Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Steps to configure Custom SMTP Server on SAP Analytics Cloud

varun_gupta15
Discoverer
‎11-06-2023 10:41 PM

Introduction


SAP Analytics Cloud (SAC) provides two options for sending email notifications from the platform. This includes :

  • Default SMTP

  • Custom SMTP


We will discuss in detail about these options and the pre-requisites need to configure these options.

 

Default SMTP


This is the option which comes with the tenant by default. Customers need not do anything to configure this.


When this option is selected , the email are sent from SAP Analytics Cloud <noreply-sac+notification@sap.com> and it uses SAP's SMTP servers to send the emails



Default SMTP Option Under System Administration



Header Sender Address


Under Default SMTP, there is an additional option named Header Sender Address. This option lets the customers configure the SMTP From header in the emails sent from SAC.

When this field is populated with a syntactically valid email address, the emails will be delivered with this email address in the From header

Please note that the actual sender address will still be the default address noreply-sac+notification@sap.com . But since email clients display the address in the From header of the email , the email will appear to be received from the address mentioned in the field.

e.g. If we configure abc@xyz.com as the header sender address as shown below



Configuration for header sender address


 

The email received would look like this.


Email delivered with header sender address set


 

Custom SMTP


Customers have a choice to configure their own publicly available SMTP server for email delivery  from SAP Analytics Cloud instead of using the default option.

There are authentication types which are supported for custom SMTP server :

  • Basic

  • OAuth


We will discuss both these options in detail below.

Basic Authentication


Pre-Requisites



  • The SMTP server must be publicly accessible over internet.

  • SMTP server must support TLS

  • These details must be known in prior before configuring the SMTP server:

    • Host name

    • Port

    • Username

    • Password

    • Allowed sender email address




Steps



  1. Go to System > Administration from the menu and click on Notifications tab

  2. Click on Edit button and scroll down to Email Server Configuration section.

  3. Switch to Custom option in the radio button. Select Basic in the drop down.

  4. Fill the details in the form



























    Host SMTP host FQDN
    Port SMTP port
    User Name SMTP account user name which is allowed to send emails. It need not be email necessarily and depends on your SMTP provider.
    Password Password of the SMTP account
    Envelope Sender Address The email address which will be used as sender of the emails for all the emails sent from the tenant. Note that some SMTP account may restrict sending the email only from a particular email address and only that must be used here.
    Header Sender Address This is an optional field and can be used to override the From SMTP. Please refer to the Header Sender Address section in Default SMTP. Please note that this may not be allowed by many SMTP providers like Microsoft and Gmail . Do check with the SMTP provider before configuring this field or leave it blank.

     

  5. Click on Check Configuration to check if the settings are correct. If all the details are correct and connection is established successfully, the person who is configuring will receive an email like this

  6. If the settings are incorrect, an error will appear indicating failure

  7. If the connection is successful, the settings can be saved using the save button on the page

  8. If the settings are saved successfully, this toast message should appear


 


OAuth Authentication


Pre-Requisites



  • The SMTP server must be publicly accessible over internet.

  • OAuth application must be configured and necessary scopes must be provided to the application.

  • Some additional steps may be required based on the vendor. We will discuss about Microsoft Office 365 as an example.


Configure Microsoft 365 as Email Provider

These steps are derived from Microsoft's documentation and assumes customer has a Microsoft 365 tenant available with appropriate licenses required

  1. Go to the Azure portal (https://portal.azure.com/) and sign in with your Azure account

  2. Navigate to the "App registrations" blade in the Azure portal and click on "New registration" to create a new app registration

  3. Fill in the required details for the app registration, such as the name, supported account types, and redirect URI. The redirect URI is the URL where the authorization code will be sent after the user grants consent. Copy the Redirect URL from the SAP Analytics Cloud configuration page as described below in Steps section

  4. After creating the application, generate the client secret for the application.
    Client ID also needs to be noted down from this same page.
    Directory tenant ID is needed to form the auth urls. Note down that too


  5. Once it's generated, copy the client secret value and keep it safe. It'll be needed in configuration later. 

  6. Click on API permissions and add Mail.Send permission from Microsoft Graph permissions. Click on Add permissions

    Please make sure to select Application permissions and not Delegated permissions




  7. The permission should appear now like this. 

  8. Click on Grant admin consent button and after that the app should like like this

  9. OAuth application is now ready. We should be able to use it to generate refresh token using this now. However, we need some more configurations yet in order to be able to send emails.

  10. Now we need to have a user account in Microsoft 365 which will be responsible for sending emails.

  11. To create a user or edit existing user to be able to send emails using the OAuth app created above, navigate to Microsoft 365 Admin Center and click on Users > Active Users > Add a user and enter the details to create a new user. This is an optional step which can be skipped if you need to configure an existing account.

  12. Make sure that the license assigned to user ensures that exchange online is available to the user

  13. Click on the user to enable SMTP for it. Check the Authenticated SMNTP option and save.


  14. Go to Active Directory menu on Azure portal again and click on Enterprise Applications option. Search and click on the OAuth app which we created earlier.


  15. Now assign the user which we created to this app. Click on Assign users and groups

  16. Click on Add user/group. Search and select the user and click on Select and then Assign.

  17. Once done, the user should appear in the list.

  18. Check if the assignment is done by clicking on the user and clicking on Applications link


  19. The user account is ready for configuration for Custom SMTP in SAP Analytics Cloud

  20. Following details are important which will be needed in steps below

    1. Directory tenant id - Can be fetched from the page in step 5

    2. Application Client ID - Can be fetched from the page in step 5

    3. Client Secret - created in step 5

    4. User Name - email address of the user created




 

Steps



  1. Go to System > Administration from the menu and click on Notifications tab

  2. Click on Edit button and scroll down to Email Server Configuration section.

  3. Switch to Custom option in the radio button. Select OAuth in the drop down.


    Custom SMTP OAuth Configuration



  4. Fill the details in the form



















































    Host SMTP host FQDN
    Port SMTP port
    User Name SMTP account user name which is allowed to send emails. e.g. Microsoft or Gmail mandates that this user must have a valid email account
    Refresh Token This will get populated once Get Token is successful. After filling all the fields correctly , click on Get Token button to fill this
    Envelope Sender Address The email address which will be used as sender of the emails for all the emails sent from the tenant. e.g. in Microsoft , this must be same as user name
    Header Sender Address This is an optional field and can be used to override the From SMTP. Please refer to the Header Sender Address section in Default SMTP. Please note that this may not be allowed by many SMTP providers like Microsoft and Gmail . Do check with the SMTP provider before configuring this field or leave it blank. For Microsoft Office 365 and Gmail, leave this empty
    Authorization URL This is the URL provided by the SMTP provider using which the authorization code can be generated. e.g. for Microsoft 365, this will look something like this : https://login.microsoftonline.com/<m365-tenant-uuid>/oauth2/v2.0/authorize. Replace the <m365-tenant-uuid> with valid Microsoft 365 tenant uuid.
    Token URL This is the URL which is used to generate the access token from the refresh token generated as part of Get Token button click. Please note that the Refresh token is saved securely for a tenant once it's generated. e.g. for Microsoft 365 the URL is https://login.microsoftonline.com/<m365-tenant-uuid>/oauth2/token. Replace the <m365-tenant-uuid> with valid Microsoft 365 tenant uuid
    Client ID Client ID of the OAuth application
    Client Secret Client secret of the OAuth application
    Scope Scope needed to send the emails. This is also added in the OAuth app created as part of pre-requisites. e.g. for Microsoft 365 , the scope is https://outlook.office365.com/SMTP.send
    Redirect URL Populated automatically for each SAC tenant. This is where the authorization code is received


  5. Click on Get Token button. It should redirect to the login page of the provider where the user need to login to the provider portal and provide the consent.
    e.g. for Microsoft 365, it would look like this

  6. If all pre-requisites are met and the details are correct, the authorization code flow will complete successfully and Refresh Token field will be populated. If there is any problem in pre-requisites from provider, it will throw error in the login popup itself.Please note that population of refresh token doesn't ensure that configuration is completed. It's just part of the configuration.

  7. Click on Check Configuration to check if the settings are correct. If all the details are correct and connection is established successfully, the person who is configuring will receive an email like this

  8. If the settings are incorrect, an error will appear indicating failure

  9. If the connection is successful, the settings can be saved using the save button on the page

  10. If the settings are saved successfully, this toast message should appear


 

 

Troubleshooting


Unable to grant access to Microsoft 365 app


If you have configured everything and still while getting the refresh token this error is seen.



Admin Approval Required


It means that current user is not configured to provide consent to the application. A secure way to configure this is to allow the admin consent requests to be sent to a configured set of admin users.


Admin Consent Settings


After this is set, the consent screen would change to something like this where an option to request approval will appear


New Consent Screen


Once the approval is requested, admin will get an email with approval request and can provide the approval for the application.


Approval Email



Admin Consent Approval Screen


After this retry to generate token and it should be successful.

 

Token generation is successful but Check Configuration fails in M365


This is likely to happen if the currently logged in user in Microsoft portal is different from the user configured in the Custom SMTP configuration.

Please check by visiting https://login.microsoftonline.com and check the profile of the user. If the user is different from what's configured as username in Custom SMTP configuration, use the option Sign in as different user and login with the same user in the configuration.


e.g. If we have configured abc@def.com in User Name field and Envelope Sender Address. Then login with this user to Microsoft portal

After this, click on Get Token again and if the token generation is successful, click on Check Configuration. If the user is configured correctly, it should lead to successful check and the currently logged in user will get an email.
Labels in this area
Popular Blog Posts