Exchange Online: Modern Authentication for Remote Approval

Azure Active Directory (Azure AD) has been renamed to Microsoft Entra ID (ME-ID). While the WorkflowGen documentation has been updated to reflect this name change, the WorkflowGen application settings still refer to Azure AD (for example, Azure AD SCIM v2 directory connector).

Likewise, certain ME-ID configuration items in the Azure portal have been renamed and/or moved. The WorkflowGen documentation has been updated accordingly, but still might not be completely accurate in this regard. See the Microsoft Entra ID documentation for more information.

Overview

As of WorkflowGen version 7.22.5, Remote Approval supports the use of a Microsoft 365 user account in Exchange Online using Modern authentication to receive and process approval emails.

Modern authentication uses the industry-standard OAuth2 protocol for authorization. For this, OAuth2 provides a type of grant called Client Credentials that simply exchanges a client ID and secret for an access token that will be used to retrieve and send approval emails from the Office user account mailbox.

This section provides instructions on how to configure Remote Approval to integrate with Exchange Online using Modern authentication. First, you'll need to configure a new application in the Azure portal; then, you'll need to configure the Remote Approval settings in WorkflowGen.

Microsoft plans to disable support for Basic Authentication across all tenants for the Exchange Online service in the near future. It is now suggested to migrate to Modern authentication. See the Basic Authentication and Exchange Online – February 2021 Update Microsoft article for more information.

Prerequisites

  • Make sure to have a licensed copy of WorkflowGen installed and running on a server.

  • Make sure to have administrative access to WorkflowGen.

  • Make sure to have administrative access to Microsoft Entra ID to be able to configure it properly.

  • Make sure to have turned ON Modern authentication for Outlook client in the Microsoft 365 admin center. See the Basic Authentication and Exchange Online – July Update Microsoft article for more information.

  • Make sure to use a Microsoft 365 user account that has a valid Microsoft 365 license and read/write permissions to the Exchange Online mailbox. This account will be used for the Remote Approval username and default reply-to email settings.

Microsoft Entra ID configuration

Step 1: Register a new application

  1. In the Azure portal, click App registrations in the Azure services section.

  2. Click New registration, and fill in the properties:

    • Name: Your Remote Approval app name (e.g. WorkflowGen Remote Approval)

    • Supported account types: Accounts in this organizational directory only (Default Directory only - Single tenant)

    • Redirect URI: Leave this blank

  3. Click Register at the bottom of the page.

You've now successfully registered your Remote Approval app in ME-ID.

If you require multitenant support (all users in Microsoft 365 and Microsoft personal accounts, e.g. hotmail.com, outlook.com), follow the instructions in the Using Microsoft/Office 365 EWS OAUTH 2.0 in Background Service guide instead.

Step 2: Grant access to your Remote Approval app

  1. Click API permissions.

  2. In the Configured permissions section, click Add a permission.

  3. Click APIs my organization uses, then search for Office 365 Exchange Online.

  4. Select Office 365 Exchange Online from the list.

  5. Click Application permissions.

  6. Expand Other permissions, then check full_access_as_app.

  7. Click Add permissions.

Step 3: Grant admin consent

  1. Stay within the API permissions section.

  2. If you're a Microsoft 365 administrator, click Grant admin consent for to grant consent to the application.

  3. If you're not a Microsoft 365 administrator, then you'll need to ask one to grant admin consent for your application in their Azure Portal.

  4. Once your application has admin consent granted, you'll see a green checkmark for each of the permissions.

It's also possible to send a link to a Microsoft 365 administrator to grant admin consent. For more detailed instructions about the admin consent link, see the Using Microsoft/Office 365 EWS OAUTH 2.0 in Background Service guide.

Step 4: Generate a key

  1. In the Applications menu, click Certificates & secrets.

  2. In the Client secrets section, click New client secret and enter the following properties:

    • Description: client_secret (or something that clearly identifies that it's a secret)

    • Expires: Select the desired expiration period (recommended: 6 months)

  3. Click Add.

  4. Copy and save the value generated by Azure somewhere safe. This is your client secret (referred to as application password), and you won't be able to retrieve it later.

Step 5: Branding

  1. In the Applications menu, click Branding.

  2. If needed, update your application name, company logo, home page URL, terms of service URL, or privacy statement URL.

  3. Click Save when done.

If you require multitenant support, you must complete the publisher verification for multitenant applications; otherwise, your application will not request access tokens correctly. For instructions on how to do this, see the Using Microsoft/Office 365 EWS OAUTH 2.0 in Background Service guide.

Review the registration

Here's a review of the information you'll need:

  • The Remote Approval application (client) ID, which can be found in the registered application overview section.

  • Your directory (tenant) ID, which can be found in the registered application overview section.

  • A client secret, which is the value that was generated in the Certificates & secrets section from step 4.

You're now ready to configure your Remote Approval settings in WorkflowGen.

WorkflowGen configuration

Configure Remote Approval settings

  1. Open the Configuration Panel from the WorkflowGen Administration Module home page.

  2. On the Remote Approval tab, fill in the form for the Incoming mail server section:

    • Type: Exchange Online - Modern Authentication

    • Server address: outlook.office365.com, or your own Exchange Online domain name

    • Security: SSL

    • Default reply-to email: Email address of the Remote Approval Office user

    • Username: Username of the Remote Approval Office user

    • Application (client) ID: The Remote Approval application (client) ID from the Azure Portal

    • Client secret: The client secret that was generated in the Remote Approval Certificates & secrets section from the Azure Portal

    • Scope: https://outlook.office365.com/.default&grant_type=client_credentials (replace outlook.office365.com with your own Exchange Online domain name if needed)

    • Access token URI: https://login.microsoftonline.com/{directory_tenant_ID}/oauth2/v2.0/token (replace {directory_tenant_ID} with your own directory (tenant) ID from the Azure Portal)

  3. In the Remote Approval section:

    • Check Activate to enable the Remote Approval service

    • Update the other fields as needed

  4. Click Save.

For more information about the different settings, see the Remote Approval section of the Configuration Panel chapter in the WorkflowGen Administration Guide.

Your Remote Approval integration with Exchange Online - Modern authentication should now be complete and functional.
