Step a: Find the Directory ID
To find the Directory ID:
- In the Microsoft Azure Portal for your organization, navigate to Azure Active Directory and then to Properties.
- On the Properties page, locate the Directory ID, and copy it. It will be used as the Tenant ID in the connection.
Step b: Create an App Registration for an OAuth Connection
To create an App Registration for the connection:
- In the Microsoft Azure Portal for your organization, navigate to More Services.
- In the All Services search field, search for App Registrations, and select App Registrations.
- On the App registrations page that appears, select + New registration.
- On the Register an application page that appears, set the following:
  - Name: Enter a name that is unique among all the other application registrations in your organization's Azure portal.
  - Supported account types: Use the default option, Accounts in this organizational directory only (Single tenant).
- At the bottom of the page, select Register. Result: An App Registration and its Application ID are created.
- Locate the Application (client) ID, and copy it. Note: It will be used as the Application ID when creating the connection.
- For Office 365 connections, remain in this window for the next procedure.
Step c: Grant Office 365 Exchange Online Permissions to the New App Registration
Applies to:
To grant Office 365 Exchange Online permissions to the new Application Registration:
- On the leftmost pane, select API Permissions. On the Configured permissions page that appears, select Add permission.
- On the Request API permissions pane that appears to the right, select the APIs my organization uses tab.
- In the search field, enter Office, and select Office 365 Exchange Online.
- Select the required type of permissions. For a certificate-based connection:
  - Select Application Permissions.
  - Under Select Permissions, expand Other Permissions.
  - Select the check box to the left of full_access_as_app (Use Exchange Web Services with full access to all mailboxes).
  - At the bottom of the pane, select Add Permissions.
- Result: The rightmost pane disappears. The Configured Permissions page appears and displays the item that you added permissions to.
Note: Do not grant admin consent to the permissions added if you are using an RBAC scope.
Step d: Limit the scope of mailboxes that the Riva app has access to
Note that Microsoft previously supported Application Access Policies for restricting mailbox access. However, they have announced that Role Based Access Control for Applications (RBAC) will replace Application Access Policies. To learn more about RBAC for applications, click here.
To configure RBAC for your application, you will need to use PowerShell connected to Office 365 to set up Role Based Access Control for Applications in Exchange Online.
The following steps assume you have a mail-enabled security group configured in Office 365 that the Riva users will belong to (Note that we have tested other group types and this method does not seem to work with those).
Note that you will need the Application (Client) ID and the Object ID of the enterprise application. These can be located by selecting the application under "Enterprise applications" and selecting "Overview".
1. Connect to Exchange Online from Windows PowerShell. To learn how to connect to Exchange Online using PowerShell, please review the Microsoft documentation here.
2. From PowerShell, use the Get-DistributionGroup cmdlet to obtain a list of the distribution groups available in your tenant. Find the one you are going to use and make note of its Name. You will need it later.
3. Create a management scope with New-ManagementScope. Its RecipientRestrictionFilter limits the scope to the members of the mail-enabled security group:
   New-ManagementScope -Name "RivaSync" -RecipientRestrictionFilter {memberofGroup -eq "CN=RivaSecurityGroup20220128151208,OU=rivalabs.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=CANPR01A004,DC=PROD,DC=OUTLOOK,DC=COM"}
   Note: You need to use the fully qualified Distinguished Name of the group, which you can retrieve with:
   Get-Group "groupName" | Select-Object -Property DistinguishedName
   - Name: sets the ManagementScope name.
   - RecipientRestrictionFilter: defines the filter that restricts the mailboxes that can be managed by the ManagementScope.
4. Create a service principal with New-ServicePrincipal. This registers the Azure application object in Exchange Online. You will need the Application ID and the Object ID, which you can get from the "Enterprise applications" section in Azure:
   New-ServicePrincipal -AppId a3324834-eacd-4f3a-8256-7d977a799ffe -ObjectId 3d5bdc46-4b47-4770-8d2e-d0331b19d393 -DisplayName "RBAC RivaSync"
5. Once you have the ServicePrincipal defined, create a role assignment with New-ManagementRoleAssignment:
   New-ManagementRoleAssignment -Name "RBAC RivaSync" -Role "Application EWS.AccessAsApp" -App a3324834-eacd-4f3a-8256-7d977a799ffe -CustomResourceScope "RivaSync"
   - Name: the name of the ServicePrincipal in step 4.
   - Role: Application EWS.AccessAsApp grants the application access to EWS with full mailbox access.
   - App: the Application ID from Azure.
   - CustomResourceScope: the ManagementScope defined in step 3.
Now that you have restricted the application access to those mailboxes that are part of the defined security group, Riva will only be able to access those defined mailboxes.
To test the application RBAC scope, you can run the following PowerShell cmdlet:
Test-ServicePrincipalAuthorization -identity "RBAC RivaSync" -Resource HenriettaM@rivalabs.onmicrosoft.com | Format-Table
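The steps above as one script, added here as an example rather than taken from the Riva documentation: it resolves the group's Distinguished Name instead of typing it by hand, builds the scope, service principal and role assignment, and then checks one mailbox inside the group and one outside it, so you can see the scope actually denies the latter. The group name, IDs and mailbox addresses are placeholders, and an Exchange Online PowerShell session (Connect-ExchangeOnline) is assumed.

```powershell
# Added example (not from the Riva documentation). Assumes an existing Exchange Online
# PowerShell session. Replace the placeholder values below with your own.
$GroupName         = "RivaSecurityGroup"                     # placeholder: mail-enabled security group
$AppId             = "00000000-0000-0000-0000-000000000000"  # placeholder: Application (client) ID
$EnterpriseObjId   = "11111111-1111-1111-1111-111111111111"  # placeholder: Object ID of the enterprise application
$InScopeMailbox    = "member@contoso.example"                # placeholder: a mailbox in the group
$OutOfScopeMailbox = "outsider@contoso.example"              # placeholder: a mailbox not in the group

# Step 3: resolve the fully qualified Distinguished Name of the group.
$groupDn = (Get-Group -Identity $GroupName).DistinguishedName
if (-not $groupDn) {
    throw "Group '$GroupName' not found; the scope must point at an existing mail-enabled security group."
}

# The restriction filter covers only members of that group.
$filter = "memberofGroup -eq '$groupDn'"
New-ManagementScope -Name "RivaSync" -RecipientRestrictionFilter $filter | Out-Null

# Step 4: register the service principal for the app registration in Exchange Online.
New-ServicePrincipal -AppId $AppId -ObjectId $EnterpriseObjId -DisplayName "RBAC RivaSync" | Out-Null

# Step 5: bind the EWS application role to the app, limited to the scope created above.
New-ManagementRoleAssignment -Name "RBAC RivaSync" -Role "Application EWS.AccessAsApp" `
    -App $AppId -CustomResourceScope "RivaSync" | Out-Null

# Verification: the member mailbox should report InScope = True, the outsider InScope = False.
foreach ($mbx in @($InScopeMailbox, $OutOfScopeMailbox)) {
    $result = Test-ServicePrincipalAuthorization -Identity "RBAC RivaSync" -Resource $mbx
    "$mbx -> InScope=$($result.InScope)"
}
```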
Note about using an RBAC scope together with the permissions set in step c: if you are using an RBAC scope to limit mailbox access, you don't need the "full_access_as_app" permission. If you have already granted it in step c, you can do the following to revoke it.