Version: 4.3.0

Authentication in mail clients using Microsoft Office 365

As of October 2022, Exchange Online email servers may no longer accept connections using basic authentication.

Instead, you can use authentication methods based on what Microsoft refers to as "modern authentication", which often use an OAuth2 flow to achieve token-based authentication.

Note: The instructions in this topic only apply to scenarios where the mail server is Exchange Online.

In iCore Integration Suite (iCIS), modern authentication using an access token is supported in the following mail activities and objects:

  • Adapterflow activities
  • Workflow activities
  • Script objects

Configuring modern authentication

To start using modern authentication in mail activities and objects, you need to:

  • Populate a number of parameters with values that replace the traditional username and password parameters in basic authentication.
  • Configure the required permissions in the Azure AD application where authentication is performed.

Setting the parameters

To configure modern authentication in mail activities and Script objects, you need to collect values for the following parameters:

  • Tenant ID – The ID of the Tenant in Azure where the Active Directory holding the user resides.
  • Client ID – The ID of the application in the Azure AD where users are authenticated.
  • Client Secret or Certificate – Authentication is performed either with a client secret or a certificate.

The Tenant ID, Client ID and Client Secret can all be retrieved in the Azure portal from the application used as the authentication provider. If you want to use a certificate for authentication instead of a client secret, you need to prepare the application with the certificate.

Expiration date

Client secrets and certificates usually have an expiration date. If the client secret or certificate expires, authentication fails, and the mail activities that depend on it fail as a consequence.

Configuring permissions

Successful authentication results in an access token that iCIS can use when sending and receiving email in Microsoft Office 365. However, it is important that the access token is issued with sufficient permissions, and since the authentication is performed without any user interaction, these permissions need to be configured in the application where authentication is performed.

For sending email, the following application permission has to be added and granted with admin consent:

  • Mail.Send

For receiving email, the following application permissions have to be added and granted with admin consent:

  • Mail.ReadBasic.All
  • Mail.Read
  • Mail.ReadWrite

The permissions above are all Microsoft Graph permissions. For more information on how to add and grant admin consent to Microsoft Graph permissions, see Microsoft Graph permissions reference.

If a restriction to limit access to a specific mailbox is desired, a so-called Application Access policy can be added using the New-ApplicationAccessPolicy cmdlet. For more information, see New-ApplicationAccessPolicy documentation.
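
The following is an added example, not part of the iCore documentation, showing how such a policy can be created and verified in Exchange Online PowerShell. Without a policy, the application permissions listed above apply to every mailbox in the tenant, so the check at the end confirms both that the intended mailbox is reachable and that another mailbox is not. The application ID, group name and all addresses are placeholders chosen for illustration.

```powershell
# Added example: restrict the Azure AD application used by iCIS to one mailbox.
# Requires the ExchangeOnlineManagement module and an Exchange administrator account.
# Every value below is a placeholder (assumption), replace with your own.
$AppId        = '00000000-0000-0000-0000-000000000000'  # Client ID of the application
$GroupName    = 'iCIS-Allowed-Mailboxes'                # hypothetical scope group name
$GroupAddress = 'icis-allowed@contoso.example'          # hypothetical group address
$Allowed      = 'integration@contoso.example'           # mailbox iCIS is meant to use
$NotAllowed   = 'other.user@contoso.example'            # any other mailbox (negative check)

Connect-ExchangeOnline   # interactive sign-in

# The policy scope is a mail-enabled security group; create it if it does not exist.
if (-not (Get-DistributionGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $GroupName -Type Security `
        -PrimarySmtpAddress $GroupAddress -Members $Allowed | Out-Null
}

# RestrictAccess: the application may only access mailboxes that are group members.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $GroupAddress `
    -AccessRight RestrictAccess `
    -Description 'Limit iCIS mail access to the integration mailbox'

# Verify the policy from both sides: the intended mailbox must be granted,
# a mailbox outside the group must be denied.
$checks = @(
    @{ Mailbox = $Allowed;    Expected = 'Granted' },
    @{ Mailbox = $NotAllowed; Expected = 'Denied'  }
)
foreach ($c in $checks) {
    $actual = (Test-ApplicationAccessPolicy -Identity $c.Mailbox -AppId $AppId).AccessCheckResult
    if ("$actual" -eq $c.Expected) {
        Write-Output  "OK    $($c.Mailbox): $actual"
    } else {
        Write-Warning "CHECK $($c.Mailbox): expected $($c.Expected), got $actual"
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```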