Exchange Online: Modern Authentication for Remote Approval

Overview

As of WorkflowGen version 7.22.5, Remote Approval supports the use of an Office user account in Exchange Online (Office 365) using Modern authentication to receive and process approval emails.
Modern authentication uses the industry-standard OAuth2 protocol for authorization. For this, OAuth2 provides a type of grant called Client Credentials that simply exchanges a client ID and secret for an access token that will be used to retrieve and send approval emails from the Office user account mailbox.
This section provides instructions on how to configure Remote Approval to integrate with Exchange Online using Modern authentication. First, you'll need to configure a new application in the Azure portal; then, you'll need to configure the Remote Approval settings in WorkflowGen.
Microsoft plans to disable support for Basic Authentication across all tenants for the Exchange Online service in the near future. It is now suggested to migrate to Modern authentication. See the Basic Authentication and Exchange Online – February 2021 Update Microsoft article for more information.

Prerequisites

    Make sure to have a licensed copy of WorkflowGen installed and running on a server.
    Make sure to have administrative access to WorkflowGen.
    Make sure to have administrative access to Azure Active Directory to be able to configure it properly.
    Make sure to have turned ON Modern authentication for Outlook client in the Microsoft 365 Admin Center. See the Basic Authentication and Exchange Online – July Update Microsoft article for more information.
    Make sure to use an Office user account that has a valid Office 365 license and read/write permissions to the Exchange Online mailbox. This account will be used for the Remote Approval username and default reply-to email settings.

Azure Active Directory configuration

Step 1: Register a new application

    1. In the Azure portal, click App registrations in the Azure Active Directory section.
    2. Click New registration, and fill in the properties:
        Name: Your Remote Approval app name (e.g. WorkflowGen Remote Approval)
        Supported account types: Accounts in this organizational directory only (Single tenant)
        Redirect URI: Leave this blank
    3. Click Register at the bottom of the page.
You've now successfully registered your Remote Approval app in Azure Active Directory.
If you require multitenant support (all users in Office 365 and Microsoft personal account, e.g. hotmail.com, outlook.com), follow the instructions in the Using Microsoft/Office 365 EWS OAUTH 2.0 in Background Service guide instead.

Step 2: Grant access to your Remote Approval app

    1. Click API permissions.
    2. In the Configured permissions section, click Add a permission.
    3. Click APIs my organization uses, then search for Office 365 Exchange Online.
    4. Select Office 365 Exchange Online from the list.
    5. Click Application permissions.
    6. Expand Other permissions, then check full_access_as_app.
    7. Click Add permissions.

    1. Stay within the API permissions section.
    2. If you're an Office 365 administrator, click Grant admin consent for <your tenant name> to grant consent to the application.
    3. If you're not an Office 365 administrator, then you'll need to ask an Office 365 administrator to grant admin consent for your application in their Azure Portal.
    4. Once your application has admin consent granted, you'll see a green checkmark for each of the permissions.
It's also possible to send a link to an Office 365 administrator to grant admin consent. For more detailed instructions about the admin consent link, see the Using Microsoft/Office 365 EWS OAUTH 2.0 in Background Service guide.

Step 4: Generate a key

    1. In the Applications menu, click Certificates & secrets.
    2. In the Client secrets section, click New client secret and enter the following properties:
        Description: client_secret (or something that clearly identifies that it's a secret)
        Expires: Select the desired expiration period (e.g. Recommended: 6 months)
    3. Click Add.
    4. Copy and save the value generated by Azure somewhere safe. This is your client secret (referred to as application password), and you won't be able to retrieve it later.

Step 5: Branding

    1. In the Applications menu, click Branding.
    2. If needed, update your application name, company logo, home page URL, terms of service URL, or privacy statement URL.
    3. Click Save when done.
If you require multitenant support, you must complete the publisher verification for multitenant applications; otherwise, your application will not request access tokens correctly. For instructions on how to do this, see the Using Microsoft/Office 365 EWS OAUTH 2.0 in Background Service guide.

Review the registration

Here's a review of the information you'll need:
    The Remote Approval application (client) ID, which can be found in the registered application overview section.
    Your directory (tenant) ID, which can be found in the registered application overview section.
    A client secret, which is the value that was generated in the Certificates & secrets section from step 4.
You're now ready to configure your Remote Approval settings in WorkflowGen.

WorkflowGen configuration

Configure Remote Approval settings

    1. Open the Configuration Panel from the WorkflowGen Administration Module home page.
    2. On the Remote Approval tab, fill in the form for the Incoming mail server section:
        Type: Exchange Online - Modern Authentication
        Server address: outlook.office365.com, or your own Exchange Online domain name
        Security: SSL
        Default reply-to email: Email address of the Remote Approval Office user
        Username: Username of the Remote Approval Office user
        Application (client) ID: The Remote Approval application (client) ID from the Azure Portal
        Client secret: The client secret that was generated in the Remote Approval Certificates & secrets section from the Azure Portal
        Scope: https://outlook.office365.com/.default&grant_type=client_credentials (replace outlook.office365.com with your own Exchange Online domain name if needed)
        Access token URI: https://login.microsoftonline.com/{directory_tenant_ID}/oauth2/v2.0/token (replace {directory_tenant_ID} with your own directory (tenant) ID from the Azure Portal)
    3. In the Remote Approval section:
        Check Activate to enable the Remote Approval service
        Update the other fields as needed
    4. Click Save.
For more information about the different settings, see the Remote Approval section of the Configuration Panel chapter in the WorkflowGen Administration Guide.
Your Remote Approval integration with Exchange Online - Modern authentication should now be complete and functional.
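To check the values entered above independently of WorkflowGen, the following added example (not WorkflowGen code) builds the client credentials request from the Scope and Access token URI settings and inspects the claims of a returned access token. The function names are hypothetical, the claim names (aud, tid, appid or azp, roles, exp) are assumed to be those Azure AD places in app-only access tokens, and the sample token is constructed.

```python
import base64
import json
import time
from urllib.parse import parse_qsl, urlencode

RESOURCE = "https://outlook.office365.com"  # host part of the Scope setting


def build_token_request(tenant_id, client_id, client_secret, scope_setting):
    """Return (url, form_body) for the OAuth2 client credentials grant."""
    # The Scope field holds "<scope>&grant_type=client_credentials"; split it
    # into the separate form fields a token endpoint receives.
    scope, _, extra = scope_setting.partition("&")
    fields = {"client_id": client_id, "client_secret": client_secret, "scope": scope}
    fields.update(parse_qsl(extra))
    if fields.get("grant_type") != "client_credentials":
        raise ValueError("Scope must end with &grant_type=client_credentials")
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return url, urlencode(fields)


def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is not verified."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def check_access_token(token, tenant_id, client_id, now=None):
    """Return a list of mismatches between the token and the registration."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != RESOURCE:
        problems.append("aud is not the Exchange Online resource")
    if claims.get("tid") != tenant_id:
        problems.append("tid is not the expected directory (tenant) ID")
    if claims.get("appid", claims.get("azp")) != client_id:
        problems.append("token was not issued to this application (client) ID")
    if "full_access_as_app" not in claims.get("roles", []):
        problems.append("roles lacks full_access_as_app (admin consent missing?)")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def constructed_token(claims):
    """Build an unsigned sample token (constructed data, not a real token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])
```

A token whose roles claim contains full_access_as_app can open any mailbox in the tenant through Exchange Web Services, so store and rotate the client secret with that reach in mind.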