A common use case for SAP Build Process Automation is sending emails to end users when workflow tasks are assigned, or triggering emails to the workflow initiator when a task is approved or rejected. To use the Email step in your process, you need an active mail server configured, and a destination must be set up in the SAP BTP subaccount where the Build Process Automation subscription is available.
SAP Help documentation to create SMTP mail destination in SAP BTP can be found here: Configuring SMTP Mail Destination.
There are various SMTP server options available for handling outgoing emails. A common customer question is how to configure this with Microsoft and what steps are involved.
Note: Microsoft 365 no longer allows connections to Outlook 365 via Basic Authentication. As a best practice, it’s recommended to use more advanced protocols like OAuth2 for enhanced security.
More information – https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth
In this blog post, I will guide you through the process of setting up an SMTP server with Microsoft and integrating it with SAP Build Process Automation using OAuth2Password.
The configurations on the Microsoft side must be carried out by your organization’s Microsoft Administrators.
Pre-requisites
A tenant in Microsoft Azure Active Directory.
A user who has an active Outlook 365 subscription.
Configurations to be completed in Microsoft Azure
Step 1: Use your Admin account to sign in to your Azure tenant at https://portal.azure.com. Upon logging in, you will be taken to the Microsoft Azure Home Page, as shown below.
Step 2: In the search bar at the top, type “Microsoft Entra ID” and select it from the list of results to proceed.
Step 3: Navigate to Manage and then select App Registrations.
Step 4: Select New Registration.
Step 5: Provide a suitable name for your application and select “Accounts in any organizational directory (Any Microsoft Entra ID tenant – Multitenant).” You can then proceed to register your application.
The app is now registered in Microsoft Entra ID and is displayed as shown below. Make sure to save the Application (client) ID and Directory (tenant) ID, as they will be needed later.
Step 6: Under Manage, navigate to Certificates & Secrets.
Save the Application (client) ID, which we will refer to as <Application (client) ID>. This will be used during the configuration of the Destination in SAP BTP.
Save the Directory (tenant) ID, which we will refer to as <Directory (tenant) ID>, and it will be used when configuring the Destination in SAP BTP.
Step 7: Generate a new client secret.
Enter a description and set the expiry date according to your organization’s policy. If there is an end date, ensure you generate a new secret before the old one expires and update any references to the old secret.
Save both the Secret ID and Value for future use, although only the Value will be needed. We will refer to the Value as <Secret Value>; it will be used when configuring the Destination in SAP BTP.
Step 8: Next, navigate to API Permissions.
Select “Add a permission”.
Select “Microsoft Graph”.
Choose Delegated permissions.
Under Select permissions, search for SMTP.Send and choose the permission as shown below.
The permissions are displayed as shown below. You can either keep the User.Read permission or remove it. Additionally, you will need to grant admin consent for the user.
Step 9: As we are using OAuth2Password, Multi-Factor Authentication (MFA) needs to be disabled.
Note: This will not be required once Authentication Type OAuth2ClientCredentials is supported.
In the Microsoft Entra Admin Center, go to Identity, then Protection, and select Conditional Access.
Go to Policy Snapshot
Choose Multifactor Authentication for Microsoft partners and vendors, then under the Enable Policy section, switch the toggle to Off and click Save.
Repeat the same process for all the available default policies.
Note: Your organization may have additional custom policies that require special attention. Ensure that you follow your organizational policies, as they may differ from the default settings.
Step 10: Navigate to the Exchange Admin Center at https://admin.exchange.microsoft.com, go to Settings, then MailFlow, and uncheck the option for “Turn Off SMTP Auth protocol for your organization.”
Step 11: Go to https://admin.microsoft.com, then navigate to Users > Active users, and select the user that will be configured for outgoing emails.
Ensure that “Authenticated SMTP” is enabled.
Configurations to be completed in SAP BTP
Create a Destination with name sap_process_automation_mail in the BTP subaccount where SAP Build Process Automation is subscribed.
Name: sap_process_automation_mail
Type: MAIL
Description: Destination to Microsoft SMTP Mail Server
Proxy Type: Internet
Authentication: OAuth2Password
User: <Email ID of the User>
Password: <Password of the User>
Client ID: <Application (client) ID>
Client Secret: <Secret Value>
Token Service URL: https://login.microsoftonline.com/<Directory (tenant) ID>/oauth2/v2.0/token
Note: <Application (client) ID>, <Secret Value> and <Directory (tenant) ID> are from steps 6 and 7.
Additional Properties
mail.smtp.auth: true
mail.smtp.auth.mechanisms: XOAUTH2
mail.smtp.from: <User from which you want to send Email> – Can be any Email ID
mail.smtp.host: smtp.office365.com
mail.smtp.port: 587
mail.smtp.ssl.enable: false
mail.smtp.starttls.enable: true
mail.smtp.starttls.required: true
mail.transport.protocol: smtp
scope: https://outlook.office.com/SMTP.send
To perform the test, log in to SAP Build Process Automation and navigate to Control Tower > Mail Server.
Note: If the above screen is not visible and you have correctly configured everything in BTP destinations, the sign-in to Microsoft Entra ID likely failed. Refer to the Troubleshooting section below for guidance on checking errors.
Send a Test Email
Enter the Email ID to which you would like to Send a Test Email.
Troubleshooting
There are a couple of places where you can troubleshoot and find out what is going wrong.
SAP BTP subaccount Destination Logs – This can be challenging as end users do not have direct access to Destination Logs. A support ticket to SAP must be raised to get the logs.
Microsoft Azure Entra ID Tenant – This can be found under Monitoring > Sign-in Logs.
Filter using the Application Name created for Microsoft Entra ID Tenant.
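Because the Destination Logs are not directly accessible, it can help to reproduce the two steps the destination settings imply from a workstation: the token request and the SMTP XOAUTH2 login. The script below is an added example, not part of the original post or SAP's code. It assumes OAuth2Password results in a standard OAuth2 password grant against the Token Service URL, and the environment variable names are hypothetical.

```python
import base64, json, smtplib, ssl
import urllib.error, urllib.parse, urllib.request

def token_request(tenant_id, client_id, client_secret, user, password):
    """Build the OAuth2 password-grant request implied by the destination fields."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": user,
        "password": password,
        "scope": "https://outlook.office.com/SMTP.send",  # scope value from the destination
    }
    return url, urllib.parse.urlencode(form).encode()

def xoauth2_initial_response(user, access_token):
    """SASL XOAUTH2 string: user=<addr>^Aauth=Bearer <token>^A^A, base64-encoded."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def fetch_token(url, body):
    """POST the grant; return (access_token, None) or (None, error text from Entra ID)."""
    try:
        req = urllib.request.Request(url, data=body)
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)["access_token"], None
    except urllib.error.HTTPError as e:
        err = json.load(e)  # the token endpoint returns a JSON error body
        return None, f'{err.get("error")}: {err.get("error_description")}'

def smtp_auth_probe(user, access_token, host="smtp.office365.com", port=587):
    """STARTTLS, then AUTH XOAUTH2; returns the server's (code, message), 235 = accepted."""
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.ehlo()
        # Raises if STARTTLS is not offered, matching mail.smtp.starttls.required=true
        s.starttls(context=ssl.create_default_context())
        s.ehlo()
        return s.docmd("AUTH", "XOAUTH2 " + xoauth2_initial_response(user, access_token))

if __name__ == "__main__":
    import getpass, os  # secrets come from the environment or a prompt, never the script
    user = os.environ["SMTP_USER"]  # hypothetical variable names
    url, body = token_request(os.environ["TENANT_ID"], os.environ["CLIENT_ID"],
                              os.environ["CLIENT_SECRET"], user, getpass.getpass())
    token, error = fetch_token(url, body)
    print(error or smtp_auth_probe(user, token))
```

A token error printed here will also show up as a failed entry in the Entra ID Sign-in Logs for the registered application.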