Office 365 best practice enforces multi-factor authentication, which a background process such as Jim2's email retrieval cannot complete. Jim2 therefore retrieves Office 365 email through the Microsoft Graph API using an application registration and client secret instead of a mailbox password. The following explains the configuration required on the Microsoft side, and how to configure it within Jim2 (both Jim2.Cloud and Jim2 on premises).
Note: If you wish to use Microsoft Products via Jim2 Cloud, it is recommended to obtain an E3 licence or above.
Set up application
1. Sign in to admin.microsoft.com with an account that can manage app registrations in Azure Active Directory (now called Microsoft Entra ID).
2. Select Azure Active Directory.
3. Select App registrations, then New registration.
4. Enter a name for the application (Jim2 Email is suggested). Under Supported account types select Accounts in this organizational directory only (<name> only – single tenant), so that only accounts in your own tenant can use the registration.
Remember the Application (client) ID and Directory (tenant) ID shown on the application's Overview page, as both need to be entered when setting up email accounts in Jim2.
5. Create a secret for the application. Select Certificates & secrets, then New client secret; 24 months (the maximum the portal offers) is suggested. Every client secret expires, so a new secret must be created and entered in Jim2 before the current one expires.
If this is not done, Jim2 will stop retrieving emails the moment the secret expires.
6. Copy the secret's Value (not the Secret ID) straight away and keep it somewhere safe for entry into Jim2; it is shown only once and cannot be retrieved later. Treat it as a password, since anyone holding it can read mail with the application's permissions.
7. Go to API permissions, click Add a permission, then select Microsoft Graph.
8. Select Application permissions (not Delegated permissions: Jim2 runs unattended, with no user signed in).
Search for Mail and tick the four Mail boxes shown in the original screenshot (not reproduced here). Moving or deleting downloaded messages, as described under After Processing below, requires a read/write mail permission rather than a read-only one.
9. Click Add permissions, then click Grant admin consent for <name>; application permissions have no effect until an administrator consents. Be aware that this consent gives the application access to every mailbox in the tenant, not only the accounts Jim2 will download emails for. See Limiting access to specific Exchange Online mailboxes below for how to narrow it.
Name and Email Address
If the address does not need to be available for staff to select when sending emails, leave Email Address blank and enter the address to retrieve from in Mailbox, e.g. firstname.lastname@example.org. If emails are to go out as email@example.com but the email servers forward them to the firstname.lastname@example.org mailbox, set both Email Address and Mailbox to email@example.com.
Received Enabled must be ticked. SMTP details are not entered here.
▪Tenant – Enter the Directory (tenant) ID from above.
▪Client – Enter the Application (client) ID from above.
▪Pwd – Enter the Secret from step 6 above.
▪Mailbox – Enter the email address where the emails are to be retrieved from.
▪After Processing – Choose an action to take:
–Move To processed folder – After the email is downloaded it is moved to the nominated folder in Office 365.
–Delete – After the email is downloaded, it is deleted from the mailbox.
–Do nothing – Email is left in the mailbox and the Last Checked date is used to determine which emails to download next. This is not recommended.
▪Move To – it is recommended to create a folder such as DownloadedtoJim and have emails moved here.
▪Last Checked – This is the last date and time Jim2 checked for emails (as long as None is not selected above).
▪Server – Enter the email server here.
▪User – Enter the email address here.
▪Pwd – Enter the password for the email address.
Once set up, click Test to ensure everything is correct.
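If Test fails, it helps to exercise the same four values (Tenant, Client, Pwd and Mailbox) against the app registration created under Set up application without Jim2 in the way. The PowerShell script below is an added example, not part of the Jim2 documentation or a Microsoft script: it requests an app-only token with the client credentials, checks the token's roles claim to confirm the Mail application permissions were actually admin-consented, and then reads the nominated Inbox through Graph exactly as an application-permission caller would. The IDs and the mailbox address are placeholders to replace with your own.

```powershell
# Added example, not from the Jim2 documentation. All IDs and addresses are placeholders.
$TenantId = '00000000-0000-0000-0000-000000000000'   # Directory (tenant) ID  -> Jim2 "Tenant"
$ClientId = '11111111-1111-1111-1111-111111111111'   # Application (client) ID -> Jim2 "Client"
$Secret   = Read-Host -Prompt 'Client secret value' -AsSecureString   # -> Jim2 "Pwd"
$Mailbox  = 'firstname.lastname@example.org'          # -> Jim2 "Mailbox"

# 1. Client-credentials token. This is the app-only flow Jim2 uses: no user, no MFA prompt.
$plainSecret = [System.Net.NetworkCredential]::new('', $Secret).Password
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $ClientId
        client_secret = $plainSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$accessToken = $tokenResponse.access_token

# 2. Decode the JWT payload (our own token, so no signature check is needed here) and
#    confirm the consented Mail permissions. Application permissions appear in the
#    'roles' claim; an empty list means "Grant admin consent" was never clicked.
$payloadB64 = $accessToken.Split('.')[1].Replace('-', '+').Replace('_', '/')
switch ($payloadB64.Length % 4) { 2 { $payloadB64 += '==' } 3 { $payloadB64 += '=' } }
$claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payloadB64)) | ConvertFrom-Json
$mailRoles = @($claims.roles) -match '^Mail\.'
if (-not $mailRoles) {
    throw "Token carries no Mail.* application roles. Click 'Grant admin consent' on the API permissions page."
}
"Granted Mail roles: $($mailRoles -join ', ')"

# 3. Read the Inbox of the nominated mailbox. A 403 here, with roles present in the token,
#    usually means an Application Access Policy excludes this mailbox from the app.
$headers = @{ Authorization = "Bearer $accessToken" }
$uri = "https://graph.microsoft.com/v1.0/users/$Mailbox/mailFolders/inbox/messages" +
       '?$top=5&$select=subject,from,receivedDateTime'
try {
    $messages = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    "Inbox readable. Newest $($messages.value.Count) message(s):"
    $messages.value | Format-Table receivedDateTime, subject -AutoSize
} catch {
    throw "Graph call failed: $($_.Exception.Message)"
}
```

Run it from any machine with internet access. Step 2 failing means the permissions were added but not consented; step 3 failing with roles present points at the Mailbox value, the licence on that mailbox, or an Application Access Policy.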
To avoid interruption to incoming email reception:
▪A new client secret must be created before the current one expires (at most 24 months after it was created). Record the expiry date shown on the Certificates & secrets page and set a reminder well ahead of it.
▪Each mailbox in Jim2 must be updated with the new client secret (Pwd field). Once every mailbox has been updated and tested, delete the old secret from the app registration.
Limiting access to specific Exchange Online mailboxes
Application permissions granted to the Jim2 app registration apply to every mailbox in the tenant. Administrators who want to limit access to specific mailboxes can create an Application Access Policy in Exchange Online for the Jim2 app registration, scoped to a mail-enabled security group that contains only the mailboxes Jim2 retrieves from.
Please refer to the Microsoft documentation:
Limiting application permissions to specific Exchange Online mailboxes - Microsoft Graph | Microsoft Docs: https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access (copy and paste into a browser).
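As an added example (not Microsoft's documentation or a Jim2 script), the following Exchange Online PowerShell session creates such a policy for the Jim2 app registration and then checks it from both sides: a mailbox Jim2 polls should come back Granted and any other mailbox Denied. It assumes the ExchangeOnlineManagement module, an Exchange administrator account, and a mail-enabled security group (jim2-mailboxes@example.org here, a placeholder) that already contains the mailboxes Jim2 retrieves from; the app ID and addresses are placeholders too.

```powershell
# Added example, not from Microsoft or Jim2. The app ID, group and mailbox addresses are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$AppId      = '11111111-1111-1111-1111-111111111111'   # Application (client) ID of "Jim2 Email"
$ScopeGroup = 'jim2-mailboxes@example.org'              # mail-enabled security group holding the polled mailboxes

# Without a policy, the app's Mail.* application permissions reach every mailbox in the tenant.
# RestrictAccess limits this app ID to members of the scope group; other mailboxes return 403.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess -Description 'Jim2 may only read mailboxes in the Jim2 group'

# Policies can take up to 30 minutes to take effect, so re-run these checks after that.
# AccessCheckResult should be Granted for a polled mailbox and Denied for anything else.
Test-ApplicationAccessPolicy -Identity 'firstname.lastname@example.org' -AppId $AppId
Test-ApplicationAccessPolicy -Identity 'ceo@example.org' -AppId $AppId

# Review what is in place for this app; remove with Remove-ApplicationAccessPolicy if needed.
Get-ApplicationAccessPolicy | Where-Object AppId -eq $AppId | Format-List
```

Keep the scope group under the same change control as the app registration: adding a mailbox to the group is what widens the application's reach, not anything in the Azure portal.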