How to configure Office365/Outlook Online email servers (IMAP and SMTP) with Oauth 2

Davin2 · ‎01-28-2020

Hello Community,

Has anyone had any success connecting their instance mail account to a Azure cloud hosted Office365 IMAP or SMTP server while using Oauth 2.0 for authentication? I've followed the docs (steps below) and gotten as far as getting an access token returned, but the "Test Connection" still fails authentication. I suspect the problem may be with the Oauth scopes I'm requesting and/or some setup missing on the Office365 side. The problem is the docs aren't very specific to Office365, and I can't find any definitive walk-thrus on the Office365 side in terms of setting up the application there (and not a lot on Communities dealing with Oauth and IMAP/SMTP). Add to that a basic lack of detailed debugging (why was the authentication failed?) and I'm stuck.

Thanks in advance,

Davin

These are the steps taken (referencing https://docs.servicenow.com/bundle/newyork-servicenow-platform/page/administer/notification/task/t_SetUpOAuth2ForEmail.html )

First installed the "Email - OAUTH support for IMAP and SMTP" plugin, then:

1. In the Azure Office 365 side created an application scope for the ServiceNow instance including the redirect URI for the instance. Also obtained the Client ID, Client Secret, authorization URLs needed for next step.
2. In the instance, created an System Oauth > Application Registry entry for the Office 365 instance.
3. Created Oauth Entity Profile and scopes under the Application Registry. I'm using: Mail.ReadWrite, profile, email, Mail.Send, openid, offline_access for scopes
4. Created an entry in System Mailboxes > Email Accounts for IMAP and SMTP services, selecting Oauth 2.0 as auth type and the right application scope
5. Clicked the "Authorize Email Account Access" button. Entered the Office 365 user credentials in the tab that opened and authorized access. When the email account screen refreshes, I noted a message about Oauth Refresh Token expiring soon.
6. Noted that a new record is created in System Oauth > Manage Tokens. So it's clearly communicating!
7. Clicking the Test Connection link results in authentication failed: (Account name: Office 365 IMAP, Type: imap, sys_id: f25687e51be6401409114229bc4bcbb0) Email account connection test completed with result: error, msg: Connection failed: AUTHENTICATE failed. (screenshot).

pawel_staszewsk · ‎04-02-2020

Finally resolved.

See KB0820012

View solution in original post

The Machine · ‎03-10-2020

We ran into the same issue to be compliant with modern auth and was not successful. Because it was critical, we ultimately had to rebuild email using REST and the Outlook/Graph APIs.

A lot of work to accomplish that.

pawel_staszewsk · ‎03-11-2020

The only scope you need is IMAP.AccessAsUser.All (in Azure Exchange group of consents under IMAP, not Mail)

Token received will have all consents assigned to Azure application.

If you get proper scopes in your token, you have first success.

When you get proper token you should successfully test Email Account

I am currently working with Support to find out why tokens are not stored properly in Service-Now. The successful check I got only when I generate token with PostMan and paste them into SN "token received".

But generally it may work.

pawel_staszewsk · ‎04-02-2020

Finally resolved.

See KB0820012

Adam Obuchowsk1 · ‎06-15-2020

Hi Pawel,

Currently I'm trying to achieve the same, to switch mail servers from servicenow owned, to our own mail servers (office 365) with OAUTH. Unfortunately I cannot get them to to connect properly.

While I understand the KB you linked, I'm not sure how does it help, or rather how to obtain the necessary customized parameters. Could you elaborate what did work for you exactly or provide additional pointers?

This mind boggling, it seems it supposed to be easy to achieve, yet it does not work...

---

My config consist of:

- OAUTH Provider record (configured with endpoints to microsoftonline)

- OAUTh Entity Profile (listing the scopes being requested)

- OAUTH Scopes to be used (offline_access, openid, https://outlook.office.com/IMAP.AccessAsUser.All, https://outlook.office.com/SMTP.Send)

- Mailbox Accounts (configured to use the OAUTH profile to get tokens)

With this, the instance is able to ask, and retrieve, access token and refresh token. The email traffic however is not working. Mailbox diagnostics page reports connection to mail accounts is not successful.

---

Murugan Kanpa · ‎06-24-2020

Same here. 'Authorize Email Account Access' works and generates Refresh and Access Token records. But, when clicking on "Test Connection", get connection failure with error message:

"Email account connection test completed with result: error, msg: Connection failed: Couldn't connect to host, port: outlook.office365.com, 993; timeout 20000; Using socket factory class com.glide.certificates.DBKeyStoreSocketFactory".