Configuring OAuth - Microsoft Office 365

HTTPS Required - Microsoft requires the requesting application to be hosted over HTTPS. A FlexDeploy installation that is only reachable over HTTP will not be able to use Microsoft OAuth.

Create the Application in Azure AD

Register a New App

Navigate to the Azure portal in your browser and select Azure Active Directory. Once there, click App Registrations and register a new app.

Add the Redirect URI

Give your app a name and set the web redirect URI.

This should be your FlexDeploy server URL with the path /flexdeploy/rest/v2/oauth appended.

Request Permissions

After clicking Register, copy the Client ID and Tenant ID from the application's overview page. Next, click API Permissions.

On the API Permissions screen, click Add a Permission and select Microsoft Graph → Delegated Permissions.

You will need to add the following permissions:

  • IMAP.AccessAsUser.All

  • offline_access

  • SMTP.Send

  • User.Read

You may need your admin to grant consent for the permissions above, which they can do by navigating to the same screen and clicking the currently disabled ‘Grant admin consent’ button.

Add a Client Secret or Upload an X.509 Certificate

Finally, navigate to Certificates & secrets in the left-hand panel, create a client secret, and copy its value to a safe location (the portal shows the secret value only once).

To upload an X.509 certificate in FlexDeploy instead, navigate to the Credentials screen and select the option to upload a certificate. You will need a Certificate-type credential to store the X.509 certificate and an SSH Key-type credential to hold the private key that corresponds to the certificate. The private key must match the uploaded X.509 certificate, otherwise authentication cannot work.

Update FlexDeploy System Settings

Match the Server Base URL

First, make sure the FlexDeploy Server Base URL in General Settings matches the server you entered in the Azure application's redirect URI.

Populate OAuth Information

Next, select Microsoft OAuth for the SMTP auth type in Email Settings and add:

  1. SMTP Host Name - smtp.outlook.com

  2. SMTP User

  3. Client Id

  4. Client Secret / Certificate

  5. Tenant Id
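To make concrete what the Client ID, Tenant ID, redirect URI and delegated permissions above are used for, here is an added Python example. It is not FlexDeploy code and does not show how FlexDeploy is implemented; it builds the Microsoft identity platform authorization request that the Authorize button ultimately triggers, checks that the Server Base URL and the registered redirect URI agree, and encodes the SASL XOAUTH2 blob in which an access token is presented to an SMTP or IMAP server. All IDs and hostnames are constructed placeholders, and the `prompt=select_account` parameter is a standard v2.0 endpoint option included here on the assumption that an account picker is wanted; the page does not say whether FlexDeploy sets it.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values; replace with the IDs copied from the Azure portal.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
SERVER_BASE_URL = "https://flexdeploy.example.com"          # FlexDeploy General Settings value
CALLBACK_PATH = "/flexdeploy/rest/v2/oauth"                  # path from the page
REDIRECT_URI = SERVER_BASE_URL + CALLBACK_PATH

# Delegated permissions listed on the page. offline_access is the one that yields a
# refresh token, so mail can keep flowing after the one-off browser authorization.
SCOPES = ["IMAP.AccessAsUser.All", "offline_access", "SMTP.Send", "User.Read"]

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def redirect_uri_matches(server_base_url, registered_redirect_uri):
    """The page's first check: Server Base URL + callback path must equal the Azure
    redirect URI, and the scheme must be https (Microsoft rejects plain http)."""
    expected = urlparse(server_base_url.rstrip("/") + CALLBACK_PATH)
    registered = urlparse(registered_redirect_uri)
    return (
        expected.scheme == "https"
        and (expected.scheme, expected.netloc.lower(), expected.path)
        == (registered.scheme, registered.netloc.lower(), registered.path)
    )


def build_authorize_url(tenant_id, client_id, redirect_uri, scopes, state=None):
    """Authorization-code request URL for the Microsoft identity platform v2.0 endpoint.
    Returns (url, state); the caller must store state and compare it on the callback."""
    state = state or secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "prompt": "select_account",  # assumption: force the account picker the page describes
    }
    return AUTHORIZE_ENDPOINT.format(tenant=tenant_id) + "?" + urlencode(params), state


def query_params(url):
    """Single-valued view of a URL's query string (helper for inspection and tests)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def xoauth2_initial_response(user, access_token):
    """SASL XOAUTH2 initial client response sent on SMTP AUTH / IMAP AUTHENTICATE.
    Wire format: 'user=' USER ^A 'auth=Bearer ' TOKEN ^A ^A, base64-encoded."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2_initial_response(blob):
    """Server-side view of the same blob: returns (user, bearer_token)."""
    raw = base64.b64decode(blob).decode("utf-8")
    fields = dict(part.split("=", 1) for part in raw.split("\x01") if part)
    if not fields.get("auth", "").startswith("Bearer "):
        raise ValueError("XOAUTH2 blob lacks a Bearer auth field")
    return fields["user"], fields["auth"][len("Bearer "):]


if __name__ == "__main__":
    assert redirect_uri_matches(SERVER_BASE_URL, REDIRECT_URI)
    url, state = build_authorize_url(TENANT_ID, CLIENT_ID, REDIRECT_URI, SCOPES)
    print("Authorize at:", url)
    print("XOAUTH2 blob:", xoauth2_initial_response("svc@example.com", "<access token>"))
```

The user name placed in the XOAUTH2 blob is the SMTP User from Email Settings; the token must have been issued to that same account, which is why the Authorize step insists on signing in as exactly that user.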

Authorize and Validate

Before authorizing, log in to http://outlook.com as the user you wish to authorize as. Otherwise, especially if you are using SSO, you will most likely authorize as the wrong user. When you click Authorize, Microsoft asks which account to sign in with; select (or type) the same user that you entered in the IMAP User / SMTP User box.

After populating the necessary fields, click the Authorize or Re-Authorize button. You will be redirected to Microsoft to authorize FlexDeploy as the same user that you entered in the IMAP User / SMTP User box. If everything succeeds, you should be redirected back to FlexDeploy.


Once authorization is complete, you can test the configuration by clicking on the Test Email Configuration button located at the bottom next to Save.

  • Sends a test email to the logged in user's email address to validate the SMTP OAuth settings.

  • Reads the inbox of the Approval Reply Address to validate the IMAP OAuth settings.

Once you test

If you authorized as the wrong user, you will get the error:

Bad User is Authenticated But Not Connected

If you get that, re-authorize as the correct user and then test again. Similarly, if you authorized as one user and need to authorize as a different user in the same session, make sure to sign out of Microsoft first (usually this means signing out of https://portal.microsoftonline.com). You may also want to run just this step against FlexDeploy from an Incognito or InPrivate browser window. Otherwise, the first user’s credentials will automatically be used for the authorization instead of prompting you to log in as the second user. You will see this error when testing the email configuration:
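The "wrong user" failure above is worth catching before a test email is even attempted. The following added Python example (not FlexDeploy code) shows a pre-flight check that reads the identity claim out of an access token and compares it with the configured SMTP User. The token payload is decoded without signature verification, which is fine for an early sanity check but must never substitute for the validation Microsoft and the mail server perform. The claim names tried (`preferred_username`, `upn`, `unique_name`, `email`) are ones commonly found in Microsoft-issued tokens; which one a given token carries is an assumption, and the sample tokens below are constructed, unsigned, and used only to exercise the check.

```python
import base64
import json


def _b64url_decode(segment):
    """base64url without padding, as used in JWT segments."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(claims):
    """Constructed, UNSIGNED JWT-shaped token for demonstration only (alg=none, empty signature)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode("utf-8"))
    payload = _b64url_encode(json.dumps(claims).encode("utf-8"))
    return f"{header}.{payload}."


def token_subject(access_token):
    """Return the user identity claim from a token's payload WITHOUT verifying the
    signature. Good enough to spot an obvious account mix-up; not an authorization decision."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT-shaped token")
    claims = json.loads(_b64url_decode(parts[1]))
    for key in ("preferred_username", "upn", "unique_name", "email"):
        if key in claims:
            return claims[key]
    return None


def check_authorized_user(configured_smtp_user, access_token):
    """Mirror the page's 'Bad User' failure: the token was issued to a different account
    than the SMTP User it will be presented for. Returns (ok, message)."""
    subject = token_subject(access_token)
    if subject is None:
        return False, "token carries no user identity claim"
    if subject.lower() != configured_smtp_user.lower():
        return False, f"Bad User: authorized as {subject} but SMTP User is {configured_smtp_user}"
    return True, "authorized user matches SMTP User"


if __name__ == "__main__":
    # Constructed sample: the SSO session belonged to an admin, not the service mailbox.
    sso_token = make_sample_token({"preferred_username": "admin@example.com"})
    print(check_authorized_user("flexdeploy-mail@example.com", sso_token))
    good_token = make_sample_token({"preferred_username": "FlexDeploy-Mail@example.com"})
    print(check_authorized_user("flexdeploy-mail@example.com", good_token))
```

When the check fails, the remedy is the one the page gives: sign out of Microsoft (or use an Incognito/InPrivate window), re-authorize as the account named in the SMTP User box, and only then run Test Email Configuration.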

