About Office 365 OAuth Configuration
In This Manual
This manual contains steps to configure eCASE to integrate with OAuth for sending emails from a system account. The steps to complete this configuration take place in three parts:
Register Application: Register your application through the Azure Portal.
Create Client Secret: Using the Azure Portal, create a Client Secret you will use for OAuth configuration.
API Permissions: Add appropriate API permissions to permit sending emails.
Prerequisites
The following are prerequisites for completing OAuth configuration:
OAuth configuration should be completed by a system administrator with the appropriate knowledge and access to complete all required steps.
Before beginning the configuration, you must create an Exchange mailbox in Office 365 (ex. noreply@Casepointtech.com). This email appears as the sender for all system messages from eCASE and is used to complete the configuration.
Register Application
The first step in OAuth configuration is to register your app. Follow the steps below to register the app in Azure:
Log in to portal.azure.com using the Exchange mailbox created as the eCASE system account.
Click App Registrations > New Registration. The Register an application screen appears:

Enter a (A) Name for the app in the field provided.
Under (B) Supported account types, the top option is selected by default. You may need to make a different selection depending on your organization’s needs.
Under (C) Redirect URL, enter “<Application Admin URL>/connectors/SMTP.aspx” where <Application Admin URL> is replaced with your application’s admin URL.
Click Register to register the app.
The app is registered. The screen displays the (A) Application (client) ID and (B) Directory (tenant) ID. Copy both to your clipboard or otherwise save for later reference:

Access eCASE Administration (eCASE > Settings > Connectors > eMail (SMTP)). The configuration screen appears as shown below:

Under (A) OAuth Client ID, enter the Application (client) ID from step 7.
Under (B) Tenant ID, enter the Directory (tenant) ID from step 7.
In the User Name field, enter the email address being used as the system account for this configuration (ex. noreply@ains.com).
Click Save to save the changes.
Create Client Secret
Next, you’ll follow the steps below to create a new Client Secret:
Within the Azure Portal, access your application, then access the Certificates & Secrets screen.
Click New Client Secret:

The Add a client secret screen appears. First enter a Description in the field provided. This is an internal description that is visible only to Admin users:

Use the Expires field to determine an expiration date based on your organization’s preference (with a 24-month maximum).
NOTE: Make a note of this expiration date, as this Client Secret will need to be renewed prior to the expiration for continuous operation.
Click Add to generate the Client Secret.
The Client Secret is successfully generated, and the secret appears as shown in the example below:

NOTE: Save the “Value”, as it cannot be retrieved later. You will need this to complete the configuration.
Copy the Value field to your clipboard.
Access eCASE Administration (eCASE > Settings > Connectors > eMail (SMTP)).
Copy the value obtained in step 7 into the Public Key (secret) field:

Click Save to save the changes.
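The expiration noted above can also be checked from PowerShell rather than tracked by hand. The script below is an added example, not part of the eCASE product or this manual's original steps. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications module) is installed and that the signed-in account can read app registrations. The client ID and the 30-day warning window are placeholders.

```powershell
# Added example: report how long each client secret on the app registration has left.
# Assumptions: Microsoft.Graph.Applications is installed; values below are placeholders.
$AppId    = '00000000-0000-0000-0000-000000000000'  # placeholder Application (client) ID
$WarnDays = 30                                      # assumed renewal lead time

Connect-MgGraph -Scopes 'Application.Read.All'

$app = Get-MgApplication -Filter "appId eq '$AppId'"
if (-not $app) { throw "No app registration found for client ID $AppId" }

$now = (Get-Date).ToUniversalTime()
$report = foreach ($cred in $app.PasswordCredentials) {
    if (-not $cred.EndDateTime) { continue }        # skip entries without an end date
    $daysLeft = [int][math]::Floor(($cred.EndDateTime.ToUniversalTime() - $now).TotalDays)
    $status = if ($daysLeft -lt 0)              { 'EXPIRED' }
              elseif ($daysLeft -le $WarnDays)  { 'RENEW SOON' }
              else                              { 'OK' }
    # Only metadata is returned here; Graph never returns the secret value on read.
    [pscustomobject]@{
        Description = $cred.DisplayName
        KeyId       = $cred.KeyId
        ExpiresUtc  = $cred.EndDateTime.ToUniversalTime()
        DaysLeft    = $daysLeft
        Status      = $status
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or pipeline raise an alert.
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

Run on a schedule, this gives advance warning before eCASE mail delivery stops because the secret has lapsed.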
API Permissions
The final step to enable OAuth is configuring API permissions:
Open the Azure Portal and access your application page, then click API permissions:

From the API Permissions screen click Add a Permission.
The Request API Permissions screen appears. Click Microsoft Graph:

Next click Application Permissions.

In the Select Permissions field, type “mail”.
Locate and expand the Mail permissions, then select Mail.Send:

Click Add Permissions to apply the selected permission.
The Administrator must grant these permissions. The Admin receives a notification to grant the requested permission and, once this permission is granted, the mailbox can send mail from the system account.
NOTE: Assigning the Mail.Send application permission allows the app to send emails on behalf of the user configured explicitly in the application settings. This requires admin consent and should be granted only when necessary for your application's functionality. Ensure you follow organizational policies for access and security.
Restrict Application Access to Specific Users or Groups (Optional)
By default, granting the Mail.Send application permission allows the app to send emails on behalf of any user in the organization. To restrict access so that the application can only send emails on behalf of specific users or a group, you can configure an Application Access Policy using Exchange Online PowerShell.
Prerequisites
Windows PowerShell 5.1 or PowerShell 7.4+ (recommended)
Exchange Online PowerShell V3 module
Install the Exchange Online Module
1. Open PowerShell.
2. Run the following command: Install-Module -Name ExchangeOnlineManagement -Force
Create an Application Access Policy
Follow the steps below to restrict Graph API application access for the Collaboration system account:
1. Open PowerShell.
2. Type Connect-ExchangeOnline and press Enter.
3. Sign in using admin credentials when prompted.
4. Once connected, type New-ApplicationAccessPolicy and press Enter.
5. For AccessRight, type RestrictAccess and press Enter.
6. For AppId[0], enter the Application (client) ID obtained during the Application Registration step above and press Enter.
7. For AppId[1], leave blank and press Enter (this is required only when restricting multiple applications).
8. For PolicyScopeGroupId, enter the user account or a Mail-Enabled Security Group. Refer to the section below to create a Mail-Enabled Security Group if needed.
NOTE: If you want to restrict application access for more than one user account, you must use a Mail-Enabled Security Group.
Create a Mail-Enabled Security Group
To restrict application access for multiple users, create a Mail-Enabled Security Group in Exchange Online:
1. Log in to the Exchange Admin Center (EAC).
2. Navigate to Recipients > Groups > Add a group.
3. Select Mail-enabled security as the group type and click Next.
4. Enter a Name and Description, then click Next.
5. Assign owners, add members, and define the email address.
6. Review the details and click Create group.
Test the Application Access Policy
After creating the policy, verify that it is working correctly:
1. In PowerShell, type Test-ApplicationAccessPolicy and press Enter.
2. For AppId, enter the Application (client) ID used when creating the policy.
3. For Identity, enter the user account or group account to test. If the user or group has access, the test returns a result confirming access is granted.
If the user or group does not have access, the test returns a result indicating access is denied.
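The interactive prompts described above can also be supplied as parameters, which makes the policy repeatable and lets you check both the granted and the denied case in one run. The script below is an added example, not part of the original manual. The client ID, group address, and the two test mailboxes are placeholders to replace with your own values.

```powershell
# Added example: create the Application Access Policy non-interactively and verify it.
# All identifiers below are placeholders (constructed for illustration).
$AppId      = '00000000-0000-0000-0000-000000000000'  # Application (client) ID
$ScopeGroup = 'ecase-senders@example.com'   # mail-enabled security group or single mailbox
$InScope    = 'noreply@example.com'         # system account that must be allowed
$OutOfScope = 'other.user@example.com'      # any mailbox that must NOT be usable by the app

Connect-ExchangeOnline

# Create the policy only if this app does not already have one.
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $existing) {
    New-ApplicationAccessPolicy -AppId $AppId `
        -PolicyScopeGroupId $ScopeGroup `
        -AccessRight RestrictAccess `
        -Description 'Restrict eCASE Mail.Send to the system account'
}

# Check one mailbox inside the scope and one outside it.
$allowed = Test-ApplicationAccessPolicy -AppId $AppId -Identity $InScope
$blocked = Test-ApplicationAccessPolicy -AppId $AppId -Identity $OutOfScope

"{0,-30} {1}" -f $InScope,    $allowed.AccessCheckResult
"{0,-30} {1}" -f $OutOfScope, $blocked.AccessCheckResult

# Fail loudly if the restriction is not behaving as intended.
if ($allowed.AccessCheckResult -ne 'Granted') {
    throw "$InScope is not granted; check group membership for $ScopeGroup."
}
if ($blocked.AccessCheckResult -ne 'Denied') {
    throw "$OutOfScope is still granted; the app can send as mailboxes outside the scope."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Testing an out-of-scope mailbox matters as much as testing the system account: a Granted result there means the Mail.Send permission still reaches mailboxes the policy was meant to exclude.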