Office 365 with Multi Factor Authentication and unfriendly Active Directory Admins


Office 365 with Multi Factor Authentication and unfriendly Active Directory Admins

Louis van Dyk
Hi

One of the companies I've been using Evolution-EWS on for years without an issue has decided to move to MFA (Multi Factor Authentication) in order to make things more secure. They've also stated that the only supported environment is to use Outlook for mail.

I've found that changing to the standard URL (https://outlook.office365.com/EWS/Exchange.asmx) allows one to set the authentication type to OAuth2 (Office365). This has a great Help link, but the AD admins were not open to anything other than Outlook and weren't even willing to discuss it.

The question is how can I get the settings I need to make this work?  
- I can find the Tenant ID in various places. (e.g. sign in to portal.azure.com, click on ? for Help and choose Show Diagnostics - the json file it opens shows the Tenant ID.)
- How can I get the APP ID that I must enter? I do not have access to Azure Active Directory or to App Registrations.

Any advice on how to make this work would be greatly appreciated. I would hate to have to use Web Browser Access just for this one account.

Regards,
Louis


_______________________________________________
evolution-list mailing list
[hidden email]
To change your list options or unsubscribe, visit ...
https://mail.gnome.org/mailman/listinfo/evolution-list

Re: Office 365 with Multi Factor Authentication and unfriendly Active Directory Admins

Gnome Evolution - General mailing list
On Tue, 2020-05-26 at 16:11 +0200, Louis van Dyk wrote:
> The question is how can I get the settings I need to make this work?
>
> - I can find the Tenant ID in various places. (e.g. sign in to
> portal.azure.com, click on ? for Help and choose Show Diagnostics -
> the json file it opens shows the Tenant ID.)
> - How can I get the APP ID that I must enter? I do not have access to
> Azure Active Directory or to App Registrations.

        Hi,
if I recall correctly, you cannot. It's the company administrators who
have privileges to create an application in the Azure web interface and
set it up with the tenant. Regular users cannot do it.

It doesn't matter much, because EWS is dead for the Office365 server [1].
Do not worry, the Microsoft Graph API looks promising. It doesn't seem
to know everything that EWS does, but it is also simpler, thus
maybe it'll work. I've just begun to explore what it can do. Some
preliminary testing will be appreciated, as always. I think that the
Graph API is less strict with respect to OAuth2; it seemed to me
that one can use any application (as registered on the Microsoft
server) to use it, including for the free accounts, which makes life
significantly simpler. I will need help to test it first, because these
are just my initial understandings, which can be false, because I have only
begun to explore the API.

If you do not mind, I'll contact you off list with some simple code to
test, once I have any (that would be for the authentication part, to
check my guesses).

        Bye,
        Milan

[1] https://blogs.technet.microsoft.com/exchange/2018/07/03/upcoming-changes-to-exchange-web-services-ews-api-for-office-365/


Re: Office 365 with Multi Factor Authentication and unfriendly Active Directory Admins

Louis van Dyk
Hi Milan

I am more than willing to test. Please go ahead and contact me when you are ready.

Thank you!


Re: Office 365 with Multi Factor Authentication and unfriendly Active Directory Admins

Paulo Cesar G. Costa
Milan,

> > The question is how can I get the settings I need to make this
> > work?
> >
> if I recall correctly, you cannot. It's the company administrators
> who have privileges to create an application in the Azure web
> interface and set it up with the tenant. Regular users cannot do it.
>

My situation is the same since July. The workaround I use is to set a
forward from my university's email to another account and use that
account with Evolution. Yet, it is a hack and for outgoing messages
that require the university account in the sender spot I have to resort
to Outlook online.

> It doesn't matter much, because EWS is dead for the Office365 server
> [1].
> Do not worry, the Microsoft Graph API looks promising. It doesn't
> seem to know everything that EWS does, but it is also simpler,
> thus maybe it'll work. I've just begun to explore what it can do.

Does this apply to Calendar and Address Book? That is, my workaround is
ok for email, but for calendar and to access the global address book I
have to use Outlook online all the time.
To clarify my question: based on your tests so far, can Evolution
access the Office 365 Calendar and Address book?

> Some preliminary testing will be appreciated, as always.
> If you do not mind, I'll contact you off list with some simple code
> to test, once I have any (that would be for the authentication part,
> to check my guesses).

I volunteer to help with testing too in case you need.

Thanks,
Paulo


Re: Office 365 with Multi Factor Authentication and unfriendly Active Directory Admins

Gnome Evolution - General mailing list
On Wed, 2020-10-07 at 20:36 -0400, Paulo Cesar G. Costa wrote:
> To clarify my question: based on your tests so far, can Evolution
> access the Office 365 Calendar and Address book?

        Hi,
after some months spent on this I realized that the Microsoft Graph API
is useless for real usage in applications like Evolution. I can
read/write some events (recurring events are a problem - to be fair, I
can get to recurring events, but only as individual instances, not to
download them and use them offline, which is a natural use by the
evolution-data-server backends), I can read/write some contacts
(distribution lists are a problem), I can read mails (writing custom
messages is nonexistent, anything created on the server is considered a
draft by the server, without a way to preserve the exact content of the
copied message), tasks are in a beta stage and basically don't work,
and I didn't try the memos (they have pretty nice OneNote APIs, but
also complicated). All of these are limitations of the Microsoft Graph
API; it's basically incomparable to the EWS API.

An interesting thing about the Microsoft Graph OAuth2 is that it can
connect to any account, free or company, while the EWS OAuth2 doesn't
let me connect to a free account (the server returns this error:
"AADSTS500201: We are unable to issue tokens from this API version for
a Microsoft account. Please contact the application vendor as they need
to use version 2.0 of the protocol to support this." I understand that
as "use Microsoft Graph API instead", which is not ready for production
in the Evolution environment).

The problem (or an advantage for them) is that the admins are always
involved. They can influence which applications they let in to the
company data and which they do not, thus if they do not want to let any
3rd party application in, it will not work.

I have created two test applications. I created one just now, which
asks for EWS permissions only. Its Application ID is:
751cf8be-ca07-484b-9308-fac4b9d85eff
and either with empty or filled Tenant ID it says this in the OAuth2
login page:

   Need admin approval

   GNOME Evolution EWS

   This app may be risky. If you trust this app,
   please ask your admin  to grant you access.
   [Learn more] https://aka.ms/RiskBasedConsent

Interestingly, an older Application ID, used with an empty Tenant, but
asking also for a lot of Microsoft Graph API permissions, doesn't
require admin approval. At least not for the same account as I used for
the above Application ID. The second Application ID is:
20460e5d-ce91-49af-a3a5-70b6be7486d1

You can try with your company's tenant ID, which you can find out as is
described here:
https://wiki.gnome.org/Apps/Evolution/EWS/OAuth2

For what it's worth, I updated that page yesterday with the steps to
set up the application on the Azure server according to the current web
interface.

        Bye,
        Milan

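Milan's point above, that the tenant and application IDs only get Evolution as far as the consent screen and that the tenant admins decide whether a third-party application is let in, can be illustrated by what an OAuth2 client actually does on the wire. The following is an added example, not Evolution's or evolution-ews's code: it builds the Microsoft identity platform v2.0 authorization request (the "version 2.0 of the protocol" named in the AADSTS500201 message) for a tenant/application pair with PKCE and a state parameter, and classifies the redirect that comes back as an authorization code, an AADSTS error such as an admin-consent refusal, or a state mismatch. The client ID, redirect URI, scope list and both sample redirects are placeholders constructed for the example; the real values come from the application registration that the tenant admins control.

```python
"""Azure AD / Microsoft identity platform v2.0 authorization request and
redirect classification. Added example; not Evolution's code.

Assumptions (placeholders, not real registrations):
  CLIENT_ID, REDIRECT_URI and SCOPES below. The endpoint shape
  https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize is the
  documented v2.0 authorize endpoint.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

# Placeholder values constructed for this example.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # your app registration's Application ID
REDIRECT_URI = "http://localhost:8080/callback"       # must match the registration
SCOPES = ["openid", "offline_access"]                 # resource scopes added by the app


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for PKCE with S256.

    The verifier stays on the client; only the challenge is sent in the
    authorize request, so an intercepted authorization code cannot be
    redeemed without the verifier."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state, code_challenge):
    """Build the v2.0 authorization-code request.

    An empty tenant falls back to the multi-tenant "common" endpoint, which
    mirrors the "empty or filled Tenant ID" cases tried in the thread."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,                      # anti-CSRF binding, checked on return
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL.format(tenant=tenant or "common") + "?" + urlencode(params)


def parse_redirect(redirect_url, expected_state):
    """Classify the redirect the identity provider sent back.

    Returns a dict with "status" of: "state_mismatch" (ignore the response),
    "error" (with the OAuth2 error and the leading AADSTS code, if any),
    "code" (authorization code to exchange at the token endpoint) or
    "unexpected"."""
    query = parse_qs(urlparse(redirect_url).query)
    state = query.get("state", [None])[0]
    if state != expected_state:
        # Never act on a response whose state we did not issue.
        return {"status": "state_mismatch"}
    if "error" in query:
        description = query.get("error_description", [""])[0]
        aadsts = description.split(":")[0] if description.startswith("AADSTS") else None
        return {
            "status": "error",
            "error": query["error"][0],
            "code": aadsts,
            "description": description,
        }
    if "code" in query:
        return {"status": "code", "code": query["code"][0]}
    return {"status": "unexpected"}


# Constructed sample redirects, as a browser would hand them back.
SAMPLE_STATE = "constructed-state-0001"
SAMPLE_OK_REDIRECT = REDIRECT_URI + "?" + urlencode({"code": "0.CONSTRUCTED-CODE", "state": SAMPLE_STATE})
SAMPLE_DENIED_REDIRECT = REDIRECT_URI + "?" + urlencode({
    "error": "access_denied",
    # Text modelled on the admin-consent refusal; constructed for the example.
    "error_description": "AADSTS65001: The user or administrator has not consented "
                         "to use the application with ID '" + CLIENT_ID + "'.",
    "state": SAMPLE_STATE,
})


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print(build_authorize_url("", CLIENT_ID, REDIRECT_URI, SCOPES, SAMPLE_STATE, challenge))
    print(parse_redirect(SAMPLE_OK_REDIRECT, SAMPLE_STATE))
    print(parse_redirect(SAMPLE_DENIED_REDIRECT, SAMPLE_STATE))
    print(parse_redirect(SAMPLE_OK_REDIRECT, "some-other-state"))
```

The state check and PKCE are what a client gets to decide; whether the consent screen ends in a code or in an "admin approval" error is decided by the tenant's consent policy, exactly as the thread concludes, and the classifier above only makes that outcome explicit to the user instead of leaving a silent failure.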

Re: Office 365 with Multi Factor Authentication and unfriendly Active Directory Admins

Louis van Dyk
On Thu, 2020-10-08 at 09:24 +0200, Milan Crha via evolution-list wrote:
> I have created two test applications. I created one just now, which
> asks for EWS permissions only. Its Application ID is:
> 751cf8be-ca07-484b-9308-fac4b9d85eff
>
> The second Application ID is:
> 20460e5d-ce91-49af-a3a5-70b6be7486d1
>

Hi Milan

I got very excited when trying the Application ID as I was presented
with the Corporate login screen, and even approved the login using the
Microsoft Authenticator App on my phone.  But sadly, for BOTH of the
Application IDs above, I got the message:

   Need admin approval
   
GNOME Evolution EWS
GNOME Evolution EWS needs permission to access resources in your
organization that only an admin can grant. Please ask an admin to
grant permission to this app before you can use it.

Have an admin account? Sign in with that account
Return to the application without granting consent

So, sadly, the hunt must continue.  How I wish there was an application
ID we could use that didn't care that we were coming from Evolution!

Thanks for all your efforts,
Louis



Re: Office 365 with Multi Factor Authentication and unfriendly Active Directory Admins

Louis van Dyk

On Thu, 2020-10-08 at 22:39 +0200, Louis van Dyk wrote:

> On Thu, 2020-10-08 at 09:24 +0200, Milan Crha via evolution-list
> wrote:
> > I have created two test applications. I created one just now, which
> > asks for EWS permissions only. Its Application ID is:
> > 751cf8be-ca07-484b-9308-fac4b9d85eff
> >
> > The second Application ID is:
> > 20460e5d-ce91-49af-a3a5-70b6be7486d1
> >
>
> Hi Milan
>
> I got very excited when trying the Application ID as I was presented
> with the Corporate login screen, and even approved the login using
> the
> Microsoft Authenticator App on my phone.  But sadly, for BOTH of the
> Application IDs above, I got the message:
>
>    Need admin approval
>    
> GNOME Evolution EWS
> GNOME Evolution EWS needs permission to access resources in your
> organization that only an admin can grant. Please ask an admin to
> grant permission to this app before you can use it.
>
> Have an admin account? Sign in with that account
> Return to the application without granting consent
>
> So, sadly, the hunt must continue.  How I wish there was an
> application
> ID we could use that didn't care that we were coming from Evolution!
>
> Thanks for all your efforts,
> Louis
>

I clicked send too quickly: my evolution-ews version is
        evolution-ews-3.36.5-1.fc32.x86_64


Re: Office 365 with Multi Factor Authentication and unfriendly Active Directory Admins

Gnome Evolution - General mailing list
On Thu, 2020-10-08 at 22:57 +0200, Louis van Dyk wrote:
> I clicked send too quickly: my evolution-ews version is
>         evolution-ews-3.36.5-1.fc32.x86_64

        Hi,
not really too quickly; the problem you see fully depends on your
organization administrators. As I said earlier, they have all of this
under their control. Either they want to allow an application or they
do not want to do that. There's nothing else anyone from the outer
world can do about it (well, I guess the Microsoft Outlook Application ID
is "approved by default"; I do not even know whether it can be
disapproved, but that's another story).
        Bye,
        Milan
