By Darinder Shokar
Originally posted on https://medium.com/@darinder.shokar
Introduction
The PingOne Advanced Identity Cloud (AIC) platform is able to logically group configurations and identities together so that you can manage different sets of identities and applications independently within the same tenant. This concept is called realms.
A typical application of realms is where an organisation uses one realm for customers and another for employees. Often an organisation wants to send automated emails for particular flows (new user registration, forgotten credentials, etc.) through the External Email Provider, but in this scenario wants a different "from" address for each realm.
If SMTP is configured for the Email Provider, the from address can be overridden in the Email Templates configuration without any issues. However, if the Microsoft (MS) Graph API is used, the override user specified in the Email Template configuration is checked against the address specified in the External Email Provider configuration, and if they do not match an HTTP 403 error will be returned.
In this blog we look at how we can overcome this using MS Exchange Shared Mailboxes.
Configuration Steps
It is assumed these steps have been completed to either integrate with an existing Microsoft Azure tenant or with a new Developer Sandbox.
Test the Happy Path
- Before we adjust settings, let's test the integration first. From the PingOne AIC Platform UI, expand Email on the left panel and select Templates. Select the Welcome template > Send Test Email > enter a valid email address and hit Send. If all is well, an email will hit the inbox specified.
- If you hit the ellipsis on the template page > Settings, change the From address to, say, realm1@<my_tenant>.onmicrosoft.com, hit Update and try to resend, an HTTP 403 error will result and this page will return. This is what we will address next.
Modify Microsoft Exchange
To remedy this HTTP 403 error, we will create two Shared Mailboxes in Microsoft Exchange, add the correct member to each and retest:
1. Make a note of the user specified for the mailEndpoint parameter when the External Email Provider was set up.
2. From the Microsoft 365 Admin Center, expand Teams and Groups and select Shared mailboxes.
3. Create a new mailbox called realm1. Click Add members to your shared mailbox > Add members > and select the user you noted in step 1. The configuration should look like this:
4. Click Close and repeat step 3 to add another new mailbox called realm2 with the same member added.
5. Now back in the PingOne AIC Platform UI, expand Email > Templates > click the Welcome email > the ellipsis on the template page > change the From address to realm1@<my_tenant>.onmicrosoft.com and finally hit Save.
6. Click Send Test Email > enter a valid email address and hit Send. If all is well, an email will hit the inbox specified but now with the new realm1 email address.
7. Repeat steps 5 and 6 with the realm2@<my_tenant>.onmicrosoft.com email address and that should work too!
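The same shared-mailbox setup, and the test send from the "Test the Happy Path" section, can be scripted so the Send As grant is verified before the AIC template is changed. The following is an added example written for this post, not code from the original article or from Ping Identity; it assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed, that you sign in as an Exchange administrator, and that the service user, tenant and recipient names shown are placeholders to replace with your own.

```powershell
# Added example (not from the original post). Scripts steps 1-4 above and adds a
# check that the mailEndpoint user really holds Send As on each shared mailbox,
# since that grant is what lets the Graph "from" override succeed instead of 403.
# Placeholders: $ServiceUser, <my_tenant>, and the test recipient.

$ServiceUser = 'aic-mailer@<my_tenant>.onmicrosoft.com'   # user noted for mailEndpoint (step 1)
$Realms      = @('realm1', 'realm2')                        # one shared mailbox per realm
$Domain      = '<my_tenant>.onmicrosoft.com'

Connect-ExchangeOnline

foreach ($Realm in $Realms) {
    # Steps 3 and 4: create the shared mailbox if it does not already exist.
    if (-not (Get-Mailbox -Identity $Realm -ErrorAction SilentlyContinue)) {
        New-Mailbox -Shared -Name $Realm -DisplayName $Realm -Alias $Realm | Out-Null
    }

    # Adding a "member" in the admin center grants Full Access plus Send As.
    # Granting the two rights explicitly makes the change visible in audit logs
    # and keeps the grant scoped to the single service user.
    Add-MailboxPermission -Identity $Realm -User $ServiceUser `
        -AccessRights FullAccess -InheritanceType All -AutoMapping $false | Out-Null
    Add-RecipientPermission -Identity $Realm -Trustee $ServiceUser `
        -AccessRights SendAs -Confirm:$false | Out-Null
}

# Check: confirm the Send As grant before touching the AIC Email Template.
# Permission changes can take a few minutes to propagate, so re-run if needed.
$Missing = @()
foreach ($Realm in $Realms) {
    $SendAs = Get-RecipientPermission -Identity $Realm -Trustee $ServiceUser `
        -AccessRights SendAs -ErrorAction SilentlyContinue
    if ($SendAs) { Write-Host "OK: $ServiceUser can Send As $Realm@$Domain" }
    else         { Write-Warning "Missing Send As for $ServiceUser on $Realm"; $Missing += $Realm }
}

# Optional: reproduce the AIC test send through Graph with the per-realm "from"
# override. Delegated sending from a shared mailbox needs the Mail.Send.Shared
# scope; AIC itself typically uses an app registration with Mail.Send.
Connect-MgGraph -Scopes 'Mail.Send.Shared'
foreach ($Realm in $Realms) {
    $Body = @{
        message = @{
            subject      = "AIC from-address test for $Realm"
            body         = @{ contentType = 'Text'; content = "Sent as $Realm via shared mailbox." }
            toRecipients = @(@{ emailAddress = @{ address = 'tester@example.com' } })   # placeholder
            from         = @{ emailAddress = @{ address = "$Realm@$Domain" } }
        }
        saveToSentItems = $false
    }
    try {
        Send-MgUserMail -UserId $ServiceUser -BodyParameter $Body -ErrorAction Stop
        Write-Host "Sent test mail as $Realm@$Domain"
    } catch {
        # A 403 here means the Send As grant is absent or not yet propagated.
        Write-Warning "Send as $Realm@$Domain failed: $($_.Exception.Message)"
    }
}
```

Run the first half on its own when you only want to provision and verify; the Graph section is there to show the same HTTP 403 the AIC template test produces when the override address is not one the service user may send as.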
Conclusions
So there you have it, an easy way for PingOne AIC to support a different email address per realm when integrated with Microsoft Graph. Thanks for reading!