This method uses EWS (Exchange Web Services) with Microsoft's OAuth 2.0 client-credentials flow, so the inbound account authenticates with an app registration's client secret instead of a mailbox password. If possible, it is usually better to accomplish this using the OAuth 2 setup described in Configure the Email SMTP Server and Inbound Email Accounts, because that configuration is more secure and allows both inbound and outbound authentication. However, if you can't use that method for some reason, you can use this method to authenticate inbound email.

This authentication method requires an Azure account and an Azure AD tenant. The account must be a tenant administrator, because the admin consent step below requires that role.

Configure Agiloft in Azure AD

Configuring Agiloft as an application in Azure AD requires registering your system with Azure, gathering the identifiers that let Azure recognize the application as an authentication tool, and adding access permissions.

First, you need to register your Agiloft system with Azure. As you follow the steps, you can also refer to Microsoft's setup instructions if any of the options you see differ from those described here.

  1. Sign in to the Azure portal with the appropriate organization account.
  2. If your account has access to multiple tenants, select your account in the upper right corner and set your session to the appropriate AD tenant. For more information about tenants, see Microsoft's tenant documentation.
  3. Search for and select Azure Active Directory (now labeled Microsoft Entra ID in the portal).
  4. Go to Manage > App registrations and select New registration.
  5. Enter a name for the registration. For example, you might name your registration "Agiloft Application for OAuth2."
  6. Select an option for who can use the application. This choice depends on how you use Azure. If you created an Azure account and tenant only for this purpose, select "Accounts in this organizational directory only."
  7. Leave the default Redirect URI settings.
  8. Click Register. The portal automatically directs you to the overview page for the Agiloft application.

With the application registered, you can gather the necessary identifying information to use the application with Azure as an authentication tool.

  1. In the sidebar, click Certificates & secrets.
  2. Click New client secret.
  3. Give the Client Secret a descriptive name, such as "Agiloft EWS Integration."
  4. Choose an expiry. The portal no longer offers a "Never" option; client secrets are capped at 24 months. Record the expiry date and plan to rotate the secret in both Azure and Agiloft before then, because inbound mail polling stops working when the secret expires.
  5. Click Add. The secret now appears in the list.
  6. Copy the secret's Value (not the Secret ID) into a password manager or other secrets store immediately. The portal shows the value only once, right after creation, and it cannot be retrieved later; if you lose it, create a new secret.
  7. In the portal sidebar, click Overview to return to the overview page for the application.
  8. Copy the Application (client) ID value into your note. This is the Client ID you need in Agiloft.
  9. Copy the Directory (tenant) ID value into your note. This is the Tenant ID you need in Agiloft.

Before you leave the portal, add access permission for the application:

  1. Inside your Agiloft app registration, click Manifest on the sidebar.
  2. Locate the requiredResourceAccess property in the manifest and add the following object inside its square [] brackets. The resourceAppId identifies Office 365 Exchange Online, and the id is its full_access_as_app permission; "type": "Role" makes it an application permission, granted to the app itself rather than to a signed-in user. If the array already contains an entry (new registrations get Microsoft Graph User.Read by default), separate the entries with a comma:

    {
        "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
        "resourceAccess": [
            {
                "id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
                "type": "Role"
            }
        ]
    }


  3. Click Save.
  4. Click API permissions in the sidebar.
  5. Confirm the full_access_as_app permission is listed under Office 365 Exchange Online with type Application.
  6. Click Grant admin consent for your tenant, located next to the Add a permission button, and confirm. The Status column should then read Granted for your tenant. Keep in mind that full_access_as_app lets the application read and write every mailbox in the tenant, not only the inbound accounts; if that is broader than you want, an Exchange Online administrator can limit the app to a mail-enabled security group containing just the inbound mailboxes with an application access policy (New-ApplicationAccessPolicy with -AccessRight RestrictAccess) and confirm the result with Test-ApplicationAccessPolicy.
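Before entering the three values into Agiloft, it is worth confirming that the registration, the secret and the admin consent all work together. The script below is an added example and is not part of the Agiloft product or its documentation: it requests a token with the client-credentials grant for the EWS scope, decodes the token's claims (without verifying the signature, which is Exchange's job) and checks that the roles claim contains full_access_as_app, then optionally issues an EWS GetFolder request against one mailbox. The environment variable names and the make_unsigned_jwt helper (used only to build constructed test tokens) are this example's own; the token endpoint, scope, EWS URL and claim names are Microsoft's.

```python
"""Added example: verify an Azure AD app registration for EWS app-only access."""
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request
from xml.sax.saxutils import escape

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
EWS_SCOPE = "https://outlook.office365.com/.default"  # ".default" = all consented app permissions
EWS_URL = "https://outlook.office365.com/EWS/Exchange.asmx"
REQUIRED_ROLE = "full_access_as_app"                     # the Role added to the manifest
EXCHANGE_APP_ID = "00000002-0000-0ff1-ce00-000000000000" # the manifest's resourceAppId


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form-encoded body) for the client-credentials grant."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": EWS_SCOPE,
    })
    return TOKEN_URL.format(tenant=tenant_id), body


def fetch_token(tenant_id, client_id, client_secret):
    """POST the grant and return the raw access token (needs network access)."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    # JWT segments drop the "=" padding; restore it or b64decode raises.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token):
    """Return the claims of a compact JWT. No signature check: we only diagnose the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_jwt(claims):
    """Build a syntactically valid JWT with an empty signature (constructed test data only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def check_claims(claims, tenant_id, client_id):
    """Return a list of problems; an empty list means the token matches the registration."""
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append("tid differs from the Tenant ID you copied")
    # v1-format tokens name the caller in "appid", v2-format tokens in "azp".
    if client_id not in (claims.get("appid"), claims.get("azp")):
        problems.append("appid/azp differs from the Client ID you copied")
    # Exchange Online's audience appears either as its URL or as its app ID.
    if claims.get("aud") not in ("https://outlook.office365.com", EXCHANGE_APP_ID):
        problems.append("aud is not Exchange Online: check the scope")
    if REQUIRED_ROLE not in claims.get("roles", []):
        problems.append(f"roles lacks {REQUIRED_ROLE}: manifest not saved or admin consent not granted")
    return problems


def ews_probe(token, mailbox):
    """GetFolder on the mailbox inbox; return the HTTP status (200 = readable, 401 = token rejected)."""
    envelope = f"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
  xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">
  <soap:Header><t:RequestServerVersion Version="Exchange2013_SP1"/>
    <t:ExchangeImpersonation><t:ConnectingSID>
      <t:PrimarySmtpAddress>{escape(mailbox)}</t:PrimarySmtpAddress>
    </t:ConnectingSID></t:ExchangeImpersonation></soap:Header>
  <soap:Body><m:GetFolder>
    <m:FolderShape><t:BaseShape>IdOnly</t:BaseShape></m:FolderShape>
    <m:FolderIds><t:DistinguishedFolderId Id="inbox"/></m:FolderIds>
  </m:GetFolder></soap:Body></soap:Envelope>"""
    req = urllib.request.Request(EWS_URL, data=envelope.encode(), method="POST", headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "text/xml; charset=utf-8",
        "X-AnchorMailbox": mailbox,  # lets Exchange route the request to the right mailbox server
    })
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Usage: AZ_TENANT_ID=... AZ_CLIENT_ID=... AZ_CLIENT_SECRET=... python check_ews_app.py [mailbox]
    tenant, client, secret = (os.environ[k] for k in ("AZ_TENANT_ID", "AZ_CLIENT_ID", "AZ_CLIENT_SECRET"))
    token = fetch_token(tenant, client, secret)
    issues = check_claims(decode_jwt_payload(token), tenant, client)
    for issue in issues:
        print("PROBLEM:", issue)
    if len(sys.argv) > 1:
        print("EWS GetFolder on", sys.argv[1], "->", ews_probe(token, sys.argv[1]))
    sys.exit(1 if issues else 0)
```

A token that is issued but whose roles claim is empty is the usual symptom of a saved manifest without admin consent; the script reports that case explicitly rather than leaving you to discover it as a 401 from EWS. If you have restricted the app with an Exchange Online application access policy, the EWS probe returns 200 only for mailboxes inside the policy's group, which is a convenient way to confirm the scope before pointing Agiloft at the accounts.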

Configure Inbound Email in Agiloft

With the application registered and configured in Azure, you can use it to authenticate inbound email addresses in Agiloft. You must complete this setup for each inbound account that uses an Office 365 or Microsoft Exchange email address.

Refer to Inbound Email Accounts as you work. This article focuses on the settings that are unique to Azure authentication.

  1. Navigate to Setup > Email and SMS > Configure Inbound Email
  2. Edit an inbound account from the list, or create a new one.
  3. On the Server tab:
    1. Select IMAP.
    2. Enter EWS:outlook.office365.com/ews/Exchange.asmx for the address.
    3. Enable SSL/TLS connection.
    4. Set the custom port option to 443.
  4. On the Account tab:
    1. Enter the full email address.
    2. Leave the password field empty. With this method the mailbox password is never stored in Agiloft; the client secret takes its place.
    3. Enter the Tenant ID, Client ID, and Client Secret you copied from your Azure application page.
  5. If you need to access multiple mailboxes with this configuration, you can do so on the Account tab with the Additional Users field. In the field, enter each additional email address, separating addresses with semicolons. For example: email1@email.com; email2@email.com; email3@email.com

