Microsoft have recently deprecated basic authentication in Exchange Online (Office 365) and in doing so require all application integrations to use modern methods of authentication such as OAuth2. You can read about the changes in the following link here. The tenancy changes in Azure started on the 1st of October 2022. Our Cisco Unity Connnection application was configured for basic authentication and required the switch to OAuth2 due to the aforementioned changes.

Azure Configuration

  1. Login to MS Azure and select Azure Active Directory. If your not the wizz bang cloud admin then youll need to have that person do it. Select App Registrations
  2. Click on Certificates and Secrets > Client secrets > New client secret. Enter a description and expiry. Select add. Copy the secret down, it is important to do so at this point as you cant see it after.
  3. Create a new App registration, copy the application client ID and directory ID values. Click on API permissions and configure like so:
    MS Graph API
    Note that I am using the Microsoft Graph API – this API is faster than the EWS one in terms of voicemail delivery and the MWI (red light). Microsoft are deprecating the EWS api so ignore the Cisco doco and dont bother using it.
  4. Be sure to click Grant Admin consent for <tenancy name> on the api items. Azure side is now completed.

Cisco Unity Configuration

  1. Login to your Cisco Unity Connection admin page. Select Unified Messaging > Unified Messaging Services. Click on your service and selected edit.
  2. Change the web based authentication option to OAuth2 and configure the settings:
    Application Client ID, Client Secret and Directory ID. See below for an example – confirmed working with these settings:
    Unity Oauth2
  3. For Cisco Unity Connection 12.5 the AD Authentication endpoint is https://login.microsoftonline.com and Resource URI equals https://outlook.office365.com
  4. Make sure outlook.office365.com is set as the dns domain name under hosted exchange servers. At this point you can click test and it should pass.
  5. You can leave the username and password credentials as is (that were used for basic auth). These are now used for the auto discovery. Some users have reported that if that password has special characters in it – the integration breaks. I did not experience this problem. The info is on the Cisco Support Forums here.

Note that I tried the EWS api and then moved to the Microsoft Graph API, the difference was huge. Voicemail delivery to and message waiting indicator both worked instantly. When using EWS api it took 15 mins for an voicemail to appear in the 365 inbox.
The Cisco configuration guide for OAuth2 setttings with 365 is located here.

I hope this helps anyone else who ran into this problem!