Microsoft is disabling SMTP Basic authentication as of 31-12-2022, see Deprecation of Basic authentication in Exchange Online. I will show you how easy it is to replace the default SMTP email client in Keycloak with the Microsoft Graph API – user: sendMail.


Keycloak is designed to cover most use-cases without requiring custom code, but we also want it to be customizable. To achieve this Keycloak has a number of Service Provider Interfaces (SPI) for which you can implement your own providers.

See Keycloak – Service Provider Interfaces (SPI) for more info regarding how to implement your own SPI.

A working Java Maven project is available, see Git Repository – rh-sso-msgraph-sendmail. With this project you’re able to create a jar-file with your EmailSenderProvider of choice and test it on a local Keycloak instance.

How Keycloak sends email

The current way of Keycloak sending email is by using a SMTP client with Basic Authentication which can be configured on the realm in Keycloak. The is the default implementation which I will replace with The class implements the interface EmailSenderProvider with just one method send(). In this method we have to retrieve a JWT token and send email with the Graph API.

The Active Directory (AD) user account which will retrieve a JWT token should have the role sendMail

Substitute DefaultEmailSenderProvider

To configure Keycloak to use the new MsGraphEmailSenderProvider we just have to reference our new class in the correct resource.
The SPI configuration for EmailSenderProvider can be configured in resource file resources/META-INF/services/
Add entry nl.edekler.rhsso.msgraph.provider.MsGraphEmailSenderProviderFactory.

be aware of the fact that the MsGraphEmailSenderProviderFactory method getId() returns “default” so that it will be used by Keycloak as the default EmailSenderProvider!

Deploy Jar to Keycloak

When all sourcecode is ready there’s only one thing to do to implement the new MsGraphEmailSenderProvider and that’s to deploy the jar-file to Keycloak. Just deploy the jar-file to your local Keycloak instance in map /standalone/deployments.

Check Git Repository – rh-sso-msgraph-sendmail how to install a local Keycloak server.

You should see something like this in the Keycloak logs:Keycloak Startup log

After deployment you can login to the Keycloak master realm and click the button Test Connection on the realm email tab.


With the use of the Server Provider Interfaces (SPI) it’s quite easy to implement your own EmailSenderProvider implementation.