I am trying to integrate SAP cloud with azure Ad for Oauth2.0 setup.

Question

I am trying to integrate SAP cloud with azure Ad for Oauth2.0 setup.

George Geoffrick G 40

I am trying to integrate SAP cloud with azure Ad for Oauth 2.0 setup.I have created a app in ad with necessary permissions to send email and also provided consent.The SAP user was able to generate token using my cred but after token is generated he is not able to send email using te token . getting error

Below error

com.sap.esb.oauth.token.access.TokenAccessException: Access token request via refresh_token grant type for OAuth2 Authorization Code credential 'SAP_Integration_2' failed after 5 retries: HTTP request failed: {"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID '' named 'SAP_Integration_2'. Send an interactive authorization request for this user and resource.

CarlZhao-MSFT 46,376 Reputation points

2024-12-04T10:29:37.2033333+00:00

Hi @George Geoffrick G

Decode your access token using jwt.ms and share a screenshot.

Also, are you sending the email on behalf of the calling user (i.e. the currently logged in user)?
FrankEscarosBuechsel-MSFT 900 Reputation points Microsoft Employee Moderator

2024-12-04T10:50:12.8233333+00:00

Hi @George Geoffrick G • Thank you for reaching out.

From my understanding you have a custom Enterprise application, granted permissions and consent but are still getting a consent error when trying to use this non interactively.

I have a few questions to clarify some things.

Would you mind sharing the exact configuration you have performed on the Application Registration, please?

There is 2 ways to configure the sending of email and I am curious to see if you chose delegated or application permissions. You can navigate to the required screen in the portal by selecting App registrations -> All applications -> SAP_Integration_2 -> API permissions.

Does your application allow for interactive interaction in a browser as well that would allow for the same workflow so we could get a browser trace to follow the OAUTH steps as well to see exactly where the error is occurring, if not can this be done through tracing within in the app otherwise?

Ideally we only have to utilize this after double checking the application permission settings first.

You can read more about the browser trace capture in this Learn article: Capture a browser trace for troubleshooting.
George Geoffrick G 40 Reputation points

2024-12-04T11:20:19.92+00:00

Dear Team,

Thank you for your prompt response.Please find below screenshots

I am using Delegated graph permissions

Below is the SAP screen where they are using the generated token to send email and while doing so getting the error I mentioned above

Does your application allow for interactive interaction in a browser as well that would allow for the same workflow so we could get a browser trace to follow the OAUTH steps as well to see exactly where the error is occurring, if not can this be done through tracing within in the app otherwise?

Yes it allows for interactive Oauth flow and the token is also generated , but when the token is presented as Credential Name parameter as shown in above screenshot it fails with error I mentioned
George Geoffrick G 40 Reputation points

2024-12-04T11:22:11.4166667+00:00

Please let me know if you need anything else
FrankEscarosBuechsel-MSFT 900 Reputation points Microsoft Employee Moderator

2024-12-04T11:38:40.0366667+00:00

Hi @George Geoffrick G,

Would you mind trying one thing please. Try adding the offline_access api permission on your delegated permissions as well. You can find some more detail for it in the following Learn article: Authorization request. Since you are using refresh tokens this might be all that is required.

If this does not help, can you please run through the trace procedure I mentioned earlier: Capture a browser trace for troubleshooting. As well as the decode mentioned by @CarlZhao-MSFT for one of your tokens.

Please do not share the traces here, you can share them by email to AzCommunity@microsoft.com. Please use "Attn: Frank EB" in the email subject and include the thread URL (https://learn.microsoft.com/en-us/answers/questions/2126203/i-am-trying-to-integrate-sap-cloud-with-azure-ad-f) in the email body as well so I can easily find your message.
George Geoffrick G 40 Reputation points

2024-12-05T07:43:37.9766667+00:00

Dear Frank,

I added the offline_access in the API permission and provided access also(even though it seems not necessary).After doing this I ran the same token procedure and when trying to mail again,getting the same error

FYI screenshots for the same

Decoded token below decoded token.txt

Please let me know if you need anything else.If we can speed this up little bit it will be greatly helpful,,Thank you for the support
George Geoffrick G 40 Reputation points

2024-12-05T07:44:52.7566667+00:00

Also please find my traces below in email
George Geoffrick G 40 Reputation points

2024-12-05T07:55:19.6066667+00:00

We followed this blog FYI
https://community.sap.com/t5/technology-blogs-by-sap/cloud-integration-connect-to-microsoft-365-mail-with-oauth2/ba-p/13465693

Accepted answer

1 additional answer

Your answer

CarlZhao-MSFT 46,376 Reputation points

2024-12-04T10:29:37.2033333+00:00

Hi @George Geoffrick G

Decode your access token using jwt.ms and share a screenshot.

Also, are you sending the email on behalf of the calling user (i.e. the currently logged in user)?
FrankEscarosBuechsel-MSFT 900 Reputation points Microsoft Employee Moderator

2024-12-04T10:50:12.8233333+00:00

Hi @George Geoffrick G • Thank you for reaching out.

From my understanding you have a custom Enterprise application, granted permissions and consent but are still getting a consent error when trying to use this non interactively.

I have a few questions to clarify some things.

Would you mind sharing the exact configuration you have performed on the Application Registration, please?

There is 2 ways to configure the sending of email and I am curious to see if you chose delegated or application permissions. You can navigate to the required screen in the portal by selecting App registrations -> All applications -> SAP_Integration_2 -> API permissions.

Does your application allow for interactive interaction in a browser as well that would allow for the same workflow so we could get a browser trace to follow the OAUTH steps as well to see exactly where the error is occurring, if not can this be done through tracing within in the app otherwise?

Ideally we only have to utilize this after double checking the application permission settings first.

You can read more about the browser trace capture in this Learn article: Capture a browser trace for troubleshooting.
George Geoffrick G 40 Reputation points

2024-12-04T11:20:19.92+00:00

Dear Team,

Thank you for your prompt response.Please find below screenshots

I am using Delegated graph permissions

Below is the SAP screen where they are using the generated token to send email and while doing so getting the error I mentioned above

Does your application allow for interactive interaction in a browser as well that would allow for the same workflow so we could get a browser trace to follow the OAUTH steps as well to see exactly where the error is occurring, if not can this be done through tracing within in the app otherwise?

Yes it allows for interactive Oauth flow and the token is also generated , but when the token is presented as Credential Name parameter as shown in above screenshot it fails with error I mentioned
George Geoffrick G 40 Reputation points

2024-12-04T11:22:11.4166667+00:00

Please let me know if you need anything else
FrankEscarosBuechsel-MSFT 900 Reputation points Microsoft Employee Moderator

2024-12-04T11:38:40.0366667+00:00

Hi @George Geoffrick G,

Would you mind trying one thing please. Try adding the offline_access api permission on your delegated permissions as well. You can find some more detail for it in the following Learn article: Authorization request. Since you are using refresh tokens this might be all that is required.

If this does not help, can you please run through the trace procedure I mentioned earlier: Capture a browser trace for troubleshooting. As well as the decode mentioned by @CarlZhao-MSFT for one of your tokens.

Please do not share the traces here, you can share them by email to AzCommunity@microsoft.com. Please use "Attn: Frank EB" in the email subject and include the thread URL (https://learn.microsoft.com/en-us/answers/questions/2126203/i-am-trying-to-integrate-sap-cloud-with-azure-ad-f) in the email body as well so I can easily find your message.
George Geoffrick G 40 Reputation points

2024-12-05T07:43:37.9766667+00:00

Dear Frank,

I added the offline_access in the API permission and provided access also(even though it seems not necessary).After doing this I ran the same token procedure and when trying to mail again,getting the same error

FYI screenshots for the same

Decoded token below decoded token.txt

Please let me know if you need anything else.If we can speed this up little bit it will be greatly helpful,,Thank you for the support
George Geoffrick G 40 Reputation points

2024-12-05T07:44:52.7566667+00:00

Also please find my traces below in email
George Geoffrick G 40 Reputation points

2024-12-05T07:55:19.6066667+00:00

We followed this blog FYI
https://community.sap.com/t5/technology-blogs-by-sap/cloud-integration-connect-to-microsoft-365-mail-with-oauth2/ba-p/13465693

Answer 1

CarlZhao-MSFT 46,376

Hi @George Geoffrick G

By analyzing your access token, I found that the logged in user is a guest user, which may be the cause of the problem. As far as I know, sending mail on behalf of a guest user is not currently supported, only on behalf of their identity in their home tenant.

So, try to configure your app as a multi-tenant app, and then change /{tenant_id} to /common to log in and send mail using their identity in the home tenant.

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

George Geoffrick G 40 Reputation points

2024-12-05T13:21:06.4266667+00:00

Hey Carl,

Thank you for the solution,I am yet to test it out , so let me get this straight.So since I am a guest user in this current tenant,I cant send emails from lets say ******@abc.com, so inorder to do this I need to change /{tenant_id} to /common or /organization and use my home tenant(abc.com) to authorize the smtp mail.

Am I correct here?
George Geoffrick G 40 Reputation points

2024-12-05T13:25:49.63+00:00

Thank you
CarlZhao-MSFT 46,376 Reputation points

2024-12-06T02:03:49.1733333+00:00

Hi @George Geoffrick G

Yes, your understanding is correct. Since the guest user does not have an EXO mailbox in the current tenant, you cannot send mail on behalf of the guest, but only on behalf of their user identity in the home tenant.

Answer 2

Hi @George Geoffrick G,

Thank you for the offline update. Glad to hear that the issue is now resolved. I'm summarizing the discussion below in an answer for visibility so that other users facing the same problem can find a working solution easier.

The issue you were facing was indeed based on the tenancy setup in where the app registration and email inbox resided. You created the app registration in tenant A and the mailbox was present in tenant B. The admin consent was given in tenant A, however since the mailbox resided in a different tenant you also needed admin consent in tenant B. Once this was granted sending emails was successful.

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Share via

I am trying to integrate SAP cloud with azure Ad for Oauth2.0 setup.

1 additional answer

Your answer