Configuring MS Graph OAuth Provider

Before you configure the MS Graph OAuth Provider, ensure that these prerequisites are met:

  • Azure Account

    Access to an Azure account with permissions to create and manage Azure App registrations. This task is typically managed by the IT Team.

  • Microsoft 365 Account

    An account with permissions to access emails (current) and other relevant Microsoft Graph resources (future).

  • RPA Mastermind

    RPA Mastermind handles authentication and token management with the Azure app to interact with MS Graph resources (currently email related).

  • RPA Studio installed.
  • SCIM Service

    The IFS SCIM (System for Cross-domain Identity Management) process is used for managing RPA user provisioning and synchronization between existing Azure organizations and target systems such as IFS (Infor Federation Service).

    The SCIM service is an optional but recommended configuration. It is required if the organizations and specific users, such as rpa@acme.com or invoices@acme.com, are intended to be used for RPA flows.

    To configure the SCIM service, navigate to OS Portal > Managing user permissions and Security > Security Administration > Settings > General Settings > Manage Features > SCIM Service.

    You can use the SCIM Service option in the Manage menu to enable or disable SCIM accounts. When disabled, the SCIM Service option is not displayed in the Manage menu.

    For more information, see https://docs.infor.com/inforos/2024.x/en-us/useradminlib_cloud/default.html?helpcontent=inforospag/mrh1493236771582.html&hl=scim

Configuring MS Graph OAuth Provider includes these steps:

  1. Azure App Registration
    1. Log on to the Azure portal (https://portal.azure.com/).
    2. Navigate to Microsoft Entra ID.
    3. Click App registrations > New registration.
    4. Select Mobile and Desktop Application.
    5. Specify a name for your application.
    6. Select Accounts in this organizational directory only, or another account type that is appropriate for your organization.
    7. Specify the Redirect URI.
      Note:
      • The Redirect URI can be copied from the API Gateway > Authorized Apps > RPA OAuth provider page.
      • Record the Application (Client) ID and Directory (Tenant) ID, and generate a Client Secret. These values are required when configuring RPA Mastermind.
  2. MS Graph Permissions
    1. Navigate to Azure App registration.
    2. Click API permissions.
    3. Click Add a permission > Microsoft Graph.
    4. Select the required permissions with the appropriate scope for email automation, for example Mail.Read, Mail.ReadWrite, or Mail.Send.
    5. Grant admin consent.
  3. RPA Mastermind Configuration
    Microsoft Graph API can be configured using one of these permission types:
    • Application Permissions

      When configured with application permissions, the Microsoft Graph API operates independently without requiring user sign-in. Permissions are granted directly to the application at the tenant level, enabling the application to access data based on the permissions assigned. This configuration requires tenant-level authorization.

    • Delegated Permissions

      When configured with delegated permissions, the Microsoft Graph API operates in the context of the authenticated signed-in user. The application accesses Microsoft Graph APIs on behalf of the user and can perform only the actions that the user is authorized to perform. This configuration requires explicit user authorization.

    Configuring with Application Permissions

    1. Log on to RPA Mastermind.
    2. Navigate to Settings > Configuration > OAuth Provider on the Configuration page.
    3. Click Add OAuth Provider and add the Microsoft Office 365 application.
    4. Select Application Permissions.
    5. Specify the Name, and the Application (Client) ID, Directory (Tenant) ID, and Client Secret recorded when registering the Azure app.
    6. Specify https://login.microsoftonline.com/<TenantId>/oauth2/v2.0/ in the Auth Host field.
      Note: The TenantId (also known as DirectoryId) is displayed in the Overview section of the Azure app. Replace <TenantId> with your TenantId or DirectoryId.
    7. Select only the API permissions that your flows require, to keep the grant least-privilege. Possible values:
      • For Mail service
        • Mail.Read
        • Mail.ReadWrite
        • Mail.Send
      • For Files
        • Sites.Selected
    Configuring with Delegated Permissions

    1. Log on to RPA Mastermind.
    2. Navigate to Settings > Configuration > OAuth Provider on the Configuration page.
    3. Click Add OAuth Provider and add the Microsoft Office 365 application.
    4. Select Delegated Permissions.
    5. Specify the Application (Client) ID and Directory (Tenant) ID recorded when registering the Azure app.
    6. Specify https://login.microsoftonline.com/<TenantId>/oauth2/v2.0/ in the Auth Host field.
      Note: The TenantId (also known as DirectoryId) is displayed in the Overview section of the Azure app. Replace <TenantId> with your TenantId or DirectoryId.
    7. Specify the Redirect URL.
      Note: The Redirect URL can be copied from the API Gateway > Applications > RPA OAuth provider page.
    8. Select only the API permissions that your flows require, to keep the grant least-privilege. Possible values:
      • For Mail service
        • Mail.Read
        • Mail.ReadWrite
        • Mail.Send
        • Offline_Access
        • User.Read
        • Mail.Read.Shared
        • Mail.ReadWrite.Shared
        • Mail.Send.Shared
      • For Files or OneDrive access
        • Files.Read
        • Files.Read.All
        • Files.ReadWrite
        • Files.ReadWrite.All
        • Sites.Read.All
        • Sites.ReadWrite.All

    On the Authorization page, Microsoft Office 365 is disabled by default for Application Permissions and enabled by default for Delegated Permissions at the tenant level. Enabling Microsoft Office 365 with Application Permissions for a tenant makes the integration available to all users within that tenant. However, Delegated Permissions are granted at the individual user level.
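As an added example (not part of the original documentation or the RPA Mastermind product), the following Python script inspects a Microsoft Graph access token obtained through either configuration and checks that it carries the expected permission type and only the permissions listed above. App-only tokens carry their permissions in the roles claim, delegated tokens in scp; the tenant ID, token claims, and helper names are constructed for the demonstration, and the script decodes the token without verifying its signature.

```python
import base64
import json

# Permission sets listed in the configuration steps on this page.
APP_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Sites.Selected"}
DELEGATED_PERMISSIONS = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "offline_access", "User.Read",
    "Mail.Read.Shared", "Mail.ReadWrite.Shared", "Mail.Send.Shared",
    "Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
}
# Audience values Entra ID issues for Microsoft Graph (URL form or Graph app ID).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def decode_claims(jwt: str) -> dict:
    """Decode the payload segment of a JWT. Inspection only: the signature is NOT verified."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(jwt: str, expected_tenant: str, expected_type: str) -> list:
    """Return findings where the token deviates from the configured tenant, type and permission list."""
    claims = decode_claims(jwt)
    findings = []
    if claims.get("tid") != expected_tenant:
        findings.append(f"tenant mismatch: {claims.get('tid')}")
    if claims.get("aud") not in GRAPH_AUDIENCES:
        findings.append(f"audience is not Microsoft Graph: {claims.get('aud')}")
    # Application Permissions -> 'roles' (list); Delegated Permissions -> 'scp' (space separated).
    if expected_type == "application":
        granted, allowed = set(claims.get("roles", [])), APP_PERMISSIONS
        if "scp" in claims:
            findings.append("token is delegated (scp present), not application")
    else:
        granted, allowed = set(claims.get("scp", "").split()), DELEGATED_PERMISSIONS
        if "roles" in claims:
            findings.append("token is app-only (roles present), not delegated")
    # Compare case-insensitively: the page lists Offline_Access, the scope is offline_access.
    allowed_lc = {p.lower() for p in allowed}
    for perm in sorted(p for p in granted if p.lower() not in allowed_lc):
        findings.append(f"unexpected permission: {perm}")
    return findings


def make_sample_token(claims: dict) -> str:
    """Build an unsigned JWT from constructed claims so the check can be exercised offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Run check_token against a real token only after the signature has been validated by the client library; this check is a least-privilege review of the granted permissions, not an authentication step.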

    Note: You must also authorize the RPA application to perform actions on your behalf. See Authorize user for details.