Issue with gaining access to email account via Microsoft Graph API

Hello experts,

I’ve encountered an issue with getting access to an email account via an Authentication Profile configured with a Microsoft Graph client credentials flow. I’ve already studied, hopefully thoroughly, the documentation on how to configure a Microsoft Graph compliant OAuth 2.0 authentication profile (Configuring OAuth 2.0 authentication for sending and receiving emails by using Microsoft Graph | Pega).

I did add 3 privileges + 1 extra in the Azure App Registration as stipulated in the documentation:

  • Mail.Send
  • User.Read
  • User.Read.All
  • Mail.ReadWrite

The remaining configuration (client ID, client secret, scope and access token endpoint) also appears to be correct from my understanding:

As you can see from the enclosed screenshot, the token is being downloaded; however, when I try to test the connection to either the receiver or the sender account I get the following error: Error during http request

Unfortunately, there’s nothing specific in the tracer to indicate the issue, e.g. the exact request being sent by Pega.

Any ideas what might be going on here? Your help will be highly appreciated.

KR,

Robert

@RobertW6776 “Failed to connect to email server”

Can you share some details (smtp server info, etc) for the email account that you created for this? From the page that you linked to:

What to do next: Create an email account using Microsoft Office 365. For more information, see Creating an email account in Dev Studio.

thank you

@shanp hi, sorry, I gave the wrong documentation reference. I meant this article: Configuring OAuth 2.0 authentication for sending and receiving emails by using Microsoft Graph | Pega

The email account configuration itself only contains the following for the receiver, for instance:

  • Receive Using → “Microsoft Graph”
  • User principal name → that’s just an email address in the company domain
  • Connection → reference to an OAuth 2.0 authentication profile rule
  • timeout advanced parameter → set to 30000 as per the default setting

For the sender it’s essentially the same.

@RobertW6776 Is it possible to share the configurations done in Azure AD please? I’m trying in personal edition 8.7.

I have created a tenant with a client ID and object ID as part of the app registration. Added the needed permissions and a Web platform with http://localhost as the redirect URI (I’m using the personal edition at the moment to test). Still not successful. I get a 401 when I test connectivity.

Thanks in advance.

@shanp thank you for your reply. I’ve tried to get support from Pega Support service but they actually failed to provide any solid assistance which is a pity.

Fortunately, I figured out the problem. The issue lay in a missing SSL certificate for the graph.microsoft.com domain. I tried adding this via a JKS uploaded to a keystore rule and then adding a reference to it as a truststore in the authentication profile rule, but it did not work. Eventually, we ended up adding the certificate directly to the cacerts of the Java that is used by the Tomcat on which our app is running, and then restarted the Tomcat app server. Worked like a charm.

Hope this post also helps anyone who might be facing a similar problem. Cheers.

@RobertW6776 Can you confirm that the support ticket you logged is INC-226967?

I believe the last update was that the tracer did not show any errors, so the support team were waiting for you to provide the XML file containing information about your email account to investigate further.

Please let the support engineer know if you require any further help or whether you are happy to close the incident now that you have found the solution. Many thanks for having provided the details - I’m sure that this will help many future forum users.

If you could mark Accept Solution on your comment, that will show the issue was resolved by it.

@SARAVANANN The configuration process for setting up your application registration in MS Azure is quite well described here: How to register an app in Microsoft Entra ID - Microsoft identity platform | Microsoft Learn

Basically, once you register an app, you need to have administrator consent granted for each application privilege granted. If you’re following the client credentials flow, I believe you might be missing either the client secret (that’s essentially taken from the “Certificates & secrets” tab for your Pega application) or your endpoint might be incorrect. Make sure it’s directing to login.microsoftonline.com and not the graph.microsoft.com URL (something like https://login.microsoftonline.com/<>/oauth2/v2.0/token) + make sure to add the following scope: https://graph.microsoft.com/.default (OAuth 2.0 client credentials flow on the Microsoft identity platform - Microsoft identity platform | Microsoft Learn). Worked for me.
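To make the two failure modes in this thread concrete (the 401 from the token endpoint and the missing trust anchor for the Graph/login hosts), here is an added example that is not part of the thread or of Pega: it builds the client credentials token request with the endpoint and scope named above, and classifies the exception a failed call raises. Tenant ID, client ID and secret are placeholders, and the sample errors are constructed.

```python
# Added example: Microsoft identity platform client-credentials request for
# Microsoft Graph, plus a classifier for the failures discussed in the thread.
import io
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

TOKEN_HOST = "https://login.microsoftonline.com"      # token endpoint host, not graph.microsoft.com
GRAPH_SCOPE = "https://graph.microsoft.com/.default"  # scope required for the client credentials grant

def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form-encoded body) for the v2.0 client credentials grant."""
    url = f"{TOKEN_HOST}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    })
    return url, body

def request_token(tenant_id, client_id, client_secret, timeout=30):
    """POST the grant; returns the access token or raises the underlying urllib error."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["access_token"]

def classify_failure(exc):
    """Map an exception from request_token() to a short diagnosis string."""
    if isinstance(exc, urllib.error.HTTPError):          # HTTPError is a URLError subclass: check first
        try:
            err = json.loads(exc.read().decode())          # token endpoint returns {"error": ..., ...}
        except ValueError:
            err = {}
        code = err.get("error", "")
        if exc.code == 401 or code == "invalid_client":
            return "401/invalid_client: check client ID and client secret (Certificates & secrets tab)"
        if code == "invalid_scope":
            return f"invalid_scope: scope must be {GRAPH_SCOPE}"
        return f"HTTP {exc.code}: {code or exc.reason}"
    if isinstance(exc, urllib.error.URLError) and isinstance(exc.reason, ssl.SSLCertVerificationError):
        return "TLS trust failure: issuer CA is missing from the client trust store (e.g. Java cacerts)"
    return f"unclassified: {exc!r}"

def constructed_failures():
    """Constructed sample exceptions (not real responses) so classify_failure() can be exercised offline."""
    body = io.BytesIO(b'{"error":"invalid_client","error_description":"constructed sample"}')
    http401 = urllib.error.HTTPError(TOKEN_HOST, 401, "Unauthorized", {}, body)
    tls = urllib.error.URLError(ssl.SSLCertVerificationError("certificate verify failed"))
    return http401, tls
```

Wrap `request_token()` in a `try`/`except (urllib.error.URLError, OSError) as exc` and print `classify_failure(exc)` to tell a credential problem from a trust-store problem before touching the Pega configuration.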