Mohammed Aathif

SAP Password reset tool using Azure Logic App, SAP PO/Integration Suite and ABAP


Recently while working on Azure Logic App, I felt we can make use of Office 365 email connector to automate a few manual processes.

I thought, why not create a password reset tool?

So, I designed a Logic App that picks up emails from a specific Outlook folder and passes the information on to SAP ECC6 via SAP PO. An ABAP program then resets or unlocks the user's password, and the Logic App returns the resulting messages to the sender.


Develop a Logic App in Azure that is connected to an Outlook account (in the real world the email account must be a service account) and looks for new emails.


Outlook connector configuration

  • The Password Reset folder is checked every 10 seconds, so any new email that comes in is picked up right away.

Make sure the email body is in a specific format (end users need to be trained on the email body format); otherwise parsing in the Logic App will fail and the correct format will be returned to the sender.

Default email format(JSON)


"User": {
    "Client": "230",
    "email": "
    "action": "unlock"
}




Email body parsing

  • Whenever the email trigger fires, the email has a unique Message-Id. Using this Message-Id, the reply is sent back to the same email sender.

As soon as parsing completes, a properly structured JSON request is created and sent to the SAP PO REST adapter endpoint using the HTTP connector in the Logic App.


HTTP connector


SAP PO or Integration Suite configuration:

In our DEV SAP ECC6 we have 2 clients (100 and 230), so the end user needs to specify the proper client in the email body. Once the payload is received in SAP PO, it is converted to XML by the REST adapter.

1. Develop ID objects in SAP PO with one REST sender adapter and 2 SOAP adapters (XI protocol), one for each of the two clients.


SAP PO ID objects

2. In the ICO, I have added conditions in the receiver determination so that the business system of the requested client is invoked for the password reset.


ICO – Receiver determination


3. Create ESR objects so that the structure appears in SPROXY for ABAP coding.

ESR objects

4. Mapping in ESR is straightforward (one-to-one mapping).


Message Mapping

We are done with the SAP PO configuration.

If you are using SAP Integration Suite, you can leave out the Azure Logic App completely. Not everyone uses Azure in their organization, so in this variant all the operations are performed in SAP.

SAP Integration Suite IFlow


  • In my case I have used the XI adapter. Cloud Connector was already in place, so I directly hit my ECC system. (Reference: Configuring Scenario Using the XI Receiver Adapter)
  • I reused the same SAP PO generated Service Interface in ECC.
  • It is also possible to connect via SOAMANAGER.
  • IFlow can be found at my Git Repository.

Password reset IFlow – GitHub


Sender MAIL adapter is connected to my email account via IMAP and polls from the folder CPI at an interval of 10 seconds.


sender mail adapter

Once there is an email in the folder, the adapter picks it up, processes it and changes its status from unread to read.

To send the sender’s email ID along with the request payload for unlock/reset, I’ve extracted the adapter header parameter (FROM) using a Groovy script and passed it to ECC by forming a payload in the content modifier.


Finally, the response from ECC must be returned to the sender via the receiver email adapter.


Receiver email configuration


SAP ABAP development:-

1. Generate a proxy for the service provider in t-code SPROXY.

Service Proxy Proxy

2. Once we generate a proxy, an ABAP class will be generated.

Auto-generated ABAP class


3. We can either code in the same method or create a separate class where all the operations are performed. I have created a separate class (SE24) and did all the validations and the password reset/unlock operation there.

4. The most important question is how we get the user details from SAP. For this we can use the standard BAPI BAPI_USER_GET_DETAIL, where we pass the user ID (UNAME from the email) as an exporting parameter; it returns the user's address details and SNC (Secure Network Communications) data.



  • ls_address-e_mail holds the email address of the user in SAP.
  • The email address returned by the BAPI is validated against the sender’s email address (coming from the Logic App or SAP Integration Suite).
  • If the email ID in SAP doesn’t match the email sender’s email ID, a reply is sent back to the sender.
  • Otherwise, based on the action (UNLOCK/RESET), the program will either reset the user’s password or unlock the user.


5. The user details can be seen in transaction code SU01.

6. I have added a few validations within the ABAP code before resetting/unlocking the user.

  • There are situations when the BASIS team locks all users during system maintenance; in such situations users shouldn’t be allowed to unlock. (If the status of usr02-uflag is 32 or 66, the user is locked by the administrator.)
  • A person who has left the organization should not be allowed to reset/unlock. (usr02-class holds the user class.)
  • The email sender needs to specify the correct user ID in the email body.

7. After validating and getting the details from SAP, we can go ahead and reset/unlock users based on their choice.

8. Finally, the user can be unlocked using the standard BAPI BAPI_USER_UNLOCK.


BAPI_USER_UNLOCK – To unlock user

9. If the choice is to reset, we can use the BAPI BAPI_USER_CHANGE.

  • I have used FM GENERAL_GET_RANDOM_STRING to generate a random 8-character password and concatenated “@1” to it to make it strong.
  • By passing the new string and the username into FM BAPI_USER_CHANGE, the password will be reset, and the response will be returned to SAP PO –> Logic App –> email.

10. We are done with the ABAP development.
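
One way to code the checks from steps 4 to 6 as a single gate that runs before BAPI_USER_UNLOCK or BAPI_USER_CHANGE is called (an added example, not the author's class). It takes the lock state and user group from the ISLOCKED and LOGONDATA parameters of BAPI_USER_GET_DETAIL rather than reading USR02; the class and method names, the test values and the user group LEAVER are assumptions.

```abap
REPORT z_pwd_reset_gate_demo.
* Added example; names, test values and user group 'LEAVER' are assumptions.
CLASS lcl_reset_gate DEFINITION.
  PUBLIC SECTION.
    " An initial result means the request passed every check.
    CLASS-METHODS check
      IMPORTING iv_uname         TYPE bapibname-bapibname
                iv_sender        TYPE bapiaddr3-e_mail
                iv_action        TYPE string
      RETURNING VALUE(rv_reject) TYPE string.
ENDCLASS.
CLASS lcl_reset_gate IMPLEMENTATION.
  METHOD check.
    DATA: ls_address TYPE bapiaddr3,
          ls_logon   TYPE bapilogond,
          ls_locked  TYPE bapislockd,
          lt_return  TYPE STANDARD TABLE OF bapiret2,
          lv_sender  TYPE bapiaddr3-e_mail,
          lv_action  TYPE string.
    lv_action = iv_action.
    lv_sender = iv_sender.
    CALL FUNCTION 'BAPI_USER_GET_DETAIL'
      EXPORTING username  = iv_uname
      IMPORTING address   = ls_address
                logondata = ls_logon
                islocked  = ls_locked
      TABLES    return    = lt_return.
    " Unknown user ID (E/A message): clear the address so the comparison
    " below fails instead of matching two empty values.
    LOOP AT lt_return TRANSPORTING NO FIELDS WHERE type = 'E' OR type = 'A'.
      CLEAR ls_address-e_mail.
    ENDLOOP.
    TRANSLATE: lv_action TO UPPER CASE, lv_sender TO UPPER CASE,
               ls_address-e_mail TO UPPER CASE.
    IF lv_action <> 'UNLOCK' AND lv_action <> 'RESET'.
      rv_reject = 'Action must be unlock or reset.'.
    ELSEIF ls_address-e_mail IS INITIAL OR ls_address-e_mail <> lv_sender.
      rv_reject = 'Sender is not the address maintained for this user.'.
    ELSEIF ls_locked-local_lock = 'L' OR ls_locked-glob_lock = 'L'.
      rv_reject = 'User is locked by an administrator.'.   " e.g. maintenance
    ELSEIF ls_logon-class = 'LEAVER'.
      rv_reject = 'User is not eligible for self-service.'.
    ENDIF.
  ENDMETHOD.
ENDCLASS.
START-OF-SELECTION.
  DATA gv_msg TYPE string.
  gv_msg = lcl_reset_gate=>check( iv_uname  = 'TESTUSER' iv_action = 'unlock'
                                  iv_sender = 'test.user@example.com' ).
  WRITE / gv_msg.
```

A lock caused by failed logons (ISLOCKED-WRNG_LOGON) deliberately passes the gate, since that is the case the unlock action exists for.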

Note: The validations are based on my own understanding after discussing with the security team; you can add as many validations as you want. Also, if you have any suggestions regarding validations, please write them in the comment section.

Now, it’s time to test our tool 🙂

Test 1: If the user tries to reset his password


A new password is generated and email is received as an email reply


Test 2: If the user tries to unlock.


User was not locked in SAP, so a proper response was returned back to the sender


Test 3: Few more validations.


Invalid action and invalid email validations

Test 4: In case the email body is not correct, the default email template will be returned as an email response.


Invalid email body



Azure Logic App


Logic App


Invalid JSON


HTTP connector



SAP PO Message Monitor


SAP ECC6 Logs:

For the audit log purpose, I have added logs in ABAP SLG1 for each password reset request.

Logs in ECC can be checked in the SLG1 transaction code.


SLG1 log


SAP Integration Suite:


SAP IS Message Log


Email picked and responded by SAP Integration Suite



You can rely on SAP Integration Suite alone if you do not want to use Logic App (I’ve done this as my own experiment).

The only drawback of using SAP IS is that we cannot reply to the same email using the MAIL adapter, whereas in Logic App I was able to.



To beautify user input, refer to my other post.

SAP Password reset tool – Part 2

      Martin Pankraz

      Hey Mohammed Aathif,

      interesting use case. What happens if I send an email with your payload? Can I reset your password and lock you out? 😉 Are those CPI and logicApp endpoints protected?

      Your setup could be applied as a service with a couple more tweaks to make it secure. Keep it up 🙂



      Mohammed Aathif
      Blog Post Author

      Hi Martin Pankraz ,

      You definitely cannot lock me with your payload and your email, because the email From address is picked dynamically and it is also checked and validated again in SAP before doing any actual operation.

      We do not have a CPI endpoint, as I am using the MAIL adapter for the sender, and the Logic App triggers only when a new email arrives in a specific folder configured in the Logic App.

      But for Azure Logic App <--> SAP PO connectivity I have Azure API Management in between, which serves as a proxy, and I am checking the subscription key too.



      AMIT Lal

      Nice work! Mohammed,
      You can also try/use the BAPI Call methods (built-in Logic Apps trigger available now) directly connected to SAP to execute lock/unlock FMs in the discussion, btw I tried in my lab environment after seeing your blog post, and it's working perfectly.


      Mohammed Aathif
      Blog Post Author

      Hi AMIT Lal,


      Thanks for your kind response. Yes, I remember the SAP connector in Logic App, but I felt it is a premium connector and will cost more, so I decided to use the existing middleware (SAP PO/Integration Suite) and achieved it. (I proposed this tool by saying: less development effort and cost effective.)

      Thanks for quickly doing it in Azure Logic App and helping the community. Very well done!

      One more thing I would like to highlight here is, if we directly hit the FM from the connector we won't be able to validate the below things, because they are stored in one of the SAP tables, and this is most important to have.

      Mustafa Bensan

      Hi Mohammed,

      While this is a very good example of what is technically possible, we should also consider whether the solution is practical for a real-world scenario as follows:

      • From a user experience perspective, will a business user really want to submit an email where they need to specify the request in JSON format? This is prone to errors and would require training. It is not ideal when there is an expectation of consumer-grade user experience these days.
      • From a solution architecture perspective this would be an expensive option to implement given the integration of SAP and non-SAP components as well as custom ABAP coding, compared to the online password reset apps/UIs that are typically used instead.



      Martin Pankraz

      Good points Mustafa,

      • Teams Adaptive Cards or Outlook Actionable Messages could address the user experience nicely.
      • The reset app/UI calls an API too. Would be possible to address that directly as integration target. If you run an integration landscape already, this one additional flow wouldn't burn your bills. Indeed, buying all of it only for this purpose would be madness. Also see the other interface option using BAPI suggested above.

      But of course you need to get started somewhere. Rough beta version first for the tech-savvy engineers and enterprise readiness further down the line 😉

      Mohammed Aathif: Curious to see version two of this, to maybe even win Mustafa over.



      Mohammed Aathif
      Blog Post Author

      Hi Mustafa Bensan ,


      1. One of the purposes of posting the blog is to get alternatives too (particularly to replace JSON and to have a better UI). I am glad Martin Pankraz has suggested Adaptive Cards and actionable messages, which I was not aware of. I will try to implement the same for improvements.
      2. I don't consider this to be expensive if you already have Azure.

      Believe me, the overall cost for Logic App for the month of February was 12 euros.




      Mohammed Aathif
      Blog Post Author

      Hi Martin Pankraz,

      The tool has now evolved; post implementing Adaptive Cards it's amazing. Have a look here: Password reset tool version two

      Mustafa Bensan, my version two addresses your point one.