feat: Support Azure single-tenant application using the Graph API (#6728) (#6878)

app/controllers/api/v1/accounts/microsoft/authorizations_controller.rb

@@ -4,13 +4,7 @@ class Api::V1::Accounts::Microsoft::AuthorizationsController < Api::V1::Accounts
 
   def create
     email = params[:authorization][:email]
-    redirect_url = microsoft_client.auth_code.authorize_url(
-      {
-        redirect_uri: "#{base_url}/microsoft/callback",
-        scope: 'offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send openid profile',
-        prompt: 'consent'
-      }
-    )
+    redirect_url = microsoft_client.auth_code.authorize_url(auth_params)
     if redirect_url
       email = email.downcase
       ::Redis::Alfred.setex(email, Current.account.id, 5.minutes)
@@ -25,4 +19,31 @@ class Api::V1::Accounts::Microsoft::AuthorizationsController < Api::V1::Accounts
   def check_authorization
     raise Pundit::NotAuthorizedError unless Current.account_user.administrator?
   end
+
+  # SMTP, Pop and IMAP are being deprecated by Outlook.
+  # https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online
+  #
+  # As such, Microsoft has made it a real pain to use them.
+  # If AZURE_TENANT_ID is set, we will use the MS Graph API instead.
+  def auth_params
+    return graph_auth_params if ENV.fetch('AZURE_TENANT_ID', false)
+
+    standard_auth_params
+  end
+
+  def standard_auth_params
+    {
+      redirect_uri: "#{base_url}/microsoft/callback",
+      scope: 'offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send openid profile',
+      prompt: 'consent'
+    }
+  end
+
+  def graph_auth_params
+    {
+      redirect_uri: "#{base_url}/microsoft/callback",
+      scope: 'offline_access https://graph.microsoft.com/Mail.Read https://graph.microsoft.com/Mail.Send openid profile',
+      prompt: 'consent'
+    }
+  end
 end