Troubleshooting Microsoft OAuth 2.0 Token Generation

This troubleshooting article helps TDX Admins generate clean tokens for email authentication accounts. The user performing these steps must have Organization Admin rights enabled in their Security Role.

Overview

Sometimes you will set up tokens for a Microsoft OAuth 2.0 account and it still does not work. This is often indicated by an error stating a lack of connection or access to the mailbox. It can happen when Microsoft issues tokens against credentials that are not those of the monitored mailbox, or of an account that does not have full rights to that mailbox. The process below describes the best practice for ensuring the tokens pulled from Microsoft are correct for the mailbox.

Process

To pull a clean token for your Microsoft Email Auth Account, follow this process:

  1. Gather the following pieces of data before you begin:
    1. The Client ID and Client Secret from the associated app in Microsoft Admin (note that the client secret generated by Microsoft is visible only once; if you did not save it, you will need to generate a new one). If you have not completed the development work in the administrative sections of your Microsoft environment, start there first. See this article for more information: Email Authentication Accounts
    2. The username and Microsoft credentials for the monitored account (ex. helpdesk@domain.com)
    3. The username and local TDX password (not SSO) for an Admin user. If you don't know your local password, reset it on the user record at TDAdmin > Users and Roles > Users: open the user record and use Action > Reset Password (this only affects your local TDX password, not your externally configured authentication)
  2. Very important: use a clean browser with no cached Microsoft login (use an alternate browser, clear cache and cookies, and/or use an incognito/private window)
  3. Navigate to https://yourdomain.teamdynamix.com/TDAdmin/LoginTDAuth.aspx. This is the SSO bypass for administrators. See the SSO bypass article for more information: SSO Bypass Knowledgebase
  4. Log in with your username and local TDX password
  5. Navigate to the Email Auth Account configuration page you plan to work on (ex. TDAdmin > Email > Email Reply Auth Accounts)
  6. Click +New
  7. Give it a name, set the account type to Microsoft OAuth 2.0, add a description if desired, and set it as active
  8. Enter the Client ID and Client Secret values
  9. Click the green Generate Tokens button
    1. At this point you should get a Microsoft pop-up prompting you for Microsoft credentials. If it issues a token without asking for a password, a login is still cached in your browser. The token might work, but there is no guarantee, because you cannot be sure which credentials it was granted to.
  10. On the Microsoft pop-up, enter the Microsoft credentials for the account being monitored (ex. helpdesk@domain.com), or the credentials of an account that has full rights to that mailbox.
  11. Save the Auth 
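The uncertainty in step 9 (which credentials the token was actually granted to) can be checked directly when the token is a JWT, as Microsoft identity platform ID tokens are: the payload carries the signed-in user's identity in the preferred_username or upn claim. The following is an added example, not part of the TDX article or product; it assumes you can obtain the issued token string (for instance from your own test of the app's sign-in flow, since the TDX UI may not expose it) and only inspects claims, it does not verify the signature, so it is an inspection aid rather than an authentication decision. The sample tokens and mailbox name are constructed for the example.

```python
import base64
import json

# The monitored mailbox from the article's example (constructed value).
EXPECTED_MAILBOX = "helpdesk@domain.com"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS (header.payload.signature).

    The signature is NOT verified here; this only reads what the token says
    about itself, which is enough to see which account consented.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def identity_in_token(claims: dict) -> str:
    """Pick the user identity claim Microsoft tokens normally carry."""
    return claims.get("preferred_username") or claims.get("upn") or claims.get("email") or ""


def token_matches_mailbox(token: str, mailbox: str) -> tuple[bool, str]:
    """Report whether the token was issued to the expected mailbox.

    Returns (matches, identity_found) so a mismatch can be shown to the admin
    (e.g. the token belongs to a cached personal login, not the helpdesk account).
    """
    identity = identity_in_token(decode_jwt_claims(token))
    return identity.lower() == mailbox.lower(), identity


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT for demonstration only (hypothetical helper)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

    header = {"alg": "RS256", "typ": "JWT"}
    return f"{enc(header)}.{enc(claims)}.constructed-signature"


if __name__ == "__main__":
    # Token granted to the monitored mailbox (constructed).
    good = make_sample_token({"preferred_username": "helpdesk@domain.com", "aud": "app-id-placeholder"})
    # Token granted to a cached admin login instead (constructed).
    stale = make_sample_token({"preferred_username": "jane.admin@domain.com", "aud": "app-id-placeholder"})
    for label, tok in (("clean", good), ("cached-login", stale)):
        ok, who = token_matches_mailbox(tok, EXPECTED_MAILBOX)
        print(f"{label}: issued to {who!r}, matches monitored mailbox: {ok}")
```

If the identity reported is not the monitored mailbox (or an account with full rights to it), repeat steps 2 through 10 in a clean browser session before saving the Auth Account; the token will otherwise be accepted by TDX but fail with the mailbox access error the overview describes.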

Details

Article ID: 158115
Created
Thu 3/28/24 3:20 PM
Modified
Thu 3/28/24 3:21 PM
