Exchange Online: Modern Authentication for Remote Approval
Azure Active Directory (Azure AD) has been renamed to Microsoft Entra ID (ME-ID). While the WorkflowGen documentation has been updated to reflect this name change, the WorkflowGen application settings still refer to Azure AD (for example, Azure AD SCIM v2 directory connector).
Likewise, certain ME-ID configuration items in the Azure portal have been renamed and/or moved. The WorkflowGen documentation has been updated accordingly, but still might not be completely accurate in this regard. See the Microsoft Entra ID documentation for more information.
Overview
As of WorkflowGen version 7.22.5, Remote Approval supports the use of a Microsoft 365 user account in Exchange Online using Modern authentication to receive and process approval emails.
Modern authentication uses the industry-standard OAuth2 protocol for authorization. For this, OAuth2 provides a type of grant called Client Credentials that simply exchanges a client ID and secret for an access token that will be used to retrieve and send approval emails from the Office user account mailbox.
This section provides instructions on how to configure Remote Approval to integrate with Exchange Online using Modern authentication. First, you'll need to configure a new application in the Azure portal; then, you'll need to configure the Remote Approval settings in WorkflowGen.
Microsoft plans to disable support for Basic Authentication across all tenants for the Exchange Online service in the near future. It is now suggested to migrate to Modern authentication. See the Basic Authentication and Exchange Online – February 2021 Update Microsoft article for more information.
Prerequisites
Make sure to have a licensed copy of WorkflowGen installed and running on a server.
Make sure to have administrative access to WorkflowGen.
Make sure to have administrative access to Microsoft Entra ID to be able to configure it properly.
Make sure to have turned ON Modern authentication for Outlook client in the Microsoft 365 admin center. See the Basic Authentication and Exchange Online – July Update Microsoft article for more information.
Make sure to use a Microsoft 365 user account that has a valid Microsoft 365 license and read/write permissions to the Exchange Online mailbox. This account will be used for the Remote Approval username and default reply-to email settings.
Microsoft Entra ID configuration
Step 1: Register a new application
In the Azure portal, click App registrations in the Azure services section.
Click New registration, and fill in the properties:
Name: Your Remote Approval app name (e.g. WorkflowGen Remote Approval)
Supported account types: Accounts in this organizational directory only (Default Directory only - Single tenant)
Redirect URI: Leave this blank
Click Register at the bottom of the page.
You've now successfully registered your Remote Approval app in ME-ID.
If you require multitenant support (all users in Microsoft 365 and Microsoft personal accounts, e.g. hotmail.com, outlook.com), follow the instructions in the Using Microsoft/Office 365 EWS OAUTH 2.0 in Background Service guide instead.
Step 2: Grant access to your Remote Approval app
Click API permissions.
In the Configured permissions section, click Add a permission.
Click APIs my organization uses, then search for Office 365 Exchange Online.
Select Office 365 Exchange Online from the list.
Click Application permissions.
Expand Other permissions, then check full_access_as_app.
Click Add permissions.
Step 3: Grant admin consent
Stay within the API permissions section.
If you're a Microsoft 365 administrator, click Grant admin consent for to grant consent to the application.
If you're not a Microsoft 365 administrator, then you'll need to ask one to grant admin consent for your application in their Azure Portal.
Once your application has admin consent granted, you'll see a green checkmark for each of the permissions.
It's also possible to send a link to a Microsoft 365 administrator to grant admin consent. For more detailed instructions about the admin consent link, see the Using Microsoft/Office 365 EWS OAUTH 2.0 in Background Service guide.
Step 4: Generate a key
In the Applications menu, click Certificates & secrets.
In the Client secrets section, click New client secret and enter the following properties:
Description: client_secret (or something that clearly identifies that it's a secret)
Expires: Select the desired expiration period (e.g. Recommended: 6 months)
Click Add.
Copy and save the value generated by Azure somewhere safe. This is your client secret (referred to as application password), and you won't be able to retrieve it later.
Step 5: Branding
In the Applications menu, click Branding.
If needed, update your application name, company logo, home page URL, terms of service URL, or privacy statement URL.
Click Save when done.
If you require multitenant support, you must complete the publisher verification for multitenant applications; otherwise, your application will not request access tokens correctly. For instructions on how to do this, see the Using Microsoft/Office 365 EWS OAUTH 2.0 in Background Service guide.
Review the registration
Here's a review of the information you'll need:
The Remote Approval application (client) ID, which can be found in the registered application overview section.
Your directory (tenant) ID, which can be found in the registered application overview section.
A client secret, which is the value that was generated in the Certificates & secrets section from step 4.
You're now ready to configure your Remote Approval settings in WorkflowGen.
WorkflowGen configuration
Configure Remote Approval settings
Open the Configuration Panel from the WorkflowGen Administration Module home page.
On the Remote Approval tab, fill in the form for the Incoming mail server section:
Type: Exchange Online - Modern Authentication
Server address: outlook.office365.com, or your own Exchange Online domain name
Security: SSL
Default reply-to email: Email address of the Remote Approval Office user
Username: Username of the Remote Approval Office user
Application (client) ID: The Remote Approval application (client) ID from the Azure Portal
Client secret: The client secret that was generated in the Remote Approval Certificates & secrets section from the Azure Portal
Scope: https://outlook.office365.com/.default&grant_type=client_credentials (replace outlook.office365.com with your own Exchange Online domain name if needed)
Access token URI: https://login.microsoftonline.com/{directory_tenant_ID}/oauth2/v2.0/token (replace {directory_tenant_ID} with your own directory (tenant) ID from the Azure Portal)
In the Remote Approval section:
Check Activate to enable the Remote Approval service
Update the other fields as needed
Click Save.
For more information about the different settings, see the Remote Approval section of the Configuration Panel chapter in the WorkflowGen Administration Guide.
Your Remote Approval integration with Exchange Online - Modern authentication should now be complete and functional.
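To check the registration independently of WorkflowGen, the following added example (not part of the WorkflowGen product or documentation) performs the same client credentials exchange against the access token URI and inspects the returned token for the full_access_as_app role, the tenant and the expiry. The RA_* environment variable names and the sample token are constructed for illustration, grant_type is sent here as its own form field, and the expected aud, tid and roles claim values are assumptions about the app-only token Entra ID issues for this scope.

```python
import base64, json, os, time
from urllib import parse, request

RESOURCE = "https://outlook.office365.com"  # assumption: default Exchange Online domain

def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the OAuth2 client credentials grant."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": f"{RESOURCE}/.default"}
    return url, parse.urlencode(form).encode()

def jwt_claims(token):
    """Decode the JWT payload for inspection only (no signature verification)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_claims(claims, tenant_id):
    """Return a list of problems; an empty list means the token looks right."""
    problems = []
    if claims.get("aud") != RESOURCE:
        problems.append(f"unexpected audience: {claims.get('aud')}")
    if claims.get("tid") != tenant_id:
        problems.append("token issued for a different tenant")
    if "full_access_as_app" not in claims.get("roles", []):
        problems.append("full_access_as_app missing: permission or admin consent not granted")
    if claims.get("exp", 0) <= time.time():
        problems.append("token already expired")
    return problems

def sample_token(claims):
    """Build a constructed, unsigned JWT-shaped string for offline runs."""
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."

def fetch_token(tenant_id, client_id, client_secret):
    """Live call to the access token URI; needs network access."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with request.urlopen(request.Request(url, data=body), timeout=30) as resp:
        return json.load(resp)["access_token"]

if __name__ == "__main__":
    tenant = os.environ.get("RA_TENANT_ID")  # hypothetical variable names
    if tenant:  # live check with the values from "Review the registration"
        token = fetch_token(tenant, os.environ["RA_CLIENT_ID"], os.environ["RA_CLIENT_SECRET"])
    else:  # offline run on a constructed token that lacks the role
        tenant = "00000000-0000-0000-0000-000000000000"
        token = sample_token({"aud": RESOURCE, "tid": tenant, "roles": [], "exp": time.time() + 3600})
    print(check_claims(jwt_claims(token), tenant) or "token OK")
```

An empty list from check_claims indicates that the registration, the permission and the admin consent from steps 1 to 3 are in place before the values are entered in the Configuration Panel.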