
Connecting to Office 365

An authenticated connection to Office 365 is required to access emails or files from Microsoft services or use the connection as a login provider. Connecting to Office 365 displays the configuration dialog as seen in the image below. There you have to fill in the missing information.

Figure 1: Configuration Dialog

This guide is a walk-through to establish an OAuth application connection, based upon Microsoft's interface in the year 2025. It focuses on the general connection required for standard user authentication. Microsoft Office 365 offers an alternative, App-Only authentication method that can improve the resilience of email connections due to less restrictive polling limits. Please check the settings required for Email Integration as well.

Note: All changes made in the Microsoft portals may take several tens of minutes to take effect and be correctly used by i-net PDFC.

Prerequisite

The following prerequisites must be fulfilled for a successful connection to Microsoft Office 365 authentication service:

Creating the Azure Entra ID Application

You are about to create a new application now. This application will provide the authentication credentials for the OAuth connection we want to add to i-net PDFC.

In the newly opened page, you have to configure your application (see image below):

  • Enter a meaningful name to distinguish the application
  • Select the Supported account types - there is a Help me choose... link describing the differences of the options. Usually the first (Single Tenant) option should suffice
  • Enter the Redirect URL displayed in the configuration dialog of the i-net PDFC server, where a new connection is created (see above). Check that you selected Web as the Redirect URL type.
  • Click Register at the bottom of the dialog

Figure 2: Azure Entra ID Application Registration

Note: After creating the application, the default API permission is User.Read for the Microsoft Graph API. This permission is sufficient for authenticating against this application.

Office 365 Configuration

After preparing the application, you can now fill in the required information in the configuration dialog.

Note: If you selected Single Tenant in the account type configuration, you have to enter the Tenant ID in the respective field of the configuration. Otherwise, the field must be left empty.

Obtaining the Client and Tenant ID

The Client and Tenant IDs are displayed in the overview, directly after creating the application. They are displayed as Application (Client) ID and Directory (Tenant) ID in the Essentials section of the application, directly below the application's name. Paste the Client and the Tenant IDs into the OAuth Connection dialog.

Figure 3: Entra ID Application Overview

Obtaining the Client Secret

The Client Secret has to be created separately. You can use the link Add a certificate or secret in the essentials section to navigate there.

  • Navigate to the Certificates & Secrets section of the application.
  • Click New client secret in the Client secrets tab.
  • Enter a Description and set the Expiration time in the side panel.
  • Click Add.

You must now copy the new entry from the Value column of the table and paste it into the OAuth Connection dialog.

Note: The Secret ID is considered a password, so please keep it in a safe place.

Figure 4: Azure Entra ID Application Secrets
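
Because the client secret carries the Expiration time chosen above, the connection stops working once that date passes. The following check lists the secrets of the application with their remaining lifetime. It is an added example and not part of the i-net PDFC documentation; it assumes the Microsoft Graph PowerShell module is installed, and the 30-day warning threshold is an arbitrary choice.

```powershell
# Added example: report the remaining lifetime of the application's client secrets.
# <APPLICATION_ID> is the Application (Client) ID from the Essentials section.
$AppId    = '<APPLICATION_ID>'
$WarnDays = 30   # assumed threshold, adjust to your rotation policy

# Read-only scope is sufficient for listing credentials metadata
Connect-MgGraph -Scopes 'Application.Read.All'

$app = Get-MgApplication -Filter "appId eq '$AppId'"
if (-not $app) { throw "No app registration found for $AppId" }

$now = (Get-Date).ToUniversalTime()

# PasswordCredentials holds metadata only; the secret value itself is never returned
$app.PasswordCredentials | ForEach-Object {
    $daysLeft = [int][math]::Floor(($_.EndDateTime.ToUniversalTime() - $now).TotalDays)
    [pscustomobject]@{
        Description = $_.DisplayName
        SecretId    = $_.KeyId
        Expires     = $_.EndDateTime
        DaysLeft    = $daysLeft
        Status      = if ($daysLeft -lt 0) { 'EXPIRED' }
                      elseif ($daysLeft -le $WarnDays) { 'ROTATE SOON' }
                      else { 'OK' }
    }
} | Format-Table -AutoSize
```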

Email Integration

The OAuth connection can also be used to authenticate against Office 365 email services for sending and receiving emails. The following additional requirements must be met:

  • The server must be able to call the following domains:
    • For MSN connection type: smtp-mail.outlook.com, imap-mail.outlook.com
    • For Office 365 connection type: outlook.office365.com, smtp.office365.com.
  • SMTP AUTH protocol must be enabled for your organization.
  • You must be an organization administrator with configuration permissions in the Exchange Admin Center.

The default setup from above can be used for either the user-based or the app-only authentication flow. The differences between the two methods are:

  • User-Based: When creating the connection for either incoming or outgoing emails, the connection must be established by logging into the respective email account user. You can do that by clicking the Set up OAuth connection button after selecting the Office 365 (As User) provider. Using this method, a specific user is directly connected with either the incoming or the outgoing settings.
  • App-Only: The App-Only authentication flow does not require establishing a direct account connection. Here, the connection of the registered application in the Microsoft portal with the respective email account must be configured using additional PowerShell commands. The App-Only authentication flow has less restrictive polling limitations, resulting in fewer connection outages.

SMTP Authentication

The OAuth connection can be used for authenticating against SMTP, too. Note that only the modern SMTP AUTH is supported, not the Graph API method of sending emails. Therefore, you have to configure either your organization or the account used for sending emails to support SMTP AUTH.

To do this, open the Microsoft Exchange Admin Portal, navigate to Mail Flow and uncheck Turn off SMTP AUTH protocol for your organization.
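
The account-level alternative mentioned above leaves SMTP AUTH turned off for the organization and enables it only for the sending mailbox. The following commands are an added example, not part of the i-net PDFC documentation; they assume an Exchange Online PowerShell session, and <ACCOUNT_EMAIL> is a placeholder for the sending account.

```powershell
# Added example: enable SMTP AUTH for one mailbox instead of the whole organization.
$Mailbox = '<ACCOUNT_EMAIL>'   # placeholder: the account used for sending emails

Connect-ExchangeOnline

# Organization default: $true means SMTP AUTH is turned off for all mailboxes
$orgDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled

# Per-mailbox override: $null inherits the organization default,
# $false enables SMTP AUTH for this mailbox, $true disables it
$mbxDisabled = (Get-CASMailbox -Identity $Mailbox).SmtpClientAuthenticationDisabled

$effectiveDisabled = if ($null -ne $mbxDisabled) { $mbxDisabled } else { $orgDisabled }

if ($effectiveDisabled) {
    # Enable SMTP AUTH for the sending mailbox only; the organization default stays untouched
    Set-CASMailbox -Identity $Mailbox -SmtpClientAuthenticationDisabled $false
}

# Confirm the resulting setting for the mailbox
Get-CASMailbox -Identity $Mailbox |
    Format-List Identity, SmtpClientAuthenticationDisabled

# Review which mailboxes carry an explicit SMTP AUTH enablement
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object Identity, SmtpClientAuthenticationDisabled
```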

User-Based Authentication Flow

As already mentioned, the setup of email integration using user-based authentication requires you to Set Up OAuth Connection using the respective button. Once set up, the button changes to Renew OAuth Connection. It is advised to make this setup in a private browser tab so that you can authenticate with the specific mail account user.

App-Only Authentication Flow

The App-Only Authentication Flow requires additional setup for receiving emails using IMAP. The specific email account has to be pre-authenticated. Here are the actions that you need to take:

  • Open the Application Registration that you just created (see above).
  • Click API permissions and Add a permission.
  • Select the tab APIs my organization uses, search for and select Office 365 Exchange Online
  • Select Application permissions
  • Search and select IMAP.AccessAsApp and SMTP.SendAsApp
  • Click Add permissions
  • The permissions have been added now. An additional step may be required:
    • Click Grant admin consent for ...

The result should be the assigned API permissions as seen in the screenshot.

Note: The instructions are derived and shortened from Microsoft IMAP/POP/SMTP OAuth instructions.

Register service principals in Exchange

The pre-authentication now takes place in the Microsoft Exchange Admin Portal. You must be an organization administrator. Open the Cloud Shell with PowerShell. This shell has all the Exchange Online tools preloaded.

  • After a short wait, the Cloud Shell should appear as an icon in the toolbar (see below).
  • If necessary, select PowerShell as the working environment.
  • Execute the following commands.

Figure 5: Exchange Admin Center Cloud Shell

# Connect your Tenant to the console
Connect-ExchangeOnline

# APPLICATION_ID - The app registration's Application (Client) ID (see "Obtaining the Client and Tenant ID")
# OBJECT_ID - The object ID from the "Managed application in local directory" link in the Essentials section
New-ServicePrincipal -AppId <APPLICATION_ID> -ObjectId <OBJECT_ID>

# ACCOUNT_EMAIL - The user's email account you want to send/receive emails from
# SERVICE_PRINCIPAL_ID - The ObjectId from the result of the previous command
Add-MailboxPermission -Identity "<ACCOUNT_EMAIL>" -User <SERVICE_PRINCIPAL_ID> -AccessRights FullAccess

Note: The instructions are detailed in the Microsoft IMAP/POP/SMTP OAuth instructions, too. However, they are laid out there so that you can run them from PowerShell on a local computer instead of the online PowerShell.
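
FullAccess is a broad right, so it is worth confirming that the service principal holds it only on the intended mailbox. The following check is an added example and not part of the i-net PDFC documentation; it assumes the same Exchange Online session and uses the placeholders from the commands above.

```powershell
# Added example: verify the service principal and the mailbox grant created above.
$AppId   = '<APPLICATION_ID>'   # placeholder: Application (Client) ID
$Mailbox = '<ACCOUNT_EMAIL>'    # placeholder: mailbox used for sending/receiving

Connect-ExchangeOnline

# Find the Exchange service principal that was registered for the application
$sp = Get-ServicePrincipal | Where-Object { $_.AppId -eq $AppId }
if (-not $sp) { throw "No Exchange service principal registered for $AppId" }
$sp | Format-List DisplayName, AppId, ObjectId

# Confirm the grant on the intended mailbox
Get-MailboxPermission -Identity $Mailbox -User $sp.ObjectId |
    Format-List Identity, User, AccessRights

# List every mailbox on which this service principal holds rights;
# anything besides the intended mailbox should be reviewed
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission -User $sp.ObjectId |
    Select-Object Identity, User, AccessRights

# When the connection is retired, revoke the grant again:
# Remove-MailboxPermission -Identity $Mailbox -User $sp.ObjectId -AccessRights FullAccess
```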
