Configuring MS Graph OAuth Provider

Microsoft Graph activities in Infor RPA support these two authorization models:

  • Delegated Permissions: User-specific access where the application acts on behalf of a signed-in user.
  • Application Permissions: Generic access to resources without requiring a specific user context (recommended for unattended automation).

These prerequisites must be met before you configure the MS Graph OAuth Provider:

  • Azure Account

    Access to an Azure account with permissions to create and manage Azure App registrations. This task is typically managed by the IT Team.

  • Permission to register applications in Azure Active Directory
  • Global Administrator or Application Administrator role in Azure (required for granting admin consent)
  • Microsoft 365 Account

    An account with permissions to access emails (current) and other relevant Microsoft Graph resources (future).

  • RPA Mastermind

    Authentication and Token Management with Azure App to interact with MS Graph resources (related to emails).

  • RPA Studio installed.
  • SCIM Service

    The IFS SCIM (System for Cross-domain Identity Management) process is used for managing RPA user provisioning and synchronization between existing Azure organizations and target systems such as IFS (Infor Federation Service).

    The SCIM service is an optional but recommended configuration, and it is required if specific organizational users such as rpa@acme.com or invoices@acme.com are intended to be used for RPA flows.

    To configure the SCIM service, navigate to OS Portal > Managing user permissions and Security > Security Administration > Settings > General Settings > Manage Features > SCIM Service.

    You can use the SCIM Service option in the Manage menu to enable or disable SCIM accounts. When disabled, the SCIM Service option is not displayed in the Manage menu.

    For more information, see https://docs.infor.com/inforos/2024.x/en-us/useradminlib_cloud/default.html?helpcontent=inforospag/mrh1493236771582.html&hl=scim

Configuring MS Graph OAuth Provider includes these steps:

  1. Azure App Registration
    1. Log on to the Azure portal (https://portal.azure.com/).
    2. Navigate to Microsoft Entra admin center.
    3. Select App registrations.
    4. Click New registration.
    5. Provide this information:
      • Name: The name of the application. For example, GraphAPI-App.
      • Supported account type: Typically Accounts in this organizational directory only.
      • Click Register. A new application registration is created.
    6. Open the newly created application.
    7. Navigate to Authentication.
    8. Click Add a platform.
    9. Select Mobile and Desktop Applications and configure the required Redirect URI.
    10. Specify a name for your application.
    11. Select Accounts in this organizational directory only, or another account type if appropriate.
    12. Specify the Redirect URI.
      Note:
      • The Redirect URI can be copied from the API Gateway > Authorized Apps > RPA OAuth provider page.
      • Note the Application (Client) ID and Directory (Tenant) ID, and generate a Client Secret. These values are required later when configuring RPA Mastermind.
  2. MS Graph Permissions
    1. Navigate to Azure App registration.
    2. Click API permissions.
    3. Click Add a permission > Microsoft Graph.
    4. Select the appropriate permission type. Possible values:
      • Delegated permissions: a signed-in user is required
      • Application permissions: no user context is required

      These are the minimum permissions that must be provided for the activities based on the functionality:

      • OneDrive activity:
        • Files.Read.All: Read files in all site collections
        • Files.ReadWrite.All: Read and write files in all site collections
        • Sites.Read.All: Read items in all site collections
        • Sites.ReadWrite.All: Read and write items in all site collections
        • Sites.Selected: Only applicable to Application permissions. This permission covers OneDrive, SharePoint, and Excel
      • Outlook or Email activities
        • Mail.Read: Read mail in all mailboxes
        • Mail.ReadWrite: Read and write mail in all mailboxes
        • Mail.Send: Send mail as any user
        • Mail.Send.Shared: Required if you are using Delegated permissions and need to work with shared or service mailboxes
        • Mail.Read.Shared: Required if you are using Delegated permissions and need to work with shared or service mailboxes
        • Mail.ReadWrite.Shared: Required if you are using Delegated permissions and need to work with shared or service mailboxes
      • SharePoint activities
        • Sites.Read.All: Read items in all site collections
        • Sites.ReadWrite.All: Read and write items in all site collections
      • Excel Online activities
        • Files.Read.All: Read files in all site collections
        • Files.ReadWrite.All: Read and write files in all site collections
    5. Click Grant admin consent.
      Note: Administrator consent is mandatory for using application permissions.

      Until consent is granted, all new permissions are listed with the Not granted status.

    6. Confirm that a green check mark is displayed for all permissions marked as “Granted for [Your Organization]”.
      Note: Administrator consent can only be granted by Global Administrators or Application Administrators. Contact your Azure AD administrator for these permissions.
    7. Navigate to Certificates & secrets.
    8. Click New client secret.
    9. Copy and securely store the secret value for use during authentication.
    10. Specify these details required for integration:
      • Client ID
      • Tenant ID
      • Client Secret
  3. RPA Mastermind Configuration

    Microsoft Graph API can be configured using one of these permission types:

    • Application Permissions

      When configured with application permissions, the Microsoft Graph API operates independently without requiring user sign-in. Permissions are granted directly to the application at the tenant level, enabling the application to access data based on the permissions assigned. This configuration requires tenant-level authorization.

    • Delegated Permissions

      When configured with delegated permissions, the Microsoft Graph API operates in context of the authenticated signed-in user. The application accesses Microsoft Graph APIs on behalf of the user. The application performs only the actions that the user is authorized to perform. This configuration requires explicit user authorization.

    Configuring with Application Permissions

    1. Log on to RPA Mastermind.
    2. Navigate to Settings > Configuration > OAuth Provider on the Configuration page.
    3. Click Add OAuth Provider and add the Microsoft Office 365 application.
    4. Select Application Permissions.
    5. Specify the Name and the Application (Client) ID, Directory (Tenant) ID, and Client Secret displayed when you registered the Azure App.
    6. Specify the TenantId in the Auth Host field. For example, https://login.microsoftonline.com/<TenantId>/oauth2/v2.0/
      Note: The TenantId (also known as DirectoryId) is displayed in the Overview section of the Azure app. Replace <TenantId> with the TenantId or DirectoryId.
    7. Select only the API permissions the flows require, so that the grant stays as narrow as possible. Possible values:
      • For Mail service
        • Mail.Read
        • Mail.ReadWrite
        • Mail.Send
      • For Files
        • Sites.Selected

    Configuring with Delegated Permissions

    1. Log on to RPA Mastermind.
    2. Click Settings > Configuration > OAuth Provider Settings page.
    3. Click Add OAuth Provider and add the Microsoft Office 365 application.
    4. Select Delegated Permission.
    5. Specify the Application (Client) ID and Directory (Tenant) ID displayed when you registered the Azure App.
    6. Specify the TenantId in the Auth Host field. For example, https://login.microsoftonline.com/<TenantId>/oauth2/v2.0/
      Note: The TenantId (also known as DirectoryId) is displayed in the Overview section of the Azure app. Replace <TenantId> with the TenantId or DirectoryId.
    7. Specify the Redirect URL.
      Note: The Redirect URL can be copied from the API Gateway > Applications > RPA OAuth provider page.
    8. Select only the API permissions the flows require, so that the grant stays as narrow as possible. Possible values:
      • For Mail service
        • Mail.Read
        • Mail.ReadWrite
        • Mail.Send
        • Offline_Access
        • User.Read
        • Mail.Read.Shared
        • Mail.ReadWrite.Shared
        • Mail.Send.Shared
      • For Files or OneDrive access
        • Files.Read
        • Files.Read.All
        • Files.ReadWrite
        • Files.ReadWrite.All
        • Sites.Read.All
        • Sites.ReadWrite.All

    On the Authorization page, Microsoft Office 365 is disabled by default for Application Permissions and enabled by default for Delegated Permissions at the tenant level. Enabling Microsoft Office 365 with Application Permissions for a tenant makes the integration available to all users within that tenant. However, Delegated Permissions are granted at the individual user level.

    Note: Additionally, you must authorize the RPA application to perform actions on your behalf. See Authorize user for details.
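The following is an added example, not part of this documentation or of RPA Mastermind itself: it builds the token endpoint from the Auth Host pattern shown in both configuration procedures above and audits a Microsoft Graph access token to confirm that it carries no permission beyond those listed on this page for its model (app-only tokens expose granted permissions in the `roles` claim, delegated tokens in the space-separated `scp` claim). The sample token is constructed locally and unsigned; the `ALLOWED` table, `make_sample_token` helper and tenant placeholder are assumptions for this example.

```python
import base64
import json

# Permissions this page lists for the RPA Mastermind OAuth provider, per model
# (assumed table built from the two procedures above, not an Infor artifact).
ALLOWED = {
    "application": {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Sites.Selected"},
    "delegated": {
        "Mail.Read", "Mail.ReadWrite", "Mail.Send", "offline_access", "User.Read",
        "Mail.Read.Shared", "Mail.ReadWrite.Shared", "Mail.Send.Shared",
        "Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All",
        "Sites.Read.All", "Sites.ReadWrite.All",
    },
}


def token_endpoint(tenant_id: str) -> str:
    """Token endpoint under the Auth Host value from the page, tenant ID inserted."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_permissions(access_token: str) -> tuple[str, set[str]]:
    """Return (model, permissions) read from the JWT payload.

    Only the payload is decoded; the signature is NOT verified, so this is for
    inspection and auditing, never as proof that the token is genuine.
    """
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    if payload.get("aud") != "https://graph.microsoft.com":
        raise ValueError("not a Microsoft Graph token")
    if "roles" in payload:                      # app-only (client credentials) token
        return "application", set(payload["roles"])
    return "delegated", set(payload.get("scp", "").split())


def excess_permissions(access_token: str) -> tuple[str, set[str]]:
    """Permissions on the token beyond what this page lists for its model."""
    model, granted = token_permissions(access_token)
    return model, granted - ALLOWED[model]


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT for offline testing only (not issued by Entra ID)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"
```

An empty set from `excess_permissions` means the token stays within the page's minimum permission list; anything returned is a candidate for removal in the Azure App registration.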