Product Information
Cloud Integration – Connect to Microsoft 365 Mail with OAuth2
Microsoft 365 supports connecting to Outlook 365 via OAuth2 with Authorization Code grant type. This blog provides a step by step description on how you can connect from SAP Cloud Integration to a mail account in Outlook 365 via OAuth2 with Authorization Code grant type, using either the protocol SMTP for sending e-mails or the protocol IMAP for reading e-mails.
If you want to send mails using Microsoft Graph REST API, then follow the blog “Cloud Integration – Send Mail via Microsoft Graph API with OAuth 2.0 Authorization Code“.
Prerequisites
When connecting to Microsoft Outlook 365 with OAuth2, you need to have an organizational directory/tenant in Microsoft Azure Active Directory and a user in this directory which has a subscription to Outlook 365. The following screen shot shows an example of such a user in the Azure Active Directory with name “testusermail” which has the license “Exchange Online (Plan1)”.
You can check whether the user has a subscription to Outlook 365 by logging-in with the user to https://outlook.office365.com/mail/.
For the configuration tasks in the Azure Active Directory, you also need a user with the “Application administrator” and the “Application developer” role.
Furthermore, you need a SAP Cloud Integration tenant on which you have a user with the “Integration Developer” role. If you only have a user with the “Administrator” role, you can do all the configurations mentioned below in SAP CPI, except for the last two configurations in the integration flow.
If you want to read emails then IMAP and if you want to send emails then SMTP must be enabled for the used Outlook 365 mailbox:
- From the Microsoft 365 Admin Center, navigate to Users > Active users > select a user > Mail tab > Email apps > Select Manage email apps link
- Select IMAP (if you want to read emails) and Authenticated SMTP (if you want ro send emails)
- Click the Save changes button at the bottom
You have to use the sender mail adapter version 1.8 or higher and the receiver mail adapter version 1.9 or higher. If you use older adapter versions in your integration flows, you have to delete these adapters and recreate them.
Setup
To set up the OAuth2 connection for reading and sending e-mails with SAP Cloud Integration, do the following steps:
- Determine Redirect URI
- Create OAuth Client/App in Microsoft Azure Active Directory
- Create OAuth2 Authorization Code Credential in your SAP Cloud Integration tenant
- Configure Mail Sender Adapter in your integration flow
- Configure Mail Receiver Adapter in your integration flow
Determine Redirect URI
When you log into the SAP Cloud Integration or Integration Suite WEB-UI, you see your host name in the browser address field:
https://<host name>/itspaces (for Cloud Integration)
https://<host name>/shell/home (for Integration Suite)
Use the <host name> to construct the following redirect URI:
https://<host name>/itspaces/odata/api/v1/OAuthTokenFromCode |
You need this redirect URI in the next step.
Create OAuth Client/App in Microsoft Azure Active Directory
- Log into your Azure tenant by using https://portal.azure.com/
- Select “App registrations” under “Azure services”.
- Click on “New registration”, provide a name for your app, choose in the drop down “Seledct a platform” the value “Web“, and enter the redirect URI you determined at the beginning. Do not change the default setting for the “account types” (“Accounts in this organizational directory only”). After that, select “Register”.
Remark: If you do not see the option “Account in this organizational directory only …” for “Supported account types” then you do not have an organizational directory/tenant in Microsoft Azure. You have to first purchase such an organizational directory from Microsoft, before you can continue.
Save the Application (client) ID anywhere on your local desktop. You will need this ID later to configure the OAuth2 Credential in CPI.
4. Choose “Certificates & secrets” in the menu on the left.
5. Select “New client secret”, choose your preferred expiry period. Optionally, you can also add a description. When you’re done, select “Add”.
Remark: Before the secret expires you have to create a new secret and transfer the new secret to the SAP CPI OAuth2 Authorization Code credential (see below).
6. Use the “Copy to clipboard” button to remember the created secret (you will need this later to configure the OAuth2 credential in CPI).
7. Go back to the “Overview” view of the app and select the “Endpoints” tab.
Copy the “OAuth 2.0 authorization endpoint (v2)” and the “OAuth 2.0 token endpoint (v2)” to your local desktop. You need these values later for the creation of the OAuth2 credential in Cloud Integration.
Remark: Do not add any further API permissions, otherwize the connection will not work.Create an OAuth2 Authorization Code Credential in SAP CPI Tenant
- Log into your Cloud Integration tenant via the URL https://<host name>/itspaces. Change to the “Operations View” (press the eye icon), and select the “Security Materials” tile. Select the “Create” button and choose “OAuth2 Authorization Code”.
- Enter a name for the Credential and the “Authorization URL”, “Token Service URL”, “Client ID”, and “Client Secret” from your Microsoft App.
Enter also a “User Name”. This is the e-mail address of the user whose mail resources you want to access in an integration flow. This user must exist in the same Microsoft Azure directory/tenant as the App created and must have an Outlook 365 account.
Enter the necessary scope (see https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#get-an-access-token):
– “https://outlook.office.com/IMAP.AccessAsUser.All” for accessing e-mails
– “https://outlook.office.com/SMTP.Send” for sending e-mails
Additionally, you need the scope “offline_access” for creating refresh tokens (if this scope is not added, SAP Cloud Integration will add this scope automatically). The scopes must be separated by a space.
The default value for the Refresh Token Expiry is set to 90 days for “Microsoft 365” (see: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes). However, if the expiry time was changed for your Microsoft tenant, then you have to adjust this value.
After clicking on the “Deploy” button, you see the newly created “OAuth2 Authorization Code” credential in the list of Security Materials in status “Unauthorized“.
- Select the three dots in the entry with the created credential and choose the “Authorize” option.
A confirmation pop-up will come up. Select “Continue”:
A Microsoft login screen appears. Enter the password of the user you specified in the OAuth2 credential:
After you’ve selected “Sign in”, a further pop-up comes up, indicating the requested permissions required by the app:
Now, with status “Deployed”, the credential can be used by the mail adapters.
Configure the Mail Sender Adapter in an Integration Flow
We assume that you are familiar with the Integration Flow modeling in SAP Cloud Integration, and provide here only configuration details for the OAuth2 configuration in the mail adapter.
Be aware that the adapter version must be at least 1.8 (you see the version if you press the i button, see screen shot below). If your adapter has a lower version, then you have to delete the adapter and recreate the adapter (this will automatically use the newest version).
If you want to receive mails, you configure the Mail Sender Adapter with the created OAuth2 Credential. In the creation dialog for the Mail sender adapter, you have to chose the transport protocol “IMAP4” (we do not support OAuth2 for POP3). Enter the Address value “outlook.office365.com:993“. In the “Connection” tab, choose “OAuth2 Authorization Code” as “Authentication”. Protection must be defined as “IMAPS” for Microsoft 365.
Configure the Mail Receiver Adapter in an Integration Flow
Be aware that the receiver adapter version must be at least 1.9 (you see the version if you press the i button, see screen shot below). If your adapter has a lower version, then you have to delete the adapter and recreate the adapter (this will automatically use the newest version).
If you want to send mails, you need to configure the Mail Receiver adapter. Enter the Address value “smtp.office365.com:587“. Enter “OAuth2 Authorization Code” for “Authentication” in the “Connection”. Protection must be defined as “STARTTLS Mandatory” for Microsoft 365.
Using Shared Mailbox
Microsoft 365 supports shared mailboxes so that several people can access and write to the same mailbox. Only users who are members of the mailbox, can read mails from the shared mailbox or send mails from the shared mailbox. The shared mailbox itself does only have an e-mail address, but does not have a password. Members of the shared mailbox must have a licence for Outlook 365 (the cheapest license is “Exchange Online (Plan1)”).
Reading from a Shared Mailbox
You can read e-mails from a shared mailbox with an OAuth2 Authorization Code credential, if you have the email address of the shared mailbox and a user/password of a member of the shared mailbox. You need the user/password of the member for “authorizing” the Oauth2 Authorization Code credential. Follow the below instructions when creating and “authorizing” the OAuth2 Authorization Code credential.
The shared mail box and the member of the shared mailbox must be members of the same Azure Directory as shown in the following screen shot of the Azure Portal user view:
During creating the OAuth2 Authorization Code credential you enter in the field “User Name” the email address of the shared mailbox, in the following screenshot the field is marked with a red circle. And we also recommend to add in the description the user name of the member of the shared mailbox which you will use for the “Authorize” action (marked with a blue circle).
When you “authorize” the credential (step 3 of above chapter “Create an OAuth2 Authorization Code Credential in SAP CPI Tenant”) then you choose the option “Sign in with another account” in the login dialog.
Now you can sign in with the member of the shared mailbox.
If you use this OAuth2 Authorization Code credential in the configuration of a mail sender adapter as described in the chapter “Configure the Mail Sender Adapter in an Integration Flow”, then this adapter will read emails from the shared mailbox using the member user you used for the login.
Sending Mails from a Shared Mailbox
If you want to send mails which have in the “from” field the address of the shared mailbox, then you need a user which is member of the shared mailbox. During the configuration of the OAuth2 Authorization Code credential you use the e-mail address of the member in the field “User Name”. Be also aware that the mailbox of the member must have SMTP enabled.
In the configuration of the receiver adapter you use the email of the sharad mailbox in the “from” field:
Limits and Scope
- SAP Cloud Integration does not support the authentication with OAuth2 for the POP protocol. If you are currently using the POP protocol in the mail sender adapter, you can switch to the IMAP protocol in order to use the OAuth2 authentication.
- The maximum number of OAuth2 Authorization Code credentials in a Cloud Integration tenant is limited to 500.
- Microsoft does not support OAuth2 for personal e-mail accounts ending in “outlook.com“.
Dear Franz,
Thanks for taking time to write a nice blog.I think there is some issue with the images with your blog.Appreciate if you could check it.
Regards,
Sriprasad Shivaram Bhat
Hi Sriprasad Shivaram Bhat,
thanks for this feedback. I updated the blog. The images are now available.
Regards Franz
Dear Franz,
I’m getting authentication failed error after deploying iflow at both sender and receiver side. Even though oauth 2.0 authorization code security artifact has got deployed successfully. Is it that organization has to explicitly provide access to be able to access and send emails
Hi Ravi,
please check whether the user has an Outlook 365 account by logging-in with this user into https://outlook.live.com/.
Secondly, please be aware of the restriction that personal accounts (ending with "outlook.com") cannot be used for OAuth2.
Thirdly, please check whether the user was created in the organization where you have created the app/oauth client and whether the user has a subscription to Outlook 365 in this organization as stated in the prerequisites.
Hi Franz,
I'm using my organization email Id and not personal accounts ending with outlook.com.
Yes I can very well login into https://outlook.live.com
Created app/ oauth client in Microsoft Azure. I don't any issues here. I have also been able to deploy authorization code artifact successfully but my iflow is not pulling or sending mails.
Does the organization have been explicitly grant authorization for this?
Dear Franz,
first of all thanks for the great blog post.
I have now tried to reproduce the scenario several times in different CPI environments. Unfortunately, when authorizing the security material entry, I receive the following message on the CPI side after successful authentication and authorization in Azure AD:
Do you have any ideas what the problem might be or how I can determine the cause?
Simon
Hello Simon,
please clear the cache of your Browser and then try again.
Regards Franz
Hello Franz,
I just did. Same result.
Simon
Hi Simon,
can you please try with another Browser. For example if you are currently using Firefox then use Chrome, or vice versa. Or change from Internet Explorer to Firefox or Chrome or vice versa.
Hi Franz,
I have tested it in Chrome, Edge and Internet Explorer. Always with the same result.
Simon
Hi Simon,
which kind of Role Collections are assigned to your user? I guess that your user has several Role Collections assigned. Can you try with a user who only has the Role Collection PI_Administrator assigned.
The background is that we found that the problem "Bad Request" occurs, if the HTTP header size of the request is too large. The header size is also influenced by the number of Role Collections you have assigned to your user. Therefore if you reduce the Role Collections the problem can be avoided.
We will correct this error soon. But I hope you can go-on with this workaround.
Regards Franz
Hi Franz,
that made it work! Thanks a lot!
Simon
Hi Franz Forsthofer,
Very Informative Blog, Our oauth 2.0 authorization code security artifact has got deployed successfully. But while deploying our I-flow with mail sender channel we are getting the below error related to certificate:
Hi Bhandari,
from the next release onwards you have the possibility to select the Authentication "OAuth2 Authentication Code" in the IMAP Connectivity Test where you can enter the OAuth2 Authorization Code Credential name. I have executed this option for you as shown in the following screen shot:
You can see the server certificate chain. The chain consists of the server certificate and the intermediate certificate with dn=CN=GlobalSign Organization Validation CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE. The intermediate certificate is signed by the root CA "CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE". Because the root CA is not part of the certificate chain you cannot download the root CA with the download button shown in the above screen shot, you have to look up the root CA in the internet or if the root CA is part of the trusted CAs in your browser, you can download it from there. I give you here the internet location:
https://support.globalsign.com/ca-certificates/root-certificates/globalsign-root-certificates
On this site the relevant root CA is called "GlobalSign Root R1"
This root CA you have to import into the keystore of the CPI tenant.
Hi Franz Forsthofer
As we don't have OAuth2 Authentication Code option in IMAP Connectivity Test, How can I download the server and intermediate certificate?
Thanks,
Poushali Bhandari
Hi Poushali,
for what do you need the intermediate and server certificate? We recommend to upload the root certificate into the CPI tenant keystore. The server certificate can be changed.
Regards Franz
Hi Franz Forsthofer ,
Thanks for the blog. Followed the same steps as per the above. OAuth2 Authentication code was successfully deployed. When deploying the iFlow, getting an error " F3 BAD User is authenticated but not connected". We are trying to connect to a shared mailbox.
Could you please assist?
Thanks
Raja
Hi Raja,
please check the user you registed in the Oauth2 Aurhoirzation Code credential. You must have an account in the azure directory tenant which has an e-mail of the form UserName@DomainName where the DomainName is the domain name of the Azure directory where you registered the app. And you have to register this UserName@DomainName in the OAuth2 Authorization Code credential of CPI with the correct password.
Regards Franz
Hi Franz,
Thanks for the update. MFA has been enabled for this email ID and the issue got solved once we have removed the MFA.
Regards
Raja
I had the same problem today. It is indeed very important that you use UserName@DomainName. we had something different than Username here and than it did not work.
Kr
Rob
Hello Franz Forsthofer thank you for a thorough and well written article.
All the necessary steps required from Exchange/Office 365/Azure AD have been performed as per Authenticate an IMAP, POP or SMTP connection using OAuth | Microsoft Docs
Why would a password prompt still appear when connecting to a shared mailbox if the application has already been granted access to Shared mailbox?
Hi Anindya Kumar Banerjee,
I added a new chapter "Using Shared Mailbox". Please have a look.
Further I want to add, calling the Authorization URL requires a login to Microsoft Azure even if the access rights to the mailbox had been granted.
Further, we even enforce the login with the correct user due to the single sign-on functionality of the browser. Suppose you have two users A and B which both have a mail account in Microsoft 365. And suppose the browser which the Cloud Integration developer is using has a user session for user A, because the Cloud Integration developer has logged in with this user before to Microsoft 365. Now the Cloud Integration developer wants to create an OAuth2 Authorization Code credential for user B. If the Authorization URL is called and we would not enforce the login with user B via the login popup, then the single sing-on functionality of the browser will login the user A .
I hope this clarifies you question.
Regards Franz
I can't send email using SMTP, but i can read mailbox using IMAP. The connectivity test shows Invalid Certificate, but I added all certificates in SCPI Key Store, including oauth urls . Any idea? See my error and configurations
I Verified that "DigiCert Cloud Services CA_1" is intermediate certificate, but there are 2 differents end date from different outlook URLs (2 differents intermediate certificate with the same name) . I'm don't know if it can be the error reason. I tried to add one each once, but didn't solve the problem.
Hello Lenardo,
first a remark to the necessary certificates which you have to add the the SCI keystore:
do not add the server certificate and the intermediate certificate (remove them from the keystore if you have already added those). Only add the root certificate with subject DN CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US.
The same holds also for the IMAP connection: Only the root CA which is self signed must be added.
Further, in your third screenshot you have set the option "Protection" to "Off", and you got the response message "Server Certificate Invalid". This message is sent because the "Protection" "Off" is not supported by smtp.office365.com. I get the same message on my test SCI account, although on my test SCI account the setting "STARTTLS Mandatory" works successful.
Further, for the imap protocol you should only use the imap server outlook.office365.com:993, see above.
Regards Franz
Franz, thanks for your answer! I tried to clean certificates, but I'm still geting error.
Do you believe there could be a configuration problem at Azure? Do you have any suggestions on how to get more details of the error? My Iflow trace:
Test1:
Test2:
Test3:
Test4:
An SAP DigiCert certificate already existed in the environment. In the last test (4) I left only the SAP certificate. About IMAP, i'm using outlook.office365.com:993, as you said. It's OK! thanks Leonardo LemosHi Leonardo,
I checked the internet with search terms like "PRX4" and "451 4.7.0 Temporary server error", all the post indicate that it is a problem on the mail-server side or the network. Maybe you contact Microsoft support for this.
Regards Franz
Franz, Problem solved! Indeed, there is a block for sending by SMTP (SmtpClientAuthenticationDisabled). We removed the block to test it, and it worked. But, I will try to switch to the graph API, because the infrastructure wants to keep this blocking rule.
thank you so much!
Hi,
configured everything as stated in the blog. But we always receive this error:
javax.mail.AuthenticationFailedException: 535 5.7.3 Authentication unsuccessful [AM4PR0701CA0014.eurprd07.prod.outlook.com]
Any Ideas?
Hello Franz,
1st of all great Blog.thanks for writing this.
I tried to do the same but after creating Oauth token in CPI security artifacts, I am not able to authorize it.
Could you please guide if I am missing anything or I need to get in touch with my Company's office 365 account management team to enable some integration?
Attached screenshots-
As soon as I click on authenticate, I get this error:
Thanks in advance.
Regards,
Pooja Tiwari
Hi Tiwari,
looks for that the Oauth Client (=Application) with client id starting with 'fee48...' is not contained in the directory '964ce526-9c...' Yes, you should contact the administrator which created the OAuth Cient (Application) of the Azure directory.
Regards Franz
Thank you Franz for your input .
I will check with my admin team and share it will you the solution.
Thanks again.
Regard,
Pooja
Hello,
Is there a OAuth 2.0 solution for on premise SAP systems to send e-mails via Office 365?
We are on ECC 6 EHP8 and already use Azure for AD and want to implement direct O365 e-mail delivery. The client submission option utilizes the SMTP AUTH protocol that is being retired.
Thanks,
Tivi
Hi Tivi,
I know that SAP Process Integration is an on premise solution which offers OAuth2 for Office 365. See the note https://launchpad.support.sap.com/#/notes/2928726.
And have a look at the documentation of SAP Process Integration for the sender and receiver mail adapter:
https://help.sap.com/viewer/5cf7d2de571a45cc81f91261668b7361/7.5.22/en-US/483276dba3af58d8e10000000a421937.html
and
https://help.sap.com/viewer/5cf7d2de571a45cc81f91261668b7361/7.5.22/en-US/6b4493404f673028e10000000a1550b0.html
Regards Franz
Danke Franz,
The article describes the exact challenge that I had in mind but unfortunately we don't use PI at the moment so these options are not available for me.
Do you know if SAP planning to provide support for modern authentication to Netweaver?
We currently use an SMTP relay server but our infrastructure team wants to discontinue that. One shortcoming of the relay server is that it is less secure plus sent e-mails are not stored on O365.
With MS discontinuing the basic authentication, we are running out of options.
Regards,
Tivi
Hi Franz Forsthofer
We followed this blog and when we are trying to authorize the OAuth2 authorization code, we are getting 401 authorization error. I have asked the question here with more details:
https://answers.sap.com/questions/13711263/getting-401-when-trying-to-authorize-oauth2-in-clo.html
Can you think of something obvious we might have missed or changed since the writing of this blog?
Thanks
We have resolved this issue.
We were using Client Secret ID instead of Client Secret Value.
Hello Franz
Great Blog!!!
I have a doubt with the configuration but on the SAP ECC side, how do you indicate that now it must send the emails through SAP CPI to Office 365 and not through SMTP with the SCOT transaction?
This would no longer be through SMTP but through HTTP or SOAP or REST? How do you make this change? through a BADI?
Best Regards
Yoel Guevara
Hi Guevara,
I am not an expert for SAP ECC. I covered the functionality of SAP Cloud Integration with respect to the protocols IMAP and SMTP in this blog.
Microsoft 365 offers the possibility to use HTTP REST calls to send and read e-mails via the Graph APIs. See also https://learn.microsoft.com/en-us/graph/api/overview?view=graph-rest-1.0. Maybe this is interesting for you.
Regards Franz
Hi Franz, our scenario is crm 7.0 EHP 4 and MS Exchange on premise . We want to use Chrome without activex control to connect to exchange adressbook e.g. Is this possible ? We tried to configure it with sap note 3099344 CRM Email Integration using Azure OAuth 2.0 but it didn't work. Is exchangeonline mandantory for this szenario ? Kind Regards Marco
Hi Franz,
it is so details. I have another concern:
for Sending Mails from a Shared Mailbox, shall we use another oauth2 code credential than the one for receiving?
As you said : “During the configuration of the OAuth2 Authorization Code credential you use the e-mail address of the member in the field “User Name”.” this is different with receiving credential.
Then which user name shall be used for executing the authentication flow for receiving email, the e-mail address of the member or the email address of the shared mailbox?
Hi Eric,
yes you are right. You need a different OAuth2 Authorization Code credential for "Sending Mails from a Shared Mailbox" because the "User Name" field must contain the e-mail address of the member (for "Reading from a Shared Mailbox" this is different then the "User Name" field must contain the email address of the shared mailbox).
For the authentication flow you always must use the e-mail address of the member.
Regards Franz
Hello,
I would like to contribute with an error that made me waste some time to find out the cause of the problem.
After performing all the configuration in Azure and also in the CPI in the Security Material with the OAuth2 Authorization Code (Microsoft 365). In the Authorize step to collect the token, the error below occurred:
<response>
<script/>
invalid_resource: AADSTS500011: The main resource named https://outlook.office.com/IMAP.AccessAsUser.Allhttps://outlook.office.com was not found in the tenant named xxxxxxxxxxx. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID: xxxxxxxxxxxxxxx Correlation ID: xxxxxxxxxxxx Timestamp: 2023-05-25 00:56:47Z
</response>
After analyzing several points, I discovered that only two spaces were missing between the two records in the scope. Below the example:
With two spaces (working):
"https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send offline_access"
No space(with error):
"https://outlook.office.com/IMAP.AccessAsUser.All
https://outlook.office.com/SMTP.Send offline_access"
No space:
With space:
After adjusting the scope the token worked successfully.
Regards.