How to use Microsoft Modern Authentication with FME

Merline George
Merline George
  • Updated

Introduction

As of October 1, 2022, basic authentication is disabled for the IMAP and the SMTP protocol in Microsoft Exchange Online. This article will provide guidance on how to create an App in Microsoft Azure to enable Microsoft modern authentication for use with FME. This involves performing an Azure Active Directory(AD) App Registration and giving it SMTP and IMAP permissions. After configuring this app registration,  a client ID is provided that can be used in FME Server.

FME Server supports the IMAP email protocol in Automations (and Notifications), and when configured, FME Server can monitor an external mail server for incoming emails. 
FME Server and FME Desktop support the SMTP email protocol in Automations (and Notifications) and the Emailer transformer, respectively, and when configured, FME can send emails from this account.

The Emailer transformer comes with a Web Service definition that points to a common app for Authentication. As long as your organization grants admin consent to the application from the Exchange Server Tennant then you can use the default application on both FME Desktop and FME Server. If your organization wishes to use its own application then you can follow the below steps to set up an Azure AD app.

 

Prerequisites

FME version 2022.2 or newer should be installed and a Microsoft Azure account should be set up to use the Azure AD service. 
 

Step-by-Step Instructions

Part 1: Disabling Basic Auth

Basic authentication would already be permanently disabled by Microsoft in all tenants, regardless of usage. Manual disabling is done by enabling security defaults on the Azure AD tenant, as seen here. Please note this is not required on new Microsoft 365 tenants, as these are created with basic authentication already turned off.

Note: One of the features of the security defaults is to enable MFA for users. Therefore, a prompt to configure 2-step verification will pop up on the next user login attempt. The complete list of security defaults is listed here.
 

Part 2: Registering Azure AD App and API Permissions

For FME Server Automations (Notifications) 

An Azure AD app should be registered per this Microsoft article. Adding a certificate, client secret or redirect URI during this app registration is not required for the setup with FME. The client ID that is created upon app registration should be recorded for use in the FME configuration. 

After registration, you’ll need to configure the following “delegated permission” to Microsoft Graph :

  • IMAP.AccessAsUser.All
  • SMTP.Send


Please ensure to grant admin consent for your AD tenant name after adding the permissions. This enables FME to perform operations on behalf of the logged-in user. 

Lastly, we must allow the Azure AD tenant application to function as a public client by allowing public client flows.
 

For the Emailer Transformer

An Azure AD app should be registered per this Microsoft article. In particular, set the redirect URI to "http://localhost/" and select type ‘Web’. The client ID that is created upon app registration should be recorded for use in the FME configuration.

After registration, you’ll need to configure the following “delegated permission” to Microsoft Graph:

  • offline_access
  • User.Read
  • Mail.Send


Please ensure to grant admin consent for your AD tenant name after adding the permissions.
Lastly, create a client secret to put in the FME Desktop web service definition. This client secret should also be recorded for use in the FME configuration. Please note that the client secret lifetime is limited to two years or less. You can't specify a custom lifetime longer than 24 months.
Therefore, select the expiry to the maximum time period and set a reminder to update the web service. Workspaces associated with this web service will stop working after the expiry.
 

Part 3: Enabling SMTP in Microsoft 

The SMTP AUTH protocol is used for SMTP client email submissions and supports modern authentication through OAuth. SMTP Auth for the organization and  SMTP Auth for the specific mailboxes should be enabled via Exchange Admin Center and via the Microsoft 365 Admin Center, respectively. 

Note: This is only required if you want to use FME to send emails. 

 

Part 4: FME Configuration

For FME Server Automations (Notifications)

When using the “Email-IMAP(received)” Trigger or “Email (send)” External Action in Automations, you'll see an additional field 'Client ID', which can be obtained after Part 2 of this article. The rest of the configuration should be the same as basic authentication with an email address and password. As mentioned previously, you do not need to provide the client secret.

imap.png
 

For the Emailer Transformer

When using the “Emailer”  transformer in your workspaces, the Microsoft Mail(safe.emailer) web service template under  Tools > FME Options> Web Connections>Manage Services… should be edited with app parameters created in MS Azure. 

Set the Client ID and Client Secret as generated for the Azure App. In the URL fields under “Authorization Parameters”, “Retrieve Token Parameters” and “Refresh Token Parameters”,  replace [TENANTID] with your Azure AD Tenant ID found on your Azure AD Overview webpage.

imap 3.png

This connection can then be used when setting up the Emailer transformer. The rest of the configuration should be the same as basic authentication​​​​​​.

imap 4.png
 

Part 5: Troubleshooting

We can inspect the “Sign-In logs” for modern and legacy login attempts made by FME to the Azure AD tenant. 
 

Was this article helpful?

Comments

0 comments

Please sign in to leave a comment.