Microsoft 365 OAuth Email Monitoring
Last updated on 03 October, 2024
Microsoft 365 has announced deprecation of basic authentication in Exchange Online. Due to these changes, basic email monitoring now requires OAuth token validation for IMAP, POP3, and SMTP. To authenticate LogicMonitor with Office 365, you need to update the app registration in Microsoft Azure.
Note: For more information, see Authenticate an IMAP, POP or SMTP connection using OAuth in the Microsoft 365 documentation.
Requirements
- You must be an administrator of the Microsoft Azure account to make configuration changes.
- Upon initial setup of the App Registration in Azure:
  - The Supported account type must be Multitenant.
  - The Redirect URI must be left blank.
- For more information about Azure app registrations, see Adding Your Azure Environment to LogicMonitor.
- Install the LogicModules for Email Service Monitoring. For more information, see Email Service Monitoring.
Adding Authentication to the App Registration
- In Microsoft Azure, navigate to the App registration page.
- From the Manage menu, select Authentication.
- Under Platform configurations, select Add a platform.
- On the Configure platforms panel, select Web.
- On the Configure web panel, for the Redirect URI, enter: http://localhost/
- Select Configure.
- Navigate to Certificates & secrets and select New client secret.
- On the Add a client secret panel, enter a Description and an Expires time-range and then select Add.
- Copy the Value and Secret ID and save them to a secure location.
- Navigate to Manage > API permissions.
- Select Add permissions to enable the following:
  - Microsoft Graph (Delegated)
    - IMAP.AccessAsUser.All
    - SMTP.Send
  - Office 365 Exchange Online (Application)
    - IMAP.AccessAsApp
    - POP.AccessAsApp
    - ReportingWebService.Read.All
- Navigate to Manage > App roles and select Create app role.
- On the Create app role panel, enter the following:
  - Display Name: AppAdmin
  - Allowed member types: Applications
  - Value: Enter the role that corresponds with the protocol permission (for example, IMAP.AccessAsUser.All).
  - Description: Enter a description for the new role.
  - Do you want to enable this app role? Enable
- Select Apply.
- Create a service principal. For more information, see Create an Azure service principal with Azure PowerShell.
Azure Integration Assistant
You can use the Integration assistant in the Azure portal (App registrations > Integration assistant) for guidance and verification.
Assigning Properties to the Resource
The following custom properties must be set in LogicMonitor for the device associated with the Microsoft 365 Office OAuth resource. For more information on setting properties, see Resource and Instance Properties.
| Property | Value (Azure App Registration) |
| --- | --- |
| office365.client | Application (client) ID |
| office365.clientsecret.pass | Value (Certificates & secrets) |
| office365.tenantid | Directory (tenant) ID |
Next Steps
For troubleshooting, use LogicMonitor’s email monitoring to review any error codes. The expected behavior for Microsoft 365 is to show success on the obtained token and cached token. The obtained token value changes each time the token expires or is refreshed.
Note: Manual troubleshooting of the API endpoint can be done with curl commands. Endpoints are located in Azure > App registrations > Overview > Endpoints.
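
The manual check from the note above, as an added Python example (not LogicMonitor's or Microsoft's own code): it builds the client-credentials token request that a curl command would send, then inspects the returned token's tenant, expiry, and granted application roles. The v2.0 endpoint form, the https://outlook.office365.com/.default scope, and the O365_* environment variable names are assumptions not taken from this page, and the sample token is constructed.

```python
import base64, json, os, time, urllib.parse, urllib.request

# Assumptions (not on the page): v2.0 endpoint form and Exchange Online scope.
# Confirm the endpoint under App registrations > Overview > Endpoints.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SCOPE = "https://outlook.office365.com/.default"

def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for a client-credentials token request."""
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": SCOPE}
    url = TOKEN_URL.format(tenant=urllib.parse.quote(tenant_id, safe=""))
    return url, urllib.parse.urlencode(form).encode()

def fetch_token(tenant_id, client_id, client_secret):
    """POST the request (network call; not used by the offline sample)."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=15) as r:
        return json.load(r)["access_token"]

def decode_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_claims(claims, tenant_id, required_roles, now=None):
    """Return a list of problems; an empty list means the token looks usable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match office365.tenantid")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    missing = sorted(set(required_roles) - set(claims.get("roles", [])))
    if missing:
        problems.append("missing app roles: " + ", ".join(missing))
    return problems

def sample_token(claims):
    """Constructed, unsigned token so the checks can run offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "constructed"])

if __name__ == "__main__":
    tenant = os.environ.get("O365_TENANT_ID", "00000000-0000-0000-0000-000000000000")
    if "O365_CLIENT_SECRET" in os.environ:  # hypothetical names; keeps the secret out of argv
        tok = fetch_token(tenant, os.environ["O365_CLIENT_ID"], os.environ["O365_CLIENT_SECRET"])
    else:  # constructed sample: only the IMAP role has been granted
        tok = sample_token({"tid": tenant, "exp": int(time.time()) + 3600, "roles": ["IMAP.AccessAsApp"]})
    print(check_claims(decode_claims(tok), tenant, ["IMAP.AccessAsApp", "POP.AccessAsApp"]) or "ok")
```

A missing role in the output means the application permission was not added, or not consented to, under API permissions; the decoded claims are for diagnosis only and must not be used for an authorization decision.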