Effective October 1, 2022, Microsoft began disabling Basic authentication for Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online. This means that for TeleMessage import sources using Exchange will no longer work with simple username and password authentication, instead OAuth 2.0 authentication must be used.
Register application in Azure
...
Step 8 - The two other values we need from the application is the application (client) id and the directory (tenant) id. Both can be copied from Overview:
Configure TeleMessage import source
On the Import source configuration page, select OAuth 2.0 for Authentication Mode, and set Application (Client) ID, Application (Client) Secret, Directory (Tenant) ID to their respective values from the registered Azure application above.
...
To use the New-ServicePrincipal cmdlet, install the ExchangeOnlineManagement and connect to your tenant as shown in the following snippet.
Install-Module -Name ExchangeOnlineManagement -allowprerelease
Import-module ExchangeOnlineManagement
Connect-ExchangeOnline -Organization <tenantId> |
---|
If you still get an error running the New-ServicePrincipal Cmdlet after you perform these steps, it is likely due to the fact that the user doesn't have enough permissions in Exchange online to perform the operation.
The following is an example of registering an Azure AD application's service principal in Exchange:
|
---|
The OBJECT_ID is the Object ID from the Overview page of the Enterprise Application node (Azure Portal) for the application registration. It is not the Object ID from the Overview of the App Registrations node. Using the incorrect Object ID will cause an authentication failure.
...
You can get your registered service principal's identifier using the Get-ServicePrincipal
cmdlet.
|
---|
The tenant admin can now add the specific mailboxes in the tenant that will be allowed to be access by your application. This is done with the Add-MailboxPermission
cmdlet.
The following is an example of how to give your application's service principal access to one mailbox:
|
---|
VFC can now access the allowed mailboxes via the POP or IMAP protocols using the OAuth 2.0 client credentials grant flow. For more information, see the instructions in Permissions and consent in the Microsoft identity platform.
Troubleshooting
If the import fails, do the following checks:
- Check if the client secret hasn't expired in Azure. Create a new one if needed and update on the import source configuration page.
- The default scope for the OAuth2 token is 'https://outlook.office365.com/.default'. If this needs to be changed for some reason, the correct scope can be set/edited in the registry with the following entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Verba\Archive Import\IMAP\Oauth2TokenScope