Send Mail (SMTP) through Office 365 with MFA
We have a web server that needs to be able to send emails as users (FROM field); however, we have noticed that if the user account is protected with MFA, the message is rejected. Has anyone been able to get this working? I found a work around by using an account that does not have MFA then adding that account as a delegate of the sending user, but that seems a bit extensive. In our scenario, web server sends a message showing it comes from a sales rep, that is populated dynamically on the web server. It uses CFMAIL (same rules as say PHPMailer) and uses the FROM field as the sales rep. That is handled off in this case to Office365 to send emails. Actual Error: Diagnostic-Code: smtp;550 5.7.60 SMTP; Client does not have permissions to send as this sender
Modern Auth Looping with Outlook 2016 when Outside Corporate Network
Hello! First time poster, here. In the past ~1-2 months, our travelling users have been running into an authentication loop in Outlook 2016. They will suddenly be asked to enter their password in Outlook (the larger, white, browser-based modern authentication window, not the small Outlook client username/password authentication window). Entering their password will close the window, then the window will immediately pop back up. The Outlook client cannot be used until they come back inside our network and reboot their PC. I was able to immediately reproduce the issue on my work laptop (64-bit Windows 10 1803 running Office 2016 32-bit version 1809) by deleting my Outlook profile, deleting all saved Office-related credentials in the Credential Manager, and connecting my laptop to my smartphone hotspot (to simulate being outside the network). Starting Outlook 2016, I'll create a new profile, connect with my AD account, enter my password in the Outlook 2016 authentication box; my email will actually start loading in Outlook, then the larger, white authentication window will pop up. I enter my password, it will disappear, then pop up again, and on, and on... We have worked with MS Support on this issue for a total of ~7 hours in multiple remote sessions, and here are the troubleshooting steps they took, which all failed: -Using an app password when the MFA browser window asks for the user’s password (“invalid password”) -Adding “HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\DisableADALatopWAMOverride” to the registry, with a DWORD value of 1 -Using “Fiddler” to collect logs while the issue occurred (the technician seemed like they had no idea how to use the program, since the certificates installed by the program effectively blocked Outlook 2016 from communicating with the Microsoft servers) -Turning on Outlook logging, and reproducing the issue. The logs were not affected in any way while the looping was taking place, leading us to believe that the issue is taking place outside of the Outlook application. -MS O365 Support then brushed it off as Incident EX152471, which was announced as resolved yesterday evening, but the problem still persists in our environment. The ONLY workaround that we found, is adding "DisableAADWAM" to HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\, and giving it a DWORD value of 1. But disabling Web Access Management is not a solution! Can anyone shed any light on our issue? Thank you, --RyanHow to add alias domain for all users?
Hi, There's a company with their company's full name as their domain name and a shorter domain name. So, contoso.com and conto.so. They need all their users to have an alias of contoso.com and conto.so to be their primary email address. This way, they can: Send/Send as/Receive emails as both domain names for the respective users Receive shared files (OneDrive for Business and SharePoint Online) on both domain names for the respective users Call as/receive call/book meeting on Skype for Business using both domain names for the respective users Send and receive calendar shares or event invitations on both domain names for the respective users This needs to be automatic, rather than adding the domain alias for each user. How can this be configured? Thanks,
Restricting client access to other Office 365 tenants
Hi, When allowing connectivity into Office 365, is there a way to restrict access to a single a tenant? For the purposes of DLP I need to prevent internal machines logging onto any another email service including other 365 tenants, how could this be acheived? Google offer a way to restrict this by using additional headers -> https://support.google.com/a/answer/1668854?hl=en Many thanks, -Ben
Configuring iOS 12 for O365 Exchange using MFA (OAuth)
I have iOS 12 beta 6 installed, and Im using Apple Configurator 2.8 to generate a ActiveSync payload that contains the new OAuth 2.0 settings. The deployment and setup of the Exchange/ActiveSync profile is smooth and easy in iOS 12 as expected. The final end-user step is the GUI prompt to enter a MFA code (via SMS or the MS Authenticator app). Pretty much performs as expected too (other than a couple extra taps and 'hops' to the MS cloud). The problem I am experiencing is that Mail/Contacts/Calendar stop syncing after a couple hours of deployment. At this time, I see a generic "Failed to connect to server" error. There is no way to force a new session/token. No way to re-authenticate again (i.e.; no password field). All ActiveSync-based services stop working until the MDM profile is removed and re-deployed again. Rinse & repeat. I'm deploying the Apple .mobileconfig (XML) profile to my test iOS 12 devices via USB (Apple Configurator) and via Meraki MDM. Both yield the same results. The problem is not related to deployment. The problem clearly appears to be a session time-out or a token refresh failure. MFA (multi-factor authentication) works great on our Macs and Windows PCs (including Outlook 2016, Skype for Business, Outlook Webmail, etc). Both SMS and the Microsoft Authenticator app work fine for one-time passcodes too. No App Passwords are used in my environment (other than the initial App Password generated automatically by MS when an O365 account transitions from 'Enabled' to 'Enforced'. I have been able to reproduce this issue on multiple iOS devices running iOS 12 betas #5 and #6. I have rebuilt the MDM .mobileconfig profile numerous times (including creating it by hand in a text editor). Profile and payloads look perfect. I am digging into O365 server/tenant logs now, but I don't see anything interesting yet. Has anyone else experienced this issue? Any help or feedback is greatly appreciated.
What OAuth permissions needed for exchangelib?
My end goal is to have a script that moves a single users mail around (archiving stuff etc.). Right now I'm just trying to be able to look at the mail. I'm using a python library called https://github.com/ecederstrand/exchangelib. However, I can't seem to get the permissions right. Here's the code I'm using from exchangelib import ( Account, Configuration, OAuth2Credentials, DELEGATE, OAUTH2, ) from os import environ username = environ["USERNAME"] client_id = environ["CLIENT_ID"] tenant_id = environ["TENANT_ID"] secret_value = environ["VALUE"] credentials = OAuth2Credentials( client_id=client_id, tenant_id=tenant_id, client_secret=secret_value ) conf = Configuration( credentials=credentials, server="outlook.office365.com", auth_type=OAUTH2 ) account = Account( primary_smtp_address=username, autodiscover=False, config=conf, access_type=DELEGATE, ) And here's what the permissions look like in AzureAD And here's the error Traceback (most recent call last): File "test.py", line 21, in <module> account = Account( File ".../account.py", line 133, in __init__ self.version = self.protocol.version File ".../protocol.py", line 470, in version self.config.version = Version.guess(self, api_version_hint=self._api_version_hint) File ".../version.py", line 229, in guess list(ResolveNames(protocol=protocol).call(unresolved_entries=[name])) File ".../services/resolve_names.py", line 52, in _elems_to_objs for elem in elems: File ".../services/common.py", line 212, in _chunked_get_elements yield from self._get_elements(payload=payload_func(chunk, **kwargs)) File ".../services/common.py", line 230, in _get_elements yield from self._response_generator(payload=payload) File ".../services/common.py", line 196, in _response_generator response = self._get_response_xml(payload=payload) File ".../services/common.py", line 310, in _get_response_xml r = self._get_response(payload=payload, api_version=api_version) File ".../services/common.py", line 265, in _get_response r, session = post_ratelimited( File ".../util.py", line 877, in post_ratelimited protocol.retry_policy.raise_response_errors(r) # Always raises an exception File ".../protocol.py", line 689, in raise_response_errors raise UnauthorizedError('Invalid credentials for %s' % response.url) exchangelib.errors.UnauthorizedError: Invalid credentials for https://outlook.office365.com/EWS/Exchange.asmx By the way I've looked into a bunch of different methods of moving email but I'm dealing with a few hundred thousand emails and nothing else will do it in a reasonable time (except IMAP but... its IMAP). Specifically: The web interface doesn't allow selecting and moving more than like 100 emails The outlook desktop app wont move more than about 1000 emails at a time without the move crashing. For some reason using the addon interface with C# was also unstable (I got a test to complete once but it failed like 6 times with no exceptions or anything) The powershell command line thing that you connect to with like Connect-ExchangeOnline doesn't allow you to move individual emails. Microsoft Graph rate limits you at 10,000 email moves per day.PowersHell and Basic authentication
Hi there, I have been trying to get the PowersHell connections to work to Office 365 and current results are: (AD) Connect-AzureAD: Working (Exchange) Connect-EXOPSSession: Not working (Basic authentication is currently disabled...) (Skype) New-csOnlineConnection: Not working (Basic authentication is currently disabled...) Question to you who might know this better: why AzureAD is working while others doesn't? Has AzureAD team done some fixes to their connection and Exchange/Skype team has not? Both of them are asking the MFA credentials, but when I have appoved the authentication request on my phone the error appears. My connections are coming through the proxy and the MFA is enabled on the tenant.
