Configure OAuth Authentication

To retrieve information from Exchange, you must go to the Azure portal and register an application to represent the connector. You must then configure the connector to authenticate using OAuth.

To do this, use one of the following procedures:

  • Set up an OAuth Service Application
  • Process Data from a Single User

For more information about creating applications and using OAuth, refer to the Microsoft documentation.

Set up an OAuth Service Application

To set up an OAuth Service Application

  1. Go to the Microsoft Azure Portal.
  2. Click New registration.

    1. Type a name for the new application.
    2. Specify a redirect URL. The "type" of the redirect URL should be "Web".

      • To use the NiFi Ingest connector, the redirect URL must match the URL shown in the advanced configuration dialog of the NiFi processor.
      • To use the standard connector, the redirect URL must match the value of the RedirectUrl parameter in the OAuth tool configuration file, oauth_tool.cfg. The default value is http://localhost:7878/oauth.
  3. Click Certificates and Secrets and upload a certificate to use to authenticate the connector. You can use a self-signed certificate.

  4. Click API Permissions > Add a permission.

    The Request API permissions dialog box opens.

  5. Click Microsoft Graph, then Application permissions, and select the following permissions.

    Permission                            Required For
    User.Read.All
    Mail.Read/Mail.ReadWrite              mail
    Calendars.Read/Calendars.ReadWrite    calendars
    Directory.Read.All                    Mapped Security
    Group.Read.All                        Mapped Security
    MailboxSettings.Read                  Using the parameters UserPurposeCantHaveRegex and UserPurposeMustHaveRegex.

  6. Run the OAuth configuration tool that is supplied with the connector.

    • To configure the NiFi Ingest connector

      1. In the NiFi web interface, right-click the processor and click Configure.
      2. Click ADVANCED, and complete the guided setup wizard. Then configure OAuth using the OAUTH SETUP > SERVICE ACCOUNT tab.
    • To configure the standard connector

      1. Open the folder where you installed the connector.
      2. Open the OAuth tool configuration file, oauth_tool.cfg, in a text editor.
      3. In the [Default] section, set any SSL or proxy settings that are required to access the repository:

        SSLMethod    The version of SSL/TLS to use.
        ProxyHost    The host name or IP address of the proxy server to use.
        ProxyPort    The port of the proxy server to use.

        For example:

        SSLMethod=NEGOTIATE
        ProxyHost=10.0.0.1
        ProxyPort=8080
      4. In the [OAuthTool_ServiceApp] section, set the following parameters:

        AdminConsentUrl    Replace the placeholder {tenant} with your Microsoft 365 Tenant, for example mydomain.onmicrosoft.com.
        TokenUrl           Replace the placeholder {tenant} with your Microsoft 365 Tenant, for example mydomain.onmicrosoft.com.
        AppKey             The application key of the application you created to represent the connector.
        CustomValue0       The path to the .pfx file that contains the certificate and private key to use to authenticate the connector.
        CustomValue1       The password for the private key.
      5. Open a command-line window and run the following command:

        oauth_tool.exe oauth_tool.cfg OAuthTool_ServiceApp

        A web browser opens, asking you to log in and grant admin consent.

      6. Log in and grant admin consent.

        The web page displays a message stating that the OAuth details have been successfully stored, and the OAuth tool creates the files oauth.cfg and oauth2_sites.bin. When you configure the connector, import the parameters from oauth.cfg into your task configuration. For more information about including parameters from another file, see Include an External Configuration File.

Process Data from a Single User

To process data from a single user

  1. Go to the Microsoft Azure Portal.
  2. Click New registration.

    1. Type a name for the new application.
    2. Specify a redirect URL. The "type" of the redirect URL should be "Web".

      • To use the NiFi Ingest connector, the redirect URL must match the URL shown in the advanced configuration dialog of the NiFi processor.
      • To use the standard connector, the redirect URL must match the value of the RedirectUrl parameter in the OAuth tool configuration file, oauth_tool.cfg. The default value is http://localhost:7878/oauth.
  3. Click Certificates and Secrets and create a new client secret.
  4. Click API Permissions > Add a permission.

    The Request API permissions dialog box opens.

  5. Click Microsoft Graph, then Delegated permissions, and select the following permissions.

    Permission                            Required For
    Mail.Read/Mail.ReadWrite              mail
    Calendars.Read/Calendars.ReadWrite    calendars
    Directory.Read.All                    Mapped Security
    Group.Read.All                        Mapped Security
    User.ReadBasic.All                    Mapped Security
    User.Read
    offline_access

  6. Run the OAuth configuration tool that is supplied with the connector.

    • To configure the NiFi Ingest connector

      1. In the NiFi web interface, right-click the processor and click Configure.
      2. Click ADVANCED, and complete the guided setup wizard. Then configure OAuth using the OAUTH SETUP > SINGLE USER tab.
    • To configure the standard connector

      1. Open the folder where you installed the connector.
      2. Open the OAuth tool configuration file, oauth_tool.cfg, in a text editor.
      3. In the [Default] section, set any SSL or proxy settings that are required to access the repository:

        SSLMethod    The version of SSL/TLS to use.
        ProxyHost    The host name or IP address of the proxy server to use.
        ProxyPort    The port of the proxy server to use.

        For example:

        SSLMethod=NEGOTIATE
        ProxyHost=10.0.0.1
        ProxyPort=8080
      4. In the [OAuthTool] section, set the following parameters:

        AuthorizeUrl    Replace the placeholder {tenant} with your Microsoft 365 Tenant, for example mydomain.onmicrosoft.com.
        TokenUrl        Replace the placeholder {tenant} with your Microsoft 365 Tenant, for example mydomain.onmicrosoft.com.
        RefreshUrl      Replace the placeholder {tenant} with your Microsoft 365 Tenant, for example mydomain.onmicrosoft.com.
        AppKey          The application key of the application you created to represent the connector.
        AppSecret       The client secret you obtained in step 3.
      5. Open a command-line window and run the following command:

        oauth_tool.exe oauth_tool.cfg OAuthTool

        A web browser opens, asking you to log in and grant consent.

      6. Log in and grant consent.

        The web page displays a message stating that the OAuth details have been successfully stored, and the OAuth tool creates the files oauth.cfg and oauth2_sites.bin. When you configure the connector, import the parameters from oauth.cfg into your task configuration. For more information about including parameters from another file, see Include an External Configuration File.
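
A pre-flight check for oauth_tool.cfg that can be run before oauth_tool.exe in either procedure above. It is an added example, not part of the connector or its documentation. It assumes the file parses as standard INI and that RedirectUrl sits in the chosen section or in [Default]; the endpoint URLs, AppKey and password in the sample are constructed values.

```python
import configparser
from urllib.parse import urlparse

# Keys per section, from the parameter lists in the two procedures above.
REQUIRED = {
    "OAuthTool_ServiceApp": ["AdminConsentUrl", "TokenUrl", "AppKey",
                             "CustomValue0", "CustomValue1"],
    "OAuthTool": ["AuthorizeUrl", "TokenUrl", "RefreshUrl", "AppKey", "AppSecret"],
}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: endpoint URLs and AppKey are illustrative, not the tool's defaults.
SAMPLE = r"""
[Default]
RedirectUrl=http://localhost:7878/oauth
[OAuthTool_ServiceApp]
AdminConsentUrl=https://login.microsoftonline.com/{tenant}/adminconsent
TokenUrl=https://login.microsoftonline.com/mydomain.onmicrosoft.com/oauth2/v2.0/token
AppKey=00000000-0000-0000-0000-000000000000
CustomValue0=C:\certs\connector.pfx
CustomValue1=constructed-password
"""

def check_oauth_cfg(text, section):
    """Return findings for one section of oauth_tool.cfg (empty list = OK)."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    if section not in cfg:
        return [f"[{section}] section is missing"]
    sec, findings = cfg[section], []
    for key in REQUIRED.get(section, []):
        value = sec.get(key, "").strip()
        if not value:
            findings.append(f"{key} is not set")
        elif key.endswith("Url"):
            if "{tenant}" in value:
                findings.append(f"{key} still contains the {{tenant}} placeholder")
            if urlparse(value).scheme != "https":
                findings.append(f"{key} must use https")
    # Assumption: RedirectUrl may sit in this section or in [Default].
    redirect = sec.get("RedirectUrl") or cfg.get("Default", "RedirectUrl", fallback="")
    if redirect:
        u = urlparse(redirect)
        if u.scheme == "http" and u.hostname not in LOOPBACK:
            findings.append("RedirectUrl uses http on a non-loopback host")
    return findings

if __name__ == "__main__":
    print(check_oauth_cfg(SAMPLE, "OAuthTool_ServiceApp"))
```

AppSecret and CustomValue1 are stored in oauth_tool.cfg in clear text, so restrict read access to the file to the account that runs the tool.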