Skip to main content
Version: 8.4

Configuring Microsoft Azure for OAuth

What is Microsoft Azure?

Microsoft Azure is a public cloud computing service owned by Microsoft. It provides a wide range of cloud services, including analytics, storage, computing, and networking.

What is OAuth?

OAuth is an Open Standard Authorization protocol that allows you to authenticate one application communicating with another on your behalf without sharing the password. It uses client secret values instead of a password to allow access to a secured resource. Thus, the email communication will be secured.

This functionality is applicable from version 7.9 and above.

Prerequisites

  • Internet connectivity between ServiceOps and Microsoft Azure/Office 365 is required.

  • Redirect URL should be HTTPS.

  • To enable HTTPS in ServiceOps, a valid SSL Certificate is required.

  • Configure your firewall settings to allow communication between ServiceOps and the following Microsoft Office 365 URLs:

    • login.microsoftonline.com (For Enterprise application)
    • outlook.office365.com (SMTP, IMAP, and POP3) (For Enterprise application)
    • login.live.com (For Personal accounts)

    Whitelist these URLs to ensure that they are not blocked or restricted by your organization's network infrastructure. For more URLs and IP Address, refer to the link Office 365 URLs and IP address ranges.

  • The Microsoft Azure user should have administrator rights.

Configuring Microsoft Azure as Incoming Email Server

To configure Microsoft Azure as the Incoming Email server, follow the below steps:

  1. Sign in to the Microsoft Azure portal.

Microsoft Azure Portal Home page

  1. In the Azure services section, click App registrations > New Registration.

    note

    Create a separate app for every incoming email server (in ServiceOps), if multiple servers are configured each with different domains.

New Registration

  1. In the next screen, enter the name, and select the Supported account types. Under Redirect URI section, select the Platform as Web, and enter the Redirect URI.

    Syntax for Redirect URI: https://{server URL}/oauth/callback

    For example: https://dummy.com/oauth/callback

    Once done, click Register.

Register the Application

The application will appear in the list as shown below.

Registered Application

  1. Click on the application, and the below screen appears. Copy the Application (client) ID and paste it in ServiceOps. For Authorization and Token URL either click the Endpoints tab and copy OAuth 2.0 authorization endpoint (v2) and OAuth 2.0 token endpoint (v2) URLs from the popup or copy the Tenant ID from Overview and use it for both the URLs in ServiceOps.

Authorization and Token URL

  1. Go to the Manage > Certificates & secrets > Client secrets tab, and click New Client Secret.

Certificates and secrets

  1. Enter the description, select the expiry time, and click Add.

Adding Client Secret

  1. The secret appears in the table as shown below. Copy it too.

    note

    The client secret value can be viewed only once immediately after creation. Hence, it is recommended to save the secret key before leaving the page.

Copy the Client Secret Value

  1. In Microsoft Azure, go to Manage > API Permissions tab, and click Add a permission to add permissions for the application.

API Permission

  1. The Request API Permissions popup appears. Click Microsoft Graph.

Microsoft Graph

  1. Add Permissions for IMAP or Office 365 Exchange Online (MAPI).

IMAP

Select Delegated Permissions, select the desired permissions for the application, and click Add Permissions.

note

The Azure application must have the below Delegated permissions for IMAP: Microsoft Graph (Delegated Type):

  • IMAP.AccessAsUser.All
  • Mail.Read

Add Permissions

Office 365 Exchange Online (For MAPI)

  1. For Office 365 Exchange, click Add a Permission > APIs my organization uses tab, search for the Office 365 Exchange Online permission, and click on it.
note

The Azure application must have the below Application permissions for MAPI: Office 365 Exchange Online: (Application Type):

  • Exchange.ManageAsApp
  • Full_access_as_app
  • Mail.Read
  • Mail.ReadWrite

Microsoft Exchange Permissions

  1. Next, click on the Application permissions tab, select the desired permissions, and click Add Permissions.

Add Permissions

  1. Click Grant admin consent for . A confirmation window will appear. Click Yes to continue.

Grant admin Consent

note

The Grant admin consent option will be enabled only if you are logged in as a user with Azure Global Administrator rights. For more details, refer Grant Tenant-wide admin consent to an application.

  1. For IMAP, register your Azure AD Application service principals in Exchange Online and grant access to the Exchange Online mailbox to this service principal. For more details, refer Register service principals in Exchange.
  2. For IMAP and MAPI, it is recommended to restrict the mailbox access, so that Azure app can access only a single mailbox. For more details, refer Limiting application permissions to specific Exchange Online mailboxes.

Configuring Microsoft Azure in ServiceOps

Now, login to the ServiceOps Portal, and go to Admin > Support Channel > Emails > Incoming Email Servers tab. Click the Add Incoming Email Server button, and the below popup appears.

note

After upgrading the ServiceOps version from 8.0 to 8.1, kindly check for the additional parameters unavailable in the previous version.

In ServiceOps version 8.0, the email configuration was based on the Client ID, Client Secret, Tenant ID, and the Authorization URL details. And now in version 8.1, it is based on the Client ID, Client Secret, Authorization URL, Token URL, Scope, and Redirect URL. You can get all these details by following the steps described in the above sections.

Configuring Incoming Email Server in ServiceOps

Enter the required details,

Parameters            Description
NameEnter the name of the email server.
EmailEnter the email address of the Azure user.
Technician GroupSelect the technician group that should be assigned when a new request is created via the email.
CategorySelect the category that you want to assign. If selected, the selected Category will get assiged to the ticket created using this email server.
Email ProviderOther
ServerEnter the server address of the server as per the protocol selected. The addresses are:

- IMAP: outlook.office365.com

- POP3: outlook.office365.com

- MAPI: outlook.office365.com

PortEnter the port number of the email server. The numbers are:

- IMAP: 993

- POP3: 995.

ProtocolSelect the protocol that the email server supports. The options are: IMAP, MAPI, and POP3.
Security TypeSelect the type of security that the email server supports. The options are: None, SSL and TLS.
Email Auth TypeSelect Oauth as email auth type.
Client IDPaste the client ID copied from Microsoft Azure (Step 4).
Client SecretPaste the client secret copied from Microsoft Azure (Step 7).
Authorization URLEnter the OAuth 2.0 authorization endpoint (v2) URL copied from Step 4.
Token URLEnter the OAuth 2.0 token endpoint (v2) URL copied from Step 4.
ScopeEnter the scope as per the protocol selected.

- IMAP: offline_access https://outlook.office365.com/IMAP.AccessAsUser.All

- MAPI: offline_access https://outlook.office365.com/EWS.AccessAsUser.All

- POP: offline_access https://outlook.office365.com/POP.AccessAsUser.All

Redirect URLThis is an editable field. It is set from the Application Settings Base URL.
EnabledToggle the switch to enable or disable the server.
Company

Select the company that should be assigned to the request when created via email.

Note: This field is available only if Managed Services Provider feature is enabled.

PrimaryEnable if you want to use this server as primary for receiving the emails.
Outgoing Email SeversEnable if you want to set the outgoing email server.
Outgoing EmailSelect the outgoing email server from the dropdown. The list displays the servers added in the Outgoing Email Servers section.
Filter TypeSelect whether to allow or ignore the emails received.
EmailsAdd the email addresses that should be evaluated based on the filter type selected.
DomainsAdd the domains that should be evaluated based on the filter type. For example: yahoo.com.
KeywordsAdd the keywords that should be evaluated based on the filter type. The system will look for keywords in the email subject and body.
note

Once done, click Save to add the Incoming Email Server. You can later check its connection using the Test Connection button from the server list page.

Microsoft Azure is now configured as an email server for ServiceOps.

Configuring Microsoft Azure as Outgoing Email Server

To configure Microsoft Azure as the Outgoing Email Server, follow the below steps:

  1. Follow the above steps from 1 to 9 of the Incoming Email Server section.

  2. Add Permissions for SMTP. Select Microsoft Graph > Delegated Permissions, select the SMTP permission for the application, and click Add Permissions.

    note

    The Azure application must have the SMTP.Send Delegated permission.

    Outgoing Email Server

  3. Click Grant admin consent for {directory}. A confirmation window will appear. Click Yes to continue.

note

The Grant admin consent option will be enabled only if you are logged in as a user with Azure Global Administrator rights. For more details, refer Grant Tenant-wide admin consent to an application.

Configuring Microsoft Azure in ServiceOps

Now, login to the ServiceOps Portal, and go to Admin > Support Channel > Emails > Outgoing Email Servers tab. Click the Add Outgoing Email Servers button, and the below popup appears.

Add Outgoing Email Server

Enter the required details,

ParametersDescription
NameEnter the name of the email server.
EmailEnter the email address of the Azure user which will be used for authentication.
ProtocolSelect the protocol that the email server supports. The options are: SMTP and MAPI.
Sender NameEnter the name of the sender.
Email ProviderOther
ServerEnter the address of the server.

- SMTP: smtp.office365.com

- MAPI: outlook.office365.com

PortEnter the port number of the email server.

- SMTP (TLS): 587

- SMTP(SSL): 465

Security TypeSelect the type of security that the email server supports. The options are: None, SSL and TLS.
Authentication NeededEnable the flag if you want the user to authenticate to the server while logging in.
Email Auth TypeSelect Oauth as the email auth type.
UsernameEnter the username of the server to login.
Client IDPaste the client ID copied from Microsoft Azure (Step 4).
Client SecretPaste the client secret copied from Microsoft Azure (Step 7).
Authorization URL**Enter the OAuth 2.0 authorization endpoint (v2) URL copied from Step 4.
Token URL**Enter the OAuth 2.0 token endpoint (v2) URL copied from Step 4.
ScopeEnter the scope as per the protocol selected.

- SMTP Scope: offline_access https://outlook.office365.com/SMTP.send

- MAPI Scope: offline_access https://outlook.office365.com/EWS.AccessAsUser.All

Redirect URLThis is an editable field. It is set from the Application Settings Base URL.
Reply-To EmailEnter the email address for replying over the email.
EnabledToggle the switch to enable or disable the server.
PrimaryEnable if you want to use this server as primary for sending emails.
note

Once entered, click Save.

Microsoft Azure is now configured as an Outgoing Email Server for ServiceOps. Once done, you can later check its connection using the Test Connection button from the server list page. If you face any issue while connecting to the SMTP server, ensure that it is enabled from the Microsoft Admin Center account.

To enable SMTP Authentication, follow the below steps:

  1. Sign-in to your Microsoft 365 Admin Center with the admin account.
  2. Navigate to Users > Active Users, click the desired email address, and a popup appears.
  3. Select the Mail tab and click the Manage email apps link below the Email apps section.

SMTP Authentication

  1. Select the option Authenticated SMTP and click Save changes as shown below.

SMTP Authentication