Mail Server

The Mail Server page is used to configure integration with an email provider to Send and/or Read emails using PAM. Sending emails uses the SMTP configuration and reading emails uses the IMAP configuration. PAM sends emails for functions including, but not limited to, user notifications, report delivery via email, and workflow notifications. PAM reads emails from an IMAP enabled mailbox for functions including, but not limited to, processing workflow approvals via emails.

Please use this Mail Server page to provide the configuration details required for your intended PAM use.

Configuration to Send Emails

This section is required for PAM to use your SMTP server to send emails to users. Please populate the entire SMTP Server section with the required values and use the Test button to confirm connectivity.

Optionally, for Office 365 Mail Server integration, check the OAuth2 Setup button and populate the required Tenant ID, Client ID, and Secret Value parameters to use Modern Authentication. Please review the OAuth2 Setup section of this guide for more information.

Configuration to Read Emails

This section is required for PAM to use an IMAP-enabled mailbox to read emails. Please populate the entire IMAP Mailbox section with the required values and use the Test button to confirm connectivity.

Optionally, for Office 365 Mail Server integration, check the OAuth2 Setup button and populate the required Tenant ID, Client ID, and Secret Value parameters to use Modern Authentication. Please review the OAuth2 Setup section of this guide for more information.

Please note that Microsoft intends to disable Basic Authentication for IMAP in Office 365 beginning October 2022. When Basic Authentication for IMAP is disabled in Exchange Online, it will be required that you enable OAuth2 Setup for the IMAP Mailbox configuration if you are using the Office 365 Exchange Online service.

Configure OAuth2 Setup for SMTP and IMAP in Microsoft Azure AD

As an alternative or requirement, to basic authentication for IMAP and/or SMTP to connect an Office 365 mailbox in PAM, we can use an OAuth2 access token.

To generate an OAuth2 access token and authenticate Office 365 Mailboxes, the following information needs to be provided from Microsoft Azure AD. This section will help you register the required application in Azure and gather the required values are defined below:

• Directory (Tenant) ID – The ID of the Microsoft Azure Active Directory to retrieve information from.

• Application (Client) ID – The ID of the application that will connect to Microsoft Azure Active Directory, which in this case is the integration connector.

• Application (Client) Secret Value – The key that will be used as the secret in the connection to Microsoft Azure.

Register a new application in the Azure portal

1. Sign in to the Azure Portal as a User Administrator role for the organization.

2. In the Azure services panel, select the Azure Active Directory service, and then select App registrations > New registration.

   

   



3. When the Register an application page appears, enter your application's registration information:

   1. Name - Enter a meaningful application name that will be displayed to users of the app.

   2. Supported account types - Accounts in this organizational directory only.

   3. Redirect URI - ‘http://localhost’.

      

Locate Tenant ID and Client ID

1. In the Microsoft Azure portal, navigate to the application you created in the previous step.

2. Copy the IDs from Directory (tenant) ID and Application (client) ID boxes.

Locate Application Secret Value

1. In the Microsoft Azure portal, navigate to the application you created in the previous step.

2. Select the Client credentials parameter.

   

3. Create a new client secret by navigating to the Client secrets tab and click on New client secret.

   

4. Complete this new client secret process to generate a Secret Value for this registered application.

Configure Required Application Permissions

To authenticate SMTP and IMAP by OAuth2 access token requires certain delegated permissions from the Microsoft Graph section. Set permissions by navigating to the app’s API permissions section and clicking Add permission as shown below.

1. Find and select the application you created previously.

2. Select the API permissions option and then Add permission.

   



3. From the Microsoft APIs section, select Microsoft Graph.

   

4. For the permission type, select Delegated permissions.

   

   1. For IMAP, in the Select permission parameter, select IMAP > IMAP.AccessAsUser.All

   

   2. For SMTP, in the Select permission parameter, select SMTP > SMTP.Send

   

5. Back on the Configured permissions page, click the Grant admin consent for <CompanyName> option.

NOTE: this step must be done by admin user.

Complete the PAM Mail Server OAuth2 Setup

Return to the PAM Mail Server page, enable the OAuth2 Setup checkbox for the SMTP Server and/or the IMAP Mailbox sections and populate the required Tenant ID, Client ID and Secret Value values as generated and configured in the previous steps. Be sure to Save and then Test your configuration before completing this process.

 

 

Additional links for more information:

https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#get-an-access-token