
We have an on-premises (self-hosted) app which supports sending email notifications to users by providing SMTP mail server settings. Our users are all in Azure AD and are the only users of this on-premises app. Our users want to be able to receive email notifications from this app.

What is the recommended/best practice method for achieving this? Ideally the solution wouldn't require any additional subscriptions or added cost. It would be nice if the sending email address could be branded to match the app service it is coming from.

Here are some options that I've come up with:

  1. Create a new user in Azure AD solely for sending email
    • Seems wasteful, and we are billed monthly per user
  2. Use an existing user (i.e. my own) to provide authorization to the SMTP server
    • Rather not tie my own user credentials to this, and will break if I ever change my password
  3. Use an entirely different email account (e.g. gmail?) for sending email
    • No relation to Azure AD tenant at all, harder for others to manage
  4. Some existing method/service in Azure that is meant for this purpose, if it exists
Jack
  • Could you please explain 'sending email address could be branded to match the app service it is coming from'? I mean that it's not clear to me what your business scenario is; it seems your app could listen for something and get the target email address to send a notification? – Tiny Wang Feb 01 '21 at 05:38
  • What I mean by "branded email" is that the sending email address could be set to ApplicationName@example.com to show that this email was generated and sent by said application and not from a live person. – Jack Feb 02 '21 at 22:03
  • I see. And I think my answer could solve your problem except setting the application name as the email sender. What do you think about it? And could you please explain how your on-premises app receives the signal to send a notification email to someone? Via an HTTP request to call an API provided by your self-hosted app? – Tiny Wang Feb 03 '21 at 02:15

1 Answer


Here's my idea on your case.

I looked at this document, and I found that we can use an API key to initialize 'new SendGridClient', and it mentioned that we can store this key in Azure Key Vault.

So if you just want to use Azure AD to achieve the goal of protecting your local app from unauthorized users, you may try my idea. First, create an Azure Key Vault in the Azure portal, and you could create a new secret to store your SendGrid API key. Next, create an Azure AD application used to achieve authentication, such as with the 'ROPC' flow (use a user account and password to get an access token). Now we can set an access policy in Azure Key Vault, adding the Azure AD app and all your user accounts so that everyone could access the API key via that Azure AD app. After that, your app could send email.


Tiny Wang
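The flow the answer describes, written out as an added example (this is not code from the answer, the asker, Microsoft or SendGrid): obtain a Key Vault-scoped token with the ROPC grant, read the SendGrid API key from the vault, then post a message whose From address is the application's branded address. The tenant, client ID, vault name, secret name, addresses and password are placeholder assumptions, and `FakeTransport` replays constructed responses for all three services so the whole exchange runs offline; pass `default_transport` instead to talk to the real endpoints.

```python
"""Flow from the answer: ROPC token -> Key Vault secret -> SendGrid mail.

Added example; tenant, client ID, vault name, secret name, addresses and the
fake responses below are assumptions, not values from the original post.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
KEY_VAULT_SCOPE = "https://vault.azure.net/.default"
KEY_VAULT_API_VERSION = "7.1"
SENDGRID_URL = "https://api.sendgrid.com/v3/mail/send"


def default_transport(method, url, headers, body=None):
    """Real HTTP transport; returns (status, parsed JSON body or None)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else None)


def ropc_token_request(tenant, client_id, username, password):
    """ROPC (grant_type=password) request for a token scoped to Key Vault."""
    form = {"grant_type": "password", "client_id": client_id, "username": username,
            "password": password, "scope": KEY_VAULT_SCOPE}
    return ("POST", TOKEN_URL.format(tenant=tenant),
            {"Content-Type": "application/x-www-form-urlencoded"},
            urllib.parse.urlencode(form).encode())


def get_secret(transport, token, vault_name, secret_name):
    """Read one secret; a disabled secret is treated as a failure, not a value."""
    url = (f"https://{vault_name}.vault.azure.net/secrets/{secret_name}"
           f"?api-version={KEY_VAULT_API_VERSION}")
    status, body = transport("GET", url, {"Authorization": f"Bearer {token}"})
    if status != 200:
        raise RuntimeError(f"Key Vault returned HTTP {status}")
    if not body.get("attributes", {}).get("enabled", False):
        raise RuntimeError(f"secret {secret_name!r} is disabled")
    return body["value"]


def sendgrid_payload(from_addr, to_addr, subject, text):
    """SendGrid v3 mail/send body; from_addr is the branded application address."""
    return {"personalizations": [{"to": [{"email": to_addr}]}],
            "from": {"email": from_addr}, "subject": subject,
            "content": [{"type": "text/plain", "value": text}]}


def send_notification(transport, *, tenant, client_id, username, password,
                      vault_name, secret_name, from_addr, to_addr, subject, text):
    """Run the whole flow and return SendGrid's HTTP status (202 = accepted)."""
    status, body = transport(*ropc_token_request(tenant, client_id, username, password))
    if status != 200 or not body or "access_token" not in body:
        raise RuntimeError(f"token request failed: HTTP {status}")
    api_key = get_secret(transport, body["access_token"], vault_name, secret_name)
    payload = json.dumps(sendgrid_payload(from_addr, to_addr, subject, text)).encode()
    status, _ = transport("POST", SENDGRID_URL,
                          {"Authorization": f"Bearer {api_key}",
                           "Content-Type": "application/json"}, payload)
    return status


class FakeTransport:
    """Offline stand-in for all three services with constructed responses."""

    def __init__(self, secret_enabled=True):
        self.secret_enabled = secret_enabled
        self.calls = []  # (method, url, headers, body) for every request made

    def __call__(self, method, url, headers, body=None):
        self.calls.append((method, url, headers, body))
        if url.startswith("https://login.microsoftonline.com/"):
            form = urllib.parse.parse_qs(body.decode())
            if form.get("grant_type") != ["password"] or form.get("scope") != [KEY_VAULT_SCOPE]:
                return 400, {"error": "invalid_request"}
            return 200, {"token_type": "Bearer", "access_token": "eyJ.fake.token"}
        if ".vault.azure.net/secrets/" in url:
            if headers.get("Authorization") != "Bearer eyJ.fake.token":
                return 401, {"error": {"code": "Unauthorized"}}
            return 200, {"value": "SG.fake-api-key",
                         "attributes": {"enabled": self.secret_enabled}}
        if url == SENDGRID_URL:
            ok = headers.get("Authorization") == "Bearer SG.fake-api-key"
            return (202, None) if ok else (401, None)
        return 404, None


DEMO = dict(tenant="contoso.onmicrosoft.com", client_id="11111111-2222-3333-4444-555555555555",
            username="notify-user@contoso.com", password="placeholder-password",
            vault_name="contoso-app-kv", secret_name="SendGridApiKey",
            from_addr="ApplicationName@example.com", to_addr="user@example.com",
            subject="Notification", text="Hello from the on-premises app.")

if __name__ == "__main__":
    fake = FakeTransport()  # swap in default_transport to hit the real services
    print("SendGrid status:", send_notification(fake, **DEMO))
```

Two practical points follow from the code. The ROPC grant sends a user's password straight to the token endpoint, so the account used must not be protected by MFA or a Conditional Access policy that requires interaction, and the password still has to live somewhere on the app host; a dedicated service account and Key Vault access policy scoped to `get` on that one secret keep the blast radius small. The `enabled` check matters because disabling the secret in Key Vault is the quickest way to revoke a leaked SendGrid key without touching the app.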