How to configure Office365/Outlook Online email servers (IMAP and SMTP) with Oauth 2

Davin2
Tera Contributor

Hello Community,

Has anyone had any success connecting their instance mail account to an Azure cloud hosted Office365 IMAP or SMTP server while using OAuth 2.0 for authentication? I've followed the docs (steps below) and gotten as far as getting an access token returned, but the "Test Connection" still fails authentication. I suspect the problem may be with the OAuth scopes I'm requesting and/or some setup missing on the Office365 side. The problem is the docs aren't very specific to Office365, and I can't find any definitive walkthroughs on the Office365 side in terms of setting up the application there (and not a lot on Communities dealing with OAuth and IMAP/SMTP). Add to that a basic lack of detailed debugging (why did the authentication fail?) and I'm stuck.

Thanks in advance,

Davin

These are the steps taken (referencing https://docs.servicenow.com/bundle/newyork-servicenow-platform/page/administer/notification/task/t_SetUpOAuth2ForEmail.html )

First installed the "Email - OAUTH support for IMAP and SMTP" plugin, then:

1. On the Azure Office 365 side, created an application scope for the ServiceNow instance including the redirect URI for the instance. Also obtained the Client ID, Client Secret and authorization URLs needed for the next step.
2. In the instance, created a System OAuth > Application Registry entry for the Office 365 instance.
3. Created an OAuth Entity Profile and scopes under the Application Registry. I'm using Mail.ReadWrite, profile, email, Mail.Send, openid, offline_access for scopes.
4. Created an entry in System Mailboxes > Email Accounts for IMAP and SMTP services, selecting OAuth 2.0 as auth type and the right application scope.
5. Clicked the "Authorize Email Account Access" button. Entered the Office 365 user credentials in the tab that opened and authorized access. When the email account screen refreshed, I noted a message about the OAuth Refresh Token expiring soon.
6. Noted that a new record is created in System OAuth > Manage Tokens. So it's clearly communicating!
7. Clicking the Test Connection link results in authentication failed: (Account name: Office 365 IMAP, Type: imap, sys_id: f25687e51be6401409114229bc4bcbb0) Email account connection test completed with result: error, msg: Connection failed: AUTHENTICATE failed. (screenshot).


1 ACCEPTED SOLUTION

pawel_staszewsk
Giga Guru

Finally resolved.

See KB0820012


Hi.

In global.OAuthUtil()

I added paramMap for

// Hook in the OAuthUtil script include: adds the 'resource' parameter to the access token request
preprocessAccessToken: function(requestParamMap) {
	requestParamMap.put("resource", "https://outlook.office365.com");
},


But I am not sure if this mapping is still needed (it was before Rome). I also don't know how it may impact other entities.

Hi,
Can anybody provide the code for extending / overriding the Script Include here? How do I do it?


I am getting the following error when I am trying to test the connections:

No OAuth refresh token for active email account. Manual reauthorization required. Account="OAuth 2.0 SMTP server"

AADSTS900144: The request body must contain the following parameter: 'scope'.

Attached is the error I am getting when I test the connection.


Could anyone please help on this.


pawel_staszewsk
Giga Guru

Lots of things need proper configuration on the Azure side. It took me a bit to find all the pieces I had to check for the Azure Auth Application.

In ServiceNow it is hard to make a mistake.
You need the Azure Client ID and the Azure Application ID.

You define the OAuth Provider, default profile and entity scope.
Remember to update the script includes as mentioned in the KB.

Authorization URL should be: https://login.microsoftonline.com/[Azure Application ID]/oauth2/authorize
Token URL: https://login.microsoftonline.com/[Azure Application ID]/oauth2/token
Token Revocation: https://login.microsoftonline.com/[Azure Application ID]/oauth2/token
Redirect URL: {Instance_URL}/oauth_redirect.do
Send Credentials: In Request Body
Default Grant Type: Authorization Code

Once you have put all the needed parts in place, you change or define a new IMAP email account with Authentication "OAuth 2.0", type IMAP, Port 993 - this part is trivial.

If you still cannot successfully "Test Connection", you may try looking at the active tokens:

/oauth_credential_list.do

There you see the expiration date and scopes. I have these scopes:

EWS.AccessAsUser.All IMAP.AccessAsUser.All Mail.Read Mail.Read.Shared Mail.ReadBasic Mail.ReadWrite Mail.ReadWrite.Shared Mail.Send Mail.Send.Shared User.Read

But I think only "IMAP.AccessAsUser.All" is required. Ensure your Azure application has the same scope access granted to the user who connects to O365.

I can only say that you may need to work with Microsoft Support rather than ServiceNow Support.
Most of the configuration mistakes I made were on the Azure side.

Also try using POSTMAN to generate a token - if it works with POSTMAN but not with ServiceNow, it should not be a big issue to fix. But if the token is not generated via POSTMAN, you need to work with Microsoft on the Azure configuration.

If you would like me to look at your ServiceNow configuration, send me a private message. I do not guarantee any availability, but I may look at your records.

danr2c2
Tera Expert

We had a bunch of authentication errors and the tokens would never complete no matter what we did. Turns out the fix was to remove v2.0 from the authorization and token URLs. Most guides asked us to use the v2.0 endpoint URLs, but these are the ones that worked for us:

Authorization URL should be: https://login.microsoftonline.com/[Your Azure Tenant ID]/oauth2/authorize
Token URL: https://login.microsoftonline.com/[Your Azure Tenant ID]/oauth2/token

We removed the v2.0 (...oauth/v2.0/token) part in each one and it worked in conjunction with the API script from KB0820012.

Everything else was configured per this guide:  https://hi.service-now.com/kb_view.do?sysparm_article=KB0816072
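The replies above turn on one distinction: the v1 `/oauth2/token` endpoint takes a `resource` parameter (what the `preprocessAccessToken` hook injects), while the `/oauth2/v2.0/token` endpoint rejects a request that lacks `scope` with AADSTS900144. The Python below is an added example, not code from the thread or from ServiceNow; the tenant ID, client ID and instance URL are constructed placeholders. It builds the token request for either endpoint style, flags a mismatch between endpoint version and body, and shows the XOAUTH2 string the IMAP AUTHENTICATE step (the one failing in the question) sends the token in.

```python
"""Offline helper: Azure AD v1 vs v2.0 token-request shape, plus the IMAP XOAUTH2 response."""
import base64
from urllib.parse import urlparse

# Constructed placeholder values; replace with your own tenant, app registration and instance.
TENANT = "00000000-0000-0000-0000-000000000000"      # directory (tenant) ID placeholder
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # application (client) ID placeholder
REDIRECT_URI = "https://my-instance.service-now.com/oauth_redirect.do"  # assumed instance URL
OUTLOOK_RESOURCE = "https://outlook.office365.com"


def token_url(tenant, v2=False):
    """Tenant-specific token endpoint; v2=False gives the URL that worked in the thread."""
    segment = "/oauth2/v2.0/token" if v2 else "/oauth2/token"
    return f"https://login.microsoftonline.com/{tenant}{segment}"


def token_request_body(client_id, client_secret, code, redirect_uri, v2=False):
    """Authorization-code exchange body. v1 identifies the API with 'resource',
    v2.0 with 'scope' (resource URI + permission name); mixing them up fails."""
    body = {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "code": code, "redirect_uri": redirect_uri}
    if v2:
        body["scope"] = f"{OUTLOOK_RESOURCE}/IMAP.AccessAsUser.All offline_access"
    else:
        body["resource"] = OUTLOOK_RESOURCE   # same value the OAuthUtil hook adds
    return body


def check_request(url, body):
    """Return the misconfigurations between endpoint version and body parameters."""
    problems = []
    is_v2 = "/oauth2/v2.0/" in urlparse(url).path
    if is_v2 and "scope" not in body:
        problems.append("v2.0 endpoint requires 'scope' (AADSTS900144)")
    if not is_v2 and "resource" not in body:
        problems.append("v1 endpoint expects 'resource'")
    if (is_v2 and "resource" in body) or (not is_v2 and "scope" in body):
        problems.append("parameter belongs to the other endpoint version")
    return problems


def xoauth2_sasl(user, access_token):
    """Initial client response for IMAP/SMTP 'AUTHENTICATE XOAUTH2':
    user=<mailbox>^Aauth=Bearer <token>^A^A, base64 encoded (^A is 0x01)."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


if __name__ == "__main__":
    body = token_request_body(CLIENT_ID, "<client-secret>", "<auth-code>", REDIRECT_URI)
    print(token_url(TENANT), check_request(token_url(TENANT), body))          # v1 + resource: []
    print(token_url(TENANT, v2=True), check_request(token_url(TENANT, v2=True), body))
```

When the IMAP server answers AUTHENTICATE failed despite a freshly issued token, decoding the SASL string and checking that the token's audience is the Outlook resource and its scopes include IMAP.AccessAsUser.All is the first thing to verify.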

oli6
Giga Contributor

Danr2c2,


I was having a similar problem today and I found your post which solved the problem for me. Thank you so much.


Oliver