Outlook / Azure OAuth2.0 authentication

To start using an Outlook email account, a one-time configuration needs to be done first in Azure.

For Outlook OAuth, the communication channel needs the following four values from your Azure tenant:

  • Tenant (Realm / Directory ID)

  • Client ID (Application ID)

  • Client secret

  • Username: the e-mail address of the mailbox the system should monitor for new incoming e-mail. Because the permission granted below is delegated, this must be a mailbox that the user who authenticates the channel is allowed to access (their own or a shared mailbox).

Step-by-step guide to configure Azure account

Register Application
  1. Log in to your organization's Azure account.

  2. Select Azure Active Directory (labelled Microsoft Entra ID in newer versions of the portal) in the left-hand navigation, then select App registrations under Manage.

  3. Select New registration. On the Register an application page, set the values as follows.

    • Set Name to a friendly name for your app.

    • Set Supported account types to the choice that makes sense for your scenario (single tenant is sufficient when only your own organization's mailboxes are monitored).

    • For Redirect URI, select Web and enter the value shown on the MXTS Communication Channel page. Azure compares this value character for character with the one sent during sign-in, so copy it exactly, including the scheme and path.

      • Redirect URI - https://<concern-code>.maxxton.net/customercare/en-us/azure-oauth-callback.html

  4. Choose Register. On the next page, copy the values of the Application (client) ID and Directory (tenant) ID and save them; you will need them later.


API Permission

Once the app is registered, grant it the API permission it requires:

  1. Select API permissions in the left-hand navigation under Manage.

  2. Click Add a permission.

  3. On the Microsoft APIs tab, select Microsoft Graph.

  4. Select Delegated permissions.

  5. Search for Mail.ReadWrite.Shared, tick it and click Add permissions.

    • Mail.ReadWrite.Shared - This delegated permission lets the service read and write mail in the authenticating user's own mailbox and in the shared mailboxes that user has access to. The write part is used only to mark an e-mail as read after the service has processed it successfully; no mail is sent or deleted with it.

  6. Once the permission is added, click Grant admin consent for <tenant name> (the button shows your tenant's display name). Only a tenant administrator can grant this consent.

  7. After consent is granted, the Status column for the permission should read Granted for <tenant name>.

That's it; all the necessary permissions are configured.

Old permissions that were configured:

(Note: Do not remove the two previously configured permissions listed above; they may be needed again if the new implementation does not work as expected.)

New permission that needs to be configured:

Generate client secrets

Once the API permission has been granted to the registered application, generate a client secret.

  1. Select Certificates & secrets in the left-hand navigation under Manage.

  2. Click New client secret.

  3. Add a meaningful description for the secret and select an expiration period (6 months is recommended). Note the expiry date: once the secret expires, token requests from the channel fail until a new secret is generated and entered in the channel configuration, so plan the rotation before that date.

  4. Click Add.

Copy the client secret from the Value column (not the Secret ID column) and save it; you will need it later.

The client secret value can only be viewed immediately after creation. Be sure to save it before leaving the page; if it is lost, delete it and create a new one.

Once all three steps (Register Application, API Permission and Generate client secrets) are completed, you can set up the Outlook account in the communication channel.

Setup communication channel (Video)

Below is the step-by-step video guide for setting up the Email (Outlook / Azure) communication channel type.

The system starts polling e-mail from the mail server about two minutes after the communication channel is both "Enabled" and "Authenticated".

 

Some of the common errors that you can get during communication channel registration:

Error code: (none)
Error description: Authorization code should not be empty or null for generating the access token
Solution: The sign-in redirect reached the callback without an authorization code. Re-authenticate the communication channel by updating the auth info (click the three-dot button on the channel, then Update auth info) and complete the Microsoft sign-in again.

Error code: MS-AADSTS53003
Error description: AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.
Solution: Check your organization's Conditional Access policies (https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies). A policy that restricts sign-in by location, device or sign-in risk will block token issuance for this service, which runs outside your organization's network and devices. Either exclude the registered application from the blocking policy or add the appropriate exception for the authenticating user.
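The exchange that the communication channel performs with the values collected in the Register Application, API Permission and Generate client secrets steps above, together with the two callback failures from the error table, as an added Python example. This is not Maxxton's or Microsoft's code; the tenant ID, client ID, concern code, secret value and callback URLs in it are constructed placeholders, and the scope string assumes the delegated Mail.ReadWrite.Shared permission from the API Permission step plus offline_access, which is what makes Azure return a refresh token.

```python
"""Authorization-code flow helpers for an Azure app registered as described above.

Added example, not Maxxton's or Microsoft's code. All identifiers are constructed.
"""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"
# Delegated Graph scope granted in the API Permission step; offline_access asks
# for a refresh token so the poller can keep running without a new sign-in.
SCOPES = ["https://graph.microsoft.com/Mail.ReadWrite.Shared", "offline_access"]
AADSTS_RE = re.compile(r"\bAADSTS\d{5}\b")


@dataclass(frozen=True)
class AzureAppConfig:
    tenant_id: str       # Directory (tenant) ID
    client_id: str       # Application (client) ID
    client_secret: str   # value shown once under Certificates & secrets
    redirect_uri: str    # must equal the registered Redirect URI character for character


def new_state() -> str:
    """Unguessable per-login value that ties the callback to the login we started."""
    return secrets.token_urlsafe(24)


def authorize_url(cfg: AzureAppConfig, state: str) -> str:
    """Browser URL that starts the flow (what 'Update auth info' sends the user to)."""
    params = {
        "client_id": cfg.client_id,
        "response_type": "code",
        "redirect_uri": cfg.redirect_uri,
        "response_mode": "query",
        "scope": " ".join(SCOPES),
        "state": state,
    }
    return f"{AUTHORITY}/{cfg.tenant_id}/oauth2/v2.0/authorize?" + urlencode(params)


def parse_callback(callback_url: str, cfg: AzureAppConfig, expected_state: str) -> str:
    """Return the authorization code from the redirect, or raise with the reason.

    Covers both rows of the error table: a redirect that carries no ?code=
    ("Authorization code should not be empty or null") and an AADSTS error such
    as AADSTS53003 delivered in error_description.
    """
    got, want = urlparse(callback_url), urlparse(cfg.redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback arrived on a URL that is not the registered redirect URI")
    q = parse_qs(got.query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale or forged login, restart the flow")
    if "error" in q:
        desc = q.get("error_description", [""])[0]
        m = AADSTS_RE.search(desc)
        raise RuntimeError(f"{m.group(0) if m else q['error'][0]}: {desc}")
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("Authorization code should not be empty or null; run Update auth info again")
    return code


def token_request(cfg: AzureAppConfig, code: str) -> tuple[str, dict]:
    """Endpoint and form body that swap the code for access and refresh tokens.

    POSTed as application/x-www-form-urlencoded. The secret travels in the body,
    never in a URL, and redirect_uri must be identical to the authorize step.
    """
    url = f"{AUTHORITY}/{cfg.tenant_id}/oauth2/v2.0/token"
    body = {
        "client_id": cfg.client_id,
        "client_secret": cfg.client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": cfg.redirect_uri,
        "scope": " ".join(SCOPES),
    }
    return url, body


def refresh_request(cfg: AzureAppConfig, refresh_token: str) -> tuple[str, dict]:
    """Body used by the poller when the access token expires; fails once the secret expires."""
    url = f"{AUTHORITY}/{cfg.tenant_id}/oauth2/v2.0/token"
    body = {
        "client_id": cfg.client_id,
        "client_secret": cfg.client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": " ".join(SCOPES),
    }
    return url, body


if __name__ == "__main__":
    # Constructed values standing in for the three portal steps.
    cfg = AzureAppConfig(
        tenant_id="11111111-2222-3333-4444-555555555555",
        client_id="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        client_secret="constructed-secret-value",
        redirect_uri="https://acme.maxxton.net/customercare/en-us/azure-oauth-callback.html",
    )
    state = new_state()
    print(authorize_url(cfg, state))
    code = parse_callback(cfg.redirect_uri + f"?code=0.AXkA-constructed&state={state}", cfg, state)
    print(token_request(cfg, code)[0])
```

Two checks in this flow are what most setup failures come down to: the redirect URI used in the authorize and token requests must be byte-identical to the one registered in step 3, and the state value must be generated per login and compared on the callback so a stale or forged redirect cannot be exchanged for tokens. A callback that arrives with an error parameter should be surfaced with its AADSTS code rather than retried, since AADSTS53003 in particular will keep failing until the Conditional Access policy is changed.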

Useful links

References

https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth