This documentation supports the 20.02 version of Remedy Action Request (AR) System.


Registering Remedy Email Engine with Microsoft Azure for OAuth 2.0 authentication

You must register Remedy Email Engine with Microsoft Azure to configure OAuth 2.0 authentication for the Exchange Web Services (EWS) protocol for your mailbox.

Important

BMC has tested and certified the following procedure to register Remedy Email Engine with Microsoft Azure to configure OAuth 2.0 authentication. To complete this procedure, you must add the full_access_as_app permission to the EWS API permissions. Any other configuration to register Remedy Email Engine with Microsoft Azure for OAuth 2.0 is considered an unconfirmed configuration. The support policy for such unconfirmed configurations is documented in the Remedy AR System Compatibility Matrix and is added here for your reference:

The Supported Configurations are those where the configuration is expected to work correctly based on design, testing or general understanding of the interaction between products. For supported configurations, BMC Customer Support will work with customers on an issue involving the configuration until either the issue is resolved or a defect/enhancement is logged.

Configurations not listed may still operate correctly with AR System and thus customers may choose to run AR System in a configuration not listed as supported. Such configurations would be considered as “unconfirmed”. BMC Remedy will accept issues reported in unconfirmed configurations but we reserve the right to request customer assistance in problem determination, including recreating the problem on a supported configuration. Reported defects either found to be unique to an unconfirmed configuration or not reproducible within a supported environment will be addressed at the discretion of BMC Remedy. Defects requiring time and resources beyond commercially reasonable effort may not be addressed. If a configuration is found to be incompatible with AR System or ITSM applications, support for that configuration will be specifically documented as not supported (or unsupported – c.f. Known Issues below).

Before you begin

Make sure that you perform the following steps before you register your Email Engine for OAuth 2.0 authentication:

  1. Make sure that you have a valid Microsoft Subscription. For more information, see Introducing Microsoft 365 for Home, Business, and Enterprise.
  2. Log in to the Microsoft Azure portal, and then access your Azure Active Directory (Azure AD). See Microsoft Azure Portal.
  3. Create a licensed user account on the Azure Active Directory Console to be used in Email Engine.

To register a Microsoft Azure AD application to enable Remedy Email Engine to communicate by using OAuth 2.0 authentication

  1. On the left pane of the Azure AD Console, click App registrations.



  2. On the App registrations screen, click Register an application.



  3. On the Register an application screen, follow these steps:
    1. In the Name box, type a user-facing display name for your client application.
    2. In the Supported account types section, select Accounts in any organizational directory (Any Azure AD directory - Multitenant).
    3. Click Register.
      The client application is registered.
  4. Click the name of the newly registered application.



  5. To add the Email Exchange-specific permissions, click View API permissions.



  6. On the API permissions screen, click Add a permission.
  7. On the Request API permissions blade, click the APIs my organization uses tab.
  8. In the search box, type "Office 365", and then from the list displayed, click Office 365 Exchange Online.



  9. Click Application permissions. In the Select permissions section, under Other Permissions, select the full_access_as_app permission, and then click Add permissions.
    If you have multiple mailboxes and you provide the API with full app permission, Remedy Email Engine connects only to the mailbox configured on the AR System Email Mailbox Configuration form.
  10. Remove the User.Read permission because it is not required to register your Microsoft Azure AD application.
  11. To learn how to authenticate an EWS application by using OAuth, see Authenticate an EWS application by using OAuth.



    At this stage, the Status column displays the "Not granted for <your Microsoft Azure account name>" message.



  12. To grant admin permission, click Grant admin consent for <your Microsoft Azure account name>.
    The Status column displays the "Granted for <your Microsoft Azure account name>" message.



  13. To generate a new client secret, on the left pane, click Certificates & secrets.



  14. On the Certificates & secrets screen, click New client secret, and then follow these steps:
    1. In the Description box, type the description for the client.
    2. In the Expires section, select Never.
    3. Click Add.




    The client secret is generated.



    Your Microsoft Azure AD application is registered. Your Email Engine can now communicate by using OAuth 2.0 authentication.

    Best Practices

    The following best practices are for setting up Microsoft Azure for OAuth 2.0 when there are multiple mailboxes in Remedy:

    • Define the mailbox to which the EWS portal should connect.
      Before configuring the EWS portal configuration in AR System Email Mailbox Configuration form, enter the mailbox to which the EWS portal should connect in the AR System Email Messages form, Email Server User field.
    • To configure more than one incoming mailbox using EWS protocol for incoming and outgoing mailboxes, use the same Tenant ID, Client ID and Client Secret registered for the Email Engine for different mailboxes created for the same domain.
      For example, if you have five mailboxes to be configured as incoming as well as outgoing, create a different user mailbox on the Exchange server which you want to configure in the AR System Email Mailbox Configuration form.
    • Do not configure the same mailbox as incoming and outgoing.
      Configuring the same mailbox as incoming and outgoing may cause a circular mail chain and cause the following error:
      Incoming Message's From Or Reply-To is same as Incoming MailBox's User configured in AR System Email Mailbox Configuration form which may cause circular mails

To get configurable parameters for Remedy Email Engine mailbox configuration

Important

Certain parameters such as Tenant ID, Client ID, and Client secret are required to configure outgoing and incoming mailboxes in Email Engine.

  1. On the AR System Email Mailbox Configuration form, enter the https://outlook.office365.com/EWS/Exchange.asmx URL in the Exchange Service URL field.
  2. To find your Tenant ID, go to the Azure Active Directory home page.
    In the Tenant information section, you can view your Tenant ID.



  3. To view the user details, in the Azure Active Directory Console, click All users (Preview).



  4. To find your Client ID, go to Azure Active Directory Console > App Registration.
  5. Select the client application that you've created.
    You can find the Client ID on the screen.



  6. To find your Client secret, go to Azure Active Directory Console > App Registration > Client App > Certificates & secrets.




    Important

    Your Client secret is not available for you to copy. You must save it when you create it. If you did not copy your Client secret when you first created it, delete the existing one and then create a new one. Make sure to copy it and keep it somewhere safe.

Related topics

Configuring basic outgoing mailbox properties

Configuring basic incoming mailbox properties

Comments

  1. Levi Lippincott

    I am in the process of setting this up and at step 12 where I need to "Grant admin consent" I am receiving a warning message that reads: Starting November 9th, 2020 end users will no longer be able to grant consent to newly registered multitenant apps without verified publishers.

    It wants me to go to the Branding page and input a Microsoft Partner Network (MPN) ID. Is this something that my organization needs to obtain or is there a MPN that BMC has we are supposed to input there?

    Apr 12, 2021 07:40
    1. Onkar Telkikar

      Hello Levi,

      Thank you for your comment on the documentation. We are working on your query.

      Regards,
      Onkar

      Apr 12, 2021 10:57
      1. Onkar Telkikar

        Hello Levi,

        Please note that BMC does not provide an MPN ID to any customer. Customers need to obtain it themselves.

        For more information about publisher verification, see:
        https://docs.microsoft.com/en-us/azure/active-directory/develop/publisher-verification-overview.

        For further assistance, please contact BMC Support at:
        https://www.bmc.com/support/support-central.html

        Thanks,
        Onkar 

        Apr 22, 2021 11:09