OAuth settings
Use the following fields to configure the OAuth settings for your mailbox. User name and Protocol fields are populated from the Mailbox settings window.
-
If the computer on which KC Plug-In is installed is running under a proxy, configure the
Proxy settings.
When using MS Graph with Resource Owner Password Credentials grant type, configure these in the Message Connector Configuration tool.
Field name Description Proxy server address IP address or host name of the local proxy server. If this field is empty, local proxy server will not be considered to contact the OAuth authorization server. For Microsoft Exchange Online, this is Microsoft Entra ID.
User name User name of the proxy server.
Password Password to connect to the proxy server.
Proxy settings are not available for
-
Configure the following OAuth settings.
Setting Description Authorization server Select the required OAuth authorization server.
For MS Graph, authorization server is always MICROSOFT.
Manage Click to add, edit, or delete authorization servers using the Manage authorization servers window. Grant type Select the required grant type:
-
Resource Owner Password Credentials: This option is only available for MS Graph.
-
Resource Owner Password Credentials (Deprecated): This option is only available for MS Graph.
-
Authorization Code: This is available for IMAP, POP3, SMTP Outbound, and MS Graph.
-
Client Credentials: This is available for IMAP, POP3, SMTP Outbound, and MS Graph.
Authorization endpoint URL The URL to get an authorization code from the authorization server.
When you select an authorization server, this field is populated from the authorization server settings configured using the Manage authorization servers screen.
This text box is enabled only for the Authorization Code grant type.Token endpoint URL The URL to get the OAuth tokens, such as, access token, its expiry time.
When you select an authorization server, this field is populated from the authorization server settings configured using the Manage authorization servers screen.
Scopes Scopes are the access permissions to access specific resources. For example read access to user’s mailbox, read/write access to user’s mailbox.
When you select an authorization server, this field is populated from the authorization server settings configured using the Manage authorization servers screen.
Tenant ID Enter the directory/tenant ID which is generated while creating the tenant in Microsoft Entra ID. Client ID or Application ID Enter the Client ID or Application ID which is generated after registering the application in Microsoft Entra ID. Authentication Mode Select the required authentication mode: Client Secret: This option is available for Client Credentials, Authorization Code, and Resource Owner Password Credentials grant types.
Certificate Based: This option is available for Client Credentials and Authorization Code grant types.
Certificate Thumbprint Enter the certificate thumbprint of the client application. As a prerequisite, this client certificate must be installed first on the local machine certificate store (under Local Machine location or Current User location) where the plug-in is installed. Also, the certificate must be uploaded to the cloud client application. Client secret Enter the secret string which is generated in the Certificates and secrets section of your application in Microsoft Entra ID. KC Plug-In uses this secret string to prove its identity at the Azure application level when requesting a token. Redirect URI Enter the redirect URI configured in your Microsoft Entra ID of your application. The redirect URI specified here must be the one selected in your application in Microsoft Entra ID. You can also specify a custom URI created in Microsoft Entra ID application.
-
This field is applicable only for Authorization code grant.
-
If you want to provide Redirect URI created for Web platform inside Azure portal, then it is mandatory to provide Client Secret.
-
If you want to provide Redirect URI created for Mobile/Desktop platform inside Azure portal, then Client Secret must be left blank.
Authorization code If the authorization server is configured to redirect URI, you must copy the entire URL from the address bar of the browser and paste it into the Authorization code field.
This field is enabled only for non-Microsoft authorization servers, such as Google.Authorize Click to send all the configured input values to the OAuth authorization server and receive the respective OAuth tokens from it.
However, the behavior might change depending upon the grant type selected:
-
Resource Owner Password Credentials: Acquires the tokens from the server. These tokens are sent to the Message Connector to connect to the configured mailbox and download email messages from it.
-
Resource Owner Password Credentials (Deprecated): In this case, Message Connector acquires the tokens directly to connect to the configured mailbox and download the messages from it without authorization.
- Authorization code: Enter the mailbox user credentials in the pop-up window displayed. On a successful validation, server returns the respective OAuth tokens. A confirmation message is displayed after successful login.
-
Client Credentials: All the configured input values are sent to the OAuth authorization server. On a successful validation, server returns the respective OAuth tokens. A confirmation message is displayed after successful login..
-
Following table summarizes the grant types and their respective configuration.
| Resource Owner Password Credentials grant | Resource Owner Password Credentials grant (Deprecated) | Authorization Code | Client Credentials | |
|---|---|---|---|---|
| MS Graph | Supported | Supported | Supported | Supported |
| IMAP over OAuth | Not Supported | Not Supported | Supported | Supported |
| POP3 over OAuth | Not Supported | Not Supported | Supported | supported |
| SMTP Outbound | Not Supported | Not Supported | Supported | Supported |
| Authorization endpoint URL | NA | NA | Mandatory | NA |
| Token endpoint URL | Supported | NA | Mandatory | Mandatory |
| Scopes value in Configure OAuth screen | Supported | NA | Mandatory | Mandatory |
| Configuration of API permissions in Azure portal | Mandatory | Mandatory | Mandatory | Mandatory |
| Tenant ID | Recommended | Recommended | Mandatory | Mandatory |
| Client ID | Mandatory | Mandatory | Mandatory | Mandatory |
| Client Secret | Optional
If Allow public client flows is set to YES, then do not specify the Client secret. Else, Client secret is mandatory. See Configure public client flows in Azure. |
Optional
If Allow public client flows is set to YES, then do not specify the Client secret. Else, Client secret is mandatory. See Configure public client flows in Azure. |
Optional (based on Redirect URI Platform) | Mandatory |
| Certificate Thumbprint | NA | NA | Mandatory for certificate based authentication mode. | Mandatory for certificate based authentication mode. |
| Redirect URI | NA | NA | Mandatory | NA |
| Username | Mandatory | Mandatory | Mandatory | Mandatory |
| Password value in KC Plug-In | Mandatory | Mandatory | NA | NA |
| Mailbox password change impact | Update new password in KC Plug-In | Update new password in KC Plug-In | Authorize again in KC Plug-In | NA |
| Login using a popup window | NA | NA | Mandatory | NA |
| Authorization level | User level | User level | User level | Application level |
| Proxy | Supported | NA | Supported | Supported |
| Polling shared mailboxes | Supported | Supported | Supported | Supported |
| Federation Security | Not Supported | NA | Supported with MS Graph, IMAP and POP3 protocols. | Supported only with MS Graph protocol. |