Configuring OAuth authentication for Incoming Mail agent
You can configure OAuth 2.0 authentication for the Incoming Mail agent that the TRIRIGA® application uses to connect to the configured mailbox and retrieve email messages containing offline forms. You must first register an application in Microsoft Azure for OAuth and then configure the TRIRIGA application to use OAuth 2.0 authentication for the Incoming Mail agent.
I. Registering OAuth authentication in Azure
You can use the OAuth 2.0 authentication service provided by Azure Active Directory (Azure AD) to enable the TRIRIGA application to connect over the IMAP or POP protocol to Exchange Online in Office 365. For more information, see Authenticate an IMAP, POP or SMTP connection using OAuth.
- Launch the Microsoft Azure app registration screen from the following URL:
- Under Manage, select App registrations > New registration to begin the app registration process:
- Name: Specify the name to identify the registration in the Microsoft Azure portal. For example, TririgaIncomingMailAgent.
- Account Type: Select the single tenant account type.
- Click Register. When registration finishes, the Azure portal displays the app registration's Overview pane. Make a note of the Application ID.
- Create a client secret by completing the following steps:
- Click Certificates & secrets.
- Click New client secret.
- Provide a description and select the duration after which the client secret expires.
- Click Add.
- Copy the client secret value from the Value column. This value is later entered in the OAuth Application Secret field of the Microsoft OAuth profile record in TRIRIGA. Note: The client secret can be viewed only immediately after creation, so make a note of the value before leaving the page.
- Click Overview and then click the Endpoints tab. Copy the OAuth 2.0 authorization endpoint (v2) and OAuth 2.0 token endpoint (v2).
- Configure API permissions by completing the following steps:
- Click API permissions.
- Click Add a permission.
- Select the APIs my organization uses tab and search for Office 365 Exchange Online.
- Click Application permissions.
- Select the following permissions:
- POP.AccessAsApp
- IMAP.AccessAsApp
- Click Add permissions.
- Click Grant admin consent for "application name" to provide consent. Note: You need admin access to see the option to grant admin consent.
- Click Yes.
- Register the service principal in Exchange via Exchange Online PowerShell by running the following PowerShell commands:
- Install the ExchangeOnlineManagement module and connect to your tenant:
Install-Module -Name ExchangeOnlineManagement -AllowPrerelease
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -Organization <tenantId>
- Register the Azure AD application's service principal in Exchange:
New-ServicePrincipal -AppId <APPLICATION_ID> -ServiceId <OBJECT_ID> [-Organization <ORGANIZATION_ID>]
Use the Application (client) ID as APPLICATION_ID, the Object ID of the application as OBJECT_ID, and the Tenant ID as ORGANIZATION_ID. You can find these values in the Overview tab of the Azure portal by navigating to Azure Active Directory > Enterprise applications and selecting the application that you registered. For more information, see the New-ServicePrincipal command.
- Add mailbox permissions to the application to give it access to your mailbox:
Add-MailboxPermission -Identity "<EXCHANGE_EMAIL_ID>" -User <OBJECT_ID> -AccessRights FullAccess
II. Configuring OAuth profile in TRIRIGA
After you register an OAuth application with Microsoft Azure, you must enter the OAuth provider (Microsoft Azure) in TRIRIGA. To enter the OAuth provider (and OAuth application), you must create a Microsoft OAuth profile record in TRIRIGA.
- Log in to the TRIRIGA main portal.
- Navigate to .
- Select Add to add a new Microsoft OAuth profile record.
- In the OAuth Setup section, specify the following OAuth settings.
- Name: This name may be displayed to end users, and used in API calls to identify the target record.
- OAuth Provider: Name of the OAuth provider. For example, "Azure" for Microsoft Azure Active Directory. Name is not case-sensitive.
- Access type: Set the access type as Application.
- Description: A description of this profile, which an application may display to end users.
- OAuth Application Key: Enter the value of the Application (Client) ID field from the above OAuth application registration in Microsoft Azure.
- OAuth Application Secret: Enter the value of the client secret Value column from the above OAuth application registration in Microsoft Azure.
- OAuth Authorize URL: Enter the tenant-specific URL value of the OAuth 2.0 authorization endpoint (v2) field from the above OAuth application registration in Microsoft Azure. This value is required by TRIRIGA Reserve. For example: https://login.microsoftonline.com/<tenant Id>/oauth2/v2.0/authorize. Note: To obtain the URL value, click Overview on the Azure App registrations page, and then click the Endpoints tab. Copy the values of the OAuth 2.0 authorization endpoint (v2) and OAuth 2.0 token endpoint (v2) fields.
- OAuth Token URL: Enter the tenant-specific URL value of the OAuth 2.0 token endpoint (v2) field from the above OAuth application registration in Microsoft Azure. This value is required by TRIRIGA Reserve. For example: https://login.microsoftonline.com/<tenant Id>/oauth2/v2.0/token
- OAuth Scope: API permissions that are granted to an OAuth application. For Microsoft Azure, enter: https://outlook.office365.com/.default
Note: Users might need to approve these permissions when they log in.
- Save your new Microsoft OAuth profile record.
III. Configure the IncomingMailConfig record
Configure the IncomingMailConfig record to use OAuth authentication to connect with IMAP and POP protocols and access email data for Office 365 users.
- Navigate to .
- Host: Specify the host as: outlook.office365.com
- INBOX: Specify the folder name as: INBOX.
- Action: Specify the action as CREATE.
- Username: Enter your Outlook Mailbox address.
- Password: Enter the Outlook password of the mailbox used by the Incoming Mail agent for offline forms for a particular topic.
- MailServerType: Enter the mail server type as imaps with port 993. Important: For the POP3 protocol, specify the mail server type as POP3S and the port as 995.
- OAuthProfile: Select the OAuthProfile created in II. Configuring OAuth profile in TRIRIGA section.
- Save the record.
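The following Python script is an added pre-flight check for sections I through III; it is example code written for this page, not TRIRIGA's or Microsoft's. Before the registration values go into the Microsoft OAuth profile record, it requests an app-only token from the tenant's OAuth 2.0 token endpoint (v2) with the client-credentials grant and the scope https://outlook.office365.com/.default, inspects the token's claims for the IMAP.AccessAsApp or POP.AccessAsApp application permission that admin consent should have delivered, and shows the SASL XOAUTH2 string that an IMAPS (port 993) or POP3S (port 995) client presents with such a token. The placeholder values, the function names, the expectation that the token audience equals the resource named by the scope, and the unsigned test-token helper used for offline demonstration are all assumptions of this example.

```python
"""Pre-flight check for the Incoming Mail agent's OAuth setup (added example, not TRIRIGA code).

Run it with the values from the Azure app registration before they go into the
Microsoft OAuth profile record: it fetches an app-only token with the client
credentials grant and checks that admin consent actually delivered the
IMAP.AccessAsApp / POP.AccessAsApp role the agent's MailServerType needs.
"""
import base64
import json
import sys
import urllib.parse
import urllib.request

# Constructed placeholders: replace with your registration's values.
TENANT_ID = "<tenant Id>"
CLIENT_ID = "<APPLICATION_ID>"           # Application (client) ID
CLIENT_SECRET = "<client secret Value>"  # client secret Value column
MAILBOX = "<EXCHANGE_EMAIL_ID>"          # mailbox the agent polls
SCOPE = "https://outlook.office365.com/.default"  # OAuth Scope field value

# Application permission each MailServerType requires, and its default port.
REQUIRED_ROLES = {"imaps": "IMAP.AccessAsApp", "pop3s": "POP.AccessAsApp"}
DEFAULT_PORTS = {"imaps": 993, "pop3s": 995}


def token_endpoint(tenant_id):
    """Tenant-specific OAuth 2.0 token endpoint (v2), as entered in OAuth Token URL."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def build_token_request(tenant_id, client_id, client_secret, scope=SCOPE):
    """Client-credentials grant: no user signs in, the application itself is the principal."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
        "grant_type": "client_credentials",
    }).encode()
    return urllib.request.Request(
        token_endpoint(tenant_id), data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def decode_jwt_claims(token):
    """Read the JWT payload for inspection only; this does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("access token is not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_app_token(claims, server_type, scope=SCOPE):
    """Return a list of configuration problems found in an app-only token's claims.

    Assumption: the audience equals the resource named by the scope (the part
    before '/.default'). The roles claim lists the application permissions that
    received admin consent.
    """
    problems = []
    expected_aud = scope[:-len("/.default")] if scope.endswith("/.default") else scope
    if claims.get("aud") != expected_aud:
        problems.append(f"audience is {claims.get('aud')!r}, expected {expected_aud!r}: check OAuth Scope")
    role = REQUIRED_ROLES[server_type.lower()]
    if role not in claims.get("roles", []):
        problems.append(f"roles claim lacks {role}: grant admin consent for that permission in Azure")
    return problems


def xoauth2_initial_response(mailbox, access_token):
    """SASL XOAUTH2 initial client response that an IMAPS/POP3S client sends with the token."""
    raw = f"user={mailbox}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def encode_test_token(claims):
    """Build an UNSIGNED JWT-shaped string from constructed claims, for offline demonstration only."""
    def b64url(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64url({'alg': 'none', 'typ': 'JWT'})}.{b64url(claims)}.sig"


if __name__ == "__main__":
    server_type = sys.argv[1] if len(sys.argv) > 1 else "imaps"
    with urllib.request.urlopen(build_token_request(TENANT_ID, CLIENT_ID, CLIENT_SECRET)) as resp:
        token = json.load(resp)["access_token"]
    for line in check_app_token(decode_jwt_claims(token), server_type) or ["token OK"]:
        print(line)
    # Only the length of the SASL string is printed so the token is not written to the console.
    print(f"AUTHENTICATE XOAUTH2 against outlook.office365.com:{DEFAULT_PORTS[server_type]} with a "
          f"{len(xoauth2_initial_response(MAILBOX, token))}-character initial response")
```

Run it as `python check_oauth.py imaps` or `python check_oauth.py pop3s` to match the MailServerType you enter in the IncomingMailConfig record. If the roles claim is missing, the Grant admin consent step did not complete; if the audience is wrong, the OAuth Scope value does not name the Exchange Online resource.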
IV. Next
Verify that the Incoming Mail agent is running. Log in to the Admin Console, navigate to the Agents panel, and ensure that the Incoming Mail agent is running.