Outlook Add-In with MFA

Purpose

This procedure specifies the steps to set up the Outlook Add-In with MFA.

Scope

This procedure applies to NFE version 2017.1.31 and later.

Prerequisites

  • An Azure account with a valid subscription and enough rights in the tenant to create an app registration and to grant admin consent (Step 1 is performed as an administrator).

Procedure

Step 1. Register the add-in with the Microsoft identity platform

  1. Sign in to the Azure portal with administrator credentials.
  2. Select App registrations. If you don't see the icon, search for "app registration" in the search bar. [Screenshot: Outlook Add In MFA 1.png]
  3. Select New registration. [Screenshot: Outlook Add In MFA 2.png]
  4. On the Register an application page, set the values as follows.
    1. Enter a display name for your application in the Name field.

    2. Set Supported account types to Accounts in any organizational directory (any Azure AD directory - multitenant) and personal Microsoft accounts (e.g., Skype, Xbox). This is the account type Office add-in single sign-on is configured with; it does not by itself limit who can reach xWeb, which is why the issuer check in Step 3 is pinned to your own tenant.
    3. Set Redirect URI to the platform Single-page application (SPA) and the URI to https://<fully-qualified-domain-name>, the HTTPS origin the add-in is served from. [Screenshot: Outlook Add In MFA 3.png]
  5. Select Register.
  6. Copy and save the values for the Application (client) ID and the Directory (tenant) ID. You'll use both in later steps. [Screenshot: Outlook Add In MFA 4.png]
  7. From the left pane, select Certificates & secrets. Then on the Client secrets tab, select New client secret. [Screenshot: Outlook Add In MFA 5.png]
  8. Add a description for your client secret.
  9. Select an expiration for the secret or specify a custom lifetime. Record the expiry date: once it passes, the add-in stops authenticating until the secret is rotated.
  10. Select Add, then copy the secret's Value immediately; the portal shows it only once. Treat it like a password: keep it in a secret store or protected server configuration, never in the add-in manifest (which every Outlook client downloads) or in source control.
  11. From the left pane, select Expose an API.
  12. Next to Application ID URI, select Add to generate an Application ID URI.
  13. Change the Application ID URI to api://<fully-qualified-domain-name>/<app-id>, where <fully-qualified-domain-name> is the add-in's host name and <app-id> is the Application (client) ID from step 6. [Screenshot: Outlook Add In MFA 6.png]
  14. Click Save.
  15. On the Expose an API page, select Add a scope. [Screenshot: Outlook Add In MFA 7.png]
  16. Set Scope name to access_as_user (the scope the Office client is authorized for in step 19), fill in the consent display name and description, and click Add scope. [Screenshot: Outlook Add In MFA 8.png]
  17. Select Add a client application.
  18. In Client ID, enter the Microsoft-published client ID that pre-authorizes all Microsoft Office application endpoints: ea5a67f6-b6f3-4338-b240-c655ddc3cc8e (the original screenshot shows it masked as “xx1x00x1-b6f3-1111-b000-x666xxc3xx8x”; confirm the value against Microsoft's current Office add-in SSO documentation before use). Pre-authorizing it lets Office request a token for your scope without a separate consent prompt.
  19. In Authorized scopes, select the api://<fully-qualified-domain-name>/<app-id>/access_as_user checkbox. [Screenshot: Outlook Add In MFA 9.png]
  20. From the left pane, select API permissions.
  21. Select Add a permission.
  22. Select Microsoft Graph. [Screenshot: Outlook Add In MFA 10.png]
  23. Select Delegated permissions.
  24. In the Select permissions search box, search for the permissions your add-in needs. For example, for an Outlook add-in, you might use profile, openid, Files.ReadWrite, Mail.Read, Files.Read.All and ConsentRequest.ReadWrite.All. Add only the permissions the add-in actually calls: once admin consent is granted in the next step, every permission in this list is available to the add-in for every user in the tenant, and broad ones such as Files.Read.All and ConsentRequest.ReadWrite.All deserve a review before they are granted. [Screenshot: Outlook Add In MFA 11.png]
  25. Select Grant admin consent for [tenant name]. Select Yes for the confirmation that appears.

 

Step 2. Set the app registration values in NFEOutlookAAD.xml

  • In the WebApplicationInfo section of the NFEOutlookAAD.xml manifest, change the values of the following tags:
    • Id: the Application (client) ID of the app registration.
    • Resource: the Application ID URI from Step 1, in the form api://<add-in URL>/<Application (client) ID>. It must match the URI saved in step 13 exactly. [Screenshot: Outlook Add In MFA 12.png]

 

Step 3. Set the Web.config values xWeb uses to validate the JWT

  • In the appSettings section of xWeb's Web.config, set the following three values, which drive JWT validation:
    • jwtWellKnownConfigUrlOutlook: the OpenID Connect discovery document for your tenant, i.e. the issuer URL below followed by /.well-known/openid-configuration (https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration). A JWT validator discovers the issuer and the signing keys (jwks_uri) from this document, so it must be fetched over HTTPS.
    • issuerOutlook: “https://login.microsoftonline.com/{tenant-id}/v2.0”, with {tenant-id} replaced by the Directory (tenant) ID from step 6. Because the app registration accepts accounts from any tenant, this tenant-specific value is what restricts xWeb to tokens issued by your own tenant.
    • audienceOutlook: the Application (client) ID of the app registration. Tokens issued for any other application (Microsoft Graph, for example) fail this check and are rejected. [Screenshot: Outlook Add In MFA 13.png]
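
The following is an added example, not NFE's or xWeb's code: a stand-alone Python validator that performs the checks the three settings above drive, so you can see what each value protects against. It assumes a constructed Directory (tenant) ID and Application (client) ID, generates a demo RSA key locally, and builds the JWKS and the discovery document inline as stand-ins for what xWeb would fetch from jwtWellKnownConfigUrlOutlook over HTTPS. Standard library only.

```python
# Added example (not NFE code): verify an Azure AD v2.0 access token the way xWeb's three settings imply.
import base64, hashlib, json, random, time

_rng = random.SystemRandom()
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # PKCS#1 v1.5 DER prefix

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _is_probable_prime(n: int, rounds: int = 24) -> bool:  # Miller-Rabin
    if n < 4 or n % 2 == 0: return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1: break
        else:
            return False
    return True

def gen_rsa_key(bits: int = 1024) -> dict:
    # Demo stand-in for Azure AD's published signing key; xWeb never generates keys itself.
    e, primes = 65537, []
    while len(primes) < 2:
        p = _rng.getrandbits(bits // 2) | 1 << (bits // 2 - 1) | 1  # exact size, odd
        if _is_probable_prime(p) and p not in primes and (p - 1) % e:  # keeps gcd(e, phi) == 1
            primes.append(p)
    p, q = primes
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(key: dict, msg: bytes) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(msg, k), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(n: int, e: int, msg: bytes, sig: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa_pkcs1_v15(msg, k)

def mint_token(key: dict, kid: str, claims: dict) -> str:
    head = b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}." + b64url(rs256_sign(key, f"{head}.{body}".encode()))

class TokenError(Exception): pass

def validate_token(token, openid_config, jwks, issuer_outlook, audience_outlook, now=None, skew=300):
    """Checks driven by jwtWellKnownConfigUrlOutlook (issuer + keys), issuerOutlook and audienceOutlook."""
    now = time.time() if now is None else now
    try:
        h, b, s = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(b)), b64url_decode(s)
        if not (isinstance(header, dict) and isinstance(claims, dict)): raise ValueError
    except ValueError:
        raise TokenError("malformed token") from None
    if header.get("alg") != "RS256": raise TokenError("unexpected alg")  # server, not token, picks the alg
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None: raise TokenError("unknown kid")
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify(n, e, f"{h}.{b}".encode(), sig): raise TokenError("bad signature")
    # Multitenant registration: this issuer pin is what keeps other tenants' tokens out of xWeb.
    if claims.get("iss") != issuer_outlook or openid_config.get("issuer") != issuer_outlook:
        raise TokenError("issuer mismatch")
    if claims.get("aud") != audience_outlook: raise TokenError("audience mismatch")  # e.g. a Graph token
    if claims.get("exp", 0) + skew < now or claims.get("nbf", 0) - skew > now:
        raise TokenError("token not valid at this time")
    return claims

def run_checks(now: int = 1_700_000_000) -> dict:
    """Mint one valid token plus common rejects; return each case's outcome."""
    tenant = "11111111-2222-3333-4444-555555555555"    # constructed Directory (tenant) ID
    client_id = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # constructed Application (client) ID
    issuer = f"https://login.microsoftonline.com/{tenant}/v2.0"  # issuerOutlook
    openid_config = {"issuer": issuer}  # constructed body of <issuer>/.well-known/openid-configuration
    key, kid = gen_rsa_key(), "demo-kid-1"
    jwks = {"keys": [{"kty": "RSA", "use": "sig", "kid": kid, "e": "AQAB",  # 65537
                      "n": b64url(key["n"].to_bytes((key["n"].bit_length() + 7) // 8, "big"))}]}
    good = {"iss": issuer, "aud": client_id, "exp": now + 3600, "nbf": now - 60, "scp": "access_as_user"}
    valid = mint_token(key, kid, good)
    h, b, s = valid.split(".")
    cases = {
        "valid": valid,
        "other_tenant": mint_token(key, kid, {**good, "iss": "https://login.microsoftonline.com/common/v2.0"}),
        "graph_token": mint_token(key, kid, {**good, "aud": "00000003-0000-0000-c000-000000000000"}),
        "expired": mint_token(key, kid, {**good, "exp": now - 3600}),
        "tampered": f"{h}.{b64url(json.dumps({**good, 'scp': 'admin'}).encode())}.{s}",  # edited claims, old sig
        "alg_none": b64url(json.dumps({"alg": "none", "kid": kid}).encode()) + f".{b}.",
    }
    def outcome(tok: str) -> str:
        try:
            validate_token(tok, openid_config, jwks, issuer, client_id, now=now)
            return "ok"
        except TokenError as err:
            return str(err)
    return {name: outcome(tok) for name, tok in cases.items()}
```

Calling run_checks() returns one outcome per case: the token minted for the configured tenant and client ID validates, while a token from the /common endpoint, a token whose audience is Microsoft Graph, an expired token, a token whose claims were edited after signing, and an alg=none token are each rejected with the reason shown. The issuer comparison is the check that matters most here: the app registration in Step 1 accepts any organizational or personal account, so only issuerOutlook confines xWeb to tokens from your tenant, and audienceOutlook is what stops a token issued for some other API from being replayed against xWeb.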