How does GP behave when modern authentication is enabled?
There are three different email processes in GP, and each behaves differently when modern authentication is enabled. Broadly speaking, with modern authentication GP locates the Application (Client) ID registered for MSGraph in Azure, authenticates, and then MSGraph performs the email functions on behalf of the GP user. That is true for all email processes: within the GP Client, within the Web Client, and with SMTP used for workflows.
GP Client
In the GP client, the Application (Client) ID is entered as shown below:
The first time it is entered, this must be done by a user that is a Global Administrator in Azure/O365. The reason for this is that you will be prompted to provide administrator consent for certain permissions in Azure. These permissions can be viewed under the API Permissions of the Registered Application in the Azure portal.
Once those permissions have been granted, MSGraph can perform those functions for any user from the same email tenant. When a GP user tries to perform any email function for the first time in a GP session, the user is prompted for an email address and password. In the background GP reaches out to Azure and authenticates the user. Once the user is authenticated, GP stores the token returned from Azure for use during the GP session. All email functions will be attempted using that authentication token, and the emails will show as coming from that user’s email address. The token is a refresh token, valid for 3,953 seconds, and it automatically refreshes behind the scenes, so if you work more than an hour you seamlessly get a new token. Once the user logs out of GP the token is thrown away and not used again. If the user wants to use a different email address, they will need to log out of GP, start over, and enter a different email address when prompted.
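To make the session behaviour above concrete, here is an added example (not GP's own code, and not from the blog) that models what a client holding a delegated MSGraph token has to check before each send: is there a session token at all, was the Mail.Send permission consented, does the requested sender match the user the token was issued to, and is the token close enough to its expiry that it should be refreshed first. The claim names (preferred_username, scp, exp, iat) are the standard Azure AD access-token claims; the 3,953-second lifetime comes from the text; the 300-second refresh margin, the SessionTokenCache class and the unsigned sample token are assumptions of this example. A real token must have its signature validated against the tenant's signing keys before any claim is trusted; this example decodes a constructed, unsigned token only to illustrate the session logic.

```python
import base64
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: lifetime from the text, app id is a placeholder.
TOKEN_LIFETIME_SECONDS = 3953
REFRESH_MARGIN_SECONDS = 300          # assumption: refresh this long before expiry
APP_CLIENT_ID = "<APP-CLIENT-ID-PLACEHOLDER>"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(user: str, issued_at: int, scopes: str = "Mail.Send User.Read") -> str:
    """Build an UNSIGNED JWT-shaped token (alg=none) with the claims a delegated
    Azure AD access token carries. Constructed for this example only; it would
    fail signature validation anywhere real."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "preferred_username": user,            # the mailbox the mail is sent as
        "iat": issued_at,
        "exp": issued_at + TOKEN_LIFETIME_SECONDS,
        "scp": scopes,                         # delegated scopes that were consented
        "appid": APP_CLIENT_ID,
    }
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""])


def decode_claims(token: str) -> dict:
    """Decode the payload segment only. Does NOT verify the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)      # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


@dataclass
class SessionTokenCache:
    """Per-GP-session token store: filled at first email prompt, emptied at logout."""
    token: Optional[str] = field(default=None)

    def login(self, token: str) -> None:
        self.token = token

    def logout(self) -> None:
        self.token = None                      # token thrown away, never reused

    def sender(self) -> Optional[str]:
        return None if self.token is None else decode_claims(self.token)["preferred_username"]

    def needs_refresh(self, now: int) -> bool:
        if self.token is None:
            return False
        return now >= decode_claims(self.token)["exp"] - REFRESH_MARGIN_SECONDS

    def refresh(self, now: int) -> None:
        """Simulated refresh: same user and scopes, new issue time. A real client
        would redeem the refresh token at the tenant's token endpoint instead."""
        claims = decode_claims(self.token)
        self.token = make_sample_token(claims["preferred_username"], now, claims["scp"])

    def check_send(self, from_addr: str, now: int) -> str:
        """Return what the client should do before sending as from_addr."""
        if self.token is None:
            return "no-session"                # GP prompts for email address and password
        claims = decode_claims(self.token)
        if "Mail.Send" not in claims.get("scp", "").split():
            return "missing-scope"             # admin consent for Mail.Send was not granted
        if from_addr.lower() != claims["preferred_username"].lower():
            return "sender-mismatch"           # mail would go out as the token's user, not from_addr
        if self.needs_refresh(now):
            return "refresh"                   # obtain a new token, then send
        return "ok"


if __name__ == "__main__":
    issued = 1_700_000_000                     # constructed epoch timestamp
    cache = SessionTokenCache()
    cache.login(make_sample_token("ap@mydomain.com", issued))
    print(cache.check_send("ap@mydomain.com", issued + 100))      # ok
    print(cache.check_send("ap@mydomain.com", issued + 3700))     # refresh
    cache.refresh(issued + 3700)
    print(cache.check_send("ap@mydomain.com", issued + 3700))     # ok
    print(cache.check_send("ceo@mydomain.com", issued + 3700))    # sender-mismatch
    cache.logout()
    print(cache.check_send("ap@mydomain.com", issued + 3800))     # no-session
```

The sender-mismatch branch is the point worth keeping in mind from a security view: with delegated permissions the mail is attributed to whoever authenticated, so the "From" address a user expects is whatever account they typed at the prompt, never something the client can choose independently of the token.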
Web Client
With the Fall Release 2022 (18.5) and newer versions of GP, the Web Client works differently than the GP client. You must enter the information for emailing FROM the Web Client IN the Web Client.
The one major difference between the Web Client and the GP Client is the email address entered when prompted while entering the Application Client ID information. The email entered at that prompt will be the email address used by ALL Web Client sessions. DO NOT USE A GLOBAL ADMIN ACCOUNT WHEN ENTERING THE INFORMATION IN THIS SCREEN. Use an email account from the tenant such as Accounting@mydomain.com, ap@mydomain.com, or whatever email address you want to use. Just be sure not to use an O365 Global Administrator account, because when using the Web Client all emails for all users will be sent from that account.
Workflow Emailing (SMTP)
The setup information is entered in the GP Client. When the information is entered in this screen, no validity testing is done. To verify the information is correct you must use the “Test E-mail” button. The “Test E-mail Action” button must be tested when using E-mail actions.
With Modern Authentication enabled, workflow emails work slightly differently. When a workflow action is performed that generates an email, the user is prompted to enter their email address and password. The user authenticates against the Azure App using the steps outlined in the GP Client section, and the emails come from that user.
When a user uses an action link in the workflow notification email the process is performed through Web Services. Web Services sends the email directly and does not use MSGraph to send the email. To send the email Web Services uses the credentials entered in the Workflow Setup window. Using the action link in the email is the only time that the user is not prompted to enter their email credentials.
Summary
The different clients, GP Client and Web Client, have differences in setup and use. In the GP Client the App ID is entered and you use the Global Admin to grant permissions so users can send emails. In the Web Client when entering the App ID you use the email address that you want ALL emails to come from.
The Workflow Email Setup is entered in the GP Client. Regular users are prompted to enter their email address and password when workflow tasks are completed, and the email comes from that user. The exception is when an action link in a workflow action email is used; in that case the SMTP setup information is used to send the email.
Comments
Hi there,
I've tried all the settings and configuration as per this blog and the Notification emails do not send using the eMail Approve Link.
The following are the errors reported in the log file DynamicsGP_WorkflowGP.WorkflowEngine.log:
2023/12/08 3:30:18 PM: ActiveDirectory.GetUserObjectByDirectoryEntry - An invalid dn syntax has been specified.
2023/12/08 3:30:18 PM: ActiveDirectory.GetUserObjectByObjectGuid - Unable to retrieve user from the DirectoryEntry object, performing fallback logic to lookup the object across multiple forests.
2023/12/08 3:30:18 PM: ActiveDirectory.GetUserObjectByDirectoryEntry - An invalid dn syntax has been specified.
2023/12/08 3:30:18 PM: ActiveDirectory.GetUserObjectByObjectGuid - Unable to retrieve user from the DirectoryEntry object, performing fallback logic to lookup the object across multiple forests.
2023/12/08 3:30:56 PM: ActiveDirectory.GetUserObjectByDirectoryEntry - An invalid dn syntax has been specified.
2023/12/08 3:30:56 PM: ActiveDirectory.GetUserObjectByObjectGuid - Unable to retrieve user from the DirectoryEntry object, performing fallback logic to lookup the object across multiple forests.
2023/12/08 3:30:56 PM: ActiveDirectory.GetUserObjectByDirectoryEntry - An invalid dn syntax has been specified.
2023/12/08 3:30:56 PM: ActiveDirectory.GetUserObjectByObjectGuid - Unable to retrieve user from the DirectoryEntry object, performing fallback logic to lookup the object across multiple forests.
2023/12/08 3:30:56 PM: ActiveDirectory.GetUserObjectByDirectoryEntry - An invalid dn syntax has been specified.
2023/12/08 3:30:56 PM: ActiveDirectory.GetUserObjectByObjectGuid - Unable to retrieve user from the DirectoryEntry object, performing fallback logic to lookup the object across multiple forests.
2023/12/08 3:31:06 PM: ActiveDirectory.GetUserObjectByDirectoryEntry - An invalid dn syntax has been specified.
2023/12/08 3:31:06 PM: ActiveDirectory.GetUserObjectByObjectGuid - Unable to retrieve user from the DirectoryEntry object, performing fallback logic to lookup the object across multiple forests.
2023/12/08 3:31:06 PM: ActiveDirectory.GetUserObjectByDirectoryEntry - An invalid dn syntax has been specified.
2023/12/08 3:31:06 PM: ActiveDirectory.GetUserObjectByObjectGuid - Unable to retrieve user from the DirectoryEntry object, performing fallback logic to lookup the object across multiple forests.
Please advise on how you got the email notifications to work using O365 Outlook and Modern Authentication setup.
Thanks,
Hammond Praghprag@outlook.com