Azure Configuration for Modern Authentication

Due to a recent upgrade in Microsoft, multi-factor authentication (MFA) was added as additional security to the username and password authentication.

To enable the cross-platform Exchange Web Services (EWS) and Nintex RPA to work with modern authentication without MFA, it is necessary to configure Azure AD.

Modern authentication methods currently supported:

  • Exchange Web Services (EWS) with modern authentication without MFA

  • Exchange Web Services (EWS) with modern authentication and client secrets (MFA alternative)

Modern authentication methods currently not supported:

  • Regular MFA
You need to have Admin access to Microsoft Azure Portal for Office 365 and access to the Nintex Studio for this configuration.

Versions Supported: 21.10.7 and above.

If you are not using the versions listed above, your platform cannot support modern authentication. Please reach out to your Account Manager/Customer Success Manager to discuss upgrading your product.

The following sections detail the steps to enable and configure modern authentication in Azure AD to use with Nintex RPA:

Follow these steps to configure Azure AD for Nintex RPA OAuth Modern Authentication:

  1. Sign in to your Microsoft Azure Active Directory portal.

  2. Search for and select Azure Active Directory to enter the Home page.

  3. Select App registration from the left menu.

  4. If a registration was not previously created for the Nintex application, select New registration.

  5. Select Create new registration.

    • Give a name for the application such as Nintex RPA.

    • Select the option Accounts in this organizational directory only.

    • Click Register.

  6. Once the app is created, the Application (client) ID and Directory (tenant) ID becomes visible. Take note of them as they will be required for configuring modern authentication in the Nintex RPA platform.

  7. Navigate to the new App registration.

  8. Select API permissions from the left menu.

  9. Select Add a permission.

  10. Select APIs my organization uses.

  11. Search for and select Office 365 Exchange Online.

  12. Select the type of permission that your application requires:

    Scenario - If you are using: Permissions to select:
    Username and password with MFA disabled Delegated permissions
    Username and client secret Application permissions
    Username, password, and client secret

    Delegated and Application permissions
    Client secret with MFA enabled or disabled Application permissions

    Select Delegated permissions when your application requires specific user permissions to access the API online. When attempting to access the application, it impersonates the user to gain access. This process involves using credentials like the username and password associated with the user. If the necessary permissions are not granted, the application will deny access to the API.

    1. Select Delegated permissions.

    2. Search for EWS.

    3. Select EWS.AccessAsUser.All.

    4. Click Add permissions.

      All added permissions should appear in the Configured permissions list.

    5. Check the Grant admin consent checkbox to successfully grant these permissions.

    Select Application permission to enable the application to operate as a background service independently, without relying on a specific user. This means the application can run and perform its tasks without requiring user authentication.

    1. Select Application permissions.

    2. Search for Other permissions.

    3. Select full_access_as_app.

    4. Click Add permissions.

      All added permissions should appear in the Configured permissions list.

    5. Check the Grant admin consent checkbox to successfully grant these permissions.

  13. Select Authentication from the left menu.

  14. Select Advanced settings.

  15. Confirm that Enable the following mobile and desktop flows is enabled.

    Click Save to commit any changes.

  16. Search for and select Tenant properties.

  17. Under Access managements for Azure resources, select Manage security defaults.

  18. Confirm that Enable security defaults is set to No.

    Click Save to commit any changes.

Follow these steps to add users or groups to your newly created Nintex application:

  1. Sign in to your Microsoft Azure Active Directory portal.

  2. Search for and select Azure Active Directory to enter the Home page.

  3. Select Enterprise applications from the left menu.

  4. Select the Nintex application that was created in Configuration.

  5. Select Users and groups from the left menu.

  6. Add users or user groups to the application as needed.

Follow these steps to turn on modern authentication for email accounts:

  1. Sign in to Microsoft 365 admin center.

  2. Select Show All on the left menu.

  3. Select Settings.

  4. Select Org settings.

  5. Under the Services tab, select Modern Authentication.

  6. Confirm that Turn on modern authentication for Outlook 2013 for Windows and later is selected.

    Click Save to commit any changes.

Follow these steps to disable MFA for any email accounts used by Nintex RPA:

  1. Sign in to Microsoft 365 admin center.

  2. Select Users from the left menu.

  3. Select Active users.

  4. Select the Multi-factor authentication tab.

  5. Select your user.

  6. Click Disable on the right side under quick steps options.

  7. Select yes in the confirmation popup.

    The MFA status for this user should now show as Disabled.

  8. Repeat steps 5,6, and 7 for each user that needs MFA disabled.

Follow these steps to set up email functions in the Nintex RPA platform to work with modern authentication:

  1. Log in to the Nintex Studio.

  2. Access the Credentials Vault.

    For details, see Accessing the Credentials Vault.

  3. From the Credentials Vault main window, select the OAuth Authentication tab.

  4. Click the button.

    The following dialog opens:

  5. Create your credentials by entering a Display name and the Domain, Application ID (Client), and Directory ID (Tenant) as given in Step 6 of Configuration.

  6. Select the credential from the vault that you want to use modern authentication for.

  7. Open any wizard that uses an email Advanced Command.

  8. For the Get Email Advanced Command:

    1. In the Email Account settings for the Advanced Command fill in these details:

      • Email Server Type: Exchange (EWS: 2007 and above).

      • Server: https://outlook.office365.com/ews/exchange.asmx.

      • Credentials: Choose the credential from the vault that is being linked to modern authentication.

        OR

      • Enter manually: Enter the credential details.

        Details of the Application ID (Client), and Directory ID (Tenant) are seen in Step 6 of Configuration.

        You only have access to the client secret Value when you create it. If you did not copy the value when creating the client secret, you need to create a new one by selecting New client secret.

        1. Sign in to your Microsoft Azure Active Directory portal.

        2. Search for and select Azure Active Directory to enter the Home page.

        3. Select App registration from the left menu.

        4. Select the registration that was created in Configuration.

        5. Select Certificates & secrets from the left menu.

        6. The client secret is listed under Value.

    2. Click Test.

      If all configurations are performed correctly, you should get the Connection successful message.

      For more information about the Get email messages Advanced Command, see Get Email Messages.

  9. For the Send Email Advanced Command:

    1. In the Email Account settings for the Advanced Command, fill in these details:

      • Email Server Type: Exchange (EWS: 2007 and above).

      • Server: https://outlook.office365.com/ews/exchange.asmx.

      • Credential: Choose the credential from the vault that is being linked to modern authentication.

        OR

      • Enter manually: Enter the credential details.

        Details of the Application ID (Client), and Directory ID (Tenant) are seen in Step 6 of Configuration.

        You only have access to the client secret Value when you create it. If you did not copy the value when creating the client secret, you need to create a new one by selecting New client secret.

        1. Sign in to your Microsoft Azure Active Directory portal.

        2. Search for and select Azure Active Directory to enter the Home page.

        3. Select App registration from the left menu.

        4. Select the registration that was created in Configuration.

        5. Select Certificates & secrets from the left menu.

        6. The client secret is listed under Value.

    2. Click Send a test email....

      For more information about the Send email messages Advanced Command, see Send Email Messages.

Follow these steps to set the email triggers:

  1. Log in to Nintex RPA Console Plus, see Accessing Console Plus.

  2. Select Triggers from the left navigation menu.

  3. Choose an email trigger to edit.

  4. In the Trigger Events section, fill in these details:

    • Email Server Type: Exchange (EWS: 2007 and above).

    • Server: https://outlook.office365.com/ews/exchange.asmx.

    • Credentials: Choose the credential from the vault that is being linked to modern authentication.

      OR

    • Enter manually: Enter the credential details.

      Details of the Application ID (Client), and Directory ID (Tenant) are seen in Step 6 of Configuration.

      You only have access to the client secret Value when you create it. If you did not copy the value when creating the client secret, you need to create a new one by selecting New client secret.

      1. Sign in to your Microsoft Azure Active Directory portal.

      2. Search for and select Azure Active Directory to enter the Home page.

      3. Select App registration from the left menu.

      4. Select the registration that was created in Configuration.

      5. Select Certificates & secrets from the left menu.

      6. The client secret is listed under Value.

      • For more information about email triggers, see Creating email triggers.

  5. Save and publish the trigger.

    Check that the trigger has been published successfully.