OAuth settings

Configure the OAuth settings for your mailbox.

  1. The User name and Protocol fields are populated from the Mailbox settings window.
  2. Configure the Proxy settings if the computer on which Capture Plug-In is installed runs under a proxy.

    When using MS Graph with the Resource Owner Password Credentials grant type, configure these settings in the Message Connector Configuration tool.

    Setting Description
    Proxy server address

    IP address or hostname of the local proxy server. If this field is empty, no local proxy server is used to contact the OAuth authorization server. For Microsoft Exchange Online, the authorization server is Microsoft Entra ID.

    User name

    User name for the proxy server.

    Password

    Password to connect to the proxy server.

  3. Configure the following OAuth settings.

    Setting Description
    Authorization server

    Select the required OAuth authorization server.

    For MS Graph, the authorization server is always Microsoft.

    Manage

    Click to add, edit, or delete authorization servers using the Manage authorization servers window.

    Grant type

    Select the required grant type:

    • Resource Owner Password Credentials: This option is only available for MS Graph.

    • Resource Owner Password Credentials (Deprecated): This option is only available for MS Graph.

    • Authorization Code: This option is available for IMAP, POP3, SMTP Outbound, and MS Graph.

    • Client Credentials: This option is available for IMAP, POP3, SMTP Outbound, and MS Graph.

    Authorization endpoint URL

    The URL to get an authorization code from the authorization server.

    When you select an authorization server, this field is populated from the authorization server settings configured using the Manage authorization servers screen.

    This text box is enabled only for the Authorization Code grant type.

    Token endpoint URL

    The URL to get the OAuth tokens, such as the access token and its expiry time.

    When you select an authorization server, this field is populated from the authorization server settings configured using the Manage authorization servers screen.

    Scopes

    The permissions that grant access to specific resources. For example, read access to the user’s mailbox, or read/write access to the user’s mailbox.

    When you select an authorization server, this field is populated from the authorization server settings configured using the Manage authorization servers screen.

    Tenant ID

    Enter the directory/tenant ID. This ID is generated while creating the tenant in Microsoft Entra ID.

    Client ID or Application ID

    Enter the Client ID or Application ID. This ID is generated after registering the application in Microsoft Entra ID.

    Authentication Mode

    Select the required authentication mode:

    • Client Secret: This option is available for Client Credentials, Authorization Code, and Resource Owner Password Credentials grant types.

    • Certificate Based: This option is available for Client Credentials and Authorization Code grant types.

    Certificate Thumbprint

    Enter the certificate thumbprint of the client application. As a prerequisite, install this client certificate in the certificate store (under the Local Machine or Current User location) of the computer where the plug-in is installed, and upload it to the cloud client application.

    Client secret

    Enter the secret string. This string is generated in the Certificates and secrets section of your application in Microsoft Entra ID. Capture Plug-In uses this secret string to prove its identity at the Azure application level when requesting a token.

    Redirect URI

    Enter the redirect URI configured for your application in Microsoft Entra ID. The redirect URI specified here must be the same as in your application in Microsoft Entra ID. You can also specify a custom URI created in the Microsoft Entra ID application.

    • This field only applies to the Authorization code grant.

    • If you want to provide a Redirect URI created for the Web platform inside the Azure portal, you must provide a Client Secret.

    • If you want to provide a Redirect URI created for Mobile/Desktop platform inside the Azure portal, leave the Client Secret blank.

    Authorization code

    If the authorization server is configured to redirect to a URI, you must copy the entire URL from the address bar of the browser and paste it into the Authorization code field.

    This field is enabled only for non-Microsoft authorization servers, such as Google.

    Authorize

    Click to send all the configured input values to the OAuth authorization server and receive the respective OAuth tokens.

    However, the behavior may change depending on the selected grant type:

    • Resource Owner Password Credentials: Capture Plug-In acquires the tokens from the server. These tokens are sent to the Message Connector to connect to the configured mailbox and download email messages from it.

    • Resource Owner Password Credentials (Deprecated): The Message Connector acquires the tokens directly to connect to the configured mailbox and download the messages without authorization.

    • Authorization Code: Enter the mailbox user credentials in the pop-up window displayed. On successful validation, the server returns the respective OAuth tokens. A confirmation message is displayed after successful login.

    • Client Credentials: All the configured input values are sent to the OAuth authorization server. On successful validation, the server returns the respective OAuth tokens. A confirmation message is displayed after successful login.

The following table summarizes the grant types and their respective configuration.

|  | Resource Owner Password Credentials grant | Resource Owner Password Credentials grant (Deprecated) | Authorization Code | Client Credentials |
| --- | --- | --- | --- | --- |
| MS Graph | Supported | Supported | Supported | Supported |
| IMAP over OAuth | Not Supported | Not Supported | Supported | Supported |
| POP3 over OAuth | Not Supported | Not Supported | Supported | Supported |
| SMTP Outbound | Not Supported | Not Supported | Supported | Supported |
| Authorization endpoint URL | NA | NA | Mandatory | NA |
| Token endpoint URL | Supported | NA | Mandatory | Mandatory |
| Scopes value in Configure OAuth screen | Supported | NA | Mandatory | Mandatory |
| Configuration of API permissions in Azure portal | Mandatory | Mandatory | Mandatory | Mandatory |
| Tenant ID | Recommended | Recommended | Mandatory | Mandatory |
| Client ID | Mandatory | Mandatory | Mandatory | Mandatory |
| Client Secret | Optional. If Allow public client flows is set to YES, do not specify the Client secret. Otherwise, the Client secret is mandatory. See Configure public client flows in Azure. | Optional. If Allow public client flows is set to YES, do not specify the Client secret. Otherwise, the Client secret is mandatory. See Configure public client flows in Azure. | Optional (Based on Redirect URI Platform) | Mandatory |
| Certificate Thumbprint | NA | NA | Mandatory for certificate based authentication mode. | Mandatory for certificate based authentication mode. |
| Redirect URI | NA | NA | Mandatory | NA |
| Username | Mandatory | Mandatory | Mandatory | Mandatory |
| Password value in Capture Plug-In | Mandatory | Mandatory | NA | NA |
| Mailbox password change impact | Update new password in Capture Plug-In | Update new password in Capture Plug-In | Authorize again in Capture Plug-In | NA |
| Login using a popup window | NA | NA | Mandatory | NA |
| Authorization level | User level | User level | User level | Application level |
| Proxy | Supported | NA | Supported | Supported |
| Polling shared mailboxes | Supported | Supported | Supported | Supported |
| Federation Security | Not Supported | NA | Supported with MS Graph, IMAP and POP3 protocols. | Supported only with MS Graph protocol. |
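
The following added example (not Capture Plug-In code, and not taken from the product) shows what the settings above correspond to in a standard OAuth 2.0 exchange: pulling the authorization code out of the full URL pasted into the Authorization code field, and assembling the token-endpoint form fields for each grant type. The field names are the standard ones from RFC 6749 and RFC 7523. The function names, the state check, the configuration keys, and all sample values are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Extra fields each grant adds to a standard OAuth 2.0 token request (RFC 6749 names).
GRANT_FIELDS = {
    "client_credentials": ["scope"],
    "authorization_code": ["scope", "code", "redirect_uri"],
    "password": ["username", "password"],  # Resource Owner Password Credentials
}
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"  # RFC 7523

def extract_code(pasted_url, redirect_uri, expected_state):
    """Return the authorization code from the full URL copied out of the browser."""
    got, want = urlsplit(pasted_url), urlsplit(redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("URL does not match the registered redirect URI")
    query = parse_qs(got.query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    if query.get("state", [""])[0] != expected_state:
        raise ValueError("state mismatch: response is not for this request")
    if "code" not in query:
        raise ValueError("no authorization code in URL")
    return query["code"][0]

def token_request_fields(grant, cfg):
    """Build the form fields for the token endpoint, rejecting incomplete settings."""
    required = ["client_id"] + GRANT_FIELDS[grant]
    missing = [name for name in required if not cfg.get(name)]
    if missing:
        raise ValueError(f"{grant}: missing {', '.join(missing)}")
    fields = {"grant_type": grant, **{name: cfg[name] for name in required}}
    if grant == "password" and cfg.get("scope"):
        fields["scope"] = cfg["scope"]
    if cfg.get("client_assertion"):  # Certificate Based mode: signed JWT, not a secret
        if grant == "password":
            raise ValueError("certificate mode applies to the other two grants only")
        fields["client_assertion_type"] = JWT_BEARER
        fields["client_assertion"] = cfg["client_assertion"]
    elif cfg.get("client_secret"):
        fields["client_secret"] = cfg["client_secret"]
    elif grant == "client_credentials":
        raise ValueError("client_credentials needs a secret or a certificate")
    return fields

# Constructed sample values; none come from a real tenant or application.
REDIRECT = "https://app.example/callback"
PASTED = REDIRECT + "?code=SAMPLE-CODE&state=xyz123"
```

A Mobile/Desktop redirect URI corresponds to calling `token_request_fields("authorization_code", ...)` with no `client_secret`, which is accepted; the same omission for `client_credentials` is rejected.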