The Email Communication Services (ECS) is a resource created in Azure, which lets an organization use SMTP AUTH (using Basic Authentication) and send email to internal and external recipients. Follow the link to understand the concept of Email Communication Services.

Graphical representation of ECS.

Graphical representation of ECS.

Prerequisites of using Email Communication Services.

Below are the prerequisites if the organization wants to send email using Email Communication Services.

  • An active azure subscription associated with the Tenant.
  • Azure Communication Services (ACS) Instance created in Azure.
  • Email Communication Services (ECS) resource provisioned in Azure.
  • Connection between Azure Communication Services Instance and Email Communication Services resource.
  • A custom domain verified in Azure.
  • Custom domain added in Email Communication Services resource.
  • Microsoft Entra Enterprise Application registered and connected to Azure Communication Services Instance.
  • Client Secret for Microsoft Entra Enterprise Application.

Creating an Azure Communication Service Instance.

Azure Communication Service instance is a resource in Azure, where you can integrate your custom application with communication experiences like emails, chat, voice, video calling, SMS messaging. We can say that the Azure Communication Service instance is the holding area where all the other communication features integrate with each other and this is where the organizations custom application can use those communication features.

To create a new Azure Communication Service instance, you need to.

  • Navigate to https://portal.azure.com/ and select create a resource option.
  • Type communication services in the search bar and select the communication services resource and press create.
Create Azure Communication Service
  • In the Subscription section select an active azure subscription and in the Resource Group section select a previously created resource group.
  • In the Data location section, select the region where the organization wants to save the data at rest.
  • Add relevant Tags and then select create.
create azure communication service resource

Once we navigate to https://portal.azure.com/ and then open Communication Services, we get to view the newly deployed Communication Services Instance.

Communication Service instance

Create an Email Communication Services resource.

The Email Communication Services resource will receive the emails from your organizations Multifunction Device and sends the email to internal or external users. To Provision the ECS resource we need to

  • Navigate to https://portal.azure.com/
  • Click on Create a resource option and select Email Communication Services.
  • Select the create option to start creating Email Communication Services.
Email communication Services option
  • In the Subscription section select an active azure subscription and in the Resource Group section select a previously created resource group.
  • In the Data location section, select the region where the organization wants to save the data at rest.
  • Add relevant Tags and then select create.
Email communication Services creation setting

The Email Communication Resource will be deployed in the previously selected resource group.

Deployed ECS Resource

Adding Custom domain to the ECS Resource.

After you open the ECS Resource, you will have 2 options, the first option is to use your own custom domain in ECS, and the second option is to use free Azure subdomain. Using a custom domain or a free Azure subdomain (example 1234-XXXX-XXXX-1234.azurewecomm.net) does impact the “From” address seen by the recipient.

adding domain in ECS Resource

If you select the option to add free Azure subdomain, then Azure will provision sub domain for the domain azurecomm.net (example 1234-XXXX-XXXX-1234.azurewecomm.net). You can only have one Azure subdomain per Email Communication Services. The free azure subdomain will automatically verify the SPF, DKIM and DMARC.

Azure subdomain

You can also select the option to add the custom domain. After you add the custom domain, you have to verify the domain in Azure by adding the TXT record provided by Azure in the added domain’s registrar. Verify SPF, DKIM for the custom domain.

Custom Domains

Now we have Azure provisioned sub domain (1234-XXXX-XXXX-1234.azurewecomm.net) as well as custom domain aashu.co.in verified and connected to the Email Communication Service Resource.

Connecting Azure Communication Service Instance to Email Communication Service Resource.

As the Azure Communication Service Instance and the Email Communication Service Resource, both are provisioned, now we have to connect the ACS with ECS using the below steps.

  • Navigate to https://portal.azure.com/ and select the Communication Services and now open the newly deployed Communication Service Instance.
  • On the left navigation pane, select Email –> Domains –> Connect domain.
Connect ACS to ECS
  • Select the proper Azure subscription type.
  • Under Resource Group select ECS-Resource-Group.
  • Under Email Service select Email-Communication-Services-Resource.
  • Under Verified Domain select either the custom domain or the Azure provisioned sub domain.

Now the Azure Communication Service Instance and the Email Communication Service Resource are connected with each other. Below is how the portal should look like after ACS is connected to ECS.

After connection of ACS to ECS

Registering the Application in Microsoft Entra Enterprise Applications.

  • Login to https://entra.microsoft.com/
  • Navigate to Identity –> Applications –> App registrations and select New registration.
  • Type the name of new application (example: ECS-App-in-enterprise-applications).
  • In supported account types select Accounts in this organizational directory only.
  • Redirect URI is optional and it can be set later. (Redirect URI is the location where Microsoft Entra ID will send the access token to after successfully authenticating the user.)
  • Select Register.
App registration in Microsoft Entra Enterprise Application.

Create Client Secret for the Enterprise Application.

After registering the Enterprise Application, we have to create the client secret to access the enterprise application.

We have to navigate to https://entra.microsoft.com/ –> Applications –> App Registration –> All Applications –> select the application whose client secret we need to generate –> Certificates & secrets –> Client Secrets –> New Client Secret.

Client Secret for Enterprise Application

Connect the Enterprise Application with Azure Communication Service Instance.

As the application is registered in Microsoft Entra Enterprise Applications and the Azure Communication Service Instance is also created in Azure, we now have to connect the enterprise applications to Email Communication Service resource.

There are 3 necessary permissions to access the Email Communication Service resource, and the permissions are Microsoft.Communication/CommunicationServices/Read, Microsoft.Communication/CommunicationServices/Write and Microsoft.Communication/EmailServices/write

These permission are by default present in the contributor role, you can use contributor role or create a new custom role and assign the above permission to the new custom role.

Create a custom role in Azure Communication Service Instance.

In order to create a new custom role, please follow the below steps.

  • Navigate to https://portal.azure.com/
  • Open the Azure Communication Service Instance.
  • Select Access control (IAM) and then select Roles.
  • Select any Role and select the Clone button from the three dots.
Create a new role in Azure Communication Services Instance
  • When the Create a custom role option page loads up select Start from scratch under Baseline permissions.
new custom role options page
  • Type the Custom role name (example: Custom Role for Enterprise Application) and select next.
  • Under the permissions section, select Add permissions and then select Azure Communication Services.
Custom Permission Page
  • Now select the Microsoft.Communication/CommunicationServices Read, Microsoft.Communication/CommunicationServices Write, and the Microsoft.Communication/EmailServices Write permissions and Click Add.
Custom Permission Options Pqage

The final permissions should look like the permissions below, now select Review+Create and then select Create.

final permission in new custom roles

Assign the custom role to the Enterprise Application.

To assign the custom role to the Enterprise Application, please follow the below stpes.

  • Navigate to https://portal.azure.com/
  • Open the Azure Communication Service Instance.
  • Select Access control (IAM) and then select Add role assignments under the Add section.
Add role assignment page in Azure Communication Services Instance
  • Once the Add role assignment options page opens up, select Role section and then select job function roles and then type the name of the custom role in the search bar and select the role and then select next.
add role assignment options page in ACS

Under the Members tab, select User, group, or service principal and then click +Select members and type the enterprise application name (example: ECS-App-in-enterprise-applications) and select Review+Assign.

Member section in add role assignment in ACS

If we check the role assignment section under Access control (IAM) of the Email Communication Service resource, the Enterprise Application (named ECS-App-in-enterprise-applications) will now show up with the custom permission Custom Role (name Custom Role for Enterprise Application).

assigned role in Azure Communication Service

Creating Username and password for Multifunction Device.

username that will be used in the MFD or the inhouse application will be the combination of the Azure Communication Service Instance name AND Microsoft Entra Enterprise registered Application ID AND the Tenant ID. The delimiter would be | (pipe symbol ) or . (period symbol).

Username in ACS Instance
Username in Enterprise Applicaiton

Example: Username would be “Communications-Services-Main-Resource.584exxxx-xxxx-xxxx-xxxx-xxxxxxxxfb65.4d33xxxx-xxxx-xxxx-xxxx-xxxxxxxx80cd” OR the username would be “Communications-Services-Main-Resource|584exxxx-xxxx-xxxx-xxxx-xxxxxxxxfb65|4d33xxxx-xxxx-xxxx-xxxx-xxxxxxxx80cd“.

The password that need to be used in the MFD or the inhouse application would be the Client Secret Value in the enterprise application.

Client Secret

Note: Secret ID is not the password, if we use secret ID as the password then we will get the error in the sign in logs of the Enterprise Application. (Error: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app ‘{identifier}’.).

Sending Test Email to check the configuration.

As all the configuration of Email Communication Service is completed, it is now time to send a test email.

Below is how the email looks when it delivers to the recipients mailbox.

Test Email sent using ECS

Conclusion.

Emails Communication Services in Azure is a great tool to send the emails internally and externally. The organization would not be able to send high volume of emails using ECS, first the limitation would be 2400 emails per day (100 emails per hour). Organization has to raise a service request with Azure support to get the email limit increased.

By Ashutosh Gawali

Ashutosh Gawali is Microsoft 365 consultant, Networking and Security enthusiast, he has nearly 10 years of experience in product implementation, optimization and customer support. Through this blog, Ashutosh is trying to share his experience and understanding of the Microsoft, Networking, Security and other technologies,

Leave a Reply

Your email address will not be published. Required fields are marked *