Matrix42 Self-Service Help Center

E-mail Robot Tenant Configuration for Microsoft 365 Service Connection

To register DWP for Microsoft 365 Service Connections integration, start with registering DWP at the Microsoft identity platform.

  1. On the Microsoft Azure Portal home page, go to the Azure services section or use the Search resources search bar and open App registrations.
    Microsoft Azure Portal: App registrations

  2. Provide a Name for the application. The DWP users will see the display name when applying the Setup Authentication for the configured Service Connection.
  3. Choose Supported account types.
  4. Add a Redirect URI: select Web and enter Redirect URI, for instance, https://{your_domain_name}/wm/externalAuth/redirect.html.
  5. Click Register.
    Microsoft Azure Portal: Register an application
     
  6. Click on your new App Registration (in our example it is DWP App) and go to the Overview section. Here you can find the following data for the E-mail Robot tenant configuration in DWP Service Connections:
    Microsoft Azure Portal Application field name | DWP tenant configuration field name
    Application (client) ID                       | Client ID
    Directory (tenant) ID                         | Tenant

  7. Enter these values in the corresponding fields in the Administration application → Integration → Service Connections → Tenants configuration.
  8. In your registered application, go to the Certificates & secrets section and click + New client secret. Provide a description, then copy the value of the generated Client secret immediately, because later it is shown only in encrypted form in the Certificates & secrets section.
  9. Enter the copied Client secret value in the E-mail Robot tenant configuration in DWP Service Connections:
  10. Add API permissions. API Permissions can be configured in either Delegated or Application mode:
    • Delegated mode permissions are used together with DWP Service Connections.
    • Application (standalone) mode permissions are used with direct E-mail Robot configuration for Exchange / Office 365 and Exchange / Microsoft Graph connection types.

    The required API permissions depend on the E-mail Robot mailbox connection type and the authentication mode: direct or Service Connection.

    1. For Exchange / Microsoft Graph connection type using Service Connection, in your registered application, go to the API permissions section and click + Add a permission, choose Microsoft Graph > Delegated permissions > Mail.ReadWrite and click Add permissions.
    2. For Exchange / Microsoft Graph connection type using direct configuration, in your registered application, go to the API permissions section and click + Add a permission, choose Microsoft Graph > Application permissions > Mail.ReadWrite and click Add permissions. Then click Grant admin consent for <organization> and accept the consent dialog.

    The Azure Portal does not offer Office 365 Exchange Online permissions in the permission list for new application registrations. The required permissions are added by manually editing the Application Manifest.

    1. For Exchange / Office 365 connection type using Service Connection, in your registered application, go to the Manifest, locate the requiredResourceAccess property in the manifest and add the following code inside the square brackets ([]):
      {
          "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
          "resourceAccess": [
              {
                  "id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5",
                  "type": "Scope"
              }
          ]
      }

      Click Save, go to the API permissions section and check that the EWS.AccessAsUser.All permission is listed.
    2. For Exchange / Office 365 connection type using direct configuration, in your registered application, go to the Manifest, locate the requiredResourceAccess property in the manifest and add the following code inside the square brackets ([]):
      {
          "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
          "resourceAccess": [
              {
                  "id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
                  "type": "Role"
              }
          ]
      }

      Click Save, go to the API permissions section and check that the full_access_as_app permission is listed. Then click Grant admin consent for <organization> and accept the consent dialog.
  11. Add the corresponding permissions to the Scope area of your Service provider configuration: open the Administration application > Integration > Service Connections > Services > Microsoft 365 > Capabilities section > Scope.
    • For Exchange / Microsoft Graph: 
      offline_access+User.Read+Mail.ReadWrite
    • For Exchange / Office 365 (EWS): 
      offline_access+EWS.AccessAsUser.All


For more information on how to add a scope, see also Microsoft Documentation Quickstart: Configure an application to access a web API.
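
The Exchange Online manifest entries from step 10 can be checked against the authentication mode before admin consent is granted. The following is an added example, not part of the Matrix42 documentation: it flags a wrong entry type and any Exchange Online permission the chosen mode does not need. The mode labels `service_connection` and `direct` are names assumed here, and the check relies on the Azure manifest convention that delegated permissions use type `Scope` and application permissions use type `Role`.

```python
import json

# Office 365 Exchange Online resource and permission IDs as given in step 10.
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
KNOWN = {
    "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5": ("EWS.AccessAsUser.All", "Scope"),
    "dc890d15-9560-4a4c-9b7f-a736ec74ec40": ("full_access_as_app", "Role"),
}
# Permission each authentication mode needs (mode labels are assumed names).
EXPECTED = {"service_connection": "EWS.AccessAsUser.All", "direct": "full_access_as_app"}


def audit_manifest(manifest: dict, mode: str) -> list[str]:
    """Return findings for the Exchange Online entries of an app manifest."""
    findings, granted = [], set()
    for resource in manifest.get("requiredResourceAccess", []):
        if resource.get("resourceAppId") != EXCHANGE_ONLINE:
            continue  # other APIs (e.g. Microsoft Graph) are out of scope here
        for access in resource.get("resourceAccess", []):
            perm_id, perm_type = access.get("id"), access.get("type")
            if perm_id not in KNOWN:
                findings.append(f"unexpected Exchange Online permission id {perm_id}")
                continue
            name, want_type = KNOWN[perm_id]
            granted.add(name)
            if perm_type != want_type:
                findings.append(f"{name}: type is {perm_type!r}, should be {want_type!r}")
    needed = EXPECTED[mode]
    if needed not in granted:
        findings.append(f"{needed} is missing for {mode} mode")
    for extra in sorted(granted - {needed}):
        findings.append(f"{extra} is not needed for {mode} mode; remove it")
    return findings


# Constructed sample: a Service Connection app that also carries the
# application permission, entered with the wrong type.
SAMPLE = json.loads("""
{"requiredResourceAccess": [
  {"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
   "resourceAccess": [
     {"id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5", "type": "Scope"},
     {"id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40", "type": "Scope"}]}]}
""")

if __name__ == "__main__":
    for line in audit_manifest(SAMPLE, "service_connection"):
        print(line)
```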