How to setup OAuth on osTicket using Microsoft 365

Upgrading from basic authentication to OAuth on osTicket is a must if you are using Microsoft 365 since Microsoft 365 has a hard cut-off on basic authentication by end of 2022. Here are steps to configure step by step, if you are using multiple departments, this work for that too. You must be using osTicket v1.17 or higher, you can download it from here https://osticket.com/download, also you have to be an admin or have rights to create app registration, and give API permissions. This post covers everything from Creating App registration to, adding plugins, configuring, and Fetching emails automatically. Official documentation can find it here that also covers Google OAuth2 Guide

For your osTicket application, you will need the following info, which you can find, under Overview of your application, you need this info to configure OAuth.

  • Application ID
  • Directory (tenant ID)
  • Endpoints: authorize and token: Overview>Endpoints
    • If you have selected the multi-tenant option, your Endpoints URL will be generic, like these:
      https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize
      https://login.microsoftonline.com/organizations/oauth2/v2.0/token
  • Value of secrets from one of the steps below

Create an app registration

You need to log in to your Azure portal: Go to Azure Active Directory>App registrations

Next, click on New registration

Next, fill in the info

This is where you choose your access options, based on the selection, the next screen will have different options, for us, we choose a Single tenant and Redirect URL: Web

The redirect URL should be: https://YourSupportTicketURL.tld/api/auth/oauth2

Next, add API permission
YourApp>API permissions>Add a permission

Select Microsoft Graph

Next, select Delegated permissions

Then add the following permissions: you can search or scroll to select these, then click add permissions

  • IMAP.AccessAsUser.All
  • Mail.ReadWrite
  • offline_access
  • POP.AccessAsUser.All
  • SMTP.Send
  • User.Read

Once you have added all permission, you have to give admin consent by clicking on Grant admin consent for Name of your Business

You should see Status with Green checks, for all permissions.

Give Implicit grant and hybrid flows under Authentication
Check box for ID tokens (used for implicit and hybrid flows)

You need to be assigned roles to support address as an Application Administrator

To view and manage consented permissions for individual apps, as well as your tenant’s consent settings, need to go to Enterprise applications.

Add your Support email/user, if you have more than one department, you can add them here

Then click on each support email/user and assigned roles

Add assignments>Seach for Application administrator, then click add

Note: you need to do this for each support email address If you are using multiple departments setup.

Now to create client credentials, click on Overview>Add a certificate or secret

Click on the Clent secrets>New client secret

Enter the name, this could be anything and select the time when it Expires, then click on Add

Before you click out of this screen make sure to copy the value of your secret ID, which you will need for your app. Once you leave this screen, you will not be able to get this value back, so you may need to create a new one in case you have not copied it or you need to change it.
Note: You never want to show your Value to anyone, I am showing Value here for the test, which I have already deleted

Install OAuth plugin

If you have not downloaded it, you can go to https://osticket.com/download

Select Plugins>choose v1.17, you should see Oauth2

Install the OAuth plugin by uploading it to your installation/include/plugins

Click Add New Plugin

Click Install

and activate it, do NOT configure it here, go to the next step

To configure OAuth on osTicket

Now go to Emails>Select your support email address>Remote Mailbox>Select OAuth2 – Microsoft under Authentication

Fill in the details, once you click on Submit, it’s going to redirect you to the login page of MS365 https://login.microsoftonline.com :

You will get a prompt to Accept permission

If everything goes well you should see

Then you can enable email fetching, settings

For Outgoing should be something like this:

To schedule to Fetch emails in the background:

https://docs.osticket.com/en/latest/Getting%20Started/POP3-IMAP%20Settings.html

For Ubuntu: This will check email every 1 minute
Sudo nano /etc/crontab

1 * * * * nobody php /var/www/osticket_Path/api/cron.php

That’s all, hope this helps someone out there who is going through these changes in technologies

Issues and Solutions:

Error: Unable to update an email address or blank windows or sping circle

Solution:

Try these

  • Make sure you clear your cache on your browser
  • Make sure your rewrite is enabled:
    To enable rewrite on Ubuntu:
    sudo a2enmod rewrite

    You might need to edit apache2.conf file: sudo nano /etc/apache2/apache2.conf
    change from AllowOverride none to AllowOverride all
    under: < Directory /var/www/>
  • You might need to delete the email and re-add it, If you have only one email address, you will not be able to delete it, so you need to make another email address as default

To change click on Settings>Change Default System Email address to something else, then you can change it back, once you add your original support address.
Note: Don’t forget to change your default MTA back, otherwise it will be set to PHP mail:

Outgoing Email: Default email only applies to outgoing emails without SMTP settings.
Default MTA:

Error:  array ( ‘code’ => ‘MailboxNotEnabledForRESTAPI’, ‘message’ => ‘The mailbox is either inactive, soft-deleted, or is hosted on-premise.’, )

Solution: check the user consent and API permission, also make sure they have admin consent


Error: Expired Access Token

Solution: need to setup a scheduled task to fetch the email: #Fetch-emails
Link to the official documentation: