How to configure OAuth on the Kace SMA Service Desk for email communications using Office365 (4318726)

Create an Azure Active Directory App

1. Go to the Azure Active Directory Admin Portal and log in with a Microsoft account (Note: This does not need to be the same account that we are going to use on the Service Desk queue. It is an account that will administer the Azure App)
   • https://portal.azure.com/
2. Go to "Azure Active Directory" (now called Microsoft Entra ID).
3. In the secondary navigation under Manage select "App Registrations".
4. Click on "New Registration".
5. Give the App a display Name (The name is not important but it should be something recognizable to be used later).
6. Select "Accounts in any organizational directory - Multitenant".
7. Provide a Redirect URI
   1. Click the dropdown menu "Select a platform" and select "Web".
   2. The redirect UI format must be: https://”KACESMAWEBSERVERNAME”/common/authorize.php
   3. The URL must be https.
   4. The hostname provided must be the same one that will be used to access the Kace SMA admin UI when requesting a new access code.
   5. The hostname does not have to be externally accessible.
8. Click "Register" to save.
9. Note the "Application (client) ID"; we are going to need it later.
10. Select "Certificates & Secrets" in the “Manage” section to the left of the screen.
11. Click the “New Client Secret” Button.
12. Enter a Description.
13. Select an expiration (selecting an option other than Never will require the OAuth credentials to be update in the SMA when the secret expires).
14. Click "Add".
15. Copy the new client secret Value to be used later (Note: This can only be copied right after creating the secret).

Additional configuration required for outbound email sending (SMA 14.1 and up)

1. In Azure, navigate to the application you created for the inbound OAUTH in the SMA.
   https://portal.azure.com | Microsoft Entra ID | (left menu) Manage | App registrations | Click the name of your APP
2. Next click (left menu) Manage | API permissions
3. In the API permissions screen click Add a permission and add: Microsoft Graph: Mail.Send
   1. In certain environments, configuring the API type as 'delegated' may be necessary. For additional information on MS Graph mail.send permissions, refer to the Microsoft documentation here.
4. Once the new permission has been added, admin consent must be granted for it to be enabled.

Use the App Client ID and Client Secret Value to create an OAuth token Credential in the SMA

1. Navigate the SMA Admin UI (https://”KACESMAWEBSERVERNAME”/adminui)
2. On a multi org system select the ORG required.
3. In the navigation panel on the left select Settings | Credentials.
4. Select “Choose Action” in the dropdown select “New”.
5. In the Add Credential dialog, give the new Credential a Name.
6. Select "Office365 OAuth" as the Type.
7. Enter the Client ID from the Azure portal.
8. Enter the Client Secret Value from the Azure portal.
9. Select the Tenant type. Make sure the Tenant Type matches what is configured on Azure AD (Multitenant).
10. Click on "Authorize Credential".
11. A new window will open.
12. Log in with the email address that is going to be used on the Service Desk queue.
13. Verify the app asking for permission matches the name of the app configured above.
14. Verify that "Read and write access" permission is being requested.
15. Click "Accept".
16. The authorization will show on Status with "Stored As Token: queueemailaddress@domain.com" .
17. Click "Save".
18. The new credential can now be used for a Service Desk Queue with Office365 OAuth.

NOTE: As an initial setup in Office 365, multiple email accounts might be required for the KACE SMA appliance depending on the number of queues in use. These should be full standard mailboxes accounts and not shared mailboxes or just contacts. Kace SMA will be using one email account for network settings, and one per helpdesk queue.

 

Troubleshooting

• If the following message is displayed after clicking on the Generate a new code link.
  • AADSTS700016: Application with identifier 'xxxxxx' was not found in the directory.
    • Verify the correct Application (client) ID from the Create an Azure Active Directory App section above was entered.
• AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application.
• Verify the Redirect URI entered in the Create an Azure Active Directory App section was entered correctly.
• Verify the SMA Admin Console is being accessed with the same host name used in the Redirect URI.
• Verify the SMA Admin Console is being accessed using HTTPS (Note: Using the self-signed certificate wizard in the SMA to enable HTTP will work for this).
• The supplied client id or secret is invalid.
  • Verify that the Client Secret entered matches the one created in the Create an Azure Active Directory App section above.
• If the following message is displayed while saving the new Office365 OAuth credential after successfully requesting an access code.
• Configuring K1000 appliance for email connectivity to Office 365 (114347) - https://support.quest.com/kb/114347
• Port 443 (https) need to be open for login.microsoft.com
• Whenever Microsoft Graph or Azure permissions or configurations change, reauthorization of the credentials in the SMA is required.