-in logs, and restricting the account's permissions to only what the application requires.
I'm not a security expert, by a long shot. 😊 But I'll pose this question: with modern concerns about security and everybody moving away from SMTP, why is Odoo using SMTP for email sending? Shouldn't it be a full API integration with MS Graph? It seems like the above changes wouldn't need to be made if it were a full API integration.
Or am I just doing something wrong in the initial email integration setup inside Odoo?
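An added example, not from the original post, from Odoo, or from the IT provider's steps: the three steps above deliberately widen what one account may do (SMTP AUTH on the mailbox, exclusion from the MFA and legacy-auth Conditional Access policies), and the security note asks for that account to be monitored. The PowerShell below audits exactly that from the command line rather than the portal, so the change can be confirmed to have stayed limited to the one mailbox and the account's sign-ins can be reviewed. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the caller has Exchange admin rights plus the Policy.Read.All, AuditLog.Read.All and User.Read.All Graph scopes, and it uses a placeholder service-account UPN.

```powershell
# Added audit example (not from the original post, Odoo, or the IT provider).
# Assumes: ExchangeOnlineManagement + Microsoft.Graph modules, Exchange admin
# rights, and the Graph scopes requested below. The UPN is a placeholder.
$ServiceAccountUpn = 'odoo-smtp@myCompany.com'   # placeholder, replace with the real UPN

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'Policy.Read.All','AuditLog.Read.All','User.Read.All' -NoWelcome

# 1. Tenant-wide SMTP AUTH should remain disabled; only the one mailbox opts in.
$tenant = Get-TransportConfig
[pscustomobject]@{
    Check  = 'Tenant-wide SMTP AUTH disabled'
    Result = $tenant.SmtpClientAuthenticationDisabled
}

# 2. Per-mailbox SMTP AUTH. On Get-CASMailbox the property means:
#    $false = explicitly enabled, $true = explicitly disabled,
#    blank   = inherits the tenant setting.
#    Any mailbox other than the service account showing $false is scope creep.
$smtpEnabled = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled
$smtpEnabled

$unexpected = $smtpEnabled | Where-Object { $_.PrimarySmtpAddress -ne $ServiceAccountUpn }
if ($unexpected) {
    Write-Warning ("SMTP AUTH is enabled on mailboxes other than the service account:`n" +
        ($unexpected.PrimarySmtpAddress -join "`n"))
}

# 3. Conditional Access: list every policy that excludes the service account,
#    so the exclusions added in Step 2 stay visible and can be re-reviewed.
$svc = Get-MgUser -UserId $ServiceAccountUpn -Property Id,UserPrincipalName
Get-MgIdentityConditionalAccessPolicy | ForEach-Object {
    if ($_.Conditions.Users.ExcludeUsers -contains $svc.Id) {
        [pscustomobject]@{
            Policy                 = $_.DisplayName
            State                  = $_.State
            ExcludesServiceAccount = $true
        }
    }
}

# 4. Recent sign-ins for the account (the monitoring the security note asks for).
#    Legitimate Odoo traffic appears with ClientAppUsed 'Authenticated SMTP';
#    other client apps, failures, or unfamiliar IPs deserve a closer look.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$ServiceAccountUpn'" -Top 50 |
    Select-Object CreatedDateTime, AppDisplayName, ClientAppUsed, IPAddress,
        @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } } |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Run it once after the change to confirm that SMTP AUTH is still off at the tenant level and enabled on exactly one mailbox, and that only the intended policies carry the exclusion; re-running it on a schedule turns the security note's "monitor its sign-in activity" into a concrete, repeatable check rather than an occasional portal visit.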