What Is a Security Operations Center (SOC)?

Chiradeep Vittal, CTO & Co-Founder

February 4, 2026, 8 min read

TL;DR

  • This article covers the essentials of a modern security operations center and how it is evolving with new technology. We go over the core functions, roles such as threat hunters, and the shift toward AI-driven automation in product security. You'll get insights on building a resilient defense that actually stops breaches instead of just sending endless alerts.

Introduction to Email Configuration | PRA Cloud

Ever wonder why your perfectly good password reset email ends up in someone's junk folder? It's usually because the backend plumbing—the email configuration—is just a little bit off.

When you're running BeyondTrust PRA Cloud, getting these settings right isn't just a "nice to have" thing. It is the literal lifeline for your admins and users. If the API can't talk to your mail server, nobody is getting into the system.

Think of email as the nervous system of your privileged access setup. It handles the stuff that keeps the lights on:

  • Access Invites: In industries like finance, where you might have third-party auditors coming in, they need that invite email pronto to start their work.
  • System Alerts: If a critical vault setting changes, your security team needs an alert before things go sideways.
  • Compliance: Healthcare providers often need audit trails sent via email to prove who accessed what and when for HIPAA compliance.

Diagram 1

I've seen so many people trip up on the same few things. Usually, it's a "set it and forget it" mistake that comes back to haunt you. According to the PRA Cloud documentation, most issues boil down to:

  • Spam Filters: Your corporate filter thinks the system emails are phishing attempts because the SPF records aren't updated.
  • OAuth2 Mess-ups: Getting the permissions wrong in Microsoft Entra ID or Google Workspace is super common.
  • Port Confusion: Using the wrong SMTP port (like 25 instead of 587) will kill your connection instantly. (What SMTP port should be used? Port 25, 587, or 465? - Cloudflare)

Next up, we're gonna dive into the actual steps for hooking up your SMTP server.

Configuring OAuth2 for Microsoft Entra ID

Ever tried to explain to a security auditor why you’re still using basic auth for system emails? It’s an awkward conversation you definitely want to avoid.

Moving to OAuth2 for Microsoft Entra ID (formerly Azure AD) is basically the gold standard now for BeyondTrust PRA Cloud because it stops relying on those clunky, static passwords that everyone forgets to rotate. It's a bit of a process to get the plumbing right in the Azure portal, but once it's done, the API handles the heavy lifting.

First thing is you gotta tell Microsoft that your PRA instance is allowed to talk to it. You'll head into the Entra ID portal to create a "New Registration."

  • Permissions are everything: You don’t want to give this app the keys to the kingdom. You specifically need the Mail.Send permission. I've seen people accidentally select Mail.Read and then wonder why the system can't send out those critical password reset links to retail managers in the field.
  • Client Secrets: This is the "password" for the app. Make sure you copy the Value, not the ID, and save it somewhere safe because Azure hides it forever once you leave the screen.
  • Redirect URIs: Don't skip this. The system needs to know where to send the token back to after it authenticates. For PRA Cloud, you need to enter: https://<your-appliance-hostname>/login/oauth2/code/microsoft. Replace that hostname part with your actual instance address or the handshake won't work.

Diagram 2

Now take those strings you just generated and head back to your PRA management console. You're going to need the Tenant ID and the Client ID (sometimes called Application ID).

  • The Handshake: When you hit "Test Connection," the system actually goes out and tries to grab a refresh token. If you're a healthcare provider sending out audit logs, you need this to be rock solid so reports don't fail at 2 AM.
  • Token Refresh: The beauty of this setup is that the API handles the rotation. You won't have to log back in every 90 days to update a password.
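The registration checklist above (Mail.Send only, the exact redirect URI, a secret that has not quietly expired) is easy to get wrong, so here is an added example, not BeyondTrust's code, that sanity-checks a registration before you hit "Test Connection". The registration dict, hostname and dates are constructed sample values.

```python
# Added example (not BeyondTrust's code): validate an Entra ID app registration
# against the PRA Cloud requirements described in the text. All sample values
# below are constructed.
from datetime import date, timedelta

EXPECTED_PERMISSION = "Mail.Send"
REDIRECT_TEMPLATE = "https://{host}/login/oauth2/code/microsoft"

def check_registration(reg: dict, appliance_host: str, today: date, warn_days: int = 30) -> list[str]:
    """Return a list of findings; an empty list means the registration looks right."""
    findings = []
    perms = set(reg.get("api_permissions", []))
    # The mail flow needs exactly one Graph permission: Mail.Send.
    if EXPECTED_PERMISSION not in perms:
        findings.append("missing Mail.Send: the appliance will not be able to send mail")
    extra = perms - {EXPECTED_PERMISSION}
    if extra:
        findings.append(f"over-privileged: drop {sorted(extra)} (least privilege)")
    # The redirect URI must match the appliance hostname exactly or the handshake fails.
    expected_uri = REDIRECT_TEMPLATE.format(host=appliance_host)
    if expected_uri not in reg.get("redirect_uris", []):
        findings.append(f"redirect URI missing or wrong: expected {expected_uri}")
    # Client secrets expire silently; flag anything already expired or expiring soon.
    expiry = reg.get("secret_expires")
    if expiry is None:
        findings.append("no client secret expiry recorded")
    elif expiry < today:
        findings.append(f"client secret expired on {expiry}")
    elif expiry - today <= timedelta(days=warn_days):
        findings.append(f"client secret expires in {(expiry - today).days} days: rotate it")
    return findings

# Constructed sample: a registration with the common mistakes from the text.
SAMPLE_HOST = "pra.example.com"
SAMPLE_TODAY = date(2026, 2, 4)
SAMPLE_REG = {
    "api_permissions": ["Mail.Read"],
    "redirect_uris": ["https://pra.example.com/login/oauth2/code/microsoft"],
    "secret_expires": date(2026, 2, 20),
}

if __name__ == "__main__":
    for finding in check_registration(SAMPLE_REG, SAMPLE_HOST, SAMPLE_TODAY):
        print("FINDING:", finding)
```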

Next, we’re going to look at how to do the exact same thing but for those of you running on google Workspace.

Google OAuth2 Integration for PRA Cloud

So you're a Google shop and need to get your alerts flowing? Honestly, setting up the Google Cloud console feels like a maze sometimes, but it's way better than dealing with "less secure apps" or app passwords that eventually break and leave your security team in the dark.

First, you gotta head over to the Google Cloud console and create a project if you haven't yet. The big thing here is enabling the Gmail API. Without that, your PRA Cloud instance is just talking to a brick wall.

  • The Consent Screen: You have to configure the OAuth consent screen. Since this is for your internal BeyondTrust PRA Cloud setup, set the user type to "Internal" so you don't have to deal with Google's rigorous verification process.
  • Scopes: You need the https://www.googleapis.com/auth/gmail.send scope. I've seen retail chains miss this and then wonder why their store managers aren't getting password resets during a busy holiday shift.
  • Credentials: Create an OAuth Client ID (not a Service Account) and choose "Web application." Once it's done, download the OAuth Client ID credentials JSON file. Don't just copy the text; the file has everything the appliance needs to make the handshake work.

Now, take that JSON file back to your PRA management interface. You'll upload it directly into the email configuration section.

Diagram 3

The system will ask you to authorize. This usually pops a Google login window where you pick the mailbox that'll actually "send" the mail. If you're a finance firm sending sensitive audit reports, make sure this account has the right permissions in your Workspace.

Once you hit "Allow," Google gives an authorization code back to the appliance. The API takes it from there, handling the tokens behind the scenes.

Next up, we're gonna look at what to do if you aren't using the big cloud providers and need to stick with a traditional SMTP relay.

SMTP Configuration and Deliverability Optimization

Ever had that moment where you send a critical access invite to a vendor and it just... vanishes? It's usually not a ghost in the machine, but your SMTP settings playing hard to get with a spam filter.

If you aren't using OAuth2, you'll likely use a Transactional Email Service or an SMTP Relay. These are third-party services designed to send system-generated mail without the headache of managing a full mail server. A provider like Mailazy can be a lifesaver here. It’s basically a relay that handles the heavy lifting so your BeyondTrust PRA Cloud alerts don't get blocked by aggressive corporate firewalls.

  • Port and Security: When setting up your relay, always use Port 587 with STARTTLS. Avoid port 25 because most cloud providers block it to stop spam, and port 465 is the older implicit-SSL/TLS (SMTPS) port.
  • High Deliverability: Services like this are built to make sure emails actually hit the inbox, which is huge when a finance auditor is waiting on a login link.
  • Tracking via API: You can actually use the Mailazy API to see if an admin opened a security alert or if it's just sitting there unread.

Diagram 4

Honestly, most email issues come down to proving you are who you say you are. If you don't have your DNS records in order, you're gonna have a bad time.

  1. SPF, DKIM, and DMARC: These are the "big three." As noted in the documentation, missing SPF records are the #1 reason for spam flags. Make sure your PRA Cloud IP or relay is authorized to send on your behalf.
  2. Watch the Bounce: If you’re seeing a high bounce rate on access invites, your domain reputation will tank fast. Keep your user lists clean.
  3. Template Triggers: Avoid using "spammy" words in your custom email templates. If a retail manager gets an email titled "URGENT ACCESS NOW," a filter might think it's a phishing attempt.
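To see what "authorized to send on your behalf" actually means for SPF, here is an added example (not from BeyondTrust or the PRA Cloud docs) that evaluates a simplified SPF record for a sending IP. The TXT records are a constructed sample zone held in a dict so the check runs offline; in production you would resolve them with a DNS library. It handles ip4/ip6 and include: terms plus the RFC 7208 lookup limit, and leaves the a/mx/exists mechanisms out.

```python
# Added example: simplified SPF evaluation for a relay or appliance IP.
# TXT records are constructed sample data, not real DNS answers.
import ipaddress

# Constructed sample zone: the company domain authorizes one appliance IP and
# delegates to a relay provider's record via include:.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.10 include:relay.example.net -all",
    "relay.example.net": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain: str, sender_ip: str, lookups: int = 0) -> str:
    """Evaluate the domain's (simplified) SPF record for sender_ip and return the SPF result."""
    record = TXT_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                      # no usable SPF record: receivers may flag the mail
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            # An address-family mismatch simply does not match the term.
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return RESULT[qualifier]
        elif term.startswith("include:"):
            lookups += 1
            if lookups > 10:               # RFC 7208 caps DNS-querying terms at 10
                return "permerror"
            # include: matches only when the referenced record yields 'pass'.
            if spf_check(term[8:], sender_ip, lookups) == "pass":
                return RESULT[qualifier]
        elif term == "all":
            return RESULT[qualifier]
        # Other mechanisms (a, mx, exists, redirect=) are out of scope for this sample.
    return "neutral"

if __name__ == "__main__":
    for candidate in ("203.0.113.10", "198.51.100.42", "192.0.2.5"):
        print(candidate, "->", spf_check("example.com", candidate))
```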

A 2024 report by Validity found that nearly 1 in 5 emails never reach the inbox due to poor sender reputation or authentication failures.

Logging and Troubleshooting

So you finally got the emails sending, but how do you keep things from breaking or—worse—leaking info? It's one thing to get a test mail to land, but keeping a production flow secure and clean is a whole different beast.

You don't want your PRA Cloud instance becoming a random relay for some bored attacker. Locking down the "from" address is the first step.

  • Domain Restrictions: Only allow the system to send from your official company domain. If a retail manager gets a password reset from a ".xyz" domain, they’re gonna (rightly) ignore it.
  • Encryption: For healthcare or finance, ensure your SMTP server uses TLS. You don't want session invites with sensitive access info flying around in plain text across the web.
  • Logging outbound events: You gotta keep track of what the system sends. In the PRA interface, you can check the Management -> Syslog settings to ensure email events are being captured. If an auditor asks who received a vault report last Tuesday, you need that trail ready in your logs.

Even the best setups go sideways when a secret expires or a firewall rule changes without notice.

Diagram 5

I've seen plenty of admins pull their hair out over a "dead" email flow only to find out an Azure client secret expired after 12 months.

  1. The 'Send Test' Button: Use it every time you change a setting. Don't assume.
  2. Watch the API errors: If you're using Google or Microsoft, the API will usually tell you exactly why the handshake failed—like "invalid_grant."
  3. Monitor Appliance Logs: Your appliance logs are the best place to find raw SMTP handshake errors. If you see a connection timeout, check if you're accidentally using port 25 instead of 587.
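The three failure modes above (invalid_grant from an expired secret, port 25 timeouts, a relay that refuses STARTTLS) are easy to spot once you triage the log mechanically. Here is an added example, not BeyondTrust's code; the log line format is invented for the sample, so adjust the regex to whatever your appliance actually writes.

```python
# Added example: triage constructed appliance log lines for the failure modes in
# the text. The line format is assumed for this sample, not the appliance's real one.
import re

SAMPLE_LOG = """\
2026-02-04T02:01:11Z smtp host=smtp.example.com port=25 error=connection timed out
2026-02-04T02:01:12Z oauth provider=microsoft error=invalid_grant desc=client secret expired
2026-02-04T02:05:30Z smtp host=relay.example.net port=587 starttls=ok status=sent to=auditor@example.org
2026-02-04T02:06:02Z smtp host=relay.example.net port=587 error=STARTTLS not supported by server
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) (?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")   # key=value pairs, values may contain spaces

def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, severity, diagnosis) for every log line that needs attention."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, kind = m["ts"], m["kind"]
        fields = dict(FIELD_RE.findall(m["rest"]))
        err = fields.get("error", "")
        if kind == "oauth" and err == "invalid_grant":
            findings.append((ts, "high",
                "OAuth refresh rejected (invalid_grant): check the client secret expiry and re-run Test Connection"))
        elif kind == "smtp" and fields.get("port") == "25" and "timed out" in err:
            findings.append((ts, "high",
                "port 25 timeout: most cloud providers block 25, switch to 587 with STARTTLS"))
        elif kind == "smtp" and "STARTTLS" in err:
            findings.append((ts, "high",
                "relay refused STARTTLS: do not fall back to plaintext, fix the relay's TLS"))
        elif err:
            findings.append((ts, "medium", f"unclassified {kind} error: {err}"))
    return findings

if __name__ == "__main__":
    for ts, severity, diagnosis in triage(SAMPLE_LOG):
        print(f"{ts} [{severity}] {diagnosis}")
```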

Honestly, just keep an eye on those expiration dates and you'll be fine. Getting this right means your users actually get their work done without calling the helpdesk every five minutes. Stay safe out there.

Chiradeep Vittal, CTO & Co-Founder

A veteran of cloud-platform engineering, Chiradeep has spent 15 years turning open-source ideas into production-grade infrastructure. As a core maintainer of Apache CloudStack and former architect at Citrix, he helped some of the world's largest private and public clouds scale securely. At AppAxon, he leads product and engineering, pairing deep technical rigor with a passion for developer-friendly security.
