"connection setup failed" using oAuth for Microsoft Outlook / Exchange #452

Mysterox opened this issue Nov 16, 2023 · 1 comment

Mysterox commented Nov 16, 2023

I am trying to connect to Microsoft Outlook / Exchange.

I am already getting an access token back.
Unfortunately, I always get the message "connection setup failed".
The error is thrown in the "authenticate" function.

// Assumes the webklex/php-imap package installed via Composer
require 'vendor/autoload.php';

use Webklex\PHPIMAP\ClientManager;

$settings = [
    'client_id' => '',
    'client_secret' => '',
    'tenant_id' => '',
    'email' => ''
];

// Request an app-only (client credentials) token from Entra ID
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://login.microsoftonline.com/' . $settings['tenant_id'] . '/oauth2/v2.0/token');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt(
    $ch,
    CURLOPT_POSTFIELDS,
    http_build_query([
        'client_id' => $settings['client_id'],
        'client_secret' => $settings['client_secret'],
        'scope' => 'https://outlook.office365.com/.default',
        'grant_type' => 'client_credentials'
    ])
);
$response = curl_exec($ch);
curl_close($ch);

// The token endpoint answers with JSON; the bearer token is in "access_token"
$access_token = json_decode($response, true)['access_token'] ?? null;

$mails = [];
$cm = new ClientManager();
$client = $cm->make([
    'host' => 'outlook.office365.com',
    'port' => 993,
    'encryption' => 'tls', //ssl
    'validate_cert' => true,
    'username' => $settings['email'],
    'password' => $access_token, // the OAuth access token is passed as the password
    'protocol' => 'imap',
    'authentication' => 'oauth'
]);

// The "connection setup failed" error described above is raised during this call
$client->connect();


These are some parts of the code, unfortunately I could not find a solution so far.

@tiamatloc

Have you created your service principal and mapped that to the mailbox you are trying to access? The token will authenticate you to Azure/Entra, but it will not give you access to the mailboxes themselves (admittedly the authenticate message is a bit misleading). You must create a service principal and map that as delegate access on the target mailbox(es), much like you would if person A goes on vacation and you want to give user B access to A's mailbox (with your application being "person B"). Note that the Object ID you use here is the one from the Enterprise application in Entra, not the app registration!
See here: #264

Note that the guide above says this:
New-ServicePrincipal -AppId <clientId> -ServiceId <objectId>

I recommend this instead:
New-ServicePrincipal -AppId <clientId> -ServiceId <objectId> -DisplayName <something sensible>

The reason being that if you look at the mailbox delegation settings seeing a GUID there instead of a name may alarm others on your team. With a sensible display name you can at least tell what it is.

Finally, some areas of the admin panels won't actually show the service principal on the mailbox delegation settings, making you think it hasn't worked. Use the full Exchange admin panel, or use the PowerShell commands to view your service principals and the mailbox delegation settings.

Get-ServicePrincipal
Get-MailboxPermission -Identity "[email protected]"
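The whole procedure from the comment above in one Exchange Online PowerShell session, as an added example that is not from the issue or the project: register the service principal with a readable display name, delegate one target mailbox to it, and verify the result. The admin account, the mailbox address and the display name are constructed placeholders; `<clientId>` and `<objectId>` are the values described above (the object ID is that of the Enterprise application).

```powershell
# Requires the ExchangeOnlineManagement module and an Exchange administrator
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.test'   # placeholder admin account

$AppId    = '<clientId>'                 # application (client) ID of the app registration
$ObjectId = '<objectId>'                 # object ID of the Enterprise application in Entra
$Mailbox  = 'shared-inbox@example.test'  # constructed placeholder mailbox
$Name     = 'IMAP mail reader (php-imap)' # readable name, so delegation entries are recognisable

# Create the Exchange service principal only if it does not exist yet
$sp = Get-ServicePrincipal | Where-Object { $_.AppId -eq $AppId }
if (-not $sp) {
    $sp = New-ServicePrincipal -AppId $AppId -ServiceId $ObjectId -DisplayName $Name
}

# Delegate exactly the mailbox the application needs; IMAP access requires FullAccess.
# Grant it per mailbox rather than tenant-wide to keep the app's reach minimal.
Add-MailboxPermission -Identity $Mailbox -User $sp.Identity -AccessRights FullAccess -AutoMapping:$false

# Verify from PowerShell rather than the portal, which may not list the principal
Get-ServicePrincipal | Where-Object { $_.AppId -eq $AppId } | Format-List DisplayName, AppId, ObjectId
Get-MailboxPermission -Identity $Mailbox | Where-Object { $_.AccessRights -contains 'FullAccess' } | Format-Table User, AccessRights
```

Run the same `Get-MailboxPermission` check periodically: every service principal with FullAccess on a mailbox is a credential that can read that mailbox, so the list should only contain entries you can name.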
