Modern Authentication – OAuth 2.0 Configuration WITH MFA


First published on: 03/14/2025/10:39 am


Access the admin portal.

Browse to https://portal.azure.com and log in with an administrator account.

Follow the steps below (which can also be found at the link below).

https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth

Step 1 – Register the application

  • Select 'Identity' in the left-hand navigation, then select 'App registrations' under 'Applications'.
  • Select 'New registration'.
  • On the 'Register an Application' page, set the values as follows:
  • Click 'Register'.
  • Copy the values of the Application (client) ID and Directory (tenant) ID and save them. (You will need them later.)

Step 2 – Configure authentication

  • Select 'Manifest' in the left-hand navigation under 'Manage'.
  • Locate the "requiredResourceAccess" property in the manifest.
  • Add the following inside the square brackets ([]):

{
    "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
    "resourceAccess": [
        {
            "id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
            "type": "Role"
        }
    ]
}

  • Save.
  • Select 'API permissions' under 'Manage'.
    • Confirm that the full_access_as_app permission is listed.
  • Select 'Grant admin consent for <org>' and accept the consent dialog.
  • Select 'Certificates & secrets' in the left-hand navigation under 'Manage'.
  • Select 'New client secret', enter a short description and select 'Add'.
  • Copy the Value of the newly added client secret and save it. You will need it later.

Step 3 – Restrict the accounts enabled

Once the above steps have been completed, the app registration can access every mailbox in the tenant, which is not always desirable.

We advise following the steps at the link below to restrict access to only those mailboxes that iDocuments should be able to connect to and download from: https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access
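The restriction described at that link is an Exchange Online application access policy. The PowerShell below is an added example, not part of the original article or the iDocuments product; the client ID, group address, mailboxes and admin account are placeholders you replace with your own values.

```powershell
# Added example (not from the original article): restrict the EWS app registration
# created in Steps 1-2 to the members of one mail-enabled security group, then
# verify the result per mailbox. Requires the ExchangeOnlineManagement module and
# an Exchange administrator account.
# Placeholders (assumptions, replace with your own values):
#   $AppId                 - the Application (client) ID copied in Step 1
#   $Scope                 - mail-enabled security group holding only the download mailboxes
#   $InScope / $OutOfScope - mailboxes used to check the policy

$AppId      = '00000000-0000-0000-0000-000000000000'   # placeholder client ID
$Scope      = 'idocuments-mailboxes@contoso.example'    # constructed group address
$InScope    = 'invoices@contoso.example'                # member of $Scope
$OutOfScope = 'ceo@contoso.example'                     # not a member of $Scope

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder admin

# RestrictAccess: the app may only reach mailboxes that are members of $Scope;
# every other mailbox in the tenant is denied for this AppId.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $Scope `
    -AccessRight RestrictAccess `
    -Description 'Limit iDocuments EWS access to download mailboxes only'

# Confirm the policy exists for this app. Policy changes can take a while to
# propagate, so re-run the checks below if they do not match yet.
Get-ApplicationAccessPolicy |
    Where-Object { $_.AppId -eq $AppId } |
    Format-List AppId, ScopeName, AccessRight

# Expected: AccessCheckResult is Granted for $InScope and Denied for $OutOfScope.
foreach ($mbx in @($InScope, $OutOfScope)) {
    $result = Test-ApplicationAccessPolicy -Identity $mbx -AppId $AppId
    '{0,-32} {1}' -f $mbx, $result.AccessCheckResult
}
```

Keep the test against an out-of-scope mailbox in your runbook: it is the quickest way to confirm that full_access_as_app has actually been narrowed rather than left tenant-wide.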

Step 4 – Apply conditional access policies

If required, conditional access policies can be applied to the registered application from the Entra admin portal: under 'Enterprise applications', select the app, then open 'Conditional Access' in the 'Security' section.

For IP addresses, please contact your consultant.

Step 5 – Share details

For us to link up your accounts, please provide the following via https://onetimesecret.vision33.com/:

  • Directory (tenant) ID
  • Application (client) ID
  • Secret
  • Email address to download from (one per company per document type)

Last modified: 04/08/2025/8:40 pm