- Office 365 Service Account
- Tenant ID
- Application ID
- Custom Key Identifier
- Key/Pem files
To use OAuth with EWS for Office 365, you have to register a custom application in Azure Active Directory for your Office 365 tenant and gather some information.
Follow this guide to gather the information needed by the setup wizard.
Office 365 Service Account
This is an account which is used to impersonate the resource accounts when calling EWS with OAuth authentication. It is only used in the initial setup process and when changing EWS-related settings, such as importing meeting rooms.
It is recommended that you create a dedicated mailbox for this purpose.
- Log in to the Office 365 Admin Portal.
- Open the Azure AD admin portal by clicking “Azure Active Directory” under Admin Centers.
This will open the Azure Active Directory admin center dashboard. You can also reach this dashboard directly at https://aad.portal.azure.com
- Click Azure Active Directory in the left panel, then click Properties under the “Manage” section.
Make a note of the Directory ID, in this example 459dde7d-be02-4767-933d-76263442fb00. This is your “Office 365 Azure AD Tenant ID”.
- In the Azure AD portal, click “App Registrations” to open the App Registrations blade.
- Click New Application Registration (existing applications can be viewed by clicking the “View all applications” button).
- Fill in the necessary information and click Create.
- Once the application is created, its details page opens. Click the “Settings” button.
- In the Settings blade, click “Required permissions”.
- Click “Add” in the Required permissions blade, then click on "1 Select an API" and select "Office 365 Exchange Online (Microsoft.Exchange)".
- Click Select, then click “2 Select permissions” if it is not selected automatically.
- Under “Application Permissions” in the Enable Access blade, enable “Use Exchange Web Services with full access to all mailboxes”, then click Select.
- Click Done.
- The app also needs to be granted this privilege through admin consent. To do this without opening the consent screen from the app, select “Office 365 Exchange Online (Microsoft.Exchange)” in the Required Permissions blade and click “Grant Permissions”.
- Click Yes to grant the required permission. It may take a few minutes for the grant to propagate to all Azure systems.
- Open the Keys blade by clicking Keys in the Settings blade, then click “Upload Public Key”. You will need to generate a public/private key pair to use with OAuth (see the openssl steps at the end of this guide).
- Click inside the field, or the folder icon button, to select the certificate's public key file (cert.pem, generated as described below) from disk.
- Once the file is selected in the file browser, it is uploaded and waits for the Save action.
- Click the Save button in the Keys blade; after saving, the public key hash is shown under Thumbprint.
- Close the Keys and Settings blades.
Make a note of the Application ID on the application details page. In this example it's
Custom Key Identifier
- Click the Manifest button which will open the Manifest blade.
Make a note of the value for "customKeyIdentifier" under the "KeyCredentials" node. If you have multiple certificates uploaded, select the one with the correct "startDate" and "endDate" values.
You need openssl available on your machine. Please see https://www.openssl.org/ for more information on openssl.
- Generate a self-signed certificate and key pair valid for ~10 years (3650 days). You will be prompted for a passphrase, which encrypts the private key.
openssl req -x509 -days 3650 -newkey rsa:2048 -keyout cert.key -out cert.pem
- Decrypt the private key (this removes the passphrase; -check also verifies the key's consistency).
openssl rsa -check -in cert.key -out cert-plain.key
- Use cert-plain.key as the “key” file and cert.pem as the “pem” file in the setup wizard.