Setup Simple Application on Azure for MSGraph polling in KIC 2.8 or KTA 7.8
Disclaimer:
This article was created for and based on KIC 2.8 and KTA 7.8.
At the time of writing, KIC 2.8 and KTA 7.8 supported only the Resource Owner Password Credentials (ROPC) grant method.
Both Kofax and Microsoft currently recommend against using this grant method.
Issue
The first part of this article guides you through setting up a simple Azure application and the documented permissions that allow your KTA or KIC installation to poll mailboxes via MS Graph.
In part two, at the end of this article, I will quickly show how to set up the newest, more secure method of connecting to MS Graph using the Tenant ID and Client Secret.
Solution
This guide is based on the following documentation:
- KIC admin guide chapter “Permissions for Azure Active Directory application”
- KTA admin guide chapter “Permissions for Azure Active Directory application”
- KB article 3031220
- KB article 3023690
Things to keep in mind:
- KIC 2.8 and KTA 7.8 currently only support 'ROPC grant' which means that username and password still have to be provided. With KIC 2.9 and KTA 7.9 support for 'Authorization Code grant' and 'Client Credentials grant' will be introduced.
- The currently documented rights might be changed in the near future. Customers have been giving feedback and development is reviewing these comments.
- A new (more secure) implementation of MS Graph has been included in KIC 2.8.0.1 and will be included in KTA 7.8.
- The Azure side of things is usually something for the customer and their IT department to deal with.
There will be a lot of screenshots with as little text as possible.
Part one: Simple setup
Browse to https://portal.azure.com and log in with your O365 Admin account.
Navigate to “Manage Azure Active Directory”.
Click on “App registrations”.
Click on “+ New registration”.
Give your new application a name and click “Register”.
You should’ve landed in the Overview of your new Application.
Here you can see the Application (client) ID which you will need to set up your KTA or KIC MS Graph import… but you can ignore this for now.
Click on “API permissions”.
Here you can see 1 API permission already in place. Simply leave it in place.
Click on “+ Add a permission”.
Here we’ll be adding the permissions as documented in KB article 3031220.
NOTE: Not all of the following permissions are still required. You only need to add the permissions that can be found in KB article 3031220 in Mindtouch.
Select the “Microsoft Graph” API.
Click on “Delegated permissions”.
Under “Select permissions” you can enter a search term.
Search for “mail.read” and select the documented delegated permissions for Microsoft Graph.
Don’t click “Add permissions” yet.
Click on “Application permissions”.
The filter for “mail.read” should still be active.
Select the documented Application permissions for Microsoft Graph and click “Add permissions”.
NOTE: Not all of these permissions are still required. You only need to add the permissions that can be found in KB article 3031220 in Mindtouch.
Here you can see the list of added permissions.
Here’s where you need the admin privileges.
Click on “Grant admin consent for YourDomain”.
Click on “Yes”.
Take note of the changes.
One last step which currently is only documented in the KIC admin guide.
Click on “Authentication”.
Under Advanced settings, set the setting for “Treat application as a public client” to “Yes”.
And click “Save”.
Take note of the changes.
Go back to the “Overview” of your application.
Here you can find and copy the “Application (client) ID” that you need to set up your KTA or KIC import for MS Graph.
For KIC (2.8 on the left and 2.8.0.1 on the right), set up a new mailbox import, select “MS Graph” in the Protocol field, copy the “Application (client) ID” into the “Client ID” field, and configure the User name and password for the mailbox you want to poll. (Note that in the following Mailbox settings screenshots the password isn't always shown, but it is still needed. The password isn't visible due to security changes in the GUI.)
Note that it’s best practice to restart the MC after setting up the Azure side of things and before testing the connection of your MS Graph import connector.
The same goes for KTA. Set up a new Import Source of Type “MS graph”.
Copy the “Application (client) ID” into the “Client ID” field and configure the User name and password for the mailbox you want to poll.
Note that it’s best practice to restart the MC after setting up the Azure side of things and before testing the connection of your MS Graph import connector.
Part Two: More secure setup using Tenant ID and Client Secret.
The “Directory (Tenant) ID” can be found directly under the “Application (client) ID”.
Copy the value.
Paste the copied value in the Tenant ID field of your KIC import connector for MS Graph.
To set up a client secret, from your application Overview window, click on “Certificates & secrets”.
Click on “+ New client secret”.
Add a description for this secret, select the desired expiry and click on “Add”.
Copy the newly generated Client secret. You have to copy this value now and store it in a safe place, because it won't be visible or available later.
Paste the copied value into the “Client Secret” field of your KIC import connector for MS Graph.
Note that it’s best practice to restart the MC after setting up the Azure side of things and before testing the connection of your MS Graph import connector.
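To review the registration that Part one and Part two produce, the check below flags the three settings this guide touches: public client flows, delegated versus application permissions on Microsoft Graph, and client secret expiry. It is an added example, not Kofax or Microsoft code; the property names follow the Microsoft Graph application resource, while SAMPLE_APP, audit_app and warn_days are hypothetical and the sample values are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource appId

# Constructed sample in the shape of a Microsoft Graph "application" object;
# every name, id and date below is made up for illustration.
SAMPLE_APP = json.loads("""
{
  "displayName": "kic-msgraph-poller",
  "isFallbackPublicClient": true,
  "requiredResourceAccess": [
    {"resourceAppId": "00000003-0000-0000-c000-000000000000",
     "resourceAccess": [
       {"id": "11111111-1111-1111-1111-111111111111", "type": "Scope"},
       {"id": "22222222-2222-2222-2222-222222222222", "type": "Role"}]}],
  "passwordCredentials": [
    {"displayName": "kic-connector", "endDateTime": "2030-01-20T00:00:00Z"}]
}
""")

def audit_app(app, now, warn_days=30):
    """Return review findings for one app registration (hypothetical helper)."""
    findings = []
    if app.get("isFallbackPublicClient"):
        findings.append("public client flows enabled")
    for res in app.get("requiredResourceAccess", []):
        if res.get("resourceAppId") != GRAPH_APP_ID:
            continue  # only Microsoft Graph permissions are relevant here
        kinds = [p["type"] for p in res.get("resourceAccess", [])]
        findings.append(f"Microsoft Graph: {kinds.count('Scope')} delegated, "
                        f"{kinds.count('Role')} application permission(s)")
        if "Role" in kinds:
            findings.append("application permissions act without a signed-in user; "
                            "keep only those listed in KB article 3031220")
    for cred in app.get("passwordCredentials", []):
        # Replace the trailing "Z" so older Python versions can parse the timestamp
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        name = cred.get("displayName") or "(unnamed)"
        if end <= now:
            findings.append(f"client secret '{name}' expired on {end.date()}")
        elif end - now <= timedelta(days=warn_days):
            findings.append(f"client secret '{name}' expires in {(end - now).days} day(s)")
    return findings

if __name__ == "__main__":
    for line in audit_app(SAMPLE_APP, datetime(2030, 1, 1, tzinfo=timezone.utc)):
        print("-", line)
```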
Level of Complexity
High
Applies to
Product | Version | Build | Environment | Hardware |
---|---|---|---|---|
Kofax Import Connector | 2.8 | | | |
References
- KIC admin guide chapter “Permissions for Azure Active Directory application”
- KTA admin guide chapter “Permissions for Azure Active Directory application”
- KB article 3031220
- KB article 3023690
Article # 3031226