Sending emails from your SAP backend is a standard feature widely distributed for use cases such as alerting for batch jobs, SAP workflow state changes, or invoice distribution. Many customers established the setup using Exchange Server on-premises. With a shift to Microsoft 365 and Exchange Online comes a set of cloud-native approaches impacting that setup.
This article describes the setup for outbound email-communication from ABAP Platform-based SAP systems to Exchange Online. That applies to SAP ECC, SAP S/4HANA on-premises, SAP S/4HANA Cloud (Public and Private Edition), SAP Business Technology Platform (BTP) ABAP Environment, and any other ABAP Platform-based system.
Overview
Existing implementations relied on SMTP AUTH and an elevated trust relationship, because the legacy on-premises Exchange Server could live close to the SAP system and was governed by the customers themselves. With Exchange Online, there's a shift in responsibilities and in the connectivity paradigm. Microsoft supplies Exchange Online as a Software-as-a-Service offering built to be consumed securely and as effectively as possible from anywhere in the world over the public Internet.
Follow our standard guide to understand the general configuration of a "device" that wants to send email via Microsoft 365.
Warning
With the deprecation of Basic Authentication in Exchange Online, all new SAP-to-Exchange Online integrations in SAP ABAP Platform systems with SAP Basis Component (SAP_BASIS) release 7.50 or higher must use OAuth 2.0 client credential grant. This approach uses Microsoft Entra ID for secure, passwordless authentication. Release 7.50 supports client ID and secret as defined in RFC 6749, section 4.4 for the client credentials authorization grant. With release 7.51, the JSON Web Token (JWT) bearer authorization grant as specified in RFC 7523 is also supported (see https://launchpad.support.sap.com/#/notes/3592080).
Setup considerations
Currently, there are four different options supported by SAP ABAP Platform. For systems from release 7.50 upwards, option 1 is recommended. For releases below 7.50, refer to options 2, 3, and 4.
- SMTP OAuth 2.0 (recommended)
- SMTP Direct Send
- Using Exchange Online SMTP relay connector
- Using SMTP relay server as intermediary to Exchange Online
This guide is updated when more SAP-supported options become available.
Option 1: SMTP OAuth 2.0 (recommended)
Important
Use this option for the integration between Exchange Online and SAP S/4HANA on-premises, SAP S/4HANA Cloud Private Edition, SAP S/4HANA Cloud Public Edition, and the SAP BTP ABAP Environment. This option is also recommended for all other SAP ABAP Platform-based systems from release 7.50 upwards. This option enables you to send mail to recipients inside and outside your organization.
Prerequisites
- Administrative access to an SAP S/4HANA system on-premises, SAP S/4HANA Cloud Private Edition tenant, SAP BTP ABAP Environment, or any other SAP ABAP Platform-based system with SAP Basis Component release 7.50 or higher. For SAP S/4HANA Cloud Public Edition, SAP manages customer-specific email configuration for SMTP OAuth 2.0. Also refer to SAP Note 3581654 as a prerequisite for using SMTP OAuth 2.0 in SAP S/4HANA on-premises and SAP S/4HANA Cloud Private Edition.
- Administrative access to a Microsoft Exchange Online subscription
- A valid account and email address in Microsoft Exchange Online. The email address appears as the sender of messages from the SAP system.
- Administrative access to a Microsoft Entra ID tenant with at least Application Administrator permissions
- Port 587 is required and must be unblocked on your network
- DNS resolution for smtp.office365.com. Don't use an IP address for the Microsoft 365 server, as IP addresses aren't supported.
Optional
- Access to the SAP system for certificate export if you want to use the JWT bearer authorization grant.
Note
In the SAP BTP ABAP Environment, the JWT bearer authorization grant is the only option available. Refer to the respective section for more details.
- PowerShell 7.x to run the setup script for automating the configuration in Entra ID and Exchange Online. You can download the latest Microsoft PowerShell version from https://aka.ms/powershell-release?tag=stable
- Java 11 runtime to test the configuration in Entra ID and Exchange Online with this client app.
Note
You can use this setup script to automate the configuration steps in Entra ID and Exchange Online for option 1.
Register an application representing the SAP system in Entra ID
To create a new application, follow these instructions (see also Register an application in Microsoft Entra ID):
- Go to App registrations in the Microsoft Entra Admin Center. Click New registration.
- Enter a name for the new application representing the SAP system. Select Accounts in this organizational directory only and click Register.
Set the SMTP.SendAsApp API application permission for the application
- Go to API Permissions of your new app registration. Click Add a permission.
- Switch to tab APIs my organization uses. Enter "Office" in the search bar. Select Office 365 Exchange Online from the search result list.
- Select Application permissions. Enter "SMTP" in the search bar. Expand the section SMTP and activate the checkbox for the permission SMTP.SendAsApp from the search result list. Click Add permissions.
- Select Remove permission from the ellipsis menu of the User.Read permission in the Microsoft Graph section and confirm with Yes, remove. Then select Grant admin consent for <your_organization_name> and confirm with Yes.
- The API permissions should now be configured as shown in the following screenshot.
Configure application credentials
To obtain an access token from Entra ID for connecting to Exchange Online, the SAP system acting as the mail client requires a credential. In SAP ECC, SAP S/4HANA on-premises, and SAP S/4HANA Cloud Private Edition, client ID and secret are supported. For S/4HANA Cloud Public Edition, the BTP ABAP environment, and all SAP ABAP Platform-based releases from 7.51 upwards, the JWT bearer authorization grant is also supported as documented in SAP Note 3592080. Microsoft recommends that you use the JWT bearer grant instead of a client secret before moving the integration scenario to a production environment.
Client ID and secret
Follow the instructions listed in Add and manage application credentials in Microsoft Entra ID for using client ID and secret in the SAP system to obtain an access token from Entra ID.
- Go to Certificates & Secrets. Switch to tab Client secrets and click New client secret. Enter a description for the new secret and select an expiration period. Click Add.
- Copy the value of the generated secret value to the clipboard and paste it into a temporary text file.
JWT bearer
Follow these instructions (see also Add and manage application credentials in Microsoft Entra ID) for using the JWT bearer grant in the SAP system to obtain an access token from Entra ID.
- For SAP S/4HANA on-premises and SAP S/4HANA Cloud Private Edition, export the JWT signing certificate. In newer systems where transaction code SOAUTH2_CLIENT is available, click Global Settings and download the certificate from the Settings for JWT Client Authentication.
Otherwise use transaction code STRUST. Search for SSF application "SSF OA2CJC" (OAuth2 Client - JWT Client Authentication), double-click the Subject value in Own Certificate, and click Export certificate. Use Base64 for the file format.
For the SAP BTP ABAP Environment, select your Exchange Online communication system's Outbound User to export the JWT signing certificate. See this section for more details.
In the Entra admin center, go to Certificates & Secrets. Switch to tab Certificates and click Upload certificate. Select the exported file, enter a description, and click Add.
- The JWT signing certificate is uploaded to the application.
Register the application service principal in Exchange Online
- Go to Overview of the new application registration. Click on the link to the Managed application in local directory.
- Click Copy to clipboard for the Application ID and Object ID. Copy and paste both values into a temporary text file.
- Go to the Exchange admin center and open a Cloud Shell. Click Switch to PowerShell.
- Run the following PowerShell commands in the Cloud Shell.
```powershell
Connect-ExchangeOnline -ShowBanner:$false
$mailboxName='<mailbox User ID, for example ABAP_XYZ@tenant.onmicrosoft.com>'
$servicePrincipalAppId='<Application ID copied in step 2>'
$servicePrincipalObjId='<Object ID copied in step 2>'
New-ServicePrincipal -AppId $servicePrincipalAppId -ObjectId $servicePrincipalObjId
Add-MailboxPermission -Identity $mailboxName -User $servicePrincipalObjId -AccessRights FullAccess
```
The output should be as follows:
- Verify that the service principal has the permission on the mailbox. Go to Mailboxes. Select the SAP system's mailbox and switch to the tab Delegation. Click Edit.
- Your application's service principal is listed as a delegate with full access permissions to open the SAP system's mailbox and behave as the mailbox owner.
Activate SMTP AUTH for the mailbox
To allow the SAP system to send email messages, the assigned mailbox must enable the SMTP AUTH protocol.
Go to the Microsoft 365 Admin Center.
Go to Active users. Select your SAP system's mailbox user from the list, and switch to the Mail tab. Click Manage email apps.
- Ensure that the checkbox for Authenticated SMTP is activated. If not, activate it, and save the changes.
Optional: Test the configuration in Entra and Exchange Online with the SMTP OAuth test client
You can test the new configuration with a simple SMTP OAuth test client app.
Note
The test client only supports client ID and secret. If you configured your application for JWT bearer only, add a client secret for testing with this app.
Clone the GitHub repository at https://github.com/microsoft/smtpoauth2/
git clone https://github.com/microsoft/smtpoauth2.git
Follow the steps described in the test client's README file.
Run the test client with your values for client ID, client secret, tenant ID, and mailbox name. You can optionally pass a recipient email address to receive a test mail. Check the test client output for a message that confirms successful connection to Exchange Online with OAuth 2.0.
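As an added illustration of what the test client exercises (this is not the Microsoft test client and not SAP code), a minimal Python client that obtains an access token with the client credentials grant and then authenticates to smtp.office365.com on port 587 with SASL XOAUTH2. Tenant ID, client ID, client secret, and mailbox are placeholders you substitute; the scope `https://outlook.office365.com/.default` is the one used in the SAP_COM_0548 section.

```python
"""Client credentials grant + SMTP XOAUTH2 against Exchange Online.

Added example: placeholder tenant/client/mailbox values must be replaced.
"""
import base64
import json
import smtplib
import ssl
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SCOPE = "https://outlook.office365.com/.default"   # scope also entered as Additional Scope in SAP_COM_0548
SMTP_HOST, SMTP_PORT = "smtp.office365.com", 587   # hostname only; an IP address is not supported


def client_credentials_request(tenant_id, client_id, client_secret):
    """Build the RFC 6749 section 4.4 token request: (URL, form-encoded body)."""
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    }
    return TOKEN_URL.format(tenant=tenant_id), urllib.parse.urlencode(body)


def fetch_token(tenant_id, client_id, client_secret):
    """POST the token request to Entra ID and return the bearer access token (network call)."""
    url, body = client_credentials_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def xoauth2_initial_response(user, access_token):
    """SASL XOAUTH2 initial client response: base64("user=<u>\\x01auth=Bearer <t>\\x01\\x01")."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def send_mail(mailbox, access_token, recipient, subject, text):
    """EHLO, STARTTLS (TLS 1.2+ via the default context), AUTH XOAUTH2, then send one message."""
    msg = f"From: {mailbox}\r\nTo: {recipient}\r\nSubject: {subject}\r\n\r\n{text}\r\n"
    with smtplib.SMTP(SMTP_HOST, SMTP_PORT, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()
        code, reply = smtp.docmd("AUTH", "XOAUTH2 " + xoauth2_initial_response(mailbox, access_token))
        if code != 235:  # 235 = authentication succeeded
            raise RuntimeError(f"XOAUTH2 rejected: {code} {reply!r}")
        smtp.sendmail(mailbox, [recipient], msg)


if __name__ == "__main__":
    # Placeholders (assumed, not real): replace with your tenant, app registration and mailbox.
    token = fetch_token("<tenant-id>", "<client-id>", "<client-secret>")
    send_mail("ABAP_XYZ@tenant.onmicrosoft.com", token, "<recipient>", "SAP test", "XOAUTH2 works")
```

A 535 reply at the AUTH step usually means the service principal is not registered on the mailbox or Authenticated SMTP is disabled for it, which are the two Exchange Online steps described above.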
Configure SMTP OAuth in SAP
Follow the corresponding section of your SAP environment.
SAP S/4HANA on-premises and SAP S/4HANA Cloud Private Edition
- Ping or telnet smtp.office365.com on port 587 from your SAP application server to make sure ports are open and accessible.
Make sure the SAP Internet Communication Manager (ICM) parameter is set in your instance profile. See this example:
Parameter: icm/server-port-1
Value: PROT=SMTP,PORT=25000,TIMEOUT=180,TLS=1
Restart the ICM service from the SMICM transaction and make sure the SMTP service is active.
- Activate SAPConnect service in SICF transaction.
You need to configure an OAuth 2.0 Client Profile for the integration. SAP delivers a standard OAuth 2.0 Profile “BCS_MAIL”, which can be used directly. Alternatively, you can create your own OAuth 2.0 Profile and use it for email outbound communication with Exchange Online.
Use transaction SBCS_MAIL_CONFIGSMTP to enter all relevant information for the SMTP configuration for outbound communication. Select OAuth2 as the Authentication Method, and enter the values for OAuth 2.0 Client Profile, OAuth 2.0 Client Configuration, and the authorized OAuth 2.0 Client User.
Note
By activating the checkbox Modify legacy SMTP node, the configuration is automatically copied to the old SCOT transaction.
Alternatively, transaction SCOT can be used directly to enter the same information as in transaction SBCS_MAIL_CONFIGSMTP into the SMTP node.
SAP BTP ABAP Environment
Configuration in SAP BTP ABAP Environment is done with the communication arrangement of SAP_COM_0548.
- This setup requires a Communication System and the creation of a new Outbound User of type OAuth 2.0. Enter the Application ID from the application registration in Entra ID as the OAuth 2.0 Client ID for the New Outbound User. Click Download Certificate to export the JWT signing certificate of your SAP BTP ABAP Environment.
- In the communication arrangement of SAP_COM_0548, enter the mailbox user's email address from Exchange Online for the value of property OAuth User. Also enter the value "https://outlook.office365.com/.default" in the field Additional Scope.
SAP S/4HANA Cloud Public Edition
There's no customer-managed configuration in SAP S/4HANA Cloud Public Edition. SAP manages the integration with Exchange Online in your tenant.
Limitations of SMTP OAuth
Sending email via individual SAP users requires implementing the "Send as" permission offered by Microsoft 365. The Send as permission allows the delegate to send an email from the shared mailbox. Messages will appear to have been sent from the delegate.
Note
You can only assign the Send as permission for the shared mailbox to individual users. Configuring the permission for a group isn't supported.
Microsoft 365 imposes some sending limits. Refer to Exchange Online limits - Receiving and sending limits for more details.
Option 2: SMTP Direct Send
Microsoft 365 offers the ability to configure direct send from the SAP application server. This option is limited. It only permits mails to addresses in your own Microsoft 365 organization with a valid e-mail address. It can't be used for external recipients (for example vendors or customers).
Option 3: Using Microsoft 365 SMTP Relay Connector
Only choose this option when:
- Your Microsoft 365 environment has SMTP AUTH disabled.
- SMTP OAuth 2.0 (Option 1) isn't compatible with your business needs or with your SAP Application.
- You can't use direct send (Option 2) because you must send email to external recipients.
SMTP relay lets Microsoft 365 relay emails on your behalf by using a connector configured with your public IP address or a TLS certificate. Compared to the other options, the connector setup increases complexity.
Requirements for SMTP Relay
- SAP Parameter: The SAP instance parameter is configured and the SMTP service is activated as explained in option 1; follow steps 2 to 4 from the "Configure SMTP OAuth in SAP" section.
- Email Address: Any email address in one of your Microsoft 365 verified domains. This email address doesn't need a mailbox. For example, noreply@*yourdomain*.com.
- Transport Layer Security (TLS): The SAP application must be able to use TLS version 1.2 and above.
- Port: port 25 is required and must be unblocked on your network. Some network firewalls or ISPs block ports, especially port 25 due to the risk of misuse for spamming.
- MX record: your Mail Exchanger (MX) endpoint, for example yourdomain.mail.protection.outlook.com. Find more information on the next section.
- Relay Access: A public IP address or SSL certificate is required to authenticate against the relay connector. To avoid configuring direct access, it's recommended to use Source Network Address Translation (SNAT) as described in Use Source Network Address Translation (SNAT) for outbound connections.
Step-by-step configuration instructions for SMTP relay in Microsoft 365
- Obtain the public (static) IP address of the endpoint that sends the mail using one of the methods listed in the article above. A dynamic IP address isn't supported or allowed. You can share your static IP address with other devices and users, but don't share the IP address with anyone outside of your company. Make a note of this IP address for later.
Note
You can find the above information in the Azure portal on the Virtual Machine overview of the SAP application server.
- Sign in to the Microsoft 365 Admin Center.
- Go to Settings -> Domains, select your domain (for example, contoso.com), and find the Mail Exchanger (MX) record.
The Mail Exchanger (MX) record will have data for Points to address or value that looks similar to yourdomain.mail.protection.outlook.com.
Make a note of the data of Points to address or value for the Mail Exchanger (MX) record, which is referred to as your MX endpoint.
In Microsoft 365, select Admin and then Exchange to go to the new Exchange Admin Center.
- New Exchange Admin Center (EAC) portal opens.
- In the Exchange Admin Center (EAC), go to Mail flow -> Connectors. The Connectors screen is depicted below. If you're working with the classical EAC, follow step 8 as described in our docs.
- Click Add a connector
Choose "Your organization's email server".
- Click Next. The Connector name screen appears.
- Provide a name for the connector and click Next. The Authenticating sent email screen appears.
Choose By verifying that the IP address of the sending server matches one of these IP addresses which belong exclusively to your organization and add the IP address from Step 1 of the Step-by-step configuration instructions for SMTP relay in Microsoft 365 section.
Review and click on Create connector.
- Now that you're done with configuring your Microsoft 365 settings, go to your domain registrar's website to update your DNS records. Edit your Sender Policy Framework (SPF) record. Include the IP address that you noted in step 1. The finished string should look similar to this:
v=spf1 ip4:10.5.3.2 include:spf.protection.outlook.com ~all
where 10.5.3.2 is your public IP address. Skipping this step may cause emails to be flagged as spam and end up in the recipient's Junk Email folder.
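A small checker for the SPF step, added here as an example (not part of the page or of Microsoft's tooling): it evaluates only the ip4, ip6, and all terms of a record, so you can confirm the relay's static public IP is explicitly listed before relying on the record. include: terms are reported but not followed, since resolving them needs DNS; the sample record below is the one shown in the step.

```python
"""Verify that an SPF record explicitly authorizes the relay's public IP.

Added example. Only ip4/ip6/all mechanisms are evaluated; include: terms are
listed but not resolved (that would require DNS lookups).
"""
import ipaddress

# Constructed sample, taken from the record shown in the step above.
SAMPLE_RECORD = "v=spf1 ip4:10.5.3.2 include:spf.protection.outlook.com ~all"

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return the mechanism terms of a v=spf1 record, or raise if it isn't one."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    return terms[1:]


def _split_term(term):
    """Split '~ip4:10.0.0.0/8' into ('~', 'ip4', '10.0.0.0/8'); default qualifier is '+'."""
    qualifier = "+"
    if term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    mech, _, arg = term.partition(":")
    return qualifier, mech.lower(), arg


def spf_result(record, sender_ip):
    """Evaluate ip4/ip6/all terms left to right, as SPF does, and return pass/fail/softfail/neutral."""
    ip = ipaddress.ip_address(sender_ip)
    for term in parse_spf(record):
        qualifier, mech, arg = _split_term(term)
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # bare address means /32 or /128
            if ip.version == net.version and ip in net:
                return RESULT[qualifier]
        elif mech == "all":
            return RESULT[qualifier]
    return "neutral"  # no 'all' term: default result per RFC 7208


def includes(record):
    """Domains referenced by include: terms (not resolved here)."""
    return [arg for t in parse_spf(record) for q, m, arg in [_split_term(t)] if m == "include"]


def relay_ip_listed(record, relay_ip):
    """True only when the relay IP matches an ip4/ip6 term with a pass qualifier."""
    return spf_result(record, relay_ip) == "pass"


if __name__ == "__main__":
    print(spf_result(SAMPLE_RECORD, "10.5.3.2"), includes(SAMPLE_RECORD))
```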
Steps in SAP Application server
- Make sure SAP ICM Parameter and SMTP service is activated as explained in Option 1 (steps 2-4).
- Go to SCOT transaction in SMTP node as shown in previous steps of Option 1.
- Add mail Host as Mail Exchanger (MX) record value noted in Step 4 (yourdomain.mail.protection.outlook.com).
Mail host: yourdomain.mail.protection.outlook.com
Port: 25
- Click "Settings" next to the Security field and make sure TLS is enabled if possible. Also make sure no prior logon data regarding SMTP AUTH is present. Otherwise delete existing records with the corresponding button underneath.
- Test the configuration using a test email from your SAP application with transaction SBWP and check the status in SOST transaction.
Option 4: Using SMTP relay server as intermediary to Exchange Online
An intermediate relay server can be an alternative to a direct connection from the SAP application server to Microsoft 365. This server can be based on any mail server that allows direct authentication and relay services.
The advantage of this solution is that it can be deployed in the hub of a hub-spoke virtual network within your Azure environment, or within a DMZ, to protect your SAP application hosts from direct access. It also allows for centralized outbound routing that immediately offloads all mail traffic to a central relay when sending from multiple application servers.
The configuration steps are the same as for the Microsoft 365 SMTP Relay Connector (Option 3). The only difference is that the SCOT configuration references the mail host that performs the relay rather than Microsoft 365 directly. Depending on the mail system used for the relay, it is in turn configured to connect to Microsoft 365 using one of the supported methods and a valid user with password. It's recommended to send a test mail from the relay directly, to ensure it can communicate successfully with Microsoft 365, before completing the SAP SCOT configuration and testing as normal.
The example architecture shown illustrates multiple SAP application servers with a single mail relay host in the hub. Depending on the volume of mail to be sent it's recommended to follow a detailed sizing guide for the mail vendor to be used as the relay. This may require multiple mail relay hosts which operate with an Azure Load Balancer.
Next Steps
Understand mass-mailing with Azure Twilio - SendGrid
Verify your ABAP SDK for Azure configuration for Exchange Online integrations