Why use custom application registration?
By default, the application authenticates the user to Microsoft with delegated OAuth authentication (sometimes called modern authentication). This can cause problems if you run the program unattended as a service (e.g. in PRO Server): your domain administrator controls how long the granted delegated permissions remain valid and when the application must prompt the user to re-authenticate, and a password reset can also invalidate the credentials the program has cached.
Custom application registration allows you to register the program as a custom application in your Microsoft Entra admin center.
When you click on Settings (gear icon) for a given Account in the program, you will get the server settings popup. In that pop-up you should see a Custom Application Registration tab. You will need three things to set this up:
- Tenant ID
- Client ID
- Client Secret
To do so, you can follow the instructions below:
Create a new application registration
1. Go to the Microsoft Entra admin center
2. Click on App Registrations
3. Click “+ New Registration” and fill in the required fields. For an app used only inside your own organization, pick the single-tenant option under “Supported account types”. A Redirect URI is not required. Click “Register”.
Note down the “Application (client) ID” and use it as the “Client ID” in the app
Note down the “Directory (tenant) ID” and use it as the “Tenant ID” in the app
Create a new Secret
Go to “Certificates & secrets” -> “+ New Client Secret”, choose an expiry period and click “Add”.
Copy the “Value” column (not the “Secret ID”) to the “Client Secret” in the app. The value is shown only while you are on that page and cannot be retrieved later; if you lose it, create a new secret. Also note the expiry date: the program stops authenticating when the secret expires, so plan to create a new one before then.
Assign necessary permissions
1. Click your custom application in Microsoft Entra admin center.
2. Click API Permissions
3. Click Add a Permission
4. Choose Microsoft Graph
5. Pick Application permissions and NOT Delegated permissions. Application permissions are what allow the program to authenticate as the registered client itself, without a signed-in user.
6. Add Mail.Read, Mail.ReadWrite and Mail.Send for Microsoft Graph. Note that application permissions apply to every mailbox in the tenant until you restrict them in step 9. We do not recommend using Exchange Web Services when using this.
7. Click Add Permissions
8. Click “Grant admin consent for <your tenant name>” (the button names your tenant; ours reads Gearmage). Application permissions are granted to the app itself rather than to a user, so only a tenant administrator can consent to them; without this consent the token the program obtains carries no mail permissions and every Graph call fails.
9. To restrict this app to a specific mailbox (recommended, since application permissions otherwise cover every mailbox in the tenant), add an Exchange Online application access policy, either with Microsoft's newer Exchange Online RBAC for Applications or with the older Application Access Policy created by New-ApplicationAccessPolicy (now legacy).
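The following is an added example of the mailbox restriction in step 9, written for this page and not taken from the program or from Microsoft's documentation. It shows both the RBAC for Applications route and the legacy access policy route from the Exchange Online PowerShell module. The admin account, the application ID, the mailbox address and the scope name are placeholders you must replace.

```powershell
# Added example: limit the registered app to a single mailbox in Exchange Online.
# All identifiers below are placeholders (assumptions), not real values.
Install-Module ExchangeOnlineManagement -Scope CurrentUser   # only needed once
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com   # placeholder admin

$AppId   = '00000000-0000-0000-0000-000000000000'   # Application (client) ID from the registration
$Mailbox = 'downloads@contoso.com'                  # the only mailbox the program may touch

# --- Option A: Exchange Online RBAC for Applications (current guidance) ---
# If Exchange Online has not yet synced the app's service principal, create it first:
#   New-ServicePrincipal -AppId $AppId -ObjectId <service principal object id>

# A management scope limits which recipients the role assignments below apply to.
New-ManagementScope -Name 'MailDownloaderScope' `
    -RecipientRestrictionFilter "PrimarySmtpAddress -eq '$Mailbox'"

# One assignment per Graph application permission the program actually uses.
foreach ($Role in 'Application Mail.Read', 'Application Mail.ReadWrite', 'Application Mail.Send') {
    New-ManagementRoleAssignment -App $AppId -Role $Role -CustomResourceScope 'MailDownloaderScope'
}

# Verify: authorized for the target mailbox, not for any other mailbox.
Test-ServicePrincipalAuthorization -Identity $AppId -Resource $Mailbox
Test-ServicePrincipalAuthorization -Identity $AppId -Resource 'someone.else@contoso.com'

# --- Option B: legacy Application Access Policy ---
# PolicyScopeGroupId accepts a single user or a mail-enabled security group.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $Mailbox `
    -AccessRight RestrictAccess -Description 'Limit mail downloader to its own mailbox'

# Verify: the first call should report Granted, the second Denied.
Test-ApplicationAccessPolicy -Identity $Mailbox -AppId $AppId
Test-ApplicationAccessPolicy -Identity 'someone.else@contoso.com' -AppId $AppId

Disconnect-ExchangeOnline -Confirm:$false
```

Use one option, not both. Access policies can take a while to propagate, so re-run the Test-* cmdlets before concluding that a policy is not being applied.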
Test the connection
Now go back to the Mail Attachment Downloader program, open the settings for the account and click on the Custom Application Registration tab. Enter the Tenant ID, Client ID and Client Secret, click Clear cache to discard any cached credentials, then click Test connection.
- If the connection succeeds, then you have set it up correctly.
- If the connection fails, then you will need to recheck all the entries and ensure the necessary permissions are granted.
If it continues to fail, temporarily disable any antivirus or firewall to rule out a connection problem, and re-enable it afterwards.
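When the test in the program fails, it helps to check the same three values outside the program. The script below is an added example for this page (not part of the program) that requests an app-only token with the client credentials flow, prints the permissions the token actually carries, and reads one message from the target mailbox through Microsoft Graph. The tenant ID, client ID, secret value and mailbox address are placeholders.

```powershell
# Added example: verify tenant ID, client ID, secret and granted permissions with plain Graph calls.
# All values below are placeholders (assumptions); fill in your own.
$TenantId     = '00000000-0000-0000-0000-000000000000'
$ClientId     = '11111111-1111-1111-1111-111111111111'
$ClientSecret = '<client secret value, not the secret ID>'
$Mailbox      = 'downloads@contoso.com'

# Client credentials flow: no user, no consent prompt. Only the tenant, client ID and secret
# are checked here; an AADSTS error from this call means one of those three values is wrong.
$TokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$Token = $TokenResponse.access_token

# Decode the token payload (base64url) to see the 'roles' claim. Admin-consented application
# permissions appear there; an empty list means admin consent has not been granted.
$Payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
switch ($Payload.Length % 4) { 2 { $Payload += '==' } 3 { $Payload += '=' } }
$Claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Payload)) | ConvertFrom-Json
"Application permissions in token: $($Claims.roles -join ', ')"

# Read one message from the mailbox with the app-only token.
$Headers = @{ Authorization = "Bearer $Token" }
try {
    $Messages = Invoke-RestMethod -Headers $Headers `
        -Uri "https://graph.microsoft.com/v1.0/users/$Mailbox/messages?`$top=1&`$select=subject,receivedDateTime"
    "OK: read '$($Messages.value[0].subject)' from $Mailbox"
} catch {
    # A 403 here with roles present usually means an access policy excludes this mailbox;
    # a 403 with no roles means admin consent is missing.
    "Graph call failed: $($_.Exception.Message)"
}
```

If the token request succeeds and the roles list contains Mail.Read, Mail.ReadWrite and Mail.Send but the Graph call is still refused, the problem is on the Exchange side (an access policy or RBAC scope that does not include the mailbox), not in the values entered into the program.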