Microsoft 365 Mail Connector application authenticates as the account used to create it.


Martyn Houghton


Microsoft 365 Mail Connector application authenticates as the account context used to create it, so when you remove permissions from the Office 365 application to use the account, the Test Connection then fails.

This is linked to the post below, where you have to create the KeySafe using the global admin user to get it created, but obviously we do not want to leave the Office 365 application with rights to use the global admin user account.

Cheers

Martyn

 


Hi Martyn,

 

The typical process is to create an account that would be used as the designated shared mailbox for the system (i.e. a helpdesk account, with the email address being helpdesk@somewhere.company.com). This account doesn't have to be the admin account, nor should it be. This account would then be assigned credentials (email address/password; 2FA can optionally be employed) that would then also be used to create the KeySafe entry. This is also where the required rights would be requested from the person managing the account. These rights are needed or the system will not be able to function as intended.


Once this KeySafe entry is created, it will then be used to set up the POP3 or IMAP service connector of the shared mailbox. Note, use the same email address used in creating the KeySafe entry. The system should then be able to "impersonate" that account in retrieving the emails.

I am unsure how this process would need the approval process?  Could you clarify the process that you have in mind?

Cheers!

 

Best regards,

Michael


@Michael M

Our initial issue is that unless we authenticate as an account which has the admin privileges to accept the permissions, MS365 will submit the request for approval, but the session being used to create the KeySafe item will not pick this up even if it is done straight away, so no KeySafe value is able to be created/stored in Hornbill, i.e. the mailbox user will not have the privileges to get to the screen above.

Also are you saying that a 'Hornbill Office365 Mail Connector' has to be set individually for each mailbox?

Cheers

Martyn

Approval screenshot



1 hour ago, Martyn Houghton said:

Appreciate that you are still working on this, but is the idea that we would create a Hornbill Office365 Mail Connector for each email address/shared mailbox?

Cheers

Martyn

@Martyn Houghton

Yes, you would need a mail connector for each email address/shared mailbox you want to be associated with or used by Hornbill.  Hornbill needs to know which mailbox it needs to retrieve emails from and a connector can only connect Hornbill to one mailbox.

Thanks for understanding.

Cheers!

Michael


Hi @Martyn Houghton,

Do you have access to the Azure portal (https://portal.azure.com/#home) by any chance?

If you do, could you select Enterprise applications, and in the list of All applications, search for Hornbill Office365 Mail Connector. Once the page has finished loading the overview for the application, please select Permissions under Security on the left-hand side menu. Once the permissions page has loaded, please click on the Grant admin consent for Hornbill Corporate Limited item/button. When the authentication page opens, please provide the admin credentials to allow/consent to the Hornbill application in granting it permission to the listed accesses.

If you don't, are you able to provide the above instructions to the administrator?

Once the steps above are done, re-connecting the KeySafe should now be possible with the account's credentials and without requiring the admin credentials.

This would be a viable method of obtaining admin consent to grant the Hornbill Mail Connector access to the account's emails for processing by Hornbill.

Cheers!

 

Best Regards,

Michael

PS Could you let me know how it turned out?

 


@Michael M

The only way we have been able to get this to work is to disable the Microsoft 365 Authentication Workflow process and follow the steps below.

  1. In an incognito window, log into Hornbill using a Hornbill Direct Login (i.e. not authenticated via SSO to Azure).
  2. After selecting Connect, log in as the mailbox user themselves.
  3. As the authentication workflow process is turned off, they will then be prompted to grant permission to the Hornbill Microsoft 365 Mail Connector.
  4. The KeySafe item is successfully created and saved.

We have also identified a separate OAuth issue with outgoing SMTP connections, where the mail connector is not passing the OAuth credentials when polling normally. We can see it does when you use the Test Connection option, but that fails as SMTP best practice is not to allow relaying of unknown mail addresses, due to not being able to specify the from address, which was raised some time ago as an enhancement. It seems there is a difference in the process between the Test and the normal mail connector process. We will log a support incident for this.

 

Cheers

Martyn


Hi @Martyn Houghton,

Would you be able to try the following?

With the Azure portal (https://portal.azure.com/#home), please select Enterprise applications, and in the list of "Admin consent requests (Preview)", search for Hornbill Office365 Mail Connector. Select "Hornbill Office365 Mail Connector". A detail section should appear below the list. Please select "Review permissions and consent". This would then produce another web page signing you in. Please use your global administrator in this instance. You will be presented with the list of permissions requested. Please approve the requests, and the page should close.

Once the steps above are done, re-connecting the KeySafe should now be possible with the account's credentials and without further requiring the admin credentials.

 

Please let me know if this method is workable.

 

Cheers!

 

Best Regards,

Michael
 

PS With regards to the Outbound Mail Routing, I will need to discuss this further with the team.   I will let you know what will be decided upon.  Thank you very much.
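Both routes in this thread (Martyn's per-user consent workaround and Michael's tenant-wide admin consent) leave different OAuth2 permission grants on the enterprise application, and the original concern was that a grant created under the global admin lets the connector keep acting as that admin. The following Microsoft Graph PowerShell script is an added example (not Hornbill's or Microsoft's code) that lists the delegated grants held by the application named in the thread and flags any per-user grant that belongs to a Global Administrator; it assumes the Microsoft.Graph SDK is installed and that the display name in your tenant matches the one used here.

```powershell
# Added example: audit which identities the 'Hornbill Office365 Mail Connector'
# enterprise application has been granted delegated access for.
# Assumes the Microsoft.Graph PowerShell SDK; $AppDisplayName is taken from the thread.
param(
    [string]$AppDisplayName = 'Hornbill Office365 Mail Connector'
)

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' | Out-Null

# The service principal is the enterprise application as registered in this tenant.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "No enterprise application named '$AppDisplayName' found." }

# Object ids of current Global Administrators, used to flag risky per-user grants.
$gaIds = @()
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if ($gaRole) {
    $gaIds = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id | ForEach-Object Id)
}

# Delegated grants for this client:
#   ConsentType 'AllPrincipals' = tenant-wide admin consent (Michael's route, PrincipalId empty)
#   ConsentType 'Principal'     = consent for a single user (the per-user workaround, or
#                                 a grant left behind by connecting as the global admin)
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'"
if (-not $grants) { Write-Output "No delegated grants found for $AppDisplayName." }

foreach ($g in $grants) {
    $who  = 'ALL USERS (tenant-wide admin consent)'
    $flag = ''
    if ($g.ConsentType -eq 'Principal') {
        $user = Get-MgUser -UserId $g.PrincipalId -Property UserPrincipalName
        $who  = $user.UserPrincipalName
        if ($gaIds -contains $g.PrincipalId) {
            $flag = '  <-- per-user grant for a Global Administrator'
        }
    }
    # Scope is the space-separated list of delegated permissions the grant covers.
    '{0,-45} {1}{2}' -f $who, $g.Scope, $flag
}
```

A flagged per-user grant can be revoked with Remove-MgOauth2PermissionGrant, but as the first post notes, a KeySafe entry created under that admin account will then fail Test Connection, so re-create the KeySafe under the mailbox account first.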
