Exchange Online Integration

Introduction

In episode 286 of our SAP on Azure video podcast we talk about Email Outbound integration.

Sending emails from your SAP system is something that is required for sending alerts, notifying users about new workflows or sending invoices to customers. In the past, many customers just connected their on-prem Exchange server to it and that was it. With the shift to Exchange Online several new requirements were introduced which changed the setup and configuration quite a bit. Today I am happy to have Martin Raepple and Oliver Beck with us here in the show who tell us more abut the Exchange Online Integration for Email-Outbound from SAP ABAP Platform

Find all the links mentioned here: https://www.saponazurepodcast.de/episode286

Reach out to us for any feedback / questions:

• Goran Condric: https://www.linkedin.com/in/gorancondric/
• Holger Bruchelt: https://www.linkedin.com/in/holger-bruchelt/

#Microsoft #SAP #Azure #SAPonAzure #Exchange #Emails #Authentication #OAuth

Summary created by AI

• Deprecation of Basic Authentication in Exchange Online:
• Martin Raepple from Microsoft outlined the deprecation timeline for basic authentication in Exchange Online, emphasizing the shift to OAuth for improved security and the impact on SAP customers, with Holger and Oliver Beck discussing the implications for SAP systems.
  • Deprecation Timeline: Martin Raepple explained that Microsoft is deprecating basic authentication for Exchange Online, with SMTP AUTH Basic Authentication remaining unchanged until December 2026, after which it will be disabled by default for existing tenants and unavailable for new tenants. The final removal is planned for the second half of 2027.
  • Security Motivation: Martin highlighted that basic authentication, which relies on static usernames and passwords, poses security risks such as credential theft and reuse. The move to OAuth, which uses time-bound tokens instead of static credentials, significantly enhances security for email integrations.
  • Impact on SAP Customers: Holger and Oliver discussed that all SAP customers using the ABAP platform’s email outbound service with basic authentication must transition to OAuth or certificate-based authentication, except for S/4HANA Public Cloud customers, who are not affected as SAP manages their configuration.
  • SAP’s Response: Oliver Beck confirmed that SAP has updated its products to support OAuth for email outbound, and provided guidance on the necessary changes for customers, partners, and internal teams to comply with the new authentication requirements.
• Configuration Steps for SAP and Microsoft Integration:
• Martin Raepple and Oliver Beck provided a comprehensive walkthrough of the configuration steps required on both the Microsoft and SAP sides to enable secure email outbound from SAP systems using OAuth, referencing updated documentation and automation tools.
  • Microsoft Entra and Exchange Online Setup: Martin described the process of registering an application in Microsoft Entra to represent the SAP system, assigning the necessary SMTP.SendAsApp permission, and configuring mailbox access for the service principal. He emphasized the importance of using either client ID/secret or client certificates for OAuth token acquisition.
  • SAP System Configuration: Oliver detailed the steps for configuring SAP systems, including creating a communication system and arrangement in SAP BTP ABAP Environment, or using transactions such as SCOT or SBCS_MAIL_CONFIGSMTP for on-premise/private cloud systems. He explained how to input the OAuth client ID, token endpoint, and authorized user, and the importance of matching the configuration with Microsoft settings.
  • Documentation and Guidance: Both Martin and Oliver referenced updated Microsoft Learn and SAP Help documentation, SAP Notes, and provided links to ensure customers have access to the latest configuration instructions for both platforms.
  • Automation Tools: Martin introduced a PowerShell script available in a Microsoft open-source GitHub repository that automates the Entra and Exchange Online setup, generating the necessary configuration details (client ID, secret, etc.) for SAP administrators to use in their system setup.
• End-to-End Demonstration of Email Outbound Setup:
• Martin Raepple and Oliver Beck conducted a step-by-step demonstration of configuring and testing the email outbound integration from SAP to Exchange Online using OAuth, including both the Microsoft and SAP sides, and validating the setup with a test email.
  • Mailbox and Application Registration: Martin demonstrated creating a new mailbox in Exchange Online, registering an application in Entra, and running the PowerShell script to automate the configuration, resulting in the generation of client ID, client secret, and other required parameters.
  • Testing with Java Client: Martin used a Java program from the GitHub repository to simulate the SAP system, inputting the generated credentials to obtain an OAuth token and successfully sending a test email from the new mailbox to a recipient, confirming the setup worked.
  • SAP BTP ABAP Environment Configuration: Oliver showed how to configure the communication system and arrangement in the SAP BTP ABAP Environment, including entering the Microsoft-provided host, port, token endpoint, client ID, and uploading the client certificate for JWT authentication.
  • SAP On-Premise/Private Cloud Configuration: Oliver also demonstrated the configuration steps for SAP on-premise or private cloud systems, using transactions like SBCS_MAIL_CONFIGSMTP and SCOT to input the OAuth profile, configuration, and authorized user, ensuring the SAP system can send emails via Exchange Online.
  • Troubleshooting and Validation: Oliver advised that if errors occur, administrators should determine whether the issue is on the SAP or Microsoft side, consult the provided documentation, and ensure all configuration details (especially the authorized user) are correct for successful email delivery.

• Exchange Online Integration for Email-Outbound from SAP ABAP Platform
• Updated Exchange Online SMTP AUTH Basic Authentication Deprecation Timeline
• Integrating Outbound Emails Using SMTP
• 3581654 - OAuth 2.0 for email server authentication
• 3728158 - BCS: OAuth 2.0 configuration downport

• 0:00 Intro
• 1:30 Introducing Oliver Beck and Martin Raepple
• 3:15 Deprecation of Basic authentication
• 6:10 Update Exchange Online SMTP Auth Basic Authentication Deprecatio Timeline
• 8:15 Implications on the SAP side
• 10:45 Updates on the Microsoft documentation side
• 17:20 Configure your Microsoft Exchange Online System
• 21:55 Automation of the setup
• 25:00 Demo - Microsoft side automation
• 32:30 Demo - Confiugrating and testing from the SAP
• 40:30 Demo - Confiugrating in SAP Private Cloud