MS Graph - preparing the mailbox

In general

TAS can connect to the Microsoft Graph API through our integration. This integration allows downloading and moving emails and attachments into defined mailboxes, which are then handled according to set business rules.

In order for TAS to successfully connect and manipulate the contents of these mailboxes, the integration must be granted sufficient permissions for the mailboxes (whether your own or shared).

Ensuring authorization

Login with name and password is still supported only for On-Premise servers. Microsoft no longer officially supports this method. Read the official article .
  1. Sign in to https://portal.azure.com/#home .
  2. Select Azure Active Directory from the menu.
  3. Select Add - Application Registration to start the application registration (TASu).
  1. Enter a Name and leave the Only accounts in this directory option checked. Complete the registration by clicking Register .
  1. For email read permissions, select API Permissions in the left menu.
  2. In the Request API Permissions window, click Add Permissions and under Microsoft APIs , select Microsoft Graph .
  3. Then, in Request API permission, select Delegated permissions .
  4. Here you need to assign permissions to the MS Graph application, see the image.
  5. Confirm by clicking Add Permissions .
  6. Select Certificates and Secrets .
  1. In the Client Secret Codes tab (0), select New Client Secret Code . Enter the required information and add the code by clicking the Add button . Note: after this code expires, you must add a new one, otherwise the application (TAS) will lose access to the mailbox.
  1. Permission approval by the administrator. Once approved, the warning triangle next to API Permissions changes.
  1. Restrict access to a specific mailbox
    The permission set above gives the application access to all mailboxes in the domain. To restrict access to only the intended mailbox, you must set access rules using PowerShell.
    Connect-ExchangeOnline -UserPrincipalName admin@domain.xyz
     New-ApplicationAccessPolicy -AppId CLIENT_ID -PolicyScopeGroupId email@domain.xyz -AccessRight RestrictAccess -Description "Restrict this app to email@domain.xyz."
    If you are setting up access to a shared mailbox, you must first create the appropriate Security Principal. For this purpose, a Mail-enabled Security Group must be created, and the shared mailbox must be set up as a member of it. In the example above, the name of the created group is then used in the PolicyScopeGroupId.
  2. Then, you can change the login script in cron in the application (TASu).
    "auth": {
     "emailAddress": "faktury@firma.cz",
     "tenantId": "123-abc-456-def",
     "clientId": "987-cba-321-ijk",
     "clientSecret": "xxx-yyy-zzz",
     "type": "secret"
     }
    • You can find tenant_id here:
    • You can find client_id here:
    • client_secret alias secret code:
Creating (so-called registration) an Azure application with the appropriate permissions is entirely up to the client and its administrators. The entire procedure is performed on the Azure Portal or in the Remote Shell.

Mailbox settings

The only requirement for a clipboard is the existence of two folders:

  • TAS input
  • TAS output

The names of these folders are not important, but both folders must be a subfolder of the inbox. We also recommend setting up rules in Outlook to ensure that incoming mail is sorted into these folders (e.g. by recipient).

Entering the configuration

Specifying the cron configuration for handling incoming emails is explained in this manual .

Frantisek Brych Updated by Frantisek Brych

MS Graph - cron configuration

Contact

Syca (opens in a new tab)

Powered by HelpDocs (opens in a new tab)