How to Set Up SMTP and IMAP Email Accounts via OAuth 2.0 Authentication on ServiceNow Using MS O365
‎10-13-2022 02:10 AM - edited ‎10-13-2022 09:32 AM
Follow the steps below:
1. Install the plugin: Email - OAUTH support for IMAP and SMTP
2. Contact the O365 admin and have him perform the following:
a. Register OAuth authentication.
b. Create certificates and permissions on the mailbox to generate the Application ID, Client Secret ID, and Client ID and Value (all of these will be provided by the admin).
c. Create API scopes on MS Graph.
3. Configure the OAuth entity (Application Registry) on ServiceNow.
Map the details shared:
Client ID == Application ID
Client Secret == Value
Authorization URL: https://login.microsoftonline.com/[Azure Tenant ID]/oauth2/v2.0/authorize
Token URL: https://login.microsoftonline.com/[Azure Tenant ID]/oauth2/v2.0/token
Redirect URL: {Instance_URL}/oauth_redirect.do
4. Create OAuth Entity Profile Scopes as below and map the OAuth entity.
a. OAuth scope: "https://outlook.office.com/IMAP.AccessAsUser.All"
b. OAuth scope: "https://outlook.office.com/SMTP.Send"
c. OAuth scope: "offline access"
5. This should create the OAuth Entity Profile; make sure the OAuth Entity Profiles also have the above scopes mapped.
6. Create email accounts: Selection type as SMTP, use connection security as STARTTLS (this is for sending email).
7. Create email accounts: Selection type as IMAP, connection security as SSL/TLS (this is for receiving).
8. Before clicking on Authorize Email account access, please open a browser in incognito mode and then apply. This should open an MS SSO window where you enter the credentials of the mailbox you are trying to authorize.
Note: If you fail to do so, or if your authentication passes without an MS SSO window, please understand that your account has been validated instead of the mailbox.
9. Once your mailbox account is validated with MS, your tokens will be refreshed.
10. In case of any errors, please grant permissions to the mailbox, validate email diagnostics, and check that the sender and reader jobs are running properly.
Note:
For SMTP: once configured, you will have to use your mailbox when authorizing the access; it is better to use incognito mode. This will allow you to enter the mailbox credentials and create the authentication.
For IMAP: please follow the above, and also check that the mailbox has the IMAP scope set up. Get the O365 admin to validate and enable the IMAP scope; this should fix receiving issues, as the Email reader will start reading emails from your mailbox.
We do have a KB article, KB0816072, for reference; however, it does not give the details on how to set it up correctly.
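The note in step 8 (your own account being validated instead of the mailbox) can be checked offline by reading the claims of an access token issued for the email account. The following is an added example, not part of the original post or of ServiceNow; it assumes you already have the token as a string and that it is a Microsoft-issued JWT carrying the `upn` (or `preferred_username` / `unique_name`), `scp` and `exp` claims. The mailbox names and timestamps are constructed placeholders.

```python
import base64
import json

# Scopes the post maps onto the OAuth entity profile. The offline-access scope
# is not checked: it yields a refresh token and is not listed in the scp claim.
REQUIRED_SCOPES = {"IMAP.AccessAsUser.All", "SMTP.Send"}

def decode_claims(token):
    """Return the JWT payload as a dict. No signature check: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_mail_token(token, expected_mailbox, now):
    """List the reasons this token is wrong for the mailbox (empty = OK)."""
    claims = decode_claims(token)
    problems = []
    # Assumed claim names: upn / preferred_username / unique_name, scp, exp.
    identity = (claims.get("upn") or claims.get("preferred_username")
                or claims.get("unique_name") or "")
    if identity.lower() != expected_mailbox.lower():
        problems.append(f"token issued to {identity!r}, not the mailbox")
    # scp may carry short names or full URIs; compare on the last path segment.
    granted = {s.rsplit("/", 1)[-1] for s in claims.get("scp", "").split()}
    for scope in sorted(REQUIRED_SCOPES - granted):
        problems.append(f"missing delegated scope {scope}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

def make_sample_token(claims):
    """Build an unsigned, constructed token for the demo below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed sample data: names and times are placeholders.
GOOD = make_sample_token({"upn": "servicedesk@example.com", "exp": 2000,
                          "scp": "IMAP.AccessAsUser.All SMTP.Send"})
BAD = make_sample_token({"upn": "admin@example.com", "exp": 2000,
                         "scp": "IMAP.AccessAsUser.All"})

if __name__ == "__main__":
    for name, tok in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_mail_token(tok, "servicedesk@example.com", now=1000))
```

The payload is decoded without verifying the signature, so treat the output as a configuration diagnostic and not as proof of authenticity.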
‎12-21-2022 03:17 AM
A few things to note @Daniel R2 - The application that you have set up in Azure, does it have all the delegated access granted, like SMTP, IMAP, offline-access?
When you are creating the application registry in ServiceNow for OAuth, what are the details that you are using? Are you using Application ID and Secret Value instead of client ID and secret ID?
I can certainly help you with this.
‎12-22-2022 08:30 AM
@Vishal Jawalka1 - thanks for your reply, we have managed to make some progress with this.
Upon selecting 'authorize email account access' (in incognito/private window) on the IMAP email account, we entered the email credentials on the MS SSO pop up and did not receive any of the previous errors we were receiving. We were directed to the following page, showing a "HTTP Error 401 - Unauthorized" error.
When selecting to go back, we were then directed back to the IMAP email account on ServiceNow. Here we were prompted with "OAuth Refresh token is available and will expire at ***************". When we tested the connection on the email account, the connection was also successful.
We just wanted to get further confirmation here, if this is now set up correctly. Because even though we received the HTTP Error, we were then prompted with the OAuth refresh token is available, as well as a successful test connection.
Can you please advise here. If possible can you also please advise if there are any next steps.
‎01-03-2023 01:40 AM
We have now set this all up on the Development environment.
If we now wanted to progress with configuring this for the Test and Production environments - do separate Azure Enterprise applications need to be created for the Test and Production environments? So in summary, for this type of configuration, is it best practice to have 1 Azure Enterprise application set up for each environment? Or is it possible to use the same Azure Enterprise application that was used for the Development Environment and just add 2 additional redirect URLs (a test redirect URL and a prod redirect URL) to the 1 Azure application?
‎01-05-2023 09:56 AM
You can have 1 Azure app with multiple redirect URLs, don't need to have multiple ones.
‎01-05-2023 09:25 AM
Hi, we are working on configuring an SMTP email account, however when we test the connection we get the following error: "Connection Failed Email sender connection invalid.: Cannot connect to SMTP server: smtp.office365.com".
We were able to authorize the email account, however it's when we test the connection that we get the error. IMAP is working perfectly.
It is advised to check the email mailbox has an E5 license and providing it with an E5 license would fix the issue. However, the mailbox we have does have an E5 license, yet the issue still persists, and we still receive the error when testing the connection.
Can anybody please advise here on how to get a successful test connection on our SMTP email account?