oAuth 2.0 and Microsoft Office 365 Exchange #619

Closed
freescout-helpdesk opened this issue May 21, 2020 · 14 comments

@freescout-helpdesk
Contributor

freescout-helpdesk commented May 21, 2020

In G Suite, according to this, App Passwords will continue to work after oAuth 2.0 is enforced in G Suite.

The situation with App Passwords and enforcing oAuth in Microsoft Office 365 Exchange is not so clear yet.

So if you are using Microsoft Office 365 Exchange, please try to clarify with their support and let us know if it will be possible to use App Passwords for IMAP authentication after October 13th, 2020, when they enforce oAuth 2.0 authentication (or Modern Authentication as they call it).

It may happen that FreeScout still will not support oAuth after October 13th, 2020 (see this).

Also see post in our blog: https://medium.com/@freescout/oauth-2-0-g-suite-microsoft-365-and-php-7da16ca74314

@freescout-helpdesk
Contributor Author

freescout-helpdesk commented May 21, 2020

For now it does look like App Passwords will not work in Microsoft 365 after Microsoft 365 enforces oAuth 2.0. So it would be good to know if someone is actually using FreeScout with Microsoft 365 to find a way to proceed with this. Please reply below.

@matsn0w

matsn0w commented Sep 27, 2020

Oh dear. I found a solution!

TL;DR

Give the shared mailbox's user (same alias) a password by 'resetting' it. Use that to authenticate. Done!

What?

Let me explain the background. When creating a shared mailbox, Exchange assigns a 'user' to it with the same alias. So when I, for example, create a shared mailbox called [email protected], Exchange will create a user called info with the same mail address. Obviously, you can't login to this user because it has no password. Until... you give it one!

How do I do this?

  1. Make sure you've got a shared mailbox. (duh)
  2. Log in to the Microsoft 365 Admin Center. You must be an admin to do so. (admin.microsoft.com)
  3. Go to Users > Active users and select the user with the same mail address (aka 'alias' or 'UPN') as your shared mailbox.
  4. Click Reset password and select Let me create the password and enter the desired password. Save it.
  5. You're done!

You can now enter the shared mailbox as username and the password in FreeScout's mailbox connection settings and it'll connect!

You can thank me later ;)

Greetz from Holland!
matsn0w

@freescout-helpdesk
Contributor Author

Thanks for the solution.

@TheNerdSquad

Hey so when looking at this I realized that maybe the following was not known?
So when Microsoft did what they did, instead of removing the ability altogether, they actually disabled the setting for Authenticated SMTP.

You can still send via Microsoft Authenticated SMTP without OAuth at all.

You just need to enable the setting for the mailbox in question; then I personally also add a connector within the Exchange Admin console in order to ensure that the system does not reject any items coming from my FreeScout server.

So the only issue I have ever dealt with regarding this is the fact that you might have to retry a number of times until it works, but you can still use app passwords and normal account passwords as well. I just set this up the other day for a client so he could send via a different app. It failed like 9 times, but then worked and authenticated on the 10th. About 2 months prior, I contacted Microsoft regarding the inability to send SMTP, as it was a month ahead of their deadline.

They told the above info to me and then noted a tech article regarding just a simple retry required to go through.

So I use an app password on a shared or non-shared email and have no problems at all, but the email must be hosted with Microsoft.

Seems they finally worked an article up, or at least the community might have. But this trick has been that way for a little bit now, as people with older copiers freaked out at Microsoft, so they made it a setting instead; you can adjust it via the admin console or use the PowerShell Exchange Online Module if wanted. Personally it seems to work best with PowerShell, but also do not forget that connector in Exchange:
https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission

Currently I am using Freescout like the above. :-) Not sure if this helps or not, but was not sure where else to place this.
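
The per-mailbox SMTP AUTH setting described in the comment above, as an added example that is not part of the original thread. It uses the Exchange Online PowerShell module; `helpdesk@example.com` is a placeholder mailbox. Besides enabling the setting for one mailbox, it lists every mailbox where SMTP AUTH is effectively allowed, so the exception stays limited to the helpdesk mailbox.

```powershell
# Requires the ExchangeOnlineManagement module and an Exchange admin account.
# 'helpdesk@example.com' is a placeholder, not an address from the thread.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$Mailbox = 'helpdesk@example.com'

# Organization-wide default: $true means SMTP AUTH is off unless a mailbox overrides it.
$orgDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled
"Org-wide SmtpClientAuthenticationDisabled: $orgDisabled"

# Per-mailbox override: $null inherits the org default, $false allows SMTP AUTH, $true blocks it.
Set-CASMailbox -Identity $Mailbox -SmtpClientAuthenticationDisabled $false

# Confirm the override and see which legacy protocols the mailbox still accepts.
Get-CASMailbox -Identity $Mailbox |
    Format-List PrimarySmtpAddress, ImapEnabled, PopEnabled, SmtpClientAuthenticationDisabled

# Audit: every mailbox where SMTP AUTH is effectively allowed (own override or inherited default).
Get-CASMailbox -ResultSize Unlimited |
    Select-Object PrimarySmtpAddress, ImapEnabled, PopEnabled, SmtpClientAuthenticationDisabled,
        @{ Name = 'SmtpAuthEffective'; Expression = {
            if ($null -eq $_.SmtpClientAuthenticationDisabled) { -not $orgDisabled }
            else { -not $_.SmtpClientAuthenticationDisabled }
        } } |
    Where-Object { $_.SmtpAuthEffective } |
    Sort-Object PrimarySmtpAddress |
    Format-Table -AutoSize
```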

@richhickson

> Oh dear. I found a solution!
>
> TL;DR
>
> Give the shared mailbox's user (same alias) a password by 'resetting' it. Use that to authenticate. Done!
>
> What?
>
> Let me explain the background. When creating a shared mailbox, Exchange assigns a 'user' to it with the same alias. So when I, for example, create a shared mailbox called [email protected], Exchange will create a user called info with the same mail address. Obviously, you can't login to this user because it has no password. Until... you give it one!
>
> How do I do this?
>
> 1. Make sure you've got a shared mailbox. (duh)
> 2. Log in to the Microsoft 365 Admin Center. You must be an admin to do so. (admin.microsoft.com)
> 3. Go to Users > Active users and select the user with the same mail address (aka 'alias' or 'UPN') as your shared mailbox.
> 4. Click **Reset password** and select **Let me create the password** and enter the desired password. Save it.
> 5. You're done!
>
> You can now enter the shared mailbox as username and the password in FreeScout's mailbox connection settings and it'll connect!
>
> You can thank me later ;)
>
> Greetz from Holland!
> matsn0w

Seems this no longer works. Just tried it. Can you confirm if it is still working for you?
Thanks

@matsn0w

matsn0w commented Apr 2, 2021

> Seems this no longer works. Just tried it. Can you confirm if it is still working for you?
> Thanks

Hi Rich,

Yes, this is still working for me. Are you getting errors?

@richhickson

> > Seems this no longer works. Just tried it. Can you confirm if it is still working for you?
> > Thanks
>
> Hi Rich,
>
> Yes, this is still working for me. Are you getting errors?

Thanks for replying @matsn0w

I setup a new shared mailbox and I get this error when using SSL:

imap_open(): Couldn't open stream {outlook.office365.com:993/imap/ssl}. Retrying PLAIN authentication after AUTHENTICATE failed.; Retrying PLAIN authentication after AUTHENTICATE failed.; Can not authenticate to IMAP server: AUTHENTICATE failed.

and this when using TLS

imap_open(): Couldn't open stream {outlook.office365.com:993/imap/tls}. [CLOSED] IMAP connection broken (server response)

@ingoldsby

> > > Seems this no longer works. Just tried it. Can you confirm if it is still working for you?
> > > Thanks
> >
> > Hi Rich,
> > Yes, this is still working for me. Are you getting errors?
>
> Thanks for replying @matsn0w
>
> I setup a new shared mailbox and I get this error when using SSL:
>
> imap_open(): Couldn't open stream {outlook.office365.com:993/imap/ssl}. Retrying PLAIN authentication after AUTHENTICATE failed.; Retrying PLAIN authentication after AUTHENTICATE failed.; Can not authenticate to IMAP server: AUTHENTICATE failed.
>
> and this when using TLS
>
> imap_open(): Couldn't open stream {outlook.office365.com:993/imap/tls}. [CLOSED] IMAP connection broken (server response)

I get this error on a new setup as well. Any suggestions or anything that has worked?

@TheNerdSquad

You turn on SMTP Authentication for that account?
Also whitelist the IP itself that is sending the email in 365. Also, their magnificent help tech article I stumbled on at some point during this SMTP auth stuff they are doing said that you needed to try numerous times, as according to Microsoft "It might not work the first time or even second, keep trying until you get it working", which worked even for the GMail link SMTP to Office 365 for a client I had to migrate.
Within FreeScout I was even able to get a verified send from the account hooked into Office 365 with the S/MIME addon and a bit of Exchange Online PowerShell commands.
Also, sometimes it is easier to use an email account, then Send As permissions of the shared email, or to create a generic basic user and pay the license for it each month, but still the above must be done most of the time as far as I know. I always, for Gmail or FreeScout or a printer, have to turn on the SMTP authentication for that account.

@richhickson

I never did get it working properly.

I did get it receiving emails, but I had to purchase a basic M365 account to enable the mailbox for some reason.
I then send emails via AuthSMtp.com.

But then I have another FreeScout helpdesk and that works perfectly sending/receiving via M365 (but again needed a base license on the account).

@ingoldsby

I was unable to turn on SMTP Authentication for the account. As it was a group mailbox I had issues with that part of it.

I ended up getting it working after an hour of playing around with stuff this morning. I checked the user account that had been created from the group mailbox process. It had the alias ([email protected]) as the main username. I changed that to be [email protected] instead but also reset the password (3rd time) again. I got the receiving working but am using sending via AWS SES.

I was going to purchase a licence and assign it to that if it didn't work after the above, but it did for me. I believe it was the email alias not being 100% correct.

@jeliasson

Just my two cents;

To my knowledge, shared mailboxes in Office 365 do not allow users to connect directly to them using username (email address) and password. The mailbox is shown/exposed to the user with access in the supported applications, such as Outlook.

To connect to a mailbox using username and password, it needs to be assigned an appropriate license. One of the cheaper ones would be Exchange Online Plan 1.

@matsn0w

matsn0w commented Nov 24, 2021

@jeliasson you won't believe it, but it actually works. I know it's strange, but I think Exchange handles a shared mailbox as a 'user', just without a login. They are even listed in the Users overview in the MS Admin panel. Pretty ugly.
