Hi,
This is just an extended tutorial of what is already available in the UiPath Docs. One of the easiest ways to get authentication done for Unattended Automation is to use an App ID and Secret. Though it has certain limitations (some Graph permissions won't work with application-only access), App ID and Secret supports most of the tasks.
What are the steps needed to get the App ID & Secret?
- App Registration in Azure AD
- Limiting application permissions to specific Exchange Online mailboxes
You will find part 1 in many tutorials; I just wanted to add the second part as well.
App Registration in Azure AD
- Go to your organization’s Azure Portal and navigate to Azure Active Directory
(I'm using a dummy account for the demo)
- Click on App Registration
- Click on New Registration
- Provide a name of your choice for the Application. Under supported account types, choose the type. It's better to choose Single Tenant if the Bot ID is in the same domain, so that outside access is restricted. Then click Register. (We will add the redirect URI later.)
- You should get a success message and the App is created.
- Click on Add a Redirect URI option
- Select Add a platform on the page
- Choose Mobile and Desktop applications
- Select "https://login.microsoftonline.com/common/oauth2/nativeclient" and also add "urn:ietf:wg:oauth:2.0:oob" as shown below, then click Configure.
- You should see a success message
- Go back to the Application homepage and click on Add a certificate or secret (you can use Certificates & secrets on the left panel as well)
- Click on New Client Secret
- Provide a description, choose an expiry of your choice and click Add
- You should see a success message and the secret created as shown below. Note down the Value field, as it's the secret we are going to use in Studio; it is only shown once.
- We need to add the required API permissions to the App. Click on API Permissions on the left panel.
- Click on Add a Permission
- Choose Microsoft Graph
- Choose Application Permissions as we are not going to use an interactive auth method
- Search for the required API permissions you need.
- We are going to use the Email APIs. The minimum required permissions for email automation are
Mail.Read
Mail.ReadWrite
Mail.Send
Select them and click on Add permissions.
- You should see a success message as below.
- Since we need to use the APIs without interaction, Admin Consent is required. Click on Grant admin consent for .
- You should see a success message and the status change.
- Your App is successfully registered in Azure with an App ID and Secret.
You can use App ID, App Secret and Tenant ID with Office365 activities in Studio and Bot.
Now there is a catch: with these credentials the App has access to every mailbox in your tenant. It can use any email ID to read, write or send emails. How do we restrict the access?
Limiting application permissions to specific Exchange Online mailboxes
To limit app access, there are two steps.
- Create a new mail-enabled security group containing the mailboxes you want the App to access
- Create an application access policy and apply it to the above mail-enabled security group
Create a mail-enabled security group
- Go to EAC (Exchange Admin Center) - https://admin.exchange.microsoft.com/
- I have 3 Users here (1 Admin + 2 Domain Users). I want to provide App access only to one user (testuser@kannipoyil.com)
- Go to Recipients → Groups
- Go to Mail-enabled security and click on Add a group
- Select Mail-enabled security as group type
- Provide a name and description of your choice and click Next
- Click on Assign Owners and choose an owner for the group. This can be an IT admin or the RPA CoE
- Add the Owner and click Next
- Click on Add Members and choose the users you want to provide App access to.
- I want to add only 1 user so that the other won’t have access.
- Member is added. Click Next
- Provide an email address to identify the group. This email is mandatory, because it is the value the application access policy is scoped to.
- Create the Group
- You should see a success message and the group is created.
Create an application access policy
- Open PowerShell with administrator privileges
- We need to connect to Exchange Online PowerShell to create the application policy. If you haven't installed the Exchange Online PowerShell module, install it first with the command below.
Install-Module -Name ExchangeOnlineManagement
- Load the module
Import-Module ExchangeOnlineManagement
- Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName
- A window will prompt you to sign in. Complete the sign-in.
- Create an application access policy by running the following command, replacing the arguments for AppId, PolicyScopeGroupId and Description
New-ApplicationAccessPolicy -AppId f66ec237-5844-4fbb-a2d9-4482c4f99d8a -PolicyScopeGroupId uipathoffice365group@kannipoyil.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group UiPath Office365 API Group."
- You should get a success message similar to the one below.
- To test whether access is granted for a mail ID, execute the command below.
Test-ApplicationAccessPolicy -Identity testuser@kannipoyil.com -AppId f66ec237-5844-4fbb-a2d9-4482c4f99d8a
- Change the mail ID in the above command and check whether access is denied.
As per the above results, only testuser@kannipoyil.com has app access now.
One point to note here: changes to application access policies can take longer than 1 hour to take effect in Microsoft Graph REST API calls, even when Test-ApplicationAccessPolicy already shows the expected result. Wait at least an hour before judging whether the policy is working from the Bot side.
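The same steps in one script, as an added example that is not part of the original post: it creates the mail-enabled security group from Exchange Online PowerShell instead of the EAC, creates the policy, lists the policies that apply to the App ID (useful for a periodic audit of which apps are scoped) and then checks several mailboxes at once. The App ID, admin UPN and second mailbox are placeholders; the group address and test user are the ones used above.

```powershell
# Added example (not from the original post). Requires the
# ExchangeOnlineManagement module and an Exchange administrator sign-in.
# Identifiers marked <...> are placeholders to replace with your own values.

$AppId        = '<your-app-id>'                          # App ID from the Azure app registration
$GroupName    = 'UiPath Office365 API Group'             # display name (constructed)
$GroupAddress = 'uipathoffice365group@kannipoyil.com'    # group email from the post
$Allowed      = @('testuser@kannipoyil.com')             # mailboxes the App may use
$ToCheck      = @('testuser@kannipoyil.com',
                  '<another-user>@kannipoyil.com')       # placeholder mailbox expected to be denied

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName '<admin-upn>'  # interactive sign-in

# 1. Mail-enabled security group (the PowerShell equivalent of the EAC steps).
#    -Type Security creates a mail-enabled security group, not a plain distribution group.
if (-not (Get-DistributionGroup -Identity $GroupAddress -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $GroupName -Type Security `
        -PrimarySmtpAddress $GroupAddress -Members $Allowed | Out-Null
}

# 2. Application access policy scoped to that group.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupAddress `
    -AccessRight RestrictAccess `
    -Description 'Restrict this app to members of the UiPath Office365 API Group.'

# 3. Audit: every policy that applies to this App ID.
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId } |
    Format-Table AppId, ScopeName, AccessRight, Description

# 4. Check each mailbox; AccessCheckResult is 'Granted' or 'Denied'.
foreach ($mailbox in $ToCheck) {
    $result = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId
    '{0,-40} {1}' -f $mailbox, $result.AccessCheckResult
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once as an administrator; the table from step 3 is the quickest way to confirm later that no second, broader policy has been added for the same App ID, and the loop in step 4 should show Granted only for the mailboxes you put in the group.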
Testing with UiPath Studio
- Install the required Office365 activity package.
- Use the Office365 Scope activity and provide the required parameters. Make sure the authentication type is set to ApplicationIdandSecret, and provide the App ID, App Secret and Tenant ID created earlier.
- Here I am just using a Get Mail to write the count of unread emails and a Send Mail to check whether the mail is being sent or not. For App ID and Secret, the Account field is mandatory. Use the mail ID you have provided access to as the Account.
- I could get the count of emails with Get Mail and a test mail was sent using Send Mail.
- Replace the mail ID with another mailbox. You should get an Access Denied error as shown below. App access works only for the allowed email IDs.
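The same check without Studio, as an added example that is not part of the original post: it obtains a token with the App ID and Secret through the OAuth client-credentials flow (the flow the ApplicationIdandSecret authentication type relies on) and reads inbox metadata for each mailbox directly from Microsoft Graph. This is handy for re-checking after the propagation delay mentioned above, and for confirming that a mailbox outside the group really gets 403. Tenant ID, App ID, secret and the second mailbox are placeholders.

```powershell
# Added example (not from the original post). Placeholders marked <...>
# must be replaced; the secret belongs in a credential store (e.g. Orchestrator
# Assets), not in a script file.

$TenantId     = '<tenant-id>'
$AppId        = '<app-id>'
$ClientSecret = '<client-secret>'
$Mailboxes    = @('testuser@kannipoyil.com',
                  '<another-user>@kannipoyil.com')   # placeholder mailbox expected to be denied

# Client-credentials token for Graph; the App's own permissions (Mail.Read etc.)
# are expressed through the .default scope.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $AppId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

foreach ($mailbox in $Mailboxes) {
    # Reading the inbox folder's unread count is enough to prove Mail.Read access.
    $uri = "https://graph.microsoft.com/v1.0/users/$mailbox/mailFolders/inbox?`$select=unreadItemCount"
    try {
        $inbox = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        '{0,-40} granted, unread = {1}' -f $mailbox, $inbox.unreadItemCount
    }
    catch {
        # Mailboxes outside the policy group come back as HTTP 403 (ErrorAccessDenied).
        $status = $_.Exception.Response.StatusCode
        '{0,-40} denied ({1})' -f $mailbox, $status
    }
}
```

If the allowed mailbox is also denied, the policy has most likely not propagated yet (see the note on the one-hour delay) or the group email used in PolicyScopeGroupId does not match the one created in the EAC.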
Hope this helps.