Introduction

Spindle Requisitions offers an optional feature that allows users who are not on the Local Area Network to authorise or reject a requisition remotely by email, rather than by logging into the Spindle Requisitions Portal. This is known as Remote Auth.

This is achieved via an incoming mailbox, which needs to be configured with App-only authentication as no user will be present. As an unattended application, Remote Auth will authenticate using client secrets (application credentials) to receive an access token, which is then used to gain access to a mailbox using IMAP, POP3 or EWS protocols.

Before Spindle Requisitions Remote Auth can start accessing mailboxes, you have to register it with Microsoft, assign the relevant permissions and configure mailbox access. The guide below describes what needs to be done to enable EWS access for unattended apps (app-only mode). 

Applies To

Spindle Requisitions

Process

Register yourself and your company

  1. Log into Azure Portal. If you don't have an account there yet, create it. You also have to set up a tenant that represents your company.

  2. If you administer more than one tenant, use the Directories + subscriptions filter to select the tenant for which to register an application.


Register your application

  1. In Azure Portal ⇒ expand the left menu ⇒ select Azure Active Directory ⇒ select App registrations ⇒ click + New registration. (Azure Portal is constantly evolving, so if you cannot find this page, use the search bar.)


  2. Name your application, choose which kind of accounts are going to use it, and click Register.

    Note: This guide is suitable for single tenant account types. For other types, further steps might be different.


  3. You have successfully registered your application and can view its associated IDs. Some of them will be needed later to obtain an OAuth 2.0 token.

Set up client secret (application password)

  1. In the left menu, select Certificates & secrets ⇒ click + New client secret.


  2. Provide a description for this secret, choose an expiration period, and click Add.


  3. Immediately copy and save the newly created client secret's Value (not Secret ID). You will not be able to view the Value again later.

Add app permissions

  1. In the left menu, select API permissions ⇒ click + Add a permission.


  2. Navigate to the APIs my organization uses tab ⇒ type Office 365 Exchange in the search bar or select the Office 365 Exchange Online entry.


  3. Click Application permissions ⇒ check full_access_as_app ⇒ click Add permissions.

    Note: Mail.Read, Mail.ReadWrite, Mail.Send permissions are not suitable for EWS.


  4. The newly-added full_access_as_app permission has to be approved by your organization's administrator. Ask them to grant consent to your application by clicking Grant admin consent for [organization].

    Note: This grants read-write access to all Exchange Online mailboxes in your organization. To restrict this, use the New-ApplicationAccessPolicy cmdlet.


  5. Application permissions have been granted. Optionally, you can remove the delegated User.Read permission, which is not needed for an app-only application: click the context menu on the right side of the permission and select Remove permission.


  6. When using Exchange Web Services (EWS) from a service or application such as Spindle Requisitions, the following three permissions are required:



  7. If Mail.ReadWrite and User.ReadBasic.All permissions are not available in the Office 365 Exchange Online section, they may instead be available in the Microsoft Graph section:

  8. You have now registered an application for accessing Office 365 mailboxes via the EWS protocol and received its Application (client) ID, Client secret and Directory (tenant) ID.

    These strings are going to be used by Spindle Requisitions to authenticate to Microsoft 365 via OAuth 2.0 and receive an OAuth token. This token is then used to authenticate to Exchange Online using the EWS protocol.


  9. These settings will be added to the Spindle Requisitions Portal in Settings ⇒ Email Configuration ⇒ Remote Authorisation:




  • This guide is only suitable for EWS. 

  • Microsoft 365 does not support app-only authentication for SMTP.
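
The note in step 4 of Add app permissions says that full_access_as_app reaches every mailbox unless New-ApplicationAccessPolicy is used. The PowerShell below is an added example, not part of the original article or of Spindle's own tooling, showing one way to scope the app to the Remote Auth mailbox and check the result. The app ID, email addresses and group name are placeholders.

```powershell
# Added example: restrict the registered app to the Remote Auth mailbox only.
# Every value in this block is a placeholder (assumption), not taken from the article.
$AppId     = '00000000-0000-0000-0000-000000000000'   # Application (client) ID of the app registration
$Mailbox   = 'remoteauth@example.com'                 # incoming Remote Auth mailbox
$OtherUser = 'someone.else@example.com'               # any mailbox the app must NOT reach
$GroupName = 'Spindle Remote Auth Mailboxes'
$GroupSmtp = 'spindle-remoteauth-scope@example.com'

# Requires the ExchangeOnlineManagement module and an Exchange administrator sign-in.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Mail-enabled security group that lists the mailboxes the app may open.
New-DistributionGroup -Name $GroupName -Type Security -PrimarySmtpAddress $GroupSmtp
Add-DistributionGroupMember -Identity $GroupSmtp -Member $Mailbox

# 2. Policy: the app may access members of that group and nothing else.
$policy = @{
    AppId              = $AppId
    PolicyScopeGroupId = $GroupSmtp
    AccessRight        = 'RestrictAccess'
    Description        = 'Limit Spindle Requisitions Remote Auth to its own mailbox'
}
New-ApplicationAccessPolicy @policy

# 3. Verify both directions: the scoped mailbox is granted, any other is denied.
$allowed = Test-ApplicationAccessPolicy -Identity $Mailbox   -AppId $AppId
$denied  = Test-ApplicationAccessPolicy -Identity $OtherUser -AppId $AppId

if ($allowed.AccessCheckResult -ne 'Granted') {
    throw "Policy blocks the Remote Auth mailbox: $($allowed.AccessCheckResult)"
}
if ($denied.AccessCheckResult -ne 'Denied') {
    throw "Policy still allows $OtherUser : $($denied.AccessCheckResult)"
}
'Application access policy is scoped to the Remote Auth mailbox.'

Disconnect-ExchangeOnline -Confirm:$false
```

Run the two Test-ApplicationAccessPolicy checks again whenever the group membership or the app registration changes, since the policy is only as narrow as the group it points to.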

Knowledge Base Article Details

Related Product: Spindle Requisitions
Reference Number: KBA-15-01-001
Document Date: 14/02/2024
Original Author: Julia Ringrose
Document Version: 1
Last Updated:
Update Author:
Keywords: Remote Auth, Microsoft App Registration