How to Set Up Private Infrastructure (OAuth) for Microsoft Outlook

Private Infrastructure lets you connect Outlook mailboxes through your own Microsoft Azure AD OAuth app instead of ColdSend's shared app. You control the credentials, satisfy security and compliance reviews, and sign every authentication request with your own app ID — boosting trust and mailbox reputation.

When to Use Private OAuth

Use this option if you:

• Need a custom-branded OAuth consent screen (your company name, not ColdSend's)
• Have compliance or security requirements that mandate your own OAuth app
• Want higher API quotas tied to your own Azure AD tenant
• Are managing mailboxes for clients or team members under your organization's identity

Looking for a quicker setup? If you don't need your own OAuth app, ColdSend Shared lets you connect in under a minute with no Azure configuration.

Prerequisites

• A Microsoft Azure account (free tier works — create one here)
• Access to the Azure Portal with permission to register applications
• A ColdSend account

---

Step 1: Register a New Application in Azure

1. Go to the Azure Portal.
2. In the top search bar, type App registrations and select it.
3. Click + New registration.
4. Fill in the details:
   • Name: Give your app a recognizable name (e.g., ColdSend Outlook OAuth)
   • Supported account types: Select Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts
5. Leave the Redirect URI empty for now (we'll add it in Step 2).
6. Click Register.

Azure App Registration

---

Step 2: Add Redirect URI

1. After registration, you'll land on your app's Overview page.

2. In the left sidebar, click Authentication.

3. Under Platform configurations, click + Add a platform.

4. Select Web.

5. Under Redirect URIs, enter:

   https://cloud.coldsend.pro/client/email-accounts/oauth/callback
   

6. Click Configure.

Add Redirect URI

This URI is required for ColdSend to complete the OAuth handshake. Without it, Microsoft will reject the sign-in.

---

Step 3: Set API Permissions

1. In the left sidebar, click API permissions.
2. Click + Add a permission.
3. Select Microsoft Graph.
4. Choose Delegated permissions.
5. Search for and add the following permissions:

API Permissions - Graph

1. Next, click + Add a permission again.
2. Select APIs my organization uses.
3. Search for Office 365 Exchange Online and select it.
4. Choose Delegated permissions.
5. Add the following:

API Permissions - Exchange

You should end up with 7 permissions total across Microsoft Graph and Office 365 Exchange Online.

1. Click Grant admin consent for [Your Organization] and confirm.

Grant Admin Consent

Note: If you don't see the "Grant admin consent" button, you may not have admin privileges. Ask your Azure AD administrator to grant consent.

---

Step 4: Generate Client Secret

1. In the left sidebar, click Certificates & secrets.
2. Under Client secrets, click + New client secret.
3. Fill in:
   • Description: e.g., ColdSend OAuth Secret
   • Expires: Choose 90 days or 180 days (recommended for safety)
4. Click Add.
5. Immediately copy the secret Value (not the Secret ID). You won't be able to see it again.

Client Secret

You should now have two pieces of information:

• Application (client) ID — found on the app's Overview page
• Client secret Value — the value you just copied

---

Step 5: Add Credentials in ColdSend

1. Log into your ColdSend account.
2. In the left sidebar, go to Sender Accounts.
3. Click the Create Email Account dropdown and choose Microsoft Outlook.
4. Under Choose connection type, select Private OAuth App.
5. The OAuth configuration form will appear. Fill in:
   • Client ID: Paste your Application (client) ID from Azure
   • Client Secret: Paste the secret value you copied in Step 4
   • App Name (optional): A friendly name like My Company Outlook App
6. Click Add Configuration.

ColdSend Private OAuth Form

---

Step 6: Verify Your Configuration

1. After adding the configuration, it will appear with a Pending or Unverified status.
2. Click the Verify (refresh) icon next to the configuration.
3. ColdSend will test the credentials against Microsoft's token endpoint.
4. On success, the status changes to Verified.

Unverified Config
Verified Config

Verification failed? Double-check that:

• The Client ID matches your Azure app's Application (client) ID
• The Client Secret is the Value (not the Secret ID)
• You granted admin consent in Step 3

---

Step 7: Connect Mailboxes Using Your Private OAuth

1. Ensure your verified configuration is selected.
2. Click Sign in with Microsoft.
3. You'll be redirected to Microsoft's login page — sign in with the Outlook account you want to connect.
4. Review the permissions and click Accept.
5. You'll be redirected back to ColdSend, and your inbox will appear in the Connected Accounts section.

Connect Mailbox

The consent screen will show your app name (not ColdSend's), providing a fully branded experience for your users or clients.

---

Connecting Multiple Mailboxes

Once your private OAuth app is configured and verified:

• You can connect multiple Outlook accounts using the same OAuth app
• Each user signs in with their own Microsoft credentials
• All connections use your app's Client ID for authentication
• Each inbox gets its own encrypted refresh token for independent token refresh cycles

To add more accounts, simply click Sign in with Microsoft again and authenticate with a different Outlook account.

---

Managing Your OAuth Configuration

Editing Credentials

If your client secret expires or you rotate it:

1. Generate a new client secret in Azure Portal.
2. In ColdSend, click the Edit (pencil) icon next to your configuration.
3. Paste the new Client Secret and save.
4. Re-verify the configuration.

Existing inboxes will continue using their current refresh tokens until they expire. New connections will use the updated credentials.

Deleting a Configuration

1. Click the Delete (trash) icon next to the configuration.
2. Confirm the deletion.

Warning: Existing inboxes using this configuration may fail to refresh tokens after deletion. Reconnect them using ColdSend Shared or a new private configuration.

---

Troubleshooting

"AADSTS50011: The redirect URI does not match"
Verify that the redirect URI in Azure exactly matches: https://cloud.coldsend.pro/client/email-accounts/oauth/callback (no trailing slash).

"AADSTS65001: The user or administrator has not consented"
Return to Step 3 and click Grant admin consent for your Azure AD tenant.

"AADSTS7000218: The request body must contain 'client_secret'"
Ensure you pasted the secret Value (from Certificates & secrets), not the Secret ID.

Verification fails in ColdSend

• Confirm your Azure app supports multitenant accounts ("Accounts in any organizational directory")
• Ensure the client secret hasn't expired
• Check that you've added both Microsoft Graph and Exchange Online permissions

---

FAQs

Can I switch back to ColdSend's shared OAuth?
Yes. Delete or deactivate your private configuration, then reconnect mailboxes using ColdSend Shared. Your campaigns and sending history are unaffected.

Does ColdSend store my Client Secret?
Your client secret is encrypted at rest to manage token refreshes for your team's OAuth flow. It is never exposed in the ColdSend UI.

Why do I need Exchange Online permissions in addition to Microsoft Graph?
ColdSend uses SMTP and IMAP protocols (not Microsoft Graph API) for sending and receiving email. The SMTP.Send and IMAP.AccessAsUser.All scopes are issued by the Exchange Online resource, not Microsoft Graph.

Do I need to get my Azure app verified by Microsoft?
If you're only connecting mailboxes within your own organization, admin consent (Step 3) is sufficient. Microsoft app verification is only required if you plan to have external users authenticate through your app.

What happens when my client secret expires?
Existing refresh tokens remain valid, but you won't be able to connect new inboxes until you update the secret. We recommend setting a calendar reminder before expiration.

Can I use a single Azure app for both Google and Outlook?
No. Google and Microsoft have separate OAuth ecosystems. You'll need a separate Azure AD app for Outlook and a separate Google Cloud project for Google Workspace. See the Google OAuth Setup Guide for Google setup.