Multi-Factor Authentication Email (2FA/MFA)

    Multi-Factor Authenticated Emailing for Microsoft

    Use App Passwords for Gmail
    Gmail accounts do not use the Azure flow described below. For Gmail, MFA passwords use the Google App Passwords feature: generate an App Password for the account and enter it in the password field, following the SMTP Authenticated Emailing steps.

    Microsoft has begun blocking outbound SMTP connections on TCP port 25 from its Azure platform. Microsoft states that this is done to improve security for Microsoft partners and customers, to protect the Azure platform, and to conform to industry security standards.

    What this means is that, to prepare for the point in the near future when Microsoft cuts off the use of port 25 entirely, each user who sends email out of the Campus Cafe system from their own address will need to supply their own credentials: mail can no longer be relayed unauthenticated on port 25 and must instead be submitted as an authenticated user.

    To prepare for this change, a new "User Specific" Multi-Factor Authentication configuration has been added.

    Web App Configuration for Office 365 Multi-Factor Authentication

    Log In to Azure Portal

    Navigate to portal.azure.com and log in. At the landing page, type “app registrations” in the search box on the header bar:

     

    Register a new App

    In the “App Registrations” screen, click “New Registrations”:
    Give the Application a name, set the supported account type, and set the redirect URI (https://xxx-web.scansoftware.com/cafeweb/tl/tokenResponse), where xxx is your 3-digit school code.

    API Permissions

    Click on API permissions, then Add a permission. All of the permissions come from Microsoft Graph:
    Select each of the permissions listed below and add them to the API Permissions. After selecting Microsoft Graph, choose the Type shown in the table (Application or Delegated) before picking the permission:
    Microsoft Graph permissions:

     

    Permission              Type         Description                                          Admin Consent Required
    Directory.Read.All      Application  Read directory data                                  Yes
    Mail.ReadWrite          Application  Read and write mail in all mailboxes                 Yes
    Mail.Send               Application  Send mail as any user                                Yes
    Sites.Read.All          Application  Read items in all site collections                   Yes
    User.Read.All           Application  Read all users’ full profiles                        Yes
    email                   Delegated    View users’ email address                            No
    IMAP.AccessAsUser.All   Delegated    Read and write access to mailboxes via IMAP          No
    Mail.ReadWrite          Delegated    Read and write access to user mail                   No
    Mail.Send               Delegated    Send mail as a user                                  No
    offline_access          Delegated    Maintain access to data you have given it access to  No
    openid                  Delegated    Sign users in                                        No
    SMTP.Send               Delegated    Send emails from mailboxes using SMTP AUTH           No
    User.Read               Delegated    Sign in and read user profile                        No

    Note that the five Application-type permissions are not tied to any signed-in user: once admin consent is granted, the app's client secret alone is sufficient to read and send mail in every mailbox in the tenant. Keep the client secret confined to the Campus Cafe configuration, and if your organization requires it, the application mail permissions can be restricted to the mailboxes Campus Cafe actually uses with an Exchange Online application access policy (New-ApplicationAccessPolicy).


    Once the permissions are added, click the "Grant admin consent" button to approve them for the API connection. The Status column for each permission should then show a green check.

    Add Logout URI

    Click “Authentication” and add a logout URL (https://xxx-web.scansoftware.com/cafeweb/logout), where xxx is your three-digit school code.

    Tick the checkboxes next to Access tokens and ID tokens, select Single tenant under the supported account types, and set "Allow public client flows" to Yes:

    Create an App Secret 

    Create an App Secret by clicking Certificates & secrets, then New client secret, and fill out the information in the pop-out window (the recommended expiration is 730 days). Record the expiry date: when the secret expires, Campus Cafe will stop authenticating until a new secret is generated and entered in the Web App configuration below.

    Copy the Secret Value (not the Secret ID). The value is shown only once, immediately after creation; if you navigate away without copying it, delete that secret and create a new one:

    Set up Web App Configurations in Campus Cafe

    Navigate to Admin>Web App and enter "OFC365" into the search bar. Set the following values (the client secret generated above goes in OFC365_CLIENTSECRET):

    Key                  Description                               Value
    OFC365_CLIENTID      Office365 Client Id                       Application (client) ID from the App Registration Overview page
    OFC365_CLIENTSECRET  Office365 Client secret                   Secret Value copied above
    OFC365_TENANTID      Office365 Tenant Id                       Directory (tenant) ID from the App Registration Overview page
    IMAP_HOST            IP or Domain Name of IMAP Host            outlook.office365.com
    IMAP_PORT            Port Number of IMAP Host                  993
    IMAP_TLS             Enable TLS IMAP encryption? Y or blank    Y

    The values for OFC365_CLIENTID and OFC365_TENANTID are located on the App Registration Overview page for the App, labelled Application (client) ID and Directory (tenant) ID.

    The IMAP_HOST value should be set to outlook.office365.com, IMAP_PORT to 993, and IMAP_TLS to Y so that the IMAP session is encrypted.


    Refresh Data Cache

    Once the values are updated, run the Refresh Data Cache (Admin Menu>Refresh Data Cache>Reload Data)

    User Authentication

    Once the MFA Azure App has been created and the appropriate values linked to Campus Cafe via the Web App configurations, users will be able to authenticate their Office 365 email accounts with the MFA Azure authentication button:

    To validate:

    1. Enter the email address (or select the email to be authenticated) and click "Usage Preferred".

    2. Enter the email account's password (not the user's Campus Cafe password) and click Save in the lower right-hand corner.

    3. Click the "Test" button. A Success message should appear below the Test button, and a test email should be delivered to the account being authenticated. Click Save.

    4. Tick the "Uses MFA" checkbox and click the "Authenticate with MFA" button. If the email account authenticates successfully, a green "success" message appears next to the button; otherwise a red "failure" message appears. Click Save after a successful authentication.

    During the MFA authentication step, make sure you are signed in only to the Microsoft account whose tokens you are authorizing. Microsoft may sign you in automatically from an existing browser session with the Azure environment and issue tokens that belong to a different account than the one you are configuring in Campus Cafe. To avoid this, sign out of all Microsoft accounts, or perform the authentication in a private or incognito browser window. Once the tokens are active, you may sign back in to your other Microsoft accounts.

    Generic Department Email Address
    Under this email relay process, for Campus Cafe to send email from a generic department address such as admissions@campuscafe.edu or billing@campuscafe.edu, a non-student account must be created for that address and the MFA credentials process above completed for it.
    Common Error Message for SMTP Disabled for Tenant
    If you receive the following error message when sending an email from the system:
    535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Tenant.

    follow these steps to enable SMTP Authentication for your organization.

    As the error message indicates, the cause is that SMTP AUTH (authenticated client submission) is disabled for your tenant in Exchange Online. The SMTP.Send permission granted above still submits mail through SMTP AUTH, so the OAuth token is rejected until SMTP AUTH is enabled. To resolve the error, enable it in the Microsoft 365 Exchange Online Admin Center. Here is how:

    1. Log in to the Exchange Online Admin Center at: https://admin.exchange.microsoft.com
    2. Click on Settings >> Mail flow
    3. In the Mail flow settings, under Security, uncheck the “Turn off SMTP AUTH protocol for your organization” checkbox and click the “Save” button.

    This switch is tenant-wide. If you prefer to leave it off for the organization as a whole, SMTP AUTH can instead be enabled only for the mailboxes that Campus Cafe sends from, using Exchange Online PowerShell: Set-CASMailbox -Identity <mailbox> -SmtpClientAuthenticationDisabled $false. The per-mailbox setting overrides the organization setting.

    Alternatively, if that does not work, try this configuration:

    1. Log in to the Microsoft 365 Admin Center at https://admin.microsoft.com/

    2. Select Settings > Org settings

    3. Under Services, select Modern authentication

    4. Ensure "Authenticated SMTP" is checked
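    The following Python is an added example, not Campus Cafe or Scan Software code. It shows what the App Registration values above become on the wire: the authorization request built from the client ID, tenant ID, redirect URI and delegated scopes; the SASL XOAUTH2 string that carries the resulting access token to SMTP AUTH and IMAP; and a classifier for the 535 5.7.139 reply discussed in this section. The tenant and client IDs are constructed placeholders, the function names are the author's own, and prompt=select_account is the mechanism it uses against the wrong-account problem described under User Authentication. It runs offline and makes no network calls.

```python
"""Added example (not Campus Cafe code): the OAuth pieces behind the
App Registration above. Identifiers are constructed placeholders."""
import base64
import hashlib
import secrets
import urllib.parse

# Constructed placeholder values; substitute the Application (client) ID and
# Directory (tenant) ID from the App Registration Overview page.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REDIRECT_URI = "https://xxx-web.scansoftware.com/cafeweb/tl/tokenResponse"

# Delegated scopes for the mail token. SMTP AUTH and IMAP are Exchange Online
# resources (outlook.office.com); a v2.0 access token is issued for a single
# resource, so Graph scopes such as Mail.Send must be requested separately.
MAIL_SCOPES = (
    "https://outlook.office.com/SMTP.Send",
    "https://outlook.office.com/IMAP.AccessAsUser.All",
    "offline_access",   # required to receive a refresh token
    "openid",
)


def pkce_verifier() -> str:
    """Random PKCE code_verifier (RFC 7636): 43 URL-safe characters."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def authorize_url(tenant_id: str, client_id: str, redirect_uri: str,
                  scopes, state: str, code_challenge: str) -> str:
    """Authorization-code request the user's browser is sent to.

    prompt=select_account forces the Microsoft account picker, so an existing
    browser session for a different account is not silently reused.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,                     # anti-CSRF value, checked on return
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "prompt": "select_account",
    }
    return (f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?"
            + urllib.parse.urlencode(params))


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """SASL XOAUTH2 client response: base64("user=" u "\\x01auth=Bearer " t "\\x01\\x01").

    The same string is sent as AUTH XOAUTH2 <response> to SMTP on port 587
    and as AUTHENTICATE XOAUTH2 <response> to IMAP on port 993.
    """
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def classify_smtp_auth_reply(reply: str) -> str:
    """Map the server reply to AUTH XOAUTH2 to an actionable category.

    535 5.7.139 is the tenant/mailbox SMTP AUTH switch described above and is
    returned even when the OAuth token itself is valid.
    """
    code = reply[:3]
    enhanced = reply[4:].split(" ", 1)[0]
    if code == "235":
        return "authenticated"
    if code == "535" and enhanced == "5.7.139":
        return "smtp_auth_disabled"       # enable SMTP AUTH for tenant or mailbox
    if code == "535":
        return "token_or_user_rejected"   # expired or wrong-resource token, wrong mailbox
    return "other"


if __name__ == "__main__":
    verifier = pkce_verifier()
    print(authorize_url(TENANT_ID, CLIENT_ID, REDIRECT_URI, MAIL_SCOPES,
                        secrets.token_urlsafe(16), pkce_challenge(verifier)))
    print(xoauth2_initial_response("admissions@campuscafe.edu", "<access token>"))
    print(classify_smtp_auth_reply(
        "535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Tenant."))
```

    The verifier returned by pkce_verifier must be kept server-side and presented with the authorization code at the token endpoint; the access token that comes back is what goes into xoauth2_initial_response, and the refresh token (granted because offline_access was requested) is what lets Campus Cafe keep sending after the access token expires without prompting the user again.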





