How to set up OAuth on osTicket using Microsoft 365

Upgrading from basic authentication to OAuth on osTicket is a must if you are using Microsoft 365, since Microsoft 365 has a hard cut-off on basic authentication by the end of 2022. Here are the steps to configure it; if you are using multiple departments, this works for that too. You must be using osTicket v1.17 or higher (you can download it from https://osticket.com/download), and you must be an admin or have the rights to create an app registration and grant API permissions. This post covers everything from creating the app registration to adding the plugin, configuring it, and fetching emails automatically. The official documentation, which also covers the Google OAuth2 guide, can be found here.

For your osTicket application you will need the following info, which you can find under Overview of your application; you need it to configure OAuth.

  • Application ID
  • Directory (tenant ID)
  • Endpoints: authorize and token: Overview>Endpoints
    • If you have selected the multi-tenant option, your Endpoints URL will be generic, like these:
      https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize
      https://login.microsoftonline.com/organizations/oauth2/v2.0/token
  • Value of secrets from one of the steps below

Create an app registration

You need to log in to your Azure portal: Go to Azure Active Directory>App registrations

Next, click on New registration

Next, fill in the info

This is where you choose your access options; the next screen will have different options depending on the selection. For us, we chose Single tenant and Redirect URI: Web.

The redirect URL should be: https://YourSupportTicketURL.tld/api/auth/oauth2

Next, add API permission
YourApp>API permissions>Add a permission

Select Microsoft Graph

Next, select Delegated permissions

Then add the following permissions (you can search or scroll to select them), then click Add permissions:

  • IMAP.AccessAsUser.All
  • Mail.ReadWrite
  • offline_access
  • POP.AccessAsUser.All
  • SMTP.Send
  • User.Read

Once you have added all permissions, you have to give admin consent by clicking Grant admin consent for <Name of your Business>.

You should see Status with Green checks, for all permissions.

Under Authentication, in Implicit grant and hybrid flows, check the box for ID tokens (used for implicit and hybrid flows).

You need to assign the Application Administrator role to your support address.

To view and manage consented permissions for individual apps, as well as your tenant's consent settings, go to Enterprise applications.

Add your support email/user; if you have more than one department, you can add them all here.

Then click on each support email/user and assign roles.

Add assignments>Search for Application administrator, then click Add

Note: if you are using a multiple-department setup, you need to do this for each support email address.

Now to create client credentials, click on Overview>Add a certificate or secret

Click on Client secrets>New client secret

Enter a name (this can be anything), select when it expires, then click Add.

Before you click out of this screen, make sure to copy the Value of your secret, which you will need for your app. Once you leave this screen you will not be able to get this value back, so you will need to create a new secret if you have not copied it or need to change it.
Note: you never want to show your Value to anyone; I am showing the Value here for the test, and I have already deleted it.

Install OAuth plugin

If you have not downloaded it, you can go to https://osticket.com/download

Select Plugins>choose v1.17; you should see Oauth2.

Install the OAuth plugin by uploading it to your installation/include/plugins

Click Add New Plugin

Click Install

and activate it. Do NOT configure it here; go to the next step.

To configure OAuth on osTicket

Now go to Emails>Select your support email address>Remote Mailbox>Select OAuth2 – Microsoft under Authentication

Fill in the details. Once you click Submit, it redirects you to the MS365 login page, https://login.microsoftonline.com :

You will get a prompt to Accept permission

If everything goes well, you should see:

Then you can enable email fetching in the settings:

For Outgoing should be something like this:

To schedule to Fetch emails in the background:

https://docs.osticket.com/en/latest/Getting%20Started/POP3-IMAP%20Settings.html

For Ubuntu: this will check email every minute (a first field of 1 would only run once an hour, at minute 1)
sudo nano /etc/crontab

* * * * * nobody php /var/www/osticket_Path/api/cron.php

That’s all, hope this helps someone out there who is going through these changes in technologies

Issues and Solutions:

Error: Unable to update an email address, or a blank window, or a spinning circle

Solution:

Try these:

  • Make sure you clear your cache on your browser
  • Make sure mod_rewrite is enabled. To enable rewrite on Ubuntu:
    sudo a2enmod rewrite

    You might also need to edit apache2.conf (sudo nano /etc/apache2/apache2.conf)
    and change AllowOverride None to AllowOverride All
    under <Directory /var/www/>
  • You might need to delete the email and re-add it. If you have only one email address you will not be able to delete it, so you need to make another email address the default first.

To change it, click Settings>change the Default System Email address to something else; once you have re-added your original support address you can change it back.
Note: don't forget to change your default MTA back as well (Outgoing Email>Default MTA), otherwise it will stay set to PHP mail. The default email only applies to outgoing emails without SMTP settings.

Error: array ( 'code' => 'MailboxNotEnabledForRESTAPI', 'message' => 'The mailbox is either inactive, soft-deleted, or is hosted on-premise.', )

Solution: check the user consent and API permissions, and make sure they have admin consent.


Error: Expired Access Token

Solution: you need to set up a scheduled task to fetch the email (see the cron step above for fetching emails in the background).
Link to the official documentation:



How to configure OAuth2.0 using EWS on Microsoft O365

App registration

Upgrading from basic authentication to OAuth is a little harder for many small businesses to configure on the Azure portal. Here are the steps I took to get our EWS service working. You must have admin rights to do the following.

Create an app registration

You need to log in to your Azure portal: Go to Azure Active Directory>App registrations

Next, click on New registration

Next, fill in the info

This is where you choose your access options; the next screen will have different options depending on the selection. For us, we chose Single tenant and the Redirect URI option for Public client/native; if you don't have a URL you can leave it blank.

If you need to add or change the authentication platform, click Authentication>Add a platform and select the one that fits your business needs.

Based on your selection, you will need to choose the URL option or enter your custom URL.

Then give API permission

This can be many permissions or just a few; the options you get also depend on the type of application.

For us, since we are using the EWS service, we needed Office 365 Exchange Online.

Then you need to select the type of permission; we are using Application permissions.

The only way we could get it working was by giving full_access_as_app.

You need to give admin consent to your application, so once you have added all permissions, click Grant admin consent.

To create client credentials, click on Overview>Add a certificate or secret

Click on Client secrets>New client secret

Enter a name (this can be anything), select when it expires, then click Add.

Before you click out of this screen, make sure to copy the Value of your secret, which you will need for your app. Once you leave this screen you will not be able to get this value back, so you will need to create a new secret if you have not copied it or need to change it.

For your application you will need the following info, which you can find under Overview:

  • Application ID
  • Directory (tenant ID)
  • Endpoints: authorize and token
    • If you have selected the multi-tenant option, your Endpoints URL will be generic, like these:
      https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize
      https://login.microsoftonline.com/organizations/oauth2/v2.0/token
  • Value of secrets from the step above
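To check that the registration above actually works before wiring it into EWS, here is an added PowerShell script (not from the original post) that uses the Application ID, tenant ID, token endpoint and secret Value from the list above to request a token with the client-credentials flow and prints its expiry and granted roles. The placeholder values are assumptions; the EWS scope https://outlook.office365.com/.default is the one used for application permissions such as full_access_as_app.

```powershell
# Added example: verify an Azure app registration can obtain an EWS token
# (client-credentials flow, application permission full_access_as_app).
# Placeholders below are assumptions; replace them with your own values.
$TenantId = "<your-directory-tenant-id>"
$ClientId = "<your-application-id>"

# Prompt for the secret Value instead of hard-coding it in the script.
$Secure = Read-Host -Prompt "Client secret Value" -AsSecureString
$ClientSecret = [System.Net.NetworkCredential]::new("", $Secure).Password

# Single-tenant token endpoint (multi-tenant would use /organizations/ instead).
$TokenUri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"

$Body = @{
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = "https://outlook.office365.com/.default"   # EWS resource
    grant_type    = "client_credentials"
}

try {
    $Resp = Invoke-RestMethod -Method Post -Uri $TokenUri -Body $Body `
        -ContentType "application/x-www-form-urlencoded"
} catch {
    # AADSTS errors (wrong secret, missing consent, bad tenant) arrive as JSON here.
    Write-Error "Token request failed: $($_.ErrorDetails.Message)"
    return
}

# Diagnostic only: decode the JWT payload to see expiry and the roles granted.
$Payload = $Resp.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
switch ($Payload.Length % 4) { 2 { $Payload += '==' } 3 { $Payload += '=' } }
$Claims = [System.Text.Encoding]::UTF8.GetString(
    [Convert]::FromBase64String($Payload)) | ConvertFrom-Json

$Expires = [DateTimeOffset]::FromUnixTimeSeconds($Claims.exp).LocalDateTime
"Token OK. Expires: $Expires (in $($Resp.expires_in) s)"
"Roles granted to the app: $($Claims.roles -join ', ')"
```

If the roles line does not list full_access_as_app, re-check the API permission and that admin consent was granted; if the token request itself fails, the error message names the AADSTS code to look up.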

That’s all, hope this helps someone out there who is going through these changes in technologies



How to test email via PowerShell

Test email via PowerShell

If you are not sure whether your email settings are working, you can send a test email with a PowerShell command.

Open PowerShell and run the following commands.

Note: the From address is the account with the issue (or the one you are trying to set up), and the To address can be any email address where you can check that the test email arrived.

$creds = Get-Credential
Send-MailMessage -From EmailAccount@YourDomain.com -To YourEmailAddress@gmail.com -Subject "Test Email" -Body "Test SMTP Service from PowerShell using Port 587" -SmtpServer smtp.office365.com -Credential $creds -UseSsl -Port 587

It will prompt you to enter your username and password

If everything goes well you will not see any output; otherwise it will give you an error message.

If you have a typo or forget to include -From or -To, you might get an error like this:

Send-MailMessage : A positional parameter cannot be found that accepts argument



How to Synchronize folders in Thunderbird

Thunderbird

The Thunderbird email client has many options to customize it the way you like. One of them is choosing which folders to synchronize. By default it only shows the Inbox; if you have subfolders, they will not be synchronized. If you don't have the Thunderbird mail client installed, you can download it from https://www.thunderbird.net/en-US

To see other folders you need to subscribe to them: right-click on the account, then select Subscribe…

account>Subscribe

Now check the box for any folders you want to sync, or uncheck them if you want to remove them, then click OK.

Subscribe Folder list

That’s it for these settings

To remove from offline sync:

Right-click on the account, then settings

Synchronization & Storage>Advanced

Synchronization & Storage

Uncheck any folders you don't want to sync offline, then click OK. These folders will still receive new emails, but they will not be available when you don't have internet access.

Items for Offline Use

That’s all for now, enjoy it



How to compact your email to regain storage

Compact email

Before you do this, make sure you delete any emails you don't need and empty Deleted Items; otherwise you will not regain storage space. Outlook creates an Offline Outlook Data File (.ost) that caches your email data; its default location is <system drive>:\Users\YourUserName\AppData\Local\Microsoft\Outlook

Also, if you have created an archive of your email, you will have an Outlook Data File (.pst), which also needs to be compacted if you are cleaning up and trying to regain storage space; otherwise it just keeps growing. The default location for the .pst is the Documents\Outlook Files folder.

To compact .OST, open Outlook

Click Menu>Info>Account Settings

Info>Account Settings

Next click on Data Files and select your email account's .ost file

Then click on Settings …

Account Settings>Data Files

Select the Advanced tab, then click on Outlook Data File Settings …

Advanced>Outlook Data File Settings

Click on Compact Now to start compacting

Compact email

Note: if you have not done this before, it will take some time; the next time you do it, it will be quick. The storage space regained depends on how many old emails you have deleted. You can do the same thing for your .pst file.

Note: make sure to empty your Deleted folder