Microsoft 365 Configuration for OAuth 2.0

Do not proceed until you have completed everything described in the topic Preparation

These instructions are provided as a convenience for customers using Microsoft® 365® (formerly Office 365®)as an OAuth 2.0 provider. Trihedral has no relationship with Microsoft and makes no claim that the information provided here is the best process to use.
The following steps were found to work at the time of writing.

  1. Open the Microsoft Azure Active Directory App registration in a browser:
    https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps
    (You will need to sign in to your account.)
  2. Select "New registration"
  3. Give the application a suitable name.
  4. Set the supported account types to "Accounts in this organizational directory only"
  5. Optionally add the redirect URIClosed The URL identifying a server registered as a potential system to receive the single use code during the OAuth 2 consent flow. for the VTScada server using redirect type "Web".
    Add Redirect URIs as appropriate. These will be the FQDN's of the VTScada OAuth servers along with the VTScada OAuth path (/vtscada/oauth/return), e.g. https://scada.example.com/vtscada/oauth/return. This can also be added later.
  6. Select "Register".
    The newly created application will open
  7. On the left-hand side menu select "Authentication"
  8. Under "Web", add Redirect URIs as appropriate.
    These will be the FQDN's of the VTScada OAuth servers, along with the VTScada OAuth path which is "/vtscada/oauth/return". Do not include the realm name for your application. Do not include the port number unless it is non-standard.
    e.g. https://myscada.example.com/vtscada/oauth/return
  9. Select "Save" at the top of the page.
  10. On the left-hand side menu select "API permissions", then "Add a permission".
    Request API permissions will open
  11. Select "Microsoft Graph", then "Delegated permissions"
  12. Expand "OpenId Permissions" and select "offline_access".
  13. Expand "POP" and select "POP.AccessAsUser.All" (Receiving email only)
  14. Expand "SMTP" and select "SMTP.Send" (Sending email only)
  15. Select "Add permissions".
  16. On the left-hand side menu select "Certificates & secrets"
  17. Under "Client secrets", select "New client secret"
  18. Add a description that identifies the client or purpose.
  19. Select an appropriate expiry for the client secret.
    "Never" is likely to be the best choice.
  20. Select "Add", then copy the client secret to a secure location as it will be masked after leaving the page and is required later when configuring VTScada.
  21. On the left-hand side menu select "Overview" and copy the "Application (client) ID" value.
  22. Select "Endpoints", then the "OAuth 2.0 authorization endpoint (v2)" and "OAuth 2.0 token endpoint (v2) values".
  23. You should now have the following information, to be used when configuring VTScada:
Name in Azure Name in VTScada Example value
OAuth 2.0 authorization endpoint (v2) Authorization Endpoint URL https://login.microsoftonline.com/ 236fb237-d18f-42c0-b59a-845ad5e04584 /oauth2/v2.0/authorize
OAuth 2.0 token endpoint (v2) Token Endpoint URL https://login.microsoftonline.com/ 236fb237-d18f-42c0-b59a-845ad5e04584 /oauth2/v2.0/token
Application (client) ID Client ID 07d3c8b3-6d4f-4b0b-b5a0-348a82977e0d
Client secret Value Client Secret Slb3-e3J2c-UwCzVdBv8-Hadun_374
Configured Permissions name Requested Scopes offline_access
POP.AccessAsUser.All SMTP.Send Web Redirect URIs
Redirect URIs https://scada.example.com/vtscada/oauth/return  

In VTScada:

  1. Enable the OAuth 2.0 option in Security, Administrative options, Advanced.
  2. Ensure the appropriate server list has been configured.
    (Referring here to a Client / Server Configuration list, not a VTScada Thin Client Server server list.)
    An OAuth specific list may be configured if required. For resilience, two OAuth servers are recommended.
  3. Open the OAuth 2.0 settings dialog.
    Available from either the drop-down security menu in the screen or the Security page of the Application Configuration dialog.
  4. Create a new Provider by selecting the "+" under the providers list.
  5. Set the Provider name to something appropriate, e.g. "Microsoft".
  6. Set the Authorization Endpoint URL to the value recorded above.
  7. Set the Token Endpoint URL to the value recorded above.
  8. Leave the Revocation Endpoint URL blank.
  9. Set the Client ID to the Application (client) value recorded above.
  10. Set the client secret to the value recorded above.
  11. Set the Refresh Token Lifetime to 1209600
    This is measured in seconds and matches the 2-week token lifetime that is the default for Microsoft Azure.
  12. Using the Scopes editor (the Pen icon next to the Provider Scopes field), add the following scopes: https://outlook.office.com/SMTP.Send, https://outlook.office.com/POP.AccessAsUser.All, offline_access.
  13. Using the Redirect URIs editor set the OAuth Redirect URIs to the Web URIs recorded above.
  14. Create a new Grant by selecting the "+" under the grants list.
  15. Set the Grant name to something appropriate such as "Outlook".
  16. Set the Grant bearer to the Office365 account name (full email address) of the user that will be running the consent operation
  17. Using the Grant Scopes editor select the https://outlook.office.com/SMTP.Send, https://outlook.office.com/POP.AccessAsUser.All, and offline_access scopes.
  18. Select the Apply button.
  19. Select the Consent button to grant authority for VTScada to access the designated email account.