ADFS Modern Authentication Claims Rules
I have ADFS 4 deployed and am attempting to create claims rules for O365 to accomplish the following: - Allow intranet access - Allow extranet access via Activesync only (No access to web apps or ability to download email to PCs) Modern Authentication is enabled on tenant for Exchange Online and clients are using Outlook 2016. I've setup access control policies like so: Permit users from internet network and with Client Application claim equals to Microsoft.Exchange Activesync and Client Application claim equals to Microsoft.Exchange.Autodiscover in the request Permit users from intranet network This appears to be working to block traffic for webapps and Outlook 2016, but also is blocking mobile access. I've tested mobile by configuring both Nine and the Outlook app, but I'm being blocked. What am I doing wrong?
What OAuth permissions needed for exchangelib?
My end goal is to have a script that moves a single users mail around (archiving stuff etc.). Right now I'm just trying to be able to look at the mail. I'm using a python library called https://github.com/ecederstrand/exchangelib. However, I can't seem to get the permissions right. Here's the code I'm using from exchangelib import ( Account, Configuration, OAuth2Credentials, DELEGATE, OAUTH2, ) from os import environ username = environ["USERNAME"] client_id = environ["CLIENT_ID"] tenant_id = environ["TENANT_ID"] secret_value = environ["VALUE"] credentials = OAuth2Credentials( client_id=client_id, tenant_id=tenant_id, client_secret=secret_value ) conf = Configuration( credentials=credentials, server="outlook.office365.com", auth_type=OAUTH2 ) account = Account( primary_smtp_address=username, autodiscover=False, config=conf, access_type=DELEGATE, ) And here's what the permissions look like in AzureAD And here's the error Traceback (most recent call last): File "test.py", line 21, in <module> account = Account( File ".../account.py", line 133, in __init__ self.version = self.protocol.version File ".../protocol.py", line 470, in version self.config.version = Version.guess(self, api_version_hint=self._api_version_hint) File ".../version.py", line 229, in guess list(ResolveNames(protocol=protocol).call(unresolved_entries=[name])) File ".../services/resolve_names.py", line 52, in _elems_to_objs for elem in elems: File ".../services/common.py", line 212, in _chunked_get_elements yield from self._get_elements(payload=payload_func(chunk, **kwargs)) File ".../services/common.py", line 230, in _get_elements yield from self._response_generator(payload=payload) File ".../services/common.py", line 196, in _response_generator response = self._get_response_xml(payload=payload) File ".../services/common.py", line 310, in _get_response_xml r = self._get_response(payload=payload, api_version=api_version) File ".../services/common.py", line 265, in _get_response r, session = post_ratelimited( File ".../util.py", line 877, in post_ratelimited protocol.retry_policy.raise_response_errors(r) # Always raises an exception File ".../protocol.py", line 689, in raise_response_errors raise UnauthorizedError('Invalid credentials for %s' % response.url) exchangelib.errors.UnauthorizedError: Invalid credentials for https://outlook.office365.com/EWS/Exchange.asmx By the way I've looked into a bunch of different methods of moving email but I'm dealing with a few hundred thousand emails and nothing else will do it in a reasonable time (except IMAP but... its IMAP). Specifically: The web interface doesn't allow selecting and moving more than like 100 emails The outlook desktop app wont move more than about 1000 emails at a time without the move crashing. For some reason using the addon interface with C# was also unstable (I got a test to complete once but it failed like 6 times with no exceptions or anything) The powershell command line thing that you connect to with like Connect-ExchangeOnline doesn't allow you to move individual emails. Microsoft Graph rate limits you at 10,000 email moves per day.
Modern Auth Looping with Outlook 2016 when Outside Corporate Network
Hello! First time poster, here. In the past ~1-2 months, our travelling users have been running into an authentication loop in Outlook 2016. They will suddenly be asked to enter their password in Outlook (the larger, white, browser-based modern authentication window, not the small Outlook client username/password authentication window). Entering their password will close the window, then the window will immediately pop back up. The Outlook client cannot be used until they come back inside our network and reboot their PC. I was able to immediately reproduce the issue on my work laptop (64-bit Windows 10 1803 running Office 2016 32-bit version 1809) by deleting my Outlook profile, deleting all saved Office-related credentials in the Credential Manager, and connecting my laptop to my smartphone hotspot (to simulate being outside the network). Starting Outlook 2016, I'll create a new profile, connect with my AD account, enter my password in the Outlook 2016 authentication box; my email will actually start loading in Outlook, then the larger, white authentication window will pop up. I enter my password, it will disappear, then pop up again, and on, and on... We have worked with MS Support on this issue for a total of ~7 hours in multiple remote sessions, and here are the troubleshooting steps they took, which all failed: -Using an app password when the MFA browser window asks for the user’s password (“invalid password”) -Adding “HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\DisableADALatopWAMOverride” to the registry, with a DWORD value of 1 -Using “Fiddler” to collect logs while the issue occurred (the technician seemed like they had no idea how to use the program, since the certificates installed by the program effectively blocked Outlook 2016 from communicating with the Microsoft servers) -Turning on Outlook logging, and reproducing the issue. The logs were not affected in any way while the looping was taking place, leading us to believe that the issue is taking place outside of the Outlook application. -MS O365 Support then brushed it off as Incident EX152471, which was announced as resolved yesterday evening, but the problem still persists in our environment. The ONLY workaround that we found, is adding "DisableAADWAM" to HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\, and giving it a DWORD value of 1. But disabling Web Access Management is not a solution! Can anyone shed any light on our issue? Thank you, --Ryan
Send Mail (SMTP) through Office 365 with MFA
We have a web server that needs to be able to send emails as users (FROM field); however, we have noticed that if the user account is protected with MFA, the message is rejected. Has anyone been able to get this working? I found a work around by using an account that does not have MFA then adding that account as a delegate of the sending user, but that seems a bit extensive. In our scenario, web server sends a message showing it comes from a sales rep, that is populated dynamically on the web server. It uses CFMAIL (same rules as say PHPMailer) and uses the FROM field as the sales rep. That is handled off in this case to Office365 to send emails. Actual Error: Diagnostic-Code: smtp;550 5.7.60 SMTP; Client does not have permissions to send as this sender
