Register Microsoft Azure application for email delivery

To use the mail function of the tia® H5 Viewer, the company's user administration must be implemented via Office 365/Azure.

The KGS tia® H5 Viewer can open Office 365 Outlook Online and pre-fill the message on its own. Before that works, however, the following steps must be carried out on the Azure side:

Creating an application

1. Log in at https://portal.azure.com/#home

The administrator who logs in to the organisation's Azure portal must be allowed to:

  • Register the application

  • Grant API permissions


2. Navigate to "App registrations" → "New registration"

3. Enter a name (for instance: emailapp-keycloak) and keep the default settings.

The name can be changed later. That "keycloak" appears in the name of this example is irrelevant: as far as the app registration is concerned, the procedure is identical for Keycloak and for direct OIDC.

Configuration of the application

The registered application now needs a few settings.

Authentication:

The path to the Keycloak realm is not required for the "OpenID Connect only" mode (direct OIDC without Keycloak).

There are two URIs, because authentication is triggered from two places.

These are redirect URIs: the address to which Azure sends the browser back after a successful login. The client must be able to reach the stored address over the network from its computer, and the address must use HTTPS. Azure compares the redirect URI sent at login with the registered value exactly, so host, port and path must match what the viewer actually uses.

For instance:

https://IP-Address:HTTPS-Port/[Application]/contentserver (CSV - "ContentServer incl. tia® H5 Viewer")

https://IP-Address:HTTPS-Port/[Application]/viewer (V - "Viewer standalone" and for using the tia® H5 Viewer from within SAP)

Certificates & secrets

We need a client secret for our application; it can be seen as the application's password. A client secret always has an expiry date. Copy the secret value immediately after creating it, because the portal shows it only once, and note the expiry date: mail delivery stops when the secret expires, so its renewal must be planned.

API Permissions

To ensure that the application receives only the permissions it needs, permissions can be granted or restricted in detail in Azure. The email Azure app must receive three authorizations: read and write email, send email, and read user information. The last one is required for OpenID Connect; it lets the viewer read the user's full name, email address, etc.

The following authorizations must be granted to the application under "API Permissions":

  • Mail.ReadWrite

  • Mail.Send

  • User.Read

These can be found under "Add a permission" → "Microsoft Graph" → "Delegated permissions", in the "Mail" and "User" groups respectively.

Choose "Delegated permissions", not "Application permissions": the viewer acts on behalf of the signed-in user and may only reach that user's mailbox, whereas application permissions would allow access to every mailbox in the tenant without a user present.

The resulting list under "API permissions" must contain exactly these three delegated Microsoft Graph permissions and nothing else.

Overview

For the KGS tia® H5 Viewer we need the following parameters from this view:

authority: derived from the Directory (tenant) ID, which is shown under "Overview".

The parameter is composed as follows: BaseURL + Directory (tenant) ID

For instance: https://login.microsoftonline.com/tenantID

ClientId: the Application (client) ID, also shown under "Overview".
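The following script is an added example and is not part of the KGS documentation or the tia® H5 Viewer itself. It turns the rules from the steps above into checks a practitioner can run before handing the values to the viewer: redirect URIs must be absolute HTTPS URLs ending in /contentserver or /viewer, the client secret must not be expired (or close to it), the delegated permissions must be exactly Mail.ReadWrite, Mail.Send and User.Read, and the authority is BaseURL + tenant ID. It also assembles the OpenID Connect authorization request that such a registration produces, using the Microsoft identity platform v2.0 endpoint. All IDs, hosts and the "/tia" application path in SAMPLE_REGISTRATION are constructed placeholders.

```python
"""Checks for the Azure app registration the tia H5 Viewer needs.

Added example, not KGS code. It encodes the rules from the steps above
(HTTPS redirect URIs ending in /contentserver or /viewer, an unexpired
client secret, exactly the three delegated Graph permissions, authority =
base URL + tenant ID) and builds the OpenID Connect authorization request.
All values in SAMPLE_REGISTRATION are constructed placeholders.
"""
import re
from datetime import date, timedelta
from urllib.parse import urlencode, urlsplit

BASE_URL = "https://login.microsoftonline.com/"
REQUIRED_PERMISSIONS = frozenset({"Mail.ReadWrite", "Mail.Send", "User.Read"})
REDIRECT_PATHS = ("/contentserver", "/viewer")  # CSV and V deployments
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
# Delegated scopes requested at login: OIDC basics plus the three Graph permissions
SCOPES = "openid profile email User.Read Mail.ReadWrite Mail.Send"


def build_authority(tenant_id: str) -> str:
    """authority = BaseURL + Directory (tenant) ID, as in the Overview section."""
    if not GUID_RE.match(tenant_id):
        raise ValueError(f"tenant ID is not a GUID: {tenant_id!r}")
    return BASE_URL + tenant_id


def check_redirect_uri(uri: str) -> list[str]:
    """Problems with one redirect URI; an empty list means it is acceptable."""
    parts = urlsplit(uri)
    problems = []
    if parts.scheme != "https" or not parts.netloc:
        problems.append(f"{uri}: redirect URI must be an absolute HTTPS URL")
    if not parts.path.rstrip("/").endswith(REDIRECT_PATHS):
        problems.append(f"{uri}: path must end in one of {REDIRECT_PATHS}")
    if parts.query or parts.fragment:
        problems.append(f"{uri}: query string or fragment is not allowed")
    return problems


def check_permissions(granted: set[str]) -> list[str]:
    """Least privilege: exactly the three permissions, nothing missing or extra."""
    problems = [f"missing delegated permission {p}"
                for p in sorted(REQUIRED_PERMISSIONS - granted)]
    problems += [f"unneeded permission {p}; remove it"
                 for p in sorted(granted - REQUIRED_PERMISSIONS)]
    return problems


def check_secret(expires: str, today: str, warn_days: int = 30) -> list[str]:
    """A client secret always has an expiry (ISO dates); flag expired or near."""
    exp, now = date.fromisoformat(expires), date.fromisoformat(today)
    if exp <= now:
        return [f"client secret expired on {exp.isoformat()}"]
    if exp - now <= timedelta(days=warn_days):
        return [f"client secret expires on {exp.isoformat()}; rotate it"]
    return []


def validate_registration(reg: dict, today: str) -> list[str]:
    """Run every check; an empty result means the registration is usable."""
    problems = []
    try:
        build_authority(reg["tenant_id"])
    except ValueError as exc:
        problems.append(str(exc))
    if not GUID_RE.match(reg["client_id"]):
        problems.append("client ID is not a GUID")
    for uri in reg["redirect_uris"]:
        problems += check_redirect_uri(uri)
    problems += check_permissions(set(reg["permissions"]))
    problems += check_secret(reg["secret_expires"], today)
    return problems


def build_authorize_url(authority: str, client_id: str, redirect_uri: str,
                        state: str, nonce: str) -> str:
    """OIDC authorization-code request against the tenant's v2.0 endpoint."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,  # must match a registered URI exactly
        "scope": SCOPES,
        "state": state,  # CSRF protection: the viewer compares it on return
        "nonce": nonce,  # bound into the ID token: replay protection
    }
    return f"{authority}/oauth2/v2.0/authorize?{urlencode(params)}"


# Constructed sample; "/tia" stands for the [Application] path of the deployment.
SAMPLE_REGISTRATION = {
    "tenant_id": "11111111-2222-3333-4444-555555555555",
    "client_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "redirect_uris": ["https://10.0.0.5:8443/tia/contentserver",
                      "https://10.0.0.5:8443/tia/viewer"],
    "permissions": ["Mail.ReadWrite", "Mail.Send", "User.Read"],
    "secret_expires": "2026-01-01",
}

if __name__ == "__main__":
    print(validate_registration(SAMPLE_REGISTRATION, "2025-06-01") or "registration OK")
```

Run it with the real tenant ID, client ID, redirect URIs, granted permissions and secret expiry copied from the portal; any finding printed is something the viewer login or mail delivery will later fail on. The `state` and `nonce` values passed to `build_authorize_url` must be fresh random strings per login in a real client; the checks here deliberately reject surplus Graph permissions, because a token that can read every mailbox is a far bigger loss than one limited to the signed-in user's own.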