Modern Authentication and Google Authentication FAQs
Find information about securing credentials-based email accounts and answers to frequently-asked questions about Modern Authentication and OAuth 2.0.
Currently, provider limitations require that you set the following permissions for CSM email credentials to function:
- Enable Domain Wide Delegation in G Suite. The G Suite service account is not a member of your G Suite domain, unlike other user accounts. You must grant it explicit permission to access user accounts by enabling domain-wide delegation. See Control G Suite API access with domain-wide delegation.
- Full access as app in Office 365 Exchange Web Services (EWS). You must grant the Azure app full access to the EWS API. This API does not allow selection of more granular permissions like mail.read or mail.write. See Daemon app that calls web APIs - app registration.
CSM uses server-side authentication to manage email primarily through the Automation Process service and the Email and Event Monitor. Office 365 and G Suite do not offer account restrictions for this flow, so we use a service account for G Suite and an Azure app with application permissions for Office 365. Neither provider allows us to configure access to specific accounts.
CSM keeps credential-based email accounts secure through encrypted access tokens stored on CSM servers.
Refer to Configure Email Credentials to see our recommended settings for securing credentials-based email accounts.
Can I use Modern Authentication or OAuth 2.0 with my CSM implementation?
Versions of CSM older than CSM 10.1 do not support credential-based email account management. For more information on upgrading CSM, refer to Upgrade CSM.
For more information on Microsoft's plans to deprecate Basic Authentication, see https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-april-2020-update/ba-p/1275508. For more information on Google's plans to deprecate less secure app (LSA) access, see https://gsuiteupdates.googleblog.com/2020/03/less-secure-app-turn-off-suspended.html.
What's the difference between Modern Authentication and OAuth 2.0?
Microsoft 365 Exchange Online utilizes Modern Authentication, which is a combination of authentication and authorization methods between a client and a server, as well as additional security measures that rely on access policies. Its authentication method is a mix of multi-factor authentication, smart card authentication, and client certificate-based authentication. Its authorization method is an implementation of OAuth, and the access policies are Mobile Application Management (MAM) and Azure Active Directory (Azure AD) Conditional Access.
Google utilizes the OAuth 2.0 protocol for both authentication and authorization.
Can I convert existing email accounts that use passwords to use credentials?
Yes. After you set up credentials in CSM Administrator, manually update the password-based email accounts to use credentials.
How do I create an Azure app?
When Modern Authentication is enabled, background applications (for example, Automation Processes and the Email and Event Monitor) will need to use credentials from an Azure app. A user that has access to this application will be able to read and send emails.
- Log into Azure AD and register an app at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps.
- Follow the steps at https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-app-registration to create an app. A callback URI is not required.
- The app must have full access to Exchange Web Services (EWS). In the app, select API Permissions > Add a Permission and select APIs my organization uses.
- In the search prompt, enter Office. When Office 365 Exchange Online appears, select it.
- Select App Permissions, then select full_access_as_app. In the Configured Permissions section, select the Grant admin consent for <your server> button.
For information on restricting access based on policy groups, see https://forums.ivanti.com/s/article/Restricting-Access-to-a-Modern-Authentication-Application.
- Once the app is created, retrieve the app id, tenant id, and client secret. These will be used to configure the Cherwell email account.
- You can now add the secret/certificate information. Navigate to https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps.
- Navigate to Certificates & Secrets to upload a certificate or add a secret.
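As an added example (not CSM's code and not Microsoft's client library), this Go snippet shows the client-credentials request the Azure app makes for EWS and a pre-flight check that the token it gets back actually carries the full_access_as_app role granted in the consent step above. The client id and token used in its test are constructed, and the v1 claim name appid is an assumption of this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// tokenRequest builds the client-credentials form body a background service posts to
// https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token. The /.default scope
// requests every application permission the admin consented to (here full_access_as_app).
func tokenRequest(clientID, clientSecret string) string {
	form := url.Values{}
	form.Set("grant_type", "client_credentials")
	form.Set("client_id", clientID)
	form.Set("client_secret", clientSecret)
	form.Set("scope", "https://outlook.office365.com/.default")
	return form.Encode()
}

// Claims of interest in the EWS access token. The v1 claim name "appid" is an
// assumption of this example; Microsoft's v2-format tokens use "azp" instead.
type appToken struct {
	Aud   string   `json:"aud"`
	AppID string   `json:"appid"`
	Roles []string `json:"roles"`
	Exp   int64    `json:"exp"`
}

// checkAppToken decodes the payload and confirms the token is for EWS, was issued to this
// app, is unexpired and carries the full_access_as_app role. It does not verify the
// signature (EWS does that); it is a fail-fast check for a missing admin consent.
func checkAppToken(token, clientID string, now time.Time) (*appToken, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("malformed JWT") }
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil { return nil, err }
	var t appToken
	if err := json.Unmarshal(raw, &t); err != nil { return nil, err }
	if strings.TrimSuffix(t.Aud, "/") != "https://outlook.office365.com" { return nil, fmt.Errorf("audience %q is not EWS", t.Aud) }
	if t.AppID != clientID { return nil, fmt.Errorf("token was issued to app %q, not %q", t.AppID, clientID) }
	if now.Unix() >= t.Exp { return nil, fmt.Errorf("token expired") }
	for _, r := range t.Roles { if r == "full_access_as_app" { return &t, nil } }
	return nil, fmt.Errorf("full_access_as_app not in roles: admin consent missing")
}
```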
How do I set up a service account on the Google platform?
- Create a new project on the Google Cloud Platform (see https://console.developers.google.com/).
- Enable access to the Gmail API.
- Create a service account that will authenticate Cherwell with G Suite.
- Download the JSON/PFX file that contains the credentials for the account.
- Enable G Suite domain-wide delegation. To do this, add the client ID of the service account, then grant access to supported Google APIs.
How do I configure G Suite with the service account?
- In the G Suite account, select Security > Advanced Settings.
- Select App Access Control.
- Select Manage Domain Wide Delegation.
- Select Add New.
- Paste the unique ID from service account creation in the Client ID field.
- Add https://mail.google.com to the Scopes field.
- Select Authorize.