Setting up mailboxes for OAuth 2.0 authorization
Starting with version 8.5.107.xx, E-mail Server supports the OAuth 2.0 authorization protocol.
To set up mailboxes using the OAuth 2.0 authorization protocol:
Creating a Microsoft Azure application
- Follow all the steps described in the Microsoft Azure documentation to create an Azure application for the mailbox(es) that Genesys E-mail Server will access. Note that a single Azure application can support all mailboxes of the same company.
- In step 6:
  - Select Accounts in any organizational directory (Any Azure AD directory – Multitenant).
  - Leave the Redirect URI empty.
After the application is created, it should look similar to this:
Here, esj_office365_imap is the Azure application name. Note the Application (client) ID and the Directory (tenant) ID; you will use both later in the configuration.
If you open Supported account types and Redirect URIs, it should look similar to this:
The Application ID URI should be empty:
Add Application Permissions
Read the Permissions and consent in the Microsoft identity platform endpoint article to understand permissions and consent.
Configure permissions for Microsoft Graph is also a good reference, although it focuses on obtaining permissions for the Graph API. For IMAP and EWS, the application must have the following permissions granted by the Company Admin, depending on the e-mail protocols used:
Mailbox Setup
The mailbox has the following special settings in the company's system:
- Multi-factor authentication is disabled on the mailbox.
- The IMAP protocol is enabled (if IMAP is used).
- The POP3 protocol is enabled (if POP3 is used).
- The EWS protocol is not required.
Configure Genesys E-mail Server
To configure E-mail Server:
- Configure new options in the [smtp-client] section.
- Configure new options in the [pop-client] section.
Configuring the [smtp-client] section
Only an smtp-client with the EWS type can support OAuth 2.0.
In addition to the following new configuration options, the JavaMail property mail.ews.auth.mechanisms must be set to XOAUTH2. To disable OAuth 2.0, remove the JavaMail property.
- directory-id—Specify the Directory (tenant) ID of the registered Microsoft Azure application for the Office 365 mailbox in the corresponding smtp-client.
- tenant-authority—Specify the authority server of the registered Microsoft Azure application for the Office 365 mailbox in the corresponding smtp-client. For Office 365, the default configuration value is https://login.microsoftonline.com/.
- client-id—Specify the Client ID of the registered Microsoft Azure application for the Office 365 mailbox in the corresponding smtp-client.
- scope—Specify the access token scope. For Office 365, the default configuration value is https://outlook.office.com/.default.
- token-expiry-margin-time—Specify the amount of time an SMTP connection for the EWS type remains connected before its access token expires and the server closes the connection.
Configuring the [pop-client] section
Only a pop-client with the EWS or IMAP type can support OAuth 2.0.
In addition to the following new configuration options, the JavaMail property mail.<type>.auth.mechanisms must be set to XOAUTH2. To disable OAuth 2.0, remove the JavaMail property.
- directory-id: Specify the Directory (tenant) ID of the registered Microsoft Azure application for the Office 365 mailbox in the corresponding pop-client.
- tenant-authority: Specify the authority server of the registered Microsoft Azure application for the Office 365 mailbox in the corresponding pop-client. This option only takes effect when the type is EWS or IMAP and the JavaMail property mail.<type>.auth.mechanisms is XOAUTH2. For Office 365, the default configuration value is https://login.microsoftonline.com/.
- client-id: Specify the Client ID of the registered Microsoft Azure application for the Office 365 mailbox in the corresponding pop-client. This option only takes effect when the type is EWS or IMAP and the JavaMail property mail.<type>.auth.mechanisms is XOAUTH2.
- scope: Specify the access token scope. For Office 365, the default configuration value is https://outlook.office.com/.default. This option only takes effect when the type is EWS or IMAP and the JavaMail property mail.<type>.auth.mechanisms is XOAUTH2.
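To show how the tenant-authority, directory-id, client-id, scope and token-expiry-margin-time options fit together, here is an added Python example (not Genesys code): it builds the v2.0 token endpoint from the authority and tenant, forms the client-credentials request, encodes and decodes the SASL XOAUTH2 initial response that IMAP AUTHENTICATE / SMTP AUTH carry, and applies the expiry margin. The client secret and the helper names are assumptions; the page does not say how the application authenticates to Azure.

```python
import base64

# Constructed sample values; the real IDs come from the Azure app registration.
TENANT_AUTHORITY = "https://login.microsoftonline.com/"   # tenant-authority default
SCOPE = "https://outlook.office.com/.default"             # scope default

def token_endpoint(tenant_authority: str, directory_id: str) -> str:
    """Microsoft identity platform v2.0 token endpoint for the tenant:
    <tenant-authority>/<directory-id>/oauth2/v2.0/token."""
    base = tenant_authority if tenant_authority.endswith("/") else tenant_authority + "/"
    return f"{base}{directory_id}/oauth2/v2.0/token"

def client_credentials_body(client_id: str, client_secret: str, scope: str) -> dict:
    """Form fields of the client-credentials grant POSTed to the token endpoint.
    client_secret is an assumption (not described on the page)."""
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scope}

def xoauth2_initial_response(user: str, access_token: str) -> str:
    """SASL XOAUTH2 initial client response used by JavaMail when
    mail.<type>.auth.mechanisms=XOAUTH2:
    base64("user=" + user + ^A + "auth=Bearer " + token + ^A + ^A)."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

def parse_xoauth2_initial_response(encoded: str) -> tuple[str, str]:
    """Inverse of xoauth2_initial_response; useful when inspecting a capture
    or a test server's AUTH exchange. Raises ValueError on a malformed blob."""
    raw = base64.b64decode(encoded).decode("utf-8")
    if not raw.endswith("\x01\x01"):
        raise ValueError("missing trailing ^A^A")
    fields = dict(part.split("=", 1) for part in raw[:-2].split("\x01"))
    if not fields.get("auth", "").startswith("Bearer "):
        raise ValueError("auth field is not a Bearer token")
    return fields["user"], fields["auth"][len("Bearer "):]

def must_close_connection(token_expires_at: float, margin_seconds: int, now: float) -> bool:
    """token-expiry-margin-time semantics: once fewer than margin_seconds remain
    before the access token expires, the connection is closed rather than
    left to fail mid-session with an expired token."""
    return token_expires_at - now <= margin_seconds
```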
