Modern Authentication in Microsoft 365 is based on OAuth 2.0. By using App registration, we can enable Users or automated Processes to do the following.
User self-service sync | Allow Users to download placeholder data for their Outlook signatures (Preferred method). |
Organization wide silent sync | Allow Administrators to download placeholder data for Outlook signatures on behalf of the Users. |
Outlook signature placeholder sync using a self-service shortcut
Important note: If your Outlook signature templates have placeholders and multiple user-attribute values corresponding to the placeholders are not available, the signature will not be displayed.
Administrators can use this recommended approach to roll out a shortcut to the User’s start menu. You will have to deploy the shortcut as an administrator or SYSTEM.
After installation, when the user launches the shortcut, the WPSecure engine will sync data corresponding to the placeholders in the Outlook signatures to the User’s device. The following command creates the shortcut.
wpsecure-set.exe -source azure -tenantid 9fb4d4d6-7541-490f-a49a-111d3393731f -clientid 55eba948-6cdd-4b98-ad9b-7ff7b36138c6 -createsc -version 1.2.3.5
The executable ‘wpsecure-set.exe’ is in the WPSecure application directory within the Program Files (x86) directory.
An Azure app registration must be set up to enable users to read their account attributes. The TenantID and ClientID values referenced above are generated during the Azure app registration (see the Microsoft documentation). The version is just your internal deployment identifier, to be used if you deploy this with software deployment tools like SCCM or Microsoft Intune.
Key | HKEY_LOCAL_MACHINE\SOFTWARE\wpsecure |
Name | sssversion |
Value | 1.2.3.5 (Any value you choose. Formatted as Version) |
Open the Entra ID console (a.k.a. Azure Portal) at https://portal.azure.com/ and click on “New Registration”.
Enter the following details and settings in the new registration window and save.
Name | WPSecure Signature Data Sync (This can be anything descriptive) |
Supported account types | Accounts in this organizational directory only |
Redirect URI | http://localhost:5453 (Public client/native (mobile & desktop)) |
Allow public client flow | Yes |
API Permissions | Microsoft Graph | User.Read (Permission type: Delegated) |
Admin Consent | Yes |
Open the newly created App registration and make the following changes.
Allow public client flow | Yes |
API Permissions | Microsoft Graph | User.Read (Permission type: Delegated) |
That is it. Deploy the shortcut using the above command, and the users will see the below item in their start menu.
Organization wide Outlook signature placeholder silent sync
Administrators can use this approach to silently deploy Outlook signature placeholder data organization-wide. The command must be run in the logged-in user’s context.
You could do this as an Intune Win32 app, SCCM application, SCCM package, or script.
Note: This option uses a ‘Secret’ key, so it is more exposed than the first option. We recommend performing the rollout and immediately resetting the ‘Secret’ after the placeholders are deployed.
Following the organization-wide placeholder deployment, you could use Option 1 as a primary means of keeping the placeholders updated.
Run the following command to perform the Sync for each user.
wpsecure-set.exe -source azure -tenantid 9fa4d436-7741-492f-a49a-001d3392731f -clientid 45eab948-6cdd-4b98-ad9b-7ff6b36038c4 -secret AzR8T2DKUe4.mKsugDLS8~ijvOr2XB9Tq45MxcT- -version 1.2.3.4
The executable ‘wpsecure-set.exe’ is in the WPSecure application directory within the Program Files (x86) directory.
The app registration process continues with what was done for Option 1.
The version is just your internal deployment identifier to be used if you were to deploy this using Software deployment tools like SCCM or Microsoft Intune.
Key | HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\wpsecure\signature |
Name | sddrversion |
Value | 1.2.3.4 (Any value you choose. Formatted as Version) |
Add a ‘User.Read.All’ Microsoft Graph ‘Application’ permission. As you can see, the ‘User.Read’ permission is from Option 1, and that permission is ‘Delegated’. Grant admin consent for your organization.
API Permissions | Microsoft Graph | User.Read.All (Permission type: Application) |
As the last step in the App registration process, let’s create the ‘Secret.’ Security recommendations are listed below.
1 | Keep the validity time span as short as possible. |
2 | Deploy the Placeholder Sync process as an Intune Win32 App and not an open script. |
3 | After a successful deployment, revoke or delete the secret from the App registration. |
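One way to check recommendations 1 and 3 after a rollout, as an added PowerShell example that is not part of the WPSecure product or its documentation. The function name Test-AppSecretHygiene and the 7-day threshold are assumptions, and the sample app registration JSON is constructed in the shape Microsoft Graph returns for an application object.

```powershell
# Added example (not WPSecure code): flag client secrets that break the
# recommendations above. Input uses the Microsoft Graph application shape.
function Test-AppSecretHygiene {
    param(
        [Parameter(Mandatory)] $Application,
        [int] $MaxLifetimeDays = 7,   # assumption: length of the rollout window
        [datetimeoffset] $Now = [datetimeoffset]::UtcNow,
        [switch] $RolloutComplete     # set once placeholders are deployed
    )
    # foreach over $null does not iterate, so an app with no secrets yields nothing
    foreach ($cred in $Application.passwordCredentials) {
        $start = [datetimeoffset]$cred.startDateTime
        $end   = [datetimeoffset]$cred.endDateTime
        $findings = @()
        if (($end - $start).TotalDays -gt $MaxLifetimeDays) {
            $findings += "validity exceeds $MaxLifetimeDays days"
        }
        if ($RolloutComplete -and $end -gt $Now) {
            $findings += 'still valid after rollout: delete it'
        }
        [pscustomobject]@{
            KeyId    = $cred.keyId
            Name     = $cred.displayName
            Expires  = $end.UtcDateTime
            Ok       = ($findings.Count -eq 0)
            Findings = $findings -join '; '
        }
    }
}

# Constructed sample: GUIDs, names and dates are placeholders, not real values.
$sampleJson = @'
{
  "appId": "00000000-0000-0000-0000-000000000000",
  "displayName": "WPSecure Signature Data Sync",
  "passwordCredentials": [
    { "keyId": "11111111-1111-1111-1111-111111111111", "displayName": "rollout",
      "startDateTime": "2024-05-01T00:00:00Z", "endDateTime": "2024-05-04T00:00:00Z" },
    { "keyId": "22222222-2222-2222-2222-222222222222", "displayName": "forgotten",
      "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2026-01-01T00:00:00Z" }
  ]
}
'@
$app = $sampleJson | ConvertFrom-Json
Test-AppSecretHygiene -Application $app -Now '2024-05-10T00:00:00Z' -RolloutComplete |
    Format-Table -AutoSize
```

Against a live tenant, the same object can come from Get-MgApplication in the Microsoft Graph PowerShell module, and Remove-MgApplicationPassword deletes a flagged secret by its KeyId.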