SAP Knowledge Base Article - Public

2997844 - Error on Interview Scheduling with Outlook Integration using Modern Authentication - Recruiting Management

Symptom

When you click 'Verify' in Interview Scheduling Outlook Integration with "Exchange Online" selected, the following error is displayed:

The system failed to connect to Exchange Online for one of the reasons below. Please correct the following errors:
1. Invalid Client ID, Client Secret, or Tenant ID.
2. Service Principal Name (SPN)'s Client Secret may be expired.
3. Service Account's email address is invalid or doesn't exist in the system.
4. Try again later.

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

SAP SuccessFactors Recruiting Management

Reproducing the Issue

  1. Go to Admin center > Setup Interview Scheduling Outlook Integration
  2. Choose "Exchange Online" and configure each required field with the values from your Exchange / Azure portal
  3. Click Verify; you will receive a generic error

Cause

The SuccessFactors (SF) logs show an error returned by the Microsoft server. Common errors are:

  1. "Error code: NoPermissionsInAccessToken Error message: The token contains no permissions, or permissions can not be understood.", "Error code: ErrorAccessDenied. Error message: Access is denied. Check credentials and try again." These show that the error is caused by incomplete Microsoft Graph API permissions for Calendar and Mail.
  2. "AADSTS7000215: Invalid client secret provided."
  3. "AADSTS700016: Application with identifier 'xxxx-xxxx-xxxx-xxxx-xxxx' was not found in the directory '{Tenant Name}'."
  4. MailboxNotEnabledForRESTAPI

Resolution

Microsoft Graph API permissions

Microsoft Graph API permissions should be provided by your Exchange or Azure admin, who can also grant admin permissions, as described in the SAP SuccessFactors Recruiting implementation guide: Technical Details for Interview Scheduling Outlook Integration Using Modern Authentication.

Sample configuration of MS Graph API permission:

  

For more information regarding these permissions and their respective use cases, please refer to the Microsoft Permission Guide.

To control the mailbox and calendar access of an app that has been granted these application permissions, create dynamic groups from the Azure application portal side and use a mail-enabled or calendar-enabled security group to restrict the app's access to individuals or groups. Refer to Scoping Application Permissions to Specific Exchange Online Mailboxes, written by Microsoft, for more information.

NOTE: SAP Support cannot provide assistance or guidance on the creation of these dynamic groups or on the permissions, as they pertain to Microsoft Office 365 configuration and Azure. Also, the Azure portal is not owned by SAP SuccessFactors; for any changes, we suggest reaching out to your internal Exchange or Network Administrator or to Microsoft support.
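
To confirm the NoPermissionsInAccessToken / ErrorAccessDenied cause before changing anything, an administrator can inspect the claims of an app-only access token issued to the app registration. The following Python sketch is an added example, not SAP or Microsoft code; the required permission names, the GUIDs and the sample token are assumptions constructed for illustration, and the real permission list comes from the implementation guide.

```python
import base64
import json
import time

# Assumed for illustration; take the real list from the SAP implementation guide.
REQUIRED = {"Calendars.ReadWrite", "Mail.Send"}

def decode_claims(token):
    """Decode a JWT payload without verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token, client_id, tenant_id, required=REQUIRED, now=None):
    """Return a list of findings; an empty list means the token looks usable."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    findings = []
    if claims.get("tid") != tenant_id:
        findings.append("tid does not match the configured Tenant ID")
    if claims.get("appid", claims.get("azp")) != client_id:
        findings.append("appid does not match the configured Client ID")
    roles = set(claims.get("roles", []))
    if not roles:
        # App-only tokens carry application permissions in 'roles';
        # 'scp' holds delegated permissions, which do not satisfy this check.
        hint = " (only delegated 'scp' present)" if "scp" in claims else ""
        findings.append("no application permissions in token" + hint)
    elif required - roles:
        findings.append("missing permissions: " + ", ".join(sorted(required - roles)))
    if claims.get("exp", 0) <= now:
        findings.append("token expired")
    return findings

def make_sample_token(claims):
    """Build an unsigned, constructed token for offline testing."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "constructed"])

if __name__ == "__main__":
    TENANT = "11111111-1111-1111-1111-111111111111"  # constructed
    CLIENT = "22222222-2222-2222-2222-222222222222"  # constructed
    sample = make_sample_token({"tid": TENANT, "appid": CLIENT,
                                "roles": ["Calendars.ReadWrite"], "exp": 4102444800})
    for finding in diagnose(sample, CLIENT, TENANT):
        print(finding)
```

An empty `roles` claim after admin consent was expected usually means consent was granted for delegated rather than application permissions. Treat any real token as a credential and decode it locally rather than in an online tool.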

Client Secret

Please ensure the secret being sent in the request is the client secret value, not the client secret ID.

Application (client) ID

Please ensure the Application (client) ID being sent in the request matches the Identifier value configured for the application in Azure AD.

MailboxNotEnabledForRESTAPI

Based on the SF error log above, this error can occur for various reasons:
The mailbox is on a dedicated Microsoft Exchange Server or is not a valid Office 365 mailbox.
The mailbox is an Outlook.com account that hasn't been enabled yet.
The mailbox is not part of an Office 365 plan that includes Flow.

To fix this issue, use one of the following options, as appropriate for your situation.

Option 1: Migrate your mailbox account

If you don't have a valid Office 365 mailbox, you must submit a request to your Outlook administrator to migrate the mailbox account. Users who don't have administrator permissions can't migrate accounts. For information about how to migrate the mailbox account, see How to migrate mailbox data by using the Exchange Admin Center in Office 365.

Option 2: Wait for your mailbox to update, or request a developer preview account

Because enabling mailboxes on Outlook.com for the Outlook REST API happens over time, your existing Outlook.com account may still be in the queue. You can request a new, enabled Outlook.com developer preview account by sending an email message to outlookdev@microsoft.com.

Option 3: Upgrade your Office 365 plan

The following Office 365 plans include the "Microsoft Flow for Office 365" plan:

Office 365 Business Essentials
Office 365 Business Premium
Office 365 Education
Office 365 Education Plus
Office 365 Enterprise E1
Office 365 Enterprise E3
Office 365 Enterprise E5

For complete information, please review the guide provided by Microsoft at https://docs.microsoft.com/en-us/exchange/troubleshoot/user-and-shared-mailboxes/rest-api-is-not-yet-supported-for-this-mailbox-error

See Also

2978862 - Interview Scheduling Outlook Integration Using Modern Authentication

Keywords

application, permission, NoPermissionsInAccessToken, graph, API, delegated ,permission, exchange, online, interview, scheduling, outlook, integration, verify, connection, modern, authentication, client, secret , KBA , LOD-SF-RCM-IVW , Interview Central, Interviews, Scheduling etc , Problem

Product

SAP SuccessFactors Recruiting all versions
