OAuth Setup with Microsoft 365

Gain a thorough understanding of how to set up OAuth with Microsoft 365 for VIPRE Email Archiving

Written By Marissa Fegan (Super Administrator)

Updated at November 8th, 2023

OAuth (Open Authorization) is an open-standard authorization protocol that delivers single sign-on in a simpler way than the SAML SSO approach, without needing a third-party service. This article walks you through configuring OAuth between Microsoft 365 and VIPRE Email Archiving.

Step 1: Log in to Microsoft 365

You must use an account with administrative access to your organization’s Microsoft 365 subscription.

  1. Navigate to the long menu to find the link to Azure Active Directory
  2. Open the Azure Active Directory App Registrations 
    1. Any existing applications will be listed here. There are two key areas: the App registrations list (with Add new registration) and Endpoints
      • You may already have an application that is being used for OAuth / SSO purposes; you can edit this for VIPRE Email Archiving if you prefer, rather than adding a new application; however, we will show you here how to add a new registration
    2. Create an App by entering the following: 
      1. Name (any name will do)
      2. Type (Web app / API)
      3. Sign-on URL (also known as the “Reply URL”; for VIPRE Email Archiving it must be in the following format: https://www.your-region.archive.mailanyone.net/company.tag/microsoftoauth.do)
        1. To find your regional URL, visit Email Archiving Addresses 
  3. Secret Key Creation 
    • The secret key (client secret) is the credential the remote application presents to the OAuth provider (in this case, Azure AD) to prove it is the registered application when it exchanges the login result for a token; without it, the exchange will not be allowed
    • Secret keys are only displayed on-screen once, so it is extremely important that you record the value immediately
    • Enter a name for the key (any name will do), then set the duration for the key
  4. Reply URLs
    • OAuth’s security depends on Azure AD only responding to requests that redirect to web addresses that have been registered, the Reply URLs; you may only need one URL, the one added when you created the app above in step 2.b.iii, ending in “/microsoftoauth.do”
  5. Required Permissions
    1. In Azure AD you can control who may log in, from where, and how, for example whether multi-factor authentication is required for certain user types or locations; this applies both during and after the VIPRE Email Archiving > OAuth > Azure AD verification steps.
    2. After a successful login, VIPRE Email Archiving connects to the Microsoft Graph API, passing the access token returned from the OAuth exchange to obtain essential details about the user, such as:
      • Secondary email addresses
      • First and last name
      • Account creation date
      • UPN (User Principal Name)
      • GUID (Globally unique identifier)
    3. The User Account “read” permission must be granted; this is the default setting for all new apps and does not need to be altered for VIPRE Email Archiving
    4. Please note that the Graph API obtains data from Azure AD in much the same way that LDAP was used against on-premises services; it is not limited to Active Directory data
  6. Endpoints
    1. When logging in, VIPRE Email Archiving needs to know where to redirect the user to perform the OAuth sequence and where to obtain the user's account details; these are known as endpoints and are web service URLs
    2. If you have set up an Azure AD-hosted developer application, these are common, fixed URLs and can be left blank on the VIPRE Email Archiving side; however, for the app registration described in this article, we will need to obtain 3 specific endpoints
      1. Endpoints are defined for your organization's Microsoft 365 subscription, not per app registration, so you will need to navigate back to the list of App Registrations panel; at the top, you will see the link to Endpoints
    3. The final 3 entries in the Endpoints list that are needed by VIPRE Email Archiving are OAuth 2 Authorization Endpoint, OAuth 2 Token Endpoint, and Graph API Endpoint
    4. That is all you need from the Microsoft 365 / Azure AD / OAuth side. Now, we can take the values highlighted in these steps and register them in VIPRE Email Archiving

Step 2: Set up OAuth in VIPRE Email Archiving

  1. Log in to VIPRE Email Archiving as an Administrator
    1. Under the Adv. Configuration menu, you will see SSO OAuth
    2. Click Create New Connection
      1. Each entry added here will create an OAuth Login button on the Login page
      2. Use a name that your users may understand
      3. The remaining five entries are obtained from the Azure AD sections shown earlier in this document:
        1. Provider Type is Microsoft 365
        2. Client ID is the Azure app registration’s Application ID
        3. Client Secret is the key value that was displayed when you created the key
        4. Authorization URL is the OAuth 2 Authorization Endpoint (mentioned in step 6.c above)
        5. Access Token URL is the OAuth 2 Token Endpoint (mentioned in step 6.c above)
        6. User Detail URL is the Graph API Endpoint (mentioned in step 6.c above)

Once this connection is added, it will immediately appear on the VIPRE Email Archiving login panel.
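To make the two halves of this article concrete, the following is an added example (not code from VIPRE or Microsoft) of what a connection like the one registered in Step 2 does with the five values from Step 1: it builds the authorization request sent to the OAuth 2 Authorization Endpoint, validates the redirect back to the registered Reply URL (including the state value that ties the callback to the login attempt), builds the request to the OAuth 2 Token Endpoint that carries the client secret, and maps a Graph API user record onto the fields listed under Required Permissions. Every identifier, tenant, URL value and user record in it is a constructed placeholder; nothing is sent over the network, so it runs offline.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders for the five entries registered in Step 2. Real values
# come from the Azure AD app registration and its Endpoints panel; none of these
# are real identifiers.
CONNECTION = {
    "provider_type": "Microsoft 365",
    "client_id": "00000000-0000-0000-0000-000000000000",    # Application ID (placeholder)
    "client_secret": "CLIENT-SECRET-PLACEHOLDER",             # key value shown once at creation
    "authorization_url": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize",
    "access_token_url": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/token",
    "user_detail_url": "https://graph.microsoft.com/v1.0/me",
}

# Reply URL in the article's format (region and company tag are placeholders).
# Azure AD will only redirect the browser back to a URL registered like this one.
REPLY_URL = "https://www.your-region.archive.mailanyone.net/company.tag/microsoftoauth.do"


def new_state() -> str:
    """Unguessable per-login value that binds the callback to the request that started it."""
    return secrets.token_urlsafe(32)


def authorization_params(conn: dict, redirect_uri: str, state: str) -> dict:
    """Query parameters of the OAuth 2.0 authorization-code request."""
    return {
        "client_id": conn["client_id"],
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile email User.Read",  # User.Read is the user-account 'read' permission
        "state": state,
    }


def build_authorization_url(conn: dict, redirect_uri: str, state: str) -> str:
    """URL the browser is sent to when the user clicks the OAuth login button."""
    return conn["authorization_url"] + "?" + urlencode(authorization_params(conn, redirect_uri, state))


def handle_callback(callback_url: str, expected_state: str, registered_reply_urls: list) -> str:
    """Validate the redirect back from Azure AD and return the authorization code.

    Rejects callbacks that did not land on a registered Reply URL, that carry an
    error from the provider, or whose state does not match the one we issued.
    """
    parsed = urlparse(callback_url)
    landed_on = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if landed_on not in registered_reply_urls:
        raise ValueError(f"callback arrived at unregistered URL {landed_on}")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def token_request_body(conn: dict, code: str, redirect_uri: str) -> dict:
    """Form body POSTed to the Access Token URL to exchange the code for tokens.

    The client secret proves to Azure AD that the caller is the registered
    application; redirect_uri must exactly match the one used in the
    authorization request.
    """
    return {
        "grant_type": "authorization_code",
        "client_id": conn["client_id"],
        "client_secret": conn["client_secret"],
        "code": code,
        "redirect_uri": redirect_uri,
    }


def extract_user_details(graph_me: dict) -> dict:
    """Map a Graph /me record onto the fields the archive needs (see Required Permissions)."""
    return {
        "upn": graph_me["userPrincipalName"],
        "guid": graph_me["id"],
        "first_name": graph_me.get("givenName"),
        "last_name": graph_me.get("surname"),
        "created": graph_me.get("createdDateTime"),
        "secondary_emails": list(graph_me.get("otherMails", [])),
    }


# Constructed sample of a Graph /me response (not a real account).
SAMPLE_GRAPH_ME = {
    "id": "11111111-2222-3333-4444-555555555555",
    "userPrincipalName": "jane.doe@example.com",
    "givenName": "Jane",
    "surname": "Doe",
    "createdDateTime": "2021-03-04T05:06:07Z",
    "otherMails": ["jane@example.org"],
}


if __name__ == "__main__":
    state = new_state()
    print(build_authorization_url(CONNECTION, REPLY_URL, state))
    # Constructed callback, as Azure AD would redirect after a successful sign-in.
    callback = REPLY_URL + "?" + urlencode({"code": "AUTHCODE-PLACEHOLDER", "state": state})
    code = handle_callback(callback, state, [REPLY_URL])
    print(token_request_body(CONNECTION, code, REPLY_URL)["grant_type"])
    print(extract_user_details(SAMPLE_GRAPH_ME))
```

The two checks in `handle_callback` are the ones worth keeping in mind when reviewing a connection: the Reply URL match is what Azure AD enforces on its side (a mistyped suffix such as the “/microsoftoath.do” typo is enough for the redirect to be refused), and the state comparison is the client-side check that stops a callback from one login attempt being replayed into another.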