IBM Support

IBM Content Collector OAuth support for Microsoft Exchange Online

How To


Summary

Starting with IBM Content Collector 4.0.1 fix pack 10 (4.0.1.10) interim fix 13, OAuth support is enabled for Microsoft Exchange Online.

Objective

How to use the ICCApp OAuth (Microsoft Azure Active Directory) application for Microsoft Exchange Online authentication.

Steps

The ICCApp OAuth application needs to be registered with Microsoft Exchange Online.
Prerequisites to registering
  1. Enable JavaScript in the browser.
  2. Run the following command with Administrator privileges to set the Execution Policy:
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
  3. Ensure that the PowerShell script, configureICCApp.ps1, is available in the following location:
    <ICC_installation_directory>\tools\ExchangeOnlineAzureAdApp
Registering ICCApp OAuth application
Once the application is registered, a browser window of the Microsoft Azure portal is opened for signing in.
  1. Run the PowerShell script, configureICCApp.ps1, to register the application.
  2. Sign in when prompted.
    • The script is run as the signed-in user and it uses the tenant in which the user is defined.
    • This script creates a client secret that is valid for a duration of 5 years. After 5 years, you need to deregister the application and repeat the registration process. For more information on the deregistering process, refer to the Readme document (PDF) in Download IBM Content Collector 4.0.1.10 interim fix 13.
    • The application permission full_access_as_app is assigned for the Exchange API. It gives the app full access, via Exchange Web Services, to all the mailboxes without a signed-in user.
  3. Sign in with administrator privileges to grant Admin consent to all the accounts in the tenant for the requested permissions.
  4. Click Grant admin consent for <tenant_name> to provide the consent.
    • Once done, all the related objects (client ID, tenant ID, and client secret) are copied into the ews.properties file located at the following location:
      <ICC_installation_directory>\ctms
    • Client ID (application ID): A globally unique identifier (GUID) that uniquely identifies the registration of the application in your Active Directory tenant.
    • Tenant ID (directory ID): A GUID that is different than your organization name or domain.
    • Client secret: It is associated with the client ID and is valid for a duration of 5 years.
The ICCApp OAuth application should now be displayed under App registrations on the Microsoft Azure Portal.

Additional Information

OAuth 2.0 is the industry-standard protocol used for authorization. It does not share password data but instead uses access tokens to make API requests on behalf of a user.
Prior to IBM Content Collector 4.0.1 fix pack 10 (4.0.1.10) interim fix 13, basic authentication was used to connect to Microsoft Exchange Online. As Microsoft has announced the end of support for basic authentication with Exchange Online to improve security, Content Collector now supports OAuth for connecting to Microsoft Exchange Online.
IBM Content Collector for Exchange Online uses the OAuth 2.0 client credentials grant type to access web-hosted resources by using the identity of an application.
The OAuth 2.0 client credentials grant flow permits a confidential client (daemon services or web sites) to use its own credentials. Instead of impersonating a user, it uses its own credentials to authenticate while connecting to Microsoft Exchange Online. This grant type uses APIs to expose a set of application permissions.
An application permission is granted to an application by the Exchange Online administrator and can be used to access data owned by that domain and its users.
Access tokens for the secured web APIs are acquired by using the Microsoft Authentication Library (MSAL), which can also refresh the tokens when they are close to expiry.
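
The client credentials exchange described above, as an added example that is not IBM's or ICCApp's code: it builds the token request that Azure AD expects for this grant and checks the claims of an access token (app-only, full_access_as_app present, expected tenant and client). The function names, the sample GUIDs and the sample token are constructed for illustration, and the worldwide Azure AD and Exchange Online endpoints are assumed.

```python
import base64, json, time
from urllib.parse import urlencode

EWS_RESOURCE = "https://outlook.office365.com"  # assumption: worldwide cloud

def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the client credentials grant; nothing is sent."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": EWS_RESOURCE + "/.default",  # all consented application permissions
    })
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token", body

def decode_claims(access_token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_app_only_token(claims, tenant_id, client_id, now=None):
    """Return a list of findings; an empty list means the claims look as expected."""
    now = time.time() if now is None else now
    findings = []
    if claims.get("aud") != EWS_RESOURCE:
        findings.append("aud is not Exchange Online")
    if claims.get("tid") != tenant_id:
        findings.append("tid does not match the registered tenant")
    if claims.get("appid", claims.get("azp")) != client_id:
        findings.append("token was not issued to this client ID")
    if "full_access_as_app" not in claims.get("roles", []):
        findings.append("roles lacks full_access_as_app (admin consent missing?)")
    if "scp" in claims:
        findings.append("scp present: delegated (user) token, not app-only")
    if claims.get("exp", 0) <= now:
        findings.append("token is expired")
    return findings

def make_sample_token(claims):
    """Build a constructed, unsigned sample token for the demonstration."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

if __name__ == "__main__":
    sample = {"aud": EWS_RESOURCE, "tid": "t", "appid": "c", "roles": [], "exp": 0}
    print(check_app_only_token(decode_claims(make_sample_token(sample)), "t", "c"))
```

Inspecting claims this way is a diagnostic for confirming that admin consent took effect; validating the token signature remains the job of the API that receives it.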

Document Location

Worldwide

Document Information

Modified date:
26 August 2021

UID

ibm16259361