Modern authentication
Modern Auth enabled, user Outlook prompts for password but is not able to authenticate
Dear All, we enabled OAuth for our Exchange 2019. Once it was done, we started to see users being prompted for a password repeatedly. Once the UPN and password are entered, it does not take them, showing "Outlook unable to connect to server" with the below error. Not sure what the issue was, but if we disable OAuth, the issue is certainly gone. This only happens to a small portion of people; not all users are affected.
Sending email with OAuth authentication to Office 365 using MgGraph
Hi all, I'm trying to send emails using MgGraph and Modern Authentication and somehow this fails. The sender receives an auto-response from Exchange saying:

Diagnostic information for administrators:
Generating server: AS8PR08MB9314.eurprd08.prod.outlook.com
<from address>
Remote server returned '550 5.7.708 Service unavailable. Access denied, traffic not accepted from this IP. For more information please go to http://go.microsoft.com/fwlink/?LinkId=526653 AS(7230) [AS1PR08MB7586.eurprd08.prod.outlook.com 2023-05-14T09:19:00.773Z 08DB542B00E328F8]'
Original message headers:
Received: from AS8PR08MB9314.eurprd08.prod.outlook.com ([fe80::4599:1fd:9e8d:8974]) by AS8PR08MB9314.eurprd08.prod.outlook.com ([fe80::4599:1fd:9e8d:8974%6]) with mapi id 15.20.6387.029; Sun, 14 May 2023 09:19:00 +0000
MIME-Version: 1.0
Content-Type: text/plain
Date: Sun, 14 May 2023 09:19:00 +0000
Message-ID: [email address removed for privacy reasons]
Subject: OAuth Mail Sent from PowerShell via App

Let me explain what I'm doing. I have a script that is using the Graph API to send the email. This script is authenticating with a certificate (self-signed on my laptop and added to the App Registration earlier) on an AD Application that has the Graph API Mail.Send permission. The Graph POST is successful, but Exchange immediately sends back the above NDR.

Install-Module MSAL.PS
Import-Module MSAL.PS

$appName = "MailSendingTestApp"

# App-only (client credentials) authentication with the certificate whose public key
# was uploaded to the app registration; the private key stays in the user's store.
$appRegistration = @{
    TenantId          = "xxx.onmicrosoft.com"
    ClientId          = "<app-id>"
    ClientCertificate = (Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq ('CN={0}' -f $appName) })
}
# -AzureCloudInstance 1 selects the Azure public cloud
$msalToken = Get-MsalToken @appRegistration -ForceRefresh -AzureCloudInstance 1

$fromEmailAddress = "email address removed for privacy reasons"

$requestBody = @{
    "message" = [PSCustomObject]@{
        "subject" = "OAuth Mail Test"
        "body"    = [PSCustomObject]@{
            "contentType" = "Text"
            "content"     = "Hello this is a test"
        }
        "toRecipients" = @(
            [PSCustomObject]@{
                "emailAddress" = [PSCustomObject]@{
                    "address" = "email address removed for privacy reasons"
                }
            }
        )
    }
    # Graph expects a JSON boolean here, not the string "true"
    "saveToSentItems" = $true
}

$request = @{
    "Headers"     = @{ Authorization = $msalToken.CreateAuthorizationHeader() }
    "Method"      = "Post"
    "Uri"         = "https://graph.microsoft.com/v1.0/users/$fromEmailAddress/sendMail"
    "Body"        = $requestBody | ConvertTo-Json -Depth 5
    "ContentType" = "application/json"
}
Invoke-RestMethod @request

Googling led me to a post that links to an MS article that says: "This error can happen when you are trying out a Microsoft 365 trial tenant. If you receive this error before you can purchase licenses, contact support to request an exception for the low reputation IP address until you're able to purchase licenses." My tenant is licensed with Microsoft 365 E5 Developer (part of the Visual Studio benefit that comes with our partner account). What could be going wrong here? Do I need to contact Microsoft here or start pulling out my wallet? Hope someone can help. Cheers!
Updating unattended EWS scripts using modern auth
Hi there, a lot of possibilities for phasing out legacy authentication have been discussed here. But I still have a lack of information, or let's say I want to find the most comfortable and most secure possibility for my customers. https://docs.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps But if your scripts contain EWS connections, you have to initialize a different way of authentication. So I found the following option using MSAL; unfortunately this does not work in unattended mode. https://morgantechspace.com/2022/03/connect-ews-api-with-modern-authentication-using-powershell.html And then there is the possibility of using the secure application model. https://docs.microsoft.com/en-us/powershell/partnercenter/multi-factor-auth?view=partnercenterps-3.0#secure-application-model I got this working now; the creation of the token for the first time has to be done interactively, and the token only lasts for 90 days. I read the hint about securely saving the token to the Azure Key Vault, but how do I do this and how can I recall this token? Is there even a better way of refreshing the token manually? Is this now the new go-to solution for unattended EWS scripts, or do you have an even better solution?
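An unattended alternative to the stored-refresh-token approach the post describes, as an added example (not code from the thread or from Microsoft): an app-only client-credentials token from MSAL.PS used with the EWS Managed API, so nothing long-lived has to be saved and rotated. Assumed: MSAL.PS and the EWS Managed API DLL are installed, the app registration holds an admin-consented Exchange Online application permission for EWS, and the DLL path, tenant, client id, certificate thumbprint and mailbox values are placeholders.

```powershell
Import-Module MSAL.PS

# Placeholders (assumed values, not from the thread)
$ewsDllPath     = 'C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll'
$tenantId       = 'contoso.onmicrosoft.com'
$clientId       = '<app-id>'
$certThumbprint = '<thumbprint>'
$mailbox        = 'user@contoso.com'

Add-Type -Path $ewsDllPath

# The private key stays in the certificate store; no secret or token is written to disk.
$cert = Get-Item "Cert:\CurrentUser\My\$certThumbprint"

# Client-credentials flow: no user, no interactive consent, no refresh token to keep.
# The resource is EWS, so the scope is the Outlook resource's /.default, not Graph's.
$token = Get-MsalToken -TenantId $tenantId -ClientId $clientId `
    -ClientCertificate $cert -Scopes 'https://outlook.office365.com/.default'

$service = New-Object -TypeName Microsoft.Exchange.WebServices.Data.ExchangeService `
    -ArgumentList ([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2013_SP1)
$service.Url = 'https://outlook.office365.com/EWS/Exchange.asmx'
$service.Credentials = New-Object -TypeName Microsoft.Exchange.WebServices.Data.OAuthCredentials `
    -ArgumentList $token.AccessToken

# An app-only token carries no user identity, so EWS must be told which mailbox to act as.
$service.ImpersonatedUserId = New-Object -TypeName Microsoft.Exchange.WebServices.Data.ImpersonatedUserId `
    -ArgumentList ([Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress), $mailbox
$service.HttpHeaders.Add('X-AnchorMailbox', $mailbox)

# Smoke test: bind to the Inbox and report the unread count.
$inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind(
    $service, [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)
"Unread items in the $mailbox Inbox: $($inbox.UnreadCount)"
```

Because the token is issued per run from the certificate, there is no 90-day token to store in Key Vault; what remains to protect is the certificate's private key and the scope of the application permission.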