Email Account Using Microsoft Graph As Receiver With Office 365 Email Provider In 8.4.3 Doesn't Work

Giri_Konatham · January 10, 2021, 12:10am

Hello All,

Our organization is migrating from the IMAP (using user name and password) approach to Microsoft Graph with Office 365 using OAUTH 2.0.

Hence, my application built on PegaRules 8.4.3 Cloud, has to upgrade all the current email account rules that were configured with IMAP (using user name and password) to Microsoft Graph with Office 365 email provider using OAUTH 2.0.

We came to know from the help that Pega is limiting the grant type of the OAUTH profile to either Client Credentials or Password Credentials. Clearly we cannot use the Password credentials as this is what our organization messaging team are deprecating, hence the only option left for us it to set up the OAUTH 2.0 profile with Client credentials.

Hence, we started this migration procedure with the help of messaging team and we have created the new OAUTH 2.0 profile with grant type as Client credentials.

We have configured OAUTH2.0 profile as below:

Client Identifier = Messaging team provided by creating app in their Azure
Client Secrete = Messaging team provided by creating app in their Azure
Scope = https://graph.microsoft.com/.default (this is mandatory, without this, we cannot establish connection, and the value is generic provided by Microsoft)
Access token end point URL = Sign in to your account (this is mandatory, without this, we cannot establish connection, and the value is generic provided by Microsoft)

Now, when we tested our connection from email account rule using “Test Connectivity” in the receiver section, then we get the exception which is attached as a screen shot.

Response code 401, Unauthorized
Handling error response
Deserializing type GraphErrorResponse
Graph service exception Error code: NoPermissionsInAccessToken
Error message: The token contains no permissions, or permissions can not be understood.

We tried the same in postman tool and get the same error.

When messaging team tries to get Microsoft support teams help, they claimed that they cannot configure an app in Azure without a re-direct URL.

Which is available only if OAUTH2.0 profile is configured with grant type as "Authorization code, which is limited when Microsoft Graph is selected via email account rule.

Now, we are kind of in a confusion state and kind of stuck here and neither team (Pega or Messaging team) know how to resolve this issue.

If this feature was provided by Pega, then

How they tested this?
Are we missing any permissions or configuration setting either from app or cloud perspective?
Did anyone implemented Microsoft Graph option from email account?

Any assistance or hint here is much appreciated.

VikasRaidhan · January 12, 2021, 6:20am

@guptr2 can you please comment.

Giri_Konatham · January 14, 2021, 9:53pm

Hello All,

The problem is resolved. Thanks to the Pega support team for helping me to resolve this issue. The incident ticket that was created for this issue is INC-151612 if anyone want’s to refer.

After we follow the attached document and especially provided the required permissions as per the document in Azure app configuration, this problem is resolved.

MS Graph with Email Server Reciver.docx (513 KB)

Sivaraman · January 15, 2021, 5:41pm

@GiriKonatham: Hi, I have tried to use the Microsoft Graph API and found that the Pega Email Listener when configured using this protocol is not able to read emails wherein there is an email attachment. It only processes the parent email and the attachments inside it which in this case is an email is not being able to be read. Could you please confirm if an email with an email as an attachment is being able to be processed by the Pega Listener which is using the Microsoft Graph API from your end ?

Thanks,

Siva

Avinash.Haridasu · August 22, 2021, 7:18am

@GiriKonatham Can you share the document

Saravanan_Nalendran · June 7, 2022, 6:19pm

@GiriKonatham I’m trying to configure the same. I have followed all the steps and still getting 401.

“Access token endpoint invocation failed : {ErrorMessage=Response status : 401 Unauthorized, statuscode=401}”

Not sure if any other configuration from Azure AD is needed. Can you add the platform configuration that needs to be done in Azure AD (like what is the redirect URI for web platform)?

kuman34 · May 16, 2021, 5:39pm

@Sivaraman This was supposedly a bug in PEGA 8.4 version. This was resolved to some extent in 8.5.2 but further we identified issue with attachment getting dropped. Finally we got hotfix to resolve all attachment issue after lots of tracing and digging the services calls.

Conversation		Replies	Views
How to integrate with email accounts using MS Graph instead of IMAP? General system-architect , partners-and-integrations , other-industry , 8-6-3	4	2184	March 14, 2023
Reading Email from Microsoft365 with some limitations General security , installation-and-deployment , email , government , pega-customer-service	5	151	August 18, 2022
Failure to integrate Microsoft Office 365 Email Account with Microsoft Graph General senior-system-architect , data-integration , client-managed-cloud , insurance , 8-6-1	6	2422	March 29, 2023
Issue with gaining access to email account via Microsoft Graph API General senior-system-architect , security , insurance , 8-7-1	6	1586	June 16, 2022
Send email using MS graph General lead-system-architect , email , financial-services	3	477	August 29, 2024

Email Account Using Microsoft Graph As Receiver With Office 365 Email Provider In 8.4.3 Doesn't Work

Related topics