Blog Post

Exchange Team Blog
5 MIN READ

Basic Authentication Deprecation in Exchange Online – September 2022 Update

The_Exchange_Team's avatar
The_Exchange_Team
Platinum Contributor
Sep 01, 2022
One month from today, we’re going to start to turn off basic auth for specific protocols in Exchange Online for customers who use them. Since our first announcement nearly three years ago, we’ve se...
Updated Jan 01, 2023
Version 16.0
announcements
exchange online
security
pavel-razgovorov's avatar
pavel-razgovorov
Copper Contributor
Oct 21, 2022

Hi,

 

I am trying to create an Azure AD App registration to use the Reporting Web Service Endpoint following the guide you reference. There appears one specific section, https://learn.microsoft.com/en-us/previous-versions/office/developer/o365-enterprise-developers/jj984325(v=office.15)#assign-azure-ad-roles-to-the-application, whose steps to follow I do not understand. I do not know how to assign a predefined role (Global Reader, for instance) to an application. The section references an article with instructions to https://learn.microsoft.com/en-us/azure/active-directory/roles/manage-roles-portal, but not roles to applications.

 

Here we can see that the Global Reader mode is assigned to a user, which is a Global Administrator:

 

However, this is what I am seeing when checking the Roles and administrators and App roles sections from the App registration:

 

Even if I have the required permissions:

and asking for a token works OK

$ curl -d "grant_type=client_credentials&client_id=redacted&client_secret=redacted&resource=https://outlook.office365.com" -X POST https://login.microsoftonline.com/redacted/oauth2/token
{"token_type":"Bearer","expires_in":"3599","ext_expires_in":"3599","expires_on":"1665413919","not_before":"1665410019","resource":"https://outlook.office365.com","access_token":"redacted"}
------------------------------------------------------------------------------------
When decoded, the roles are:
 "roles": [ "ReportingWebService.Read.All" ]

but using the obtained token against the reporting endpoint results in a permission error:

$ curl -H "Authorization: Bearer redacted" https://reports.office365.com/ecp/ReportingWebService/Reporting.svc
<ServiceFault xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Exchange.Management.ReportingWebService" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><ErrorCode/><Message>No permission to access the report for the organization .</Message></ServiceFault>

I believe that this error is coming because the role is not being correctly set up in my configuration. What steps should I follow to have the Global Reader assigned to my App registration? Or if I am missing something else, what is it?