Configuring Email Clients for Outlook 365 Accounts using OAuth 2.0

OAuth2 support has been added for email services such as Outlook 365 that have deprecated basic authentication for IMAP and now require OAuth.

Support for this was added in the AIQ 4.8.8 and 4.9.0 releases.

Setting up Azure

  1. Go to Azure (https://portal.azure.com/) and sign in with your credentials.

  2. Expand the left side menu and select Azure Active Directory.

  3. In the left side menu, select App registrations.

  4. Click New Registration.

  5. Enter a name to identify your application.

  6. In Supported account types, select Accounts in this organizational directory only (Single tenant).

  7. Click Register.

  8. In the left side menu, click API Permissions.

  9. Delete any existing permissions.

  10. Click Add a permission.

  11. Select the APIs my organization uses tab.

  12. Search for "Office 365 Exchange Online". In the Select permissions search box, type "IMAP" and select the results.

  13. Click Update permissions.

  14. This permission needs to be authorized by an administrator of your organization. If you are the administrator, click Grant admin consent for {Organization}. If you are not an administrator, contact an administrator to authorize this permission.

  15. Save the values shown on the Overview page (the application name, Application (client) ID, Object ID and Directory (tenant) ID). You will need them in the command line configuration steps.

Command Line Configurations

  1. Run Windows PowerShell as an Administrator.

  2. Run the command: Install-Module AzureAD
    If it requests a confirmation, press Y and then Enter.

  3. Run the command: Install-Module ExchangeOnlineManagement
    If it requests a confirmation, press Y and then Enter.

  4. Run the command: Set-ExecutionPolicy Unrestricted
    If it requests a confirmation, press Y and then Enter.

  5. Run the command: Connect-ExchangeOnline -Credential $Credential
    (PowerShell parameters take a single dash; $Credential must be set first, for example with $Credential = Get-Credential.)

  6. Run the command: $app = Get-AzureADServicePrincipal -SearchString "{Application Name}"
    Use the application name from Step 15 of the Setting up Azure section. This and the other AzureAD cmdlets below require an Azure AD session, opened with Connect-AzureAD.

  7. Run the command: New-ServicePrincipal -AppId $app.AppId -ServiceId $app.ObjectId -DisplayName "{Application Name} Service Principal"

  8. Run the command: Add-MailboxPermission -Identity "<USER ID>" -User $app.ObjectId -AccessRights FullAccess
    This grants the application full access to that one mailbox, so run it only for the mailbox the script will read. Get-MailboxPermission -Identity "<USER ID>" shows the resulting entry.

  9. Run the command: $startDate = Get-Date

  10. Run the command: $endDate = $startDate.AddYears(99)

  11. Run the command: New-AzureADApplicationPasswordCredential -ObjectId {Object ID of Application} -CustomKeyIdentifier "Application Secret" -StartDate $startDate -EndDate $endDate
    Use the Object ID from Step 15 of the Setting up Azure section. The Value field of the returned credential is the secret key used by the test script; it is only shown once, so record it now.

Example Test Script

You can use the following example as a test Service Suite script. You must perform the above configuration steps first, so you can collect the required parameters: the secret key (Step 11), the Application (client) ID and the Directory (tenant) ID (Step 15).

// Mailbox address, client secret, application (client) ID and tenant ID from the steps above
var mailClient = createOAuthMailClient( "mail@outlook.com", "secretKey", "applicationID", "tenantid");
// Obtain an OAuth2 token and authenticate to the mailbox over IMAP
mailClient.loginOAuth();
// Retrieve the messages and log them
var Mails = mailClient.getOAuthEmails();
log(" " + Mails.toString());
// Close the IMAP session
mailClient.logoutOAuth();
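
The script above hides the protocol exchange inside loginOAuth(). The following Python is an added example, not part of the Service Suite product or of this page, showing what that login consists of: an OAuth2 client-credentials token request to the Microsoft identity platform, then an IMAP login with the SASL XOAUTH2 mechanism. It assumes the permission selected in step 12 was the application permission IMAP.AccessAsApp, that the mailbox is the one granted FullAccess in step 8, and that the tenant ID, client ID and secret are the placeholder values you substitute.

```python
# Added example: the token request and IMAP XOAUTH2 login that loginOAuth()
# performs. The endpoint, scope and host are Microsoft's published values;
# the IMAP.AccessAsApp application permission is assumed to have been granted.
import imaplib
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
IMAP_SCOPE = "https://outlook.office365.com/.default"  # Exchange Online, app-only
IMAP_HOST = "outlook.office365.com"


def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """Return (url, form body) for an OAuth2 client-credentials token request.
    No user signs in: the app authenticates with its own secret, which is why
    step 8 grants the mailbox permission to the app's service principal."""
    url = TOKEN_URL.format(tenant=tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": IMAP_SCOPE,
    })
    return url, body


def build_xoauth2(mailbox: str, access_token: str) -> bytes:
    """SASL XOAUTH2 initial response: user=<mailbox>^Aauth=Bearer <token>^A^A.
    imaplib base64-encodes whatever the authobject returns, so this stays raw."""
    return f"user={mailbox}\x01auth=Bearer {access_token}\x01\x01".encode()


def fetch_access_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def list_inbox_uids(mailbox: str, tenant_id: str, client_id: str, client_secret: str):
    """Authenticate to the mailbox with the bearer token and return INBOX UIDs."""
    token = fetch_access_token(tenant_id, client_id, client_secret)
    with imaplib.IMAP4_SSL(IMAP_HOST) as imap:
        imap.authenticate("XOAUTH2", lambda _challenge: build_xoauth2(mailbox, token))
        imap.select("INBOX", readonly=True)  # read-only: the test only lists mail
        status, data = imap.uid("SEARCH", None, "ALL")
        return data[0].split() if status == "OK" else []
```

A failed token request (wrong secret, or admin consent not granted in step 14) surfaces as an HTTP error from fetch_access_token before any IMAP connection is made, which separates credential problems from mailbox permission problems in step 8.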


See List of Services Workbench Calls for more details.