OAuth Configuration for Office 365 Exchange Online

This article provides instructions for configuring EMS Exchange Integration Web Service (EIWS) to access 365 mailboxes using OAuth with Microsoft Exchange Web Services. You can do this in EMS update 34 or later.

If this service is enabled, the service account with application Impersonation permissions no longer needs access to 365 mailboxes and the scope of permissions for that account can be reduced to only your on premise mailboxes.

If you are using a hybrid environment, this service account will still be used to access the on premise mailboxes.

Application registration in Azure Active Directory (AD)

To register an application in Azure AD:

1. Log into portal.azure.com with the appropriate admin account.

2. Click Azure Active Directory in the menu.

3. Under Manage, choose App registrations.

4. Choose New registration.

5. Enter a name.

6. Set Supported account types as appropriate for your scenario.

7. Click Register.

Configure permissions in Azure AD

To configure permissions in Azure AD:

  1. In App registrations, select the application registered in the previous section.
  2. Under Manage, click API Permissions.
  3. Choose Add a permission.
  4. Under APIs my organization uses, type “office” in search box and select Office 365 Exchange Online.
  5. Under Applications permissions choose the full_access_as_app.

    If you previously created an app for Exchange-to-EMS Synchronization for EMS for Microsoft Exchange (formerly Exchange Room Integration), you can add the full_access_as_app permission to your existing app.

  6. Click Done.
  7. Under Grant Consent, select Grant admin consent for (your domain here).
  8. Select Yes.

    The permissions appear in the list.

  9. Under Manage, click Certificates and Secrets.
  10. Select New Client Secret.
  11. Choose an expiration window. We recommend None.

    Don't enter a value. Click Save.

    A value appears.

  12. Copy and make note of that value, since this is the only time it appears.
  13. From the Overview section, copy the Application ID and Tenant ID to add to the EMS configuration.

EMS Exchange Integration Web Service configuration

To configure the EMS Exchange Integration Web Service to use OAuth:

  1. Add Application ID, Tenant ID, and ClientSecret value to the respective configuration fields on ExchangeIntegrationWebService/pamconfig.aspx
  2. Select OAuth.

    If the Application ID, Tenant ID, and ClientSecret have already been saved to EMS you don't have to save them again. In this case, select Use OAuth for Office 365 Exchange Web Services.