developer
6 Topics

MFA Login does not Authenticate
I am trying to retrofit an existing C# ASP.NET application with an MFA login on Azure. I am able to get the MFA prompt, and I click on my account and the code successfully returns to the redirect URL. However, IsAuthenticated is never true and User.Identity.Name is always blank. I based my code on another MFA application for my company that works, but I can't figure out why mine doesn't. I then created a brand new app from scratch to see if I could figure out what went wrong. However, in the new app, IsAuthenticated is always true, before login, after login and after logout, and yet User.Identity.Name is blank here as well, so the authentication is clearly not valid. I have the most recent OWIN DLLs installed, which at the time of this writing are mostly version 4.2.2. My code includes the usual MFA code found in many online examples.

The Startup.cs file includes this code:

    string clientId = ConfigurationManager.AppSettings["ClientId"];
    string tenantId = ConfigurationManager.AppSettings["TenantId"];
    string authority = "https://login.microsoftonline.com/" + tenantId + "/v2.0";
    string redirectURI = ConfigurationManager.AppSettings["MFARedirect"];
    string postLogoutRedirectUri = ConfigurationManager.AppSettings["PostLogoutRedirectUri"];

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        ExpireTimeSpan = System.TimeSpan.FromMinutes(90),
        CookieManager = new Microsoft.Owin.Host.SystemWeb.SystemWebChunkingCookieManager(),
        Provider = new CookieAuthenticationProvider
        {
            // sessionTimeout is a TimeSpan declared elsewhere in Startup.cs
            OnResponseSignIn = (context) =>
                context.Properties.ExpiresUtc = DateTime.UtcNow.AddMinutes(sessionTimeout.TotalMinutes),
        },
        SlidingExpiration = true,
        CookieSecure = CookieSecureOption.Always
    });

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = authority,
            PostLogoutRedirectUri = postLogoutRedirectUri,
            RedirectUri = redirectURI,
            UseTokenLifetime = false,
            Scope = OpenIdConnectScope.OpenIdProfile,
            ResponseType = OpenIdConnectResponseType.CodeIdToken,
            Notifications = new OpenIdConnectAuthenticationNotifications()
            {
                AuthenticationFailed = OnAuthenticationFailed
            }
        });

    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

The Login method in the Home Controller includes this code:

    HttpContext.GetOwinContext().Authentication.Challenge(
        new AuthenticationProperties { RedirectUri = redirectUri },
        OpenIdConnectAuthenticationDefaults.AuthenticationType
    );

I have tried many suggestions found on Google, but nothing has made any difference. If anybody has some insight as to what might be going on here, I would greatly appreciate any help I can get.
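A configuration-level check worth making on a setup like the one in the post, as an added example that is not code from the post: in Katana, an OpenIdConnectAuthenticationOptions whose SignInAsAuthenticationType is left empty signs the user into the app's default sign-in type, and UseExternalSignInCookie sets that default to ExternalCookie (a passive, short-lived cookie) even when it is registered after the OpenID Connect middleware. If the identity lands in the external cookie rather than the ApplicationCookie, IsAuthenticated stays false and Identity.Name stays blank on later requests. The snippet pins the sign-in type explicitly and adds a SecurityTokenValidated notification that traces which claim types arrived in the id_token and which claim type Identity.Name is read from. The namespace, the placeholder settings and the error route are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;            // DefaultAuthenticationTypes
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(MfaDiagnostics.Startup))]

namespace MfaDiagnostics   // hypothetical namespace for this example
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Placeholder values; a real app reads these from ConfigurationManager.AppSettings.
            string clientId = "<client-id>";
            string tenantId = "<tenant-id>";
            string authority = "https://login.microsoftonline.com/" + tenantId + "/v2.0";
            string redirectUri = "https://localhost:44300/";

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                CookieSecure = CookieSecureOption.Always,
                CookieHttpOnly = true,
                ExpireTimeSpan = TimeSpan.FromMinutes(90),
                SlidingExpiration = true
            });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = authority,
                RedirectUri = redirectUri,
                ResponseType = OpenIdConnectResponseType.CodeIdToken,
                Scope = OpenIdConnectScope.OpenIdProfile,
                UseTokenLifetime = false,

                // Pinned explicitly so the identity lands in the ApplicationCookie above,
                // whatever UseExternalSignInCookie may later set as the default sign-in type.
                SignInAsAuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,

                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    SecurityTokenValidated = OnSecurityTokenValidated,
                    AuthenticationFailed = OnAuthenticationFailed
                }
            });

            // An external cookie can still be registered for other providers; with the
            // sign-in type pinned above it no longer changes where OIDC signs the user in.
            app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
        }

        private static Task OnSecurityTokenValidated(
            SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n)
        {
            var identity = n.AuthenticationTicket.Identity;
            // Trace claim types only (not values) so the log does not leak user data.
            Trace.TraceInformation(
                "id_token claim types: {0}; NameClaimType={1}; IsAuthenticated={2}; Name {3}",
                string.Join(", ", identity.Claims.Select(c => c.Type)),
                identity.NameClaimType,
                identity.IsAuthenticated,
                string.IsNullOrEmpty(identity.Name) ? "blank" : "present");
            return Task.FromResult(0);
        }

        private static Task OnAuthenticationFailed(
            AuthenticationFailedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n)
        {
            Trace.TraceError("OIDC authentication failed: {0}", n.Exception.Message);
            n.HandleResponse();
            n.Response.Redirect("/Home/Error");   // assumed error route
            return Task.FromResult(0);
        }
    }
}
```

If the trace shows a claim type matching identity.NameClaimType but Identity.Name is still blank on the next request, the problem is in which cookie carried the identity; if no such claim type appears, the token itself lacks the name claim for the scopes requested.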
Outlook connectivity test fails / Office365 SMTP - SAML Assertion Invalid Signature

We have developed our own SAML IDP and have configured Office365 for federation to our SAML IDP. We can log in to Office365, Teams, etc. all with no errors. However, when we try the Outlook connectivity test at https://testconnectivity.microsoft.com, or when we attempt to send an SMTP email through smtp.office365.com, then we are getting a failure. The failure is shown below for the Outlook connectivity test (personal information changed):

    X-CalculatedBETarget: MW4PR14MB5440.namprd14.PROD.OUTLOOK.COM
    X-BackEndHttpStatus: 503
    X-RUM-Validated: 1
    X-AutoDiscovery-Error: LiveIdBasicAuth:FederatedStsUnreachable:<UNH:<PII.Email:7J+GS+4rufdDUc9R4mr7Ifl48VhyJ296RJq6lQpEsKg=@softexinc.com>><RequestId=7fdb0084-ea19-4729-8290-aa2a663cbaba,ST=23:03:23><UIPH:<PII.IP:aU/9Mm6Oy7mcCIl2kWkA43wQoeRe2WNIcRrp/8UOlNo=>><HitHrd<X-forwarded-for:<PII.IP:aU/9Mm6Oy7mcCIl2kWkA43wQoeRe2WNIcRrp/8UOlNo=>><PTS:False><BA:255,UP:-46840,ExCaught:False,BlockStatus:1><IOOH<IV1OOH<SHIBB-Business-1717ms><SAML_F:T:,M:STSFailure,E:Saml Assertion has invalid signature<?xml version='1.0' encoding='UTF-8'?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header><ECP:Response xmlns:ECP="urn:oasis:names:tc:SAML:2:0:profiles:SSO:ecp" AssertionConsumerServiceURL="https://login.microsoftonline.com/login.srf" SOAP-ENV:actor="http://schemas.xmlsoap.org/soap/actor/next" SOAP-ENV:mustUnderstand="1" /></SOAP-ENV:Header><SOAP-ENV:Body> <SAML RESPONSE IS HERE> </SOAP-ENV:Body></SOAP-ENV:Envelope>><SAML:AddV2N><FEDERATED><UserType:Federated><LogonFailed-FederatedStsFailed><AS:FederatedStsFailed><Tid=8ccccceb-0040-4e3e-a7bc-733ee9f8ef80><V1;
    X-DiagInfo: MW4PR14MB5440
    X-BEServer: MW4PR14MB5440
    X-Proxy-RoutingCorrectness: 1
    X-Proxy-BackendServerStatus: 503
    X-FirstHopCafeEFZ: DSM
    X-FEProxyInfo: DS7PR06CA0008.NAMPRD06.PROD.OUTLOOK.COM
    X-FEEFZInfo: DSM
    X-FEServer: DS7PR06CA0008
    Content-Length: 0
    Date: Fri, 09 Sep 2022 05:35:18 GMT
    Server: Microsoft-IIS/10.0
    X-Powered-By: ASP.NET

We get a call into our IDP's SAML ECP SOAP endpoint (ActiveLogOnUri) where we build the SAML Response/Assertion to return, and we sign both the Response and Assertion with our SAML signing certificate (the same certificate that is set in Office 365 federation as the SigningCertificate). We return successfully from our SAML ECP SOAP endpoint, and then see the error above. If we take our SAML Response and put it in the SAML Response Validator at https://www.samltool.com/validate_response.php, we see that the response and XML signature are validated. We also wrote C# code to read the SAML response and validate the signature using the SignedXml class. One note: our SAML response is returned with no extra whitespace/newlines. We sign the SAML response with no extra whitespace/newlines and return the response from the SAML ECP SOAP endpoint the same way, so we don't think this is related to whitespace. We cannot figure out why Office365 returns this SAML Invalid Signature error ONLY when the SAML ECP SOAP endpoint is invoked via the Outlook connectivity test or SMTP email sending. Any help is appreciated.
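As an added example (not the poster's code): the check below isolates the element Office 365's error names, the Assertion's own enveloped signature rather than the outer Response signature, and verifies it with SignedXml against the certificate registered as the federation SigningCertificate. It loads the XML with PreserveWhitespace = true, because any re-serialization between signing and validation changes the digest, and it requires the single reference to point at this assertion's ID and the embedded certificate to match the expected thumbprint before checking the cryptographic signature. The input document and the thumbprint value are assumptions; the method returns false on any structural mismatch rather than throwing, so it can be run over a captured SOAP body from the ECP endpoint.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class SamlAssertionSignatureCheck
{
    private const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    private const string DsNs = "http://www.w3.org/2000/09/xmldsig#";

    // Validates the signature on <saml:Assertion> (not the outer <samlp:Response>)
    // and requires the certificate carried in KeyInfo to be the one we registered.
    public static bool AssertionSignatureIsValid(string samlResponseXml, string expectedThumbprint)
    {
        // PreserveWhitespace matters: the digest covers the bytes as signed, so
        // reformatting on load would invalidate an otherwise correct signature.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(samlResponseXml);

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", SamlNs);
        ns.AddNamespace("ds", DsNs);

        var assertion = doc.SelectSingleNode("//saml:Assertion", ns) as XmlElement;
        if (assertion == null) return false;

        // The assertion's own signature is a direct child of the Assertion element;
        // a Signature found only under the Response does not cover the assertion.
        var sigNode = assertion.SelectSingleNode("ds:Signature", ns) as XmlElement;
        if (sigNode == null) return false;

        var signedXml = new SignedXml(assertion);
        signedXml.LoadXml(sigNode);

        // Exactly one enveloped reference, and it must resolve to this assertion's ID.
        string assertionId = assertion.GetAttribute("ID");
        if (string.IsNullOrEmpty(assertionId) || signedXml.SignedInfo.References.Count != 1)
            return false;
        var reference = (Reference)signedXml.SignedInfo.References[0];
        if (!string.Equals(reference.Uri, "#" + assertionId, StringComparison.Ordinal))
            return false;

        // Pull the signing certificate out of KeyInfo and pin it to the registered one.
        X509Certificate2 cert = null;
        foreach (KeyInfoClause clause in signedXml.KeyInfo)
        {
            if (clause is KeyInfoX509Data x509 && x509.Certificates.Count > 0)
                cert = (X509Certificate2)x509.Certificates[0];
        }
        if (cert == null) return false;
        if (!string.Equals(cert.Thumbprint, expectedThumbprint, StringComparison.OrdinalIgnoreCase))
            return false;

        // verifySignatureOnly = true: trust is established by the thumbprint pin above,
        // not by chain building, which mirrors how a registered federation cert is used.
        return signedXml.CheckSignature(cert, true);
    }
}
```

Running this over the exact bytes the ECP endpoint emits, with the thumbprint of the certificate configured on the Office 365 federation trust, separates three failure classes: a Response signature that validates while the Assertion signature does not, a reference URI that does not match the assertion ID, and a KeyInfo certificate that differs from the registered one.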
What OAuth permissions needed for exchangelib?

My end goal is to have a script that moves a single user's mail around (archiving stuff etc.). Right now I'm just trying to be able to look at the mail. I'm using a Python library called exchangelib. However, I can't seem to get the permissions right. Here's the code I'm using:

    from exchangelib import (
        Account,
        Configuration,
        OAuth2Credentials,
        DELEGATE,
        OAUTH2,
    )
    from os import environ

    username = environ["USERNAME"]
    client_id = environ["CLIENT_ID"]
    tenant_id = environ["TENANT_ID"]
    secret_value = environ["VALUE"]

    credentials = OAuth2Credentials(
        client_id=client_id, tenant_id=tenant_id, client_secret=secret_value
    )
    conf = Configuration(
        credentials=credentials, server="outlook.office365.com", auth_type=OAUTH2
    )
    account = Account(
        primary_smtp_address=username,
        autodiscover=False,
        config=conf,
        access_type=DELEGATE,
    )

And here's what the permissions look like in AzureAD.

And here's the error:

    Traceback (most recent call last):
      File "test.py", line 21, in <module>
        account = Account(
      File ".../account.py", line 133, in __init__
        self.version = self.protocol.version
      File ".../protocol.py", line 470, in version
        self.config.version = Version.guess(self, api_version_hint=self._api_version_hint)
      File ".../version.py", line 229, in guess
        list(ResolveNames(protocol=protocol).call(unresolved_entries=[name]))
      File ".../services/resolve_names.py", line 52, in _elems_to_objs
        for elem in elems:
      File ".../services/common.py", line 212, in _chunked_get_elements
        yield from self._get_elements(payload=payload_func(chunk, **kwargs))
      File ".../services/common.py", line 230, in _get_elements
        yield from self._response_generator(payload=payload)
      File ".../services/common.py", line 196, in _response_generator
        response = self._get_response_xml(payload=payload)
      File ".../services/common.py", line 310, in _get_response_xml
        r = self._get_response(payload=payload, api_version=api_version)
      File ".../services/common.py", line 265, in _get_response
        r, session = post_ratelimited(
      File ".../util.py", line 877, in post_ratelimited
        protocol.retry_policy.raise_response_errors(r)  # Always raises an exception
      File ".../protocol.py", line 689, in raise_response_errors
        raise UnauthorizedError('Invalid credentials for %s' % response.url)
    exchangelib.errors.UnauthorizedError: Invalid credentials for https://outlook.office365.com/EWS/Exchange.asmx

By the way, I've looked into a bunch of different methods of moving email, but I'm dealing with a few hundred thousand emails and nothing else will do it in a reasonable time (except IMAP but... it's IMAP). Specifically:

- The web interface doesn't allow selecting and moving more than like 100 emails.
- The Outlook desktop app won't move more than about 1000 emails at a time without the move crashing.
- For some reason using the add-in interface with C# was also unstable (I got a test to complete once but it failed like 6 times with no exceptions or anything).
- The PowerShell command line thing that you connect to with Connect-ExchangeOnline doesn't allow you to move individual emails.
- Microsoft Graph rate limits you at 10,000 email moves per day.
Security question

I have been using Microsoft Planner. My computer is protected using Norton, and is on a daily deep scan routine. On Microsoft Planner, there is a customer service feedback form, basically asking if I would recommend Planner. There are two questions, the recommendation question, and a box to include your email address. When I started filling in the email address, an email address (removed here) defaulted into the address box. I have never accessed this domain, and am wondering whether the customer survey itself has been hacked.
Authenticate O365 users with okta Integration?

Hi, I have integrated Okta SSO in an Office 365 account and am trying to authenticate users with an Azure App ID, but it throws an error like:

    {"AADSTS50020: User account '{EmailHidden}' from identity provider 'https://sts.windows.net/5f73b188-eb12-4029-bc50-281088be49c0/' does not exist in tenant 'Tenant' and cannot access the application '380ca9c4-2d3f-4bed-9127-711cb03ffed3'(rootavg) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.\r\nTrace ID: f2620add-6f70-40c1-9c21-feb358fa7c00\r\nCorrelation ID: 517de74f-289e-43fe-93ec-2656fa6b38ca\r\nTimestamp: 2019-06-28 08:33:26Z"}

Kindly help me out.

Thanks,
Aravind Elumalai