The following instructions will assist with setting up OAUTH2 in GoAnywhere for the purpose of collecting email attachments from an IMAP mailbox in Office365.

Note. The Microsoft Azure interface is updated and improved periodically, which could result in some of the button selection references in this guide becoming incorrect.

1. Log in to the Microsoft Azure portal at https://portal.azure.com.
2. Select App Registrations.
3. Select New registration.
4. Define the Name for the application, which is the user-facing display name. This name can be changed later.
5. In the Supported account types section, choose who can use this application or access this API by selecting the radio button next to one of the three account types. The Help me choose... link supplies definitions for the different account types.
6. Select Register to register your new application.
7. On the Overview page, you will see your Application (client) ID.
8. Copy the Tenant ID.
9. Copy the App ID.
10. Go to the Enterprise Applications view.
11. Find your Application registration just created.
12. Select the Application to open the Enterprise Apps > Properties view and copy the object ID from here. Do not use the Object Id on the Application registrations page.
13. Navigate back to App Registrations.
14. Add a Client Secret – copy this before it is hidden. It is the Value field we need not the Secret ID field.
15. In the Azure portal, choose the API Permissions blade in your Azure AD application's management view.
16. Select Add permission.
17. Select the APIs my organization uses tab and search for "Office 365 Exchange Online".
18. Click Application permissions (not delegated permissions).
19. For POP access, choose the POP.AccessAsApp permission. For IMAP access, choose the
    IMAP.AccessAsApp permission.
    NOTE:
    GoAnywhere MFT Mailbox Resources do not support POP-3 with OAuth.
20. Select Add permissions.
21. Select the ‘Grant Permissions’ tick button to accept the Permissions. This requires Admin Access in Azure.
    Next, register your AAD application's service principal in Exchange via Exchange Online PowerShell. This is enabled by the New-ServicePrincipal cmdlet.
    To use the New-ServicePrincipal cmdlet, install the ExchangeOnlineManagement and connect to your tenant using the three commands shown in the following snippet. Note. The TENANT_ID is the same as identified in step 8 above.
22. Open PowerShell.
23. In PowerShell, run the following 3 commands one by one:

    Install-Module -Name ExchangeOnlineManagement

    Import-module ExchangeOnlineManagement

    Connect-ExchangeOnline -Organization {TENANT_ID}

24. In the two following Cmdlet steps DO NOT USE the Object Id shown in the App Registrations screen. Use the Object Id collected from Enterprise Applications View in step 12, an example of which is detailed below:
    
    DO NOT USE THE OBJECT ID FROM THE APP REGISTRATIONS PAGE
    
    If you get an error running the New-ServicePrincipal Cmdlet after you perform the steps below, it is likely because the user doesn't have the permissions in Exchange online to perform the operation.
25. Type the following command into PowerShell: 

    New-ServicePrincipal -AppId <APPLICATION_ID> -ServiceId <OBJECT_ID> [-Organization <ORGANIZATION_ID>]

    Where App ID is the App Id, and the Service Id is the Enterprise Application’s Object ID. Tenant ID is the Tenant (Client ID) from App Registrations.
26. Type the following command into PowerShell:  

    Add-MailboxPermission -Identity "john.smith@contoso.com" -User <SERVICE_PRINCIPAL_ID> -AccessRights FullAccess

    …where -Identity is the email account to be accessed, and -User is the Enterprise Application’s Object ID.
27. Wait a few minutes for Azure to synchronise with the new permissions in the Connector app being tested within GA. It could take some time – up to 24 hours.
    Then set up the connector in GoAnywhere with the correct Tenant, App Id (client) and the Client Secret from steps 8, 9 and 14, and then Test the Resource to see that it generates a token.
28. Copy the entire token to notepad
    Create a GoAnywhere Mailbox Resource using the following:
    1. Server Type: IMAP
    2. Authentication Type: OAuth2
    3. Host: in this case for Office 365 this is outlook.office365.com
    4. User: the email account permissioned in the Azure cmdlet (identity)
    5. Password: [may not be required depending on Account source]

       

29. Test that a connection succeeds by entering the token value generated and copied in step 28.
    
    If the resource test fails, this is likely to be related to Azure permissions or an incorrect user in the user account field. The user referenced should be the same as the user permissioned in PowerShell Permissions cmdlet.
    
    To link the Cloud connector to the mailbox is a project, use the Authenticate command available from the component library.
30. From within the Project Designer page, expand the Cloud Connectors folder in the Component Library, expand the Microsoft OAuth Online Connector menu, and then drag the Authenticate action to the Project Outline.
31. On the Authenticate action, specify a value for the following fields:
    1. Microsoft OAuth Online Connector Resource – Select a pre-configured Microsoft OAuth Resource.
    2. Access Token – Add a Variable name in which to store the Access Token.
       
32. From within the Project Designer page, expand the Email & SMS folder in the Component
    Library and then drag the Retrieve Email action to the Project Outline
33. On the Retrieve Email action, specify a value for the following fields:
    1. Mailbox - The Mailbox resource to use.
    2. Destination Directory - The file path where the attachments should be saved.
    3. Save Attachments - Whether to save the attachments to the destination directory.
34. On the Retrieve Email action Advanced panel, specify the variable containing the
    Authentication Access Token, as was added in step 31.
    
35. Select Save when done.

Using the OAuth Connector Authenticate enables a token to be automatically generated and authenticated for the Mailbox tasks to be used within the project.