TeamConnect 8.0 Microsoft Exchange oAuth 2.0 Configuration

Prerequisites

Before using the Mailbox (email) as an Outgoing/Incoming Mail Server, please ensure the following:

Disable Multi-Factor Authentication (MFA) in both:
- M365 Admin Center / Exchange Center
- Security tab on https://account.microsoft.com
Remove Microsoft Push/Microsoft Authenticator from the Mailbox. (This is only required for Resource Owner Password Credential Flow.)

Configuring TeamConnect with M365 Exchange Services

Steps to Follow	Screenshot for Reference
1. Go to https://portal.azure.com/ and sign in with your admin account. In the left hand menu, select Azure Active Directory. Under Manage, select App registrations. (or) You can also select App registrations under Azure services.
2. Click on the + New registration button at the top of the page.
3. Fill in the following fields: Name: Enter a name for your application. Supported account types: Choose the account type as Accounts in this organizational directory only (single tenant). Click on Register once the fields are filled.
4. Go to the API permissions tab in your app registration.Click on + Add a permission. Choose Microsoft APIs and select Microsoft Graph. Then, choose the appropriate permissions: Delegated Permissions → IMAP.Access.AsUser.All Application Permissions → Mail.Read Click + Add a permission again, then choose: APIs my organization uses → Office 365 Exchange Online → Application Permissions → IMAP.AccessAsApp. APIs my organization uses → Office 365 Exchange Online → Application Permissions → SMTP.SendAsApp. Once all permissions are added, click Grant admin consent to grant the required permissions for your app.
5. Configure Outgoing Email Server Settings Log in to your TeamConnect instance as an Admin. Go to Admin → Admin Settings → Email → Outgoing Email Server Settings. In the left column: Outgoing Mail Server: Enter "smtp.office365.com" in the "Outgoing Mail Server" field. Reply-To Address: Enter a reply address, such as "noreply@company.com" (for example, noreply@mitratech.com). Security/Encryption: Default value is None. If you select Use SSL, the Port field is automatically set to 465. If you select Use TLS, the Port field is automatically set to 587. Port: The default SMTP port is 25. The value updates based on the selected security option. Outgoing Server Requires Authentication: Select this check box to enable authentication for sending email. Username: Input your M365 mailbox email in the "Username" field. Password: If you're using the Microsoft Exchange, the "Password" field is not required and can be left blank. In the right column: Enable OAuth: From the dropdown, select one of the following options: No – No authentication required. Microsoft Exchange – Use this to configure it with Microsoft authentication. If you selected Microsoft Exchange, enter the following credentials: Application Client ID: Enter the Client ID exactly as shown in Step 7. Application Client Secret: Enter the Client Secret exactly as shown in Step 8. Authority URL: Enter the Exchange Authority exactly as shown in Step 9. Select Test Connection to verify the authentication details. If successful, a Success message appears next to the Test Connection button. The authentication token is securely stored for future email retrieval. If unsuccessful, a Failure message appears. Verify your credentials and try again. Note: The Test Connection button can be used without clicking Update on this page. Clicking Update will overwrite previous values with the new ones, so please be mindful.
6. Configure Incoming Email Server Settings Log in to your TeamConnect instance as an Admin. Go to Admin → Admin Settings → Email → Incoming Email Server Settings. In the left column: Use SSL: Check the "Use SSL" box to enable a secure connection. Incoming Mail Server: Enter "outlook.office365.com" in the "Incoming Mail Server" field. Username: Input your M365 mailbox email in the "Username" field. Password: If you're using the Microsoft Exchange, the "Password" field is not required and can be left blank. In the right column: Enable OAuth: From the dropdown, select one of the following options: No – No authentication required. Microsoft Exchange – Use this to configure it with Microsoft authentication. If you selected Microsoft Exchange, enter the following credentials: Application Client ID: Enter the Client ID exactly as shown in Step 7. Application Client Secret: Enter the Client Secret exactly as shown in Step 8. Authority URL: Enter the Exchange Authority exactly as shown in Step 9. Select Test Connection to verify the authentication details. If successful, a Success message appears next to the Test Connection button. The authentication token is securely stored for future email retrieval. If unsuccessful, a Failure message appears. Verify your credentials and try again. Note: The Test Connection button can be used without clicking Update on this page. Clicking Update will overwrite previous values with the new ones, so please be mindful. Important: Action Required for Upgrading Users with Existing OAuth 2.0 Configurations When upgrading to TeamConnect 8.0, your existing Incoming Email Server Settings (Incoming Mail Server, Username, Password, and Use SSL Checkbox) are retained automatically. However, if you have enabled the “Enable Exchange oAuth” on your previous TeamConnect version you must now select “Microsoft Exchange” from the Enable oAuth dropdown after the upgrade to TeamConnect 8.0. Incoming Mail Server functionality will be impacted if this is not updated post upgrading to TeamConnect 8.0.
7. Get the Application Client ID Value from the Microsoft Azure Portal Application Client ID: Navigate to App Registration → Overview → Essentials, then copy the Application (client) ID and paste it into the "Exchange Application Client ID" field.
8. Get the Application Client Secret Value from the Microsoft Azure Portal Application Client Secret: Navigate to Certificates & secrets, then click on + New client secret. Provide the description and click save. Now copy the Value and paste it into the "Application Client Secret" field. Note: When adding a Client Secret, make sure to copy it immediately and save it. The secret will not be displayed again once the user navigates away from the page and returns to the Client secrets section.
9. Get the Authority URL Value from the Microsoft Azure Portal Authority URL: Go to App Registration → Overview → Endpoints. Copy the OAuth 2.0 token endpoint (v2), and paste it into the "Authority URL" field.
Your TeamConnect is now configured with M365 Exchange Services. Please start an email approval workflow to test the connection.

Creating Service Principals in Azure Directory for M365 Exchange

Important Links:

Connecting to Exchange Online

1. Run the latest version of PowerShell as Administrator on Windows.

2. Install the ExchangeOnlineManagement module by running the following command:

Install-Module -Name ExchangeOnlineManagement -RequiredVersion 3.4.0 (select Y for all questions)

3. Import the ExchangeOnlineManagement module by running the following command:

Import-Module ExchangeOnlineManagement

4. Establish a connection to Exchange Online using the following command (replace the email with your own):

Connect-ExchangeOnline -UserPrincipalName [USEREMAIL]

Creating a Service Principal

1. To create a new service principal, run the following command (replace [APPID] with your application ID and [OBJECTID] with your service principal object ID):

New-ServicePrincipal -AppId [APPID] -ServiceId [OBJECTID]

2. To retrieve the Service Principal ID (SID), use the following command:

Get-ServicePrincipal | fl

3. Add mailbox permissions so that the mailbox can act autonomously. Use the following command, replacing [USEREMAIL] with the user email and [SERVICE PRINCIPAL ID] with the Service Principal ID obtained in the previous step:

Add-MailboxPermission -Identity [USEREMAIL] -User [SERVICE PRINCIPAL ID] -AccessRights FullAccess