OAuth
6 Topics

Exchange on-premise create mailbox or login using access token bearer
Hello everyone! We have an external OAuth2 server for SSO. Now we must use that server to authenticate our users. We are not allowed to create users; we just have to authenticate the users via SSO and get the information via the access token, and based on that token we have to either create a mailbox for new users or log in to the mailbox if the user already has a mailbox. The SSO server guys provide us with the ClientID, ClientSecret, RedirectURI, etc., in addition to the URL below:

    https://<SSO-Server>/oauth2/authorize/?client_id=<ClientID>&response_type=token&redirect_uri=https://<Exchange-Server>/owa/&scope=profile

We are using Exchange Server 2019 CU13 on-premise. I don't know what to do! I'm not sure how to configure the server. I'd appreciate any help.

I tried to redirect OWA to the above link using "Set-OrganizationConfig -AdfsIssuer". It redirects to the SSO, the SSO authenticates the user and redirects the user to the specific link I provide plus an access token. But how can I use that access token to create a new mailbox user?
Sending email with OAuth authentication to Office 365 using MgGraph

Hi all, I'm trying to send emails using MgGraph and Modern Authentication and somehow this fails. The sender receives an auto-respond from Exchange saying:

    Diagnostic information for administrators:
    Generating server: AS8PR08MB9314.eurprd08.prod.outlook.com
    <from address>
    Remote server returned '550 5.7.708 Service unavailable. Access denied, traffic not accepted from this IP. For more information please go to http://go.microsoft.com/fwlink/?LinkId=526653 AS(7230) [AS1PR08MB7586.eurprd08.prod.outlook.com 2023-05-14T09:19:00.773Z 08DB542B00E328F8]'

    Original message headers:
    Received: from AS8PR08MB9314.eurprd08.prod.outlook.com ([fe80::4599:1fd:9e8d:8974]) by AS8PR08MB9314.eurprd08.prod.outlook.com ([fe80::4599:1fd:9e8d:8974%6]) with mapi id 15.20.6387.029; Sun, 14 May 2023 09:19:00 +0000
    MIME-Version: 1.0
    Content-Type: text/plain
    Date: Sun, 14 May 2023 09:19:00 +0000
    Message-ID: [email address removed for privacy reasons]
    Subject: OAuth Mail Sent from PowerShell via App

Let me explain what I'm doing. I have a script that is using Graph API to send the email. This script is authenticating with a certificate (self-signed on my laptop and added to the App Registration earlier) on an AD Application that has Graph API Mail.Send permissions. The Graph POST is successful, but Exchange immediately sends back the above NDR.
    Install-Module MSAL.PS
    Import-Module MSAL.PS

    $appName = "MailSendingTestApp"
    $appRegistration = @{
        TenantId          = "xxx.onmicrosoft.com"
        ClientId          = "<app-id>"
        # Certificate whose public key was uploaded to the app registration
        ClientCertificate = (Get-ChildItem Cert:\CurrentUser\My |
            Where-Object { $_.Subject -eq ('CN={0}' -f $appName) })
    }
    # Client-credentials (certificate) flow; AzureCloudInstance 1 = Azure public cloud
    $msalToken = Get-MsalToken @appRegistration -ForceRefresh -AzureCloudInstance 1

    $fromEmailAddress = "email address removed for privacy reasons"
    $requestBody = @{
        "message" = [PSCustomObject]@{
            "subject" = "OAuth Mail Test"
            "body" = [PSCustomObject]@{
                "contentType" = "Text"
                "content"     = "Hello this is a test"
            }
            "toRecipients" = @(
                [PSCustomObject]@{
                    "emailAddress" = [PSCustomObject]@{
                        "address" = "email address removed for privacy reasons"
                    }
                }
            )
        }
        "saveToSentItems" = $true   # JSON boolean, not the string "true"
    }
    $request = @{
        "Headers"     = @{ Authorization = $msalToken.CreateAuthorizationHeader() }
        "Method"      = "Post"
        "Uri"         = "https://graph.microsoft.com/v1.0/users/$fromEmailAddress/sendMail"
        "Body"        = $requestBody | ConvertTo-Json -Depth 5
        "ContentType" = "application/json"
    }
    Invoke-RestMethod @request

Googling led me to a post that links to a MS article that says: "This error can happen when you are trying out a Microsoft 365 trial tenant. If you receive this error before you can purchase licenses, contact support to request an exception for the low reputation IP address until you're able to purchase licenses." My tenant is licensed with Microsoft 365 E5 Developer (part of the Visual Studio benefit that comes with our partner account). What could be going wrong here? Do I need to contact Microsoft here or start pulling my wallet? Hope someone can help. Cheers!
Using MS Client Credentials OAuth flow with JavaMail

Our server application uses JavaMail to read inboxes and send e-mails etc. from MS Exchange. As Microsoft is shutting down password-based authentication, we need to switch over to using OAuth. We are able to successfully integrate MS OAuth using the Authorization code flow (https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow). However, since our application is a background process running on servers, we want to integrate the MS OAuth client credentials flow in our app. So, I followed the steps outlined here: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow to achieve the same. However, the JavaMail authentication is failing with the error "A1 NO AUTHENTICATE failed." whenever we try to connect to outlook.office365.com. Full trace given below:

    DEBUG IMAPS: mail.imap.minidletime: 10
    DEBUG IMAPS: enable SASL
    DEBUG IMAPS: SASL mechanisms allowed: XOAUTH2
    DEBUG IMAPS: closeFoldersOnStoreFailure
    DEBUG IMAPS: trying to connect to host "outlook.office365.com", port 993, isSSL true
    * OK The Microsoft Exchange IMAP4 service is ready. [UwBJADIAUABSADAAMQBDAEEAMAAwADUAMQAuAGEAcABjAHAAcgBkADAAMQAuAHAAcgBvAGQALgBlAHgAYwBoAGEAbgBnAGUAbABhAGIAcwAuAGMAbwBtAA==]
    A0 CAPABILITY
    * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
    A0 OK CAPABILITY completed.
    DEBUG IMAPS: AUTH: PLAIN
    DEBUG IMAPS: AUTH: XOAUTH2
    DEBUG IMAPS: protocolConnect login, host=outlook.office365.com, user=venkatbabukr@myumsoauth.onmicrosoft.com, password=<non-null>
    DEBUG IMAPS: SASL Mechanisms:
    DEBUG IMAPS:  XOAUTH2
    DEBUG IMAPS:
    DEBUG IMAPS: SASL client XOAUTH2
    DEBUG IMAPS: SASL callback length: 1
    DEBUG IMAPS: SASL callback 0: javax.security.auth.callback.NameCallback@a67c67e
    A1 AUTHENTICATE XOAUTH2 <<< Access token value >>>
    A1 NO AUTHENTICATE failed.
    Got exception while browsing Inbox! AUTHENTICATE failed.
    javax.mail.AuthenticationFailedException: AUTHENTICATE failed.
        at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:732)
        at javax.mail.Service.connect(Service.java:366)

We are not able to understand why the authentication is failing, so we need some help here. Is it possible to integrate MS OAuth using client credentials with JavaMail to access the inbox using IMAP and send mails using SMTP? If possible, can you please share some reference implementations where it is working? Or otherwise, if you can throw some light on why OAuth authentication is failing with AuthenticationFailedException and how it can be resolved, that would also be helpful.

FYI, here are the parameter values that I have used to get the access token from https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token:

    client_id: <Our client id>
    client_secret: <Our client secret>
    grant_type: client_credentials
    scope: https://graph.microsoft.com/.default

There was some suggestion here: https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#use-client-credentials-grant-flow-to-authenticate-imap-and-pop-connections to use the scope IMAP.AccessAsApp. But right now, I'm just not able to find this permission in the Azure portal. So, is there any other such permission/scope that we can set/use?

Thanks & Regards,
Venkatesh
JavaMail connecting to Office 365 XOAUTH2 for IMAP Authentication fails

Facing a connectivity issue with Office 365 online with OAuth 2.0. I have set up the application permissions and the IMAP and SMTP connection. Basic authentication seems to work fine. I believe IMAP is enabled. My application is configured as "Accounts in any organizational directory (Any Azure AD directory - Multitenant)" and uses grant type authorization code. And delegated Microsoft Graph scopes https://graph.microsoft.com/IMAP.AccessAsUser.All have been added: https://i.stack.imgur.com/tcwr2.png

Requested the access token with resource https://graph.microsoft.com/. Successfully received an access token with scopes IMAP.AccessAsUser.All SMTP.Send:

    {
      "token_type": "Bearer",
      "scope": "IMAP.AccessAsUser.All SMTP.Send",
      "expires_in": 3599,
      "ext_expires_in": 3599,
      "access_token": "access_token",
      "refresh_token": "refresh_token",
      "id_token": "id_token"
    }

So here is the Java code (JavaMail jar 1.6.2 used):

    import java.util.Properties;
    import javax.mail.Session;
    import javax.mail.Store;

    Properties properties = new Properties();
    properties.put("mail.imap.ssl.enable", "true");
    properties.put("mail.imap.auth.mechanisms", "XOAUTH2");
    //properties.put("mail.imap.sasl.enable", "true"); // un-commented, results are the same
    properties.put("mail.imap.auth.login.disable", "true");
    properties.put("mail.imap.auth.plain.disable", "true");
    properties.put("mail.debug", "true");
    properties.put("mail.debug.auth", "true");

    Session session = Session.getInstance(properties); // was getInstance(props): undefined variable
    session.setDebug(true);

    String userEmail = "emailuser@domain.onmicrosoft.com";
    String accessToken = "accessToken"; // the bearer token is passed in the password slot
    final Store store = session.getStore("imap");
    // Service.connect takes the port as an int, not the string "993"
    store.connect("outlook.office365.com", 993, userEmail, accessToken);

Following output:

    DEBUG: JavaMail version 1.6.2
    DEBUG: successfully loaded resource: /META-INF/javamail.default.address.map
    DEBUG: getProvider() returning javax.mail.Provider[STORE,imap,com.sun.mail.imap.IMAPStore,Oracle]
    DEBUG IMAP: mail.imap.appendbuffersize: -1
    DEBUG IMAP: mail.imap.minidletime: 10
    DEBUG IMAP: closeFoldersOnStoreFailure
    DEBUG IMAP: trying to connect to host "outlook.office365.com", port 993, isSSL true
    * OK The Microsoft Exchange IMAP4 service is ready. [TQBB]
    A0 CAPABILITY
    * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
    A0 OK CAPABILITY completed.
    DEBUG IMAP: AUTH: PLAIN
    DEBUG IMAP: AUTH: XOAUTH2
    DEBUG IMAP: protocolConnect login, host=outlook.office365.com, user=emailuser@domain.onmicrosoft.com, password=<non-null>
    A1 AUTHENTICATE XOAUTH2 dXNlAQE=
    A1 NO AUTHENTICATE failed.
    Could not connect to the message store
    javax.mail.AuthenticationFailedException: AUTHENTICATE failed.
        at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:731)
        at javax.mail.Service.connect(Service.java:366)
        at myproject.EmailReceiver.downloadEmails(EmailReceiver.java:79)
        at myproject.EmailReceiver.main(EmailReceiver.java:179)

Following other posts, I could not find the scopes https://outlook.office365.com/IMAP.AccessAsUser.All and https://outlook.office365.com/SMTP.Send in my Azure. Maybe they are legacy scopes. Are there any other scopes besides "https://graph.microsoft.com/IMAP.AccessAsUser.All" and "https://graph.microsoft.com/SMTP.send" required to connect to Exchange Online through IMAP? Or is there any problem with the existing code?
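Both JavaMail posts above (the client-credentials one and the authorization-code one) obtained a token for https://graph.microsoft.com and then presented it to outlook.office365.com. Exchange Online's IMAP/POP/SMTP endpoints only accept a bearer token whose audience is the Outlook resource, whatever scope names the token carries: the delegated flow needs the scope https://outlook.office365.com/IMAP.AccessAsUser.All, and the client-credentials flow needs https://outlook.office365.com/.default with the IMAP.AccessAsApp application permission, which lives under the "Office 365 Exchange Online" API in the portal, not under Microsoft Graph (the app's service principal must then also be granted access to the mailbox in Exchange Online). The script below is an added example, not code from either post: it builds the XOAUTH2 SASL initial response that JavaMail sends on the AUTHENTICATE line, decodes one back out of a debug trace, and inspects a token's aud, scp and roles claims before spending a round trip on the server. The function names, the OUTLOOK_AUDIENCES set and the three sample JWTs are mine; the sample tokens are constructed, unsigned (alg=none) tokens so the script runs offline, and the claims are read without signature verification because the purpose is to debug a token you obtained yourself, never to authenticate a token someone presents to you.

```python
import base64
import json
from typing import Dict, Tuple

# Audiences accepted by Exchange Online's IMAP/POP/SMTP endpoints (assumption of this
# example). The GUID is the well-known app id of the "Office 365 Exchange Online" resource.
OUTLOOK_AUDIENCES = {
    "https://outlook.office365.com",
    "https://outlook.office.com",
    "00000002-0000-0ff1-ce00-000000000000",
}


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Base64 SASL initial response sent after 'AUTHENTICATE XOAUTH2' (SASL-IR).
    Wire format: user=<mailbox>^Aauth=Bearer <token>^A^A  (^A = 0x01)."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_xoauth2_initial_response(b64: str) -> Dict[str, str]:
    """Inverse of xoauth2_initial_response, for reading what a client really sent."""
    raw = base64.b64decode(b64).decode("utf-8")
    out: Dict[str, str] = {}
    for field in raw.split("\x01"):
        if field:
            key, _, value = field.partition("=")
            out[key] = value
    return out


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> Dict:
    """Decode a JWT payload WITHOUT checking the signature (debugging your own token only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_imap(token: str) -> Tuple[bool, str]:
    """Say whether Exchange Online IMAP will accept this token, and why not if it won't."""
    claims = jwt_claims(token)
    aud = claims.get("aud", "")
    if aud not in OUTLOOK_AUDIENCES:
        return False, (f"aud is {aud!r}; IMAP needs a token for https://outlook.office365.com "
                       "(scope https://outlook.office365.com/IMAP.AccessAsUser.All or "
                       "https://outlook.office365.com/.default), not a Graph token")
    delegated = claims.get("scp", "").split()      # delegated permissions
    app_roles = claims.get("roles", [])            # application permissions
    if "IMAP.AccessAsUser.All" in delegated:
        return True, "delegated token with IMAP.AccessAsUser.All"
    if "IMAP.AccessAsApp" in app_roles:
        return True, "app-only token with IMAP.AccessAsApp (mailbox access must also be granted in EXO)"
    return False, f"no IMAP permission in scp={delegated} roles={app_roles}"


def make_unsigned_jwt(claims: Dict) -> str:
    """CONSTRUCTED sample token for offline use only: alg=none and an empty signature.
    Azure AD never issues such a token; it exists so the checks above can run here."""
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples: the situation in the two posts, and the two shapes that work.
GRAPH_DELEGATED = make_unsigned_jwt({"aud": "https://graph.microsoft.com",
                                     "scp": "IMAP.AccessAsUser.All SMTP.Send",
                                     "upn": "emailuser@domain.onmicrosoft.com"})
OUTLOOK_DELEGATED = make_unsigned_jwt({"aud": "https://outlook.office365.com",
                                       "scp": "IMAP.AccessAsUser.All SMTP.Send",
                                       "upn": "emailuser@domain.onmicrosoft.com"})
OUTLOOK_APP_ONLY = make_unsigned_jwt({"aud": "https://outlook.office365.com",
                                      "roles": ["IMAP.AccessAsApp"]})

if __name__ == "__main__":
    for name, tok in [("graph", GRAPH_DELEGATED), ("outlook", OUTLOOK_DELEGATED),
                      ("app-only", OUTLOOK_APP_ONLY)]:
        ok, why = check_token_for_imap(tok)
        print(f"{name:8} -> {'OK  ' if ok else 'FAIL'} {why}")
    ir = xoauth2_initial_response("emailuser@domain.onmicrosoft.com", OUTLOOK_DELEGATED)
    print("A1 AUTHENTICATE XOAUTH2", ir[:32] + "...")
    print("decoded user:", decode_xoauth2_initial_response(ir)["user"])
```

Run check_token_for_imap on the real token your token endpoint returned before opening the IMAP session: if aud is the Graph URL, no JavaMail property will make AUTHENTICATE succeed, and the fix is on the token-request side (change the scope, and for client credentials add the Exchange Online IMAP.AccessAsApp permission and grant the service principal mailbox access).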
How to access Shared Inboxes with OAuth via IMAP (Basic Authentication Deprecation)

Since Microsoft is deprecating basic auth in the future, I cannot use IMAP to access shared inboxes the way I used to:

    Email address: sharedmailbox[AT]domain.com
    Incoming Mail Server (IMAP)
      Username: mymailbox[AT]domain.com/sharedmailbox
      Hostname: outlook.office365.com
    Outgoing Mail Server (SMTP)
      Username: mymailbox[AT]domain.com
      Hostname: outlook.office365.com

In order for the above to work I had to disable security defaults. By 01. October this will stop working. I use the native Apple Mail app for managing mails. Now, for the life of me, I cannot figure out how I could possibly access shared inboxes via OAuth. When I choose to add a "Microsoft Exchange" account (which is the only way I found to use OAuth), I put in sharedmailbox[AT]domain.com as the mail address (which is the shared inbox I want to manage) and as username I choose my account mymailbox[AT]domain.com. When I do that, the mail address is simply ignored and I end up adding my personal mailbox instead of the shared mailbox. Trying to log in as mymailbox[AT]domain.com/sharedmailbox doesn't work either. Does anyone have an idea how to get this working? I'm really used to working with my separate mailboxes and I really can't afford to put licenses on them.
Modern Hybrid with no external access

Hi All. We have an on-prem Exchange 2016 infrastructure with no HTTPS connectivity from external. We set up the Hybrid agent in full 'modern' mode for this reason and it seems to work OK. We had to do some adjustments on the Inbound and Outbound connectors to route mail correctly and have successfully done test mailbox migrations to and from O365. We aren't scheduled to move any mailboxes to the cloud at present, so everything is staying on-prem. We have also deployed Teams to a pilot group; however, there is no calendar integration and users cannot delegate a Teams meeting on behalf of another. I believe (after many hours reading various posts) that for these to work we need to publish our internal Autodiscover and EWS records externally? My question then is: can this be worked around using the Hybrid agent somehow, or is the above the only option, in which case the Modern Hybrid is not usable and we might as well use Classic Hybrid, assuming we can even get approval to publish these URLs externally. Cheers, Peter