OAuth2.0 for Microsoft O365 with PSA email parser
Written by Tara Bennet
Updated over a week ago

Introduction

OAuth 2.0 has been introduced in the PSA email parser for Office 365 in response to Microsoft's lifecycle announcement, in which they indicate that they will begin deprecating Basic Authentication. With Basic/Legacy Authentication, the application sends a username and password with every request, and the Exchange service account is granted access to relevant mailboxes using the Application Impersonation role. With Modern Authentication, the permission for full access to all mailboxes is granted to the PSA application as part of the consent flow. Modern Authentication is based on the OAuth 2.0 protocol, which is token-based. This design ensures that your global administrator credentials are never stored in PSA for mail parsing.

With token-based authentication, users enter their username and password to get a token. This token provides access to the resource for a specific time period. The token is auto-renewed as long as the credentials entered in the parser settings are still valid.

Setup in Azure

To connect your parser using OAuth 2.0 in the Pulseway PSA, you will have to set up the PSA App in your Azure Portal. Log in to https://portal.azure.com using your global administrator credentials.

(1) App Registration

Follow the steps below to register the app:

  1. On your Home page, under Azure services, click Azure Active Directory

  2. Under Manage on the left-hand navigation menu, choose App Registrations > New registration

  3. On the Register an Application screen, provide a name

    • Supported account types: Option 2, Accounts in any organizational directory (Any Azure AD directory - Multitenant)

    • As we are not performing any OAuth authentication on the PSA interface, we don't need to fill in the redirect URI

  4. Click Register

  5. Copy the Application (client) ID and Directory (tenant) ID from the screen and save them in a notepad

  6. We will now need to configure Authentication and grant API permissions for this app registration so that it can access the mailboxes


(2) Authentication

  1. Under Manage on the left-hand navigation menu, choose Authentication

  2. Select Yes for "Enable the following mobile and desktop flows"

  3. Save


(3) API Permissions

  1. On the left-hand side under Manage, navigate to API Permissions

  2. Click Add a permission

  3. On the Request API permissions screen, select Microsoft Graph

  4. In Graph API, choose Delegated permissions

  5. The permissions needed here are:

    1. Email

    2. User.Read.All

    3. User.Read

    4. POP.AccessAsUser.All

    5. IMAP.AccessAsUser.All

    6. offline_access

    7. SMTP.Send

  6. Click Grant admin consent for a user; the status for all these permissions will be set to green.



Setup in PSA

Important! OAuth 2.0 does not support MFA-enabled accounts. Microsoft Graph API does not support this.

  1. Set up the email parser for Office 365 under Admin > Service Desk > Email Parser.

    • Incoming Mail Server: outlook.office365.com

    • Server Port Number: 993

    • EncryptionType: SSL

    • Username: [your mail address]

    • Password: [your mailbox password]

  2. Under IMAP settings, select Yes for Enable OAuth 2.0 Authentication

  3. Enter the Application ID and Directory ID you saved during App registration earlier.

  4. Save and test your connection.

Upon successful connection, Basic authentication can be turned off. With Basic Authentication, the parser uses a username and password every time it tries to download an email. With Modern Authentication, the parser presents a token for the session instead of a username and password. Using the stored credentials together with the Application ID and Directory ID, the parser generates a token from O365, and all further parser activity is carried out with that token. The system auto-generates a new token when the current one expires.
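
The token-for-password substitution described above is visible in the IMAP login string itself. The following is an added example, not Pulseway's code: it builds the SASL XOAUTH2 response that an IMAP client sends in place of a password, and checks a token's expiry and scopes before use. The sample tokens are constructed and unsigned; the helper names, the mailbox address, and the assumption that the access token is a JWT carrying `scp` and `exp` claims are illustrative.

```python
import base64
import json
import time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(scopes: str, exp: int) -> str:
    """Constructed, unsigned JWT-shaped token for offline demonstration only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"scp": scopes, "exp": exp}).encode())
    return f"{header}.{payload}.sig"

def token_claims(token: str) -> dict:
    """Decode the payload for inspection; this does not verify the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(token: str, needed_scope: str, now: int) -> list:
    """Return the reasons this token would be rejected for an IMAP login."""
    claims = token_claims(token)
    problems = []
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    if needed_scope not in claims.get("scp", "").split():
        problems.append(f"missing scope {needed_scope}")
    return problems

def xoauth2_response(user: str, token: str) -> str:
    """SASL XOAUTH2 initial response: mailbox name plus bearer token, no password."""
    raw = f"user={user}\x01auth=Bearer {token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

if __name__ == "__main__":
    now = int(time.time())
    good = make_sample_token("IMAP.AccessAsUser.All SMTP.Send", now + 3600)
    stale = make_sample_token("SMTP.Send", now - 60)  # expired, wrong scope
    print("good :", check_token(good, "IMAP.AccessAsUser.All", now))
    print("stale:", check_token(stale, "IMAP.AccessAsUser.All", now))
    # The mailbox address below is a placeholder, not a real account.
    line = xoauth2_response("parser@example.com", good)
    print("AUTHENTICATE XOAUTH2", line[:40] + "...")
```

Anyone who holds an unexpired token can authenticate as the mailbox until `exp`, so token caches and logs that capture the `AUTHENTICATE` line need the same protection as the stored password.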
