(Solved) Microsoft EMAIL OAUTH authentication error on 7.13.2 #9991

Closed
kunanSA opened this issue Mar 17, 2023 · 5 comments
Labels
Area: Emails:Config Issues & PRs related to email configuration Priority:Important Issues & PRs that are important; broken functions, errors - there are workarounds Type:Discussion Issues & PRs related to ongoing discussions

Comments

@kunanSA

kunanSA commented Mar 17, 2023

The configuration provided to connect via OAUTH to Office 365/Azure is not working quite correctly for group accounts.

Expected Behavior

When entering an email account, it is expected to receive a successful login response

Actual Behavior

Testing this group account generates a failed authentication and it is not possible to check emails

LOG ERROR:

Fri Mar 17 15:26:32 2023 [1993][1][FATAL] An Imap error detected: "IMAP open error: Can not authenticate to IMAP server: A0001 NO AUTHENTICATE failed."
Fri Mar 17 15:26:32 2023 [1993][1][FATAL] An Imap error detected: "IMAP open error | debug data"
Fri Mar 17 15:26:32 2023 [1993][1][FATAL] An Imap error detected: "ImapHandler:open: {outlook.office365.com:993\/service=imap\/ssl\/tls\/validate-cert\/secure}INBOX"
Fri Mar 17 15:26:32 2023 [1993][1][FATAL] An Imap error detected: "ImapHandler:open: [email protected]"
Fri Mar 17 15:26:32 2023 [1993][1][FATAL] An Imap error detected: "ImapHandler:open: password is empty: no"
Fri Mar 17 15:26:32 2023 [1993][1][FATAL] An Imap error detected: "ImapHandler:open: 512"
Fri Mar 17 15:26:32 2023 [1993][1][FATAL] An Imap error detected: "IMAP open error | debug data end "
Fri Mar 17 15:26:32 2023 [1993][1][FATAL] ImapHandler trying to use a non valid resource stream.
Fri Mar 17 15:26:32 2023 [1993][1][FATAL] An Imap error detected: "IMAP open error:Can not authenticate to IMAP server: A0001 NO AUTHENTICATE failed."
Fri Mar 17 15:26:32 2023 [1993][1][FATAL] ImapHandler trying to use a non valid resource stream.
Fri Mar 17 15:26:32 2023 [1993][1][FATAL] ImapHandler trying to use a non valid resource stream.
Fri Mar 17 15:26:37 2023 [1993][1][FATAL] An Imap error detected: "IMAP open error: Can not authenticate to IMAP server: A0001 NO AUTHENTICATE failed."
Fri Mar 17 15:26:37 2023 [1993][1][FATAL] An Imap error detected: "IMAP open error | debug data"
Fri Mar 17 15:26:37 2023 [1993][1][FATAL] An Imap error detected: "ImapHandler:open: {outlook.office365.com:993\/service=imap\/ssl\/tls\/validate-cert\/secure}INBOX"
Fri Mar 17 15:26:37 2023 [1993][1][FATAL] An Imap error detected: "ImapHandler:open: [email protected]"
Fri Mar 17 15:26:37 2023 [1993][1][FATAL] An Imap error detected: "ImapHandler:open: password is empty: no"
Fri Mar 17 15:26:37 2023 [1993][1][FATAL] An Imap error detected: "ImapHandler:open: 512"
Fri Mar 17 15:26:37 2023 [1993][1][FATAL] An Imap error detected: "IMAP open error | debug data end "
Fri Mar 17 15:26:37 2023 [1993][1][FATAL] ImapHandler trying to use a non valid resource stream.
Fri Mar 17 15:26:37 2023 [1993][1][FATAL] An Imap error detected: "IMAP open error:Can not authenticate to IMAP server: A0001 NO AUTHENTICATE failed."
Fri Mar 17 15:26:37 2023 [1993][1][FATAL] ImapHandler trying to use a non valid resource stream.
Fri Mar 17 15:26:37 2023 [1993][1][FATAL] ImapHandler trying to use a non valid resource stream.
Fri Mar 17 15:26:42 2023 [1993][1][FATAL] An Imap error detected: "IMAP open error: Can not authenticate to IMAP server: A0001 NO AUTHENTICATE failed."
Fri Mar 17 15:26:42 2023 [1993][1][FATAL] An Imap error detected: "IMAP open error | debug data"
Fri Mar 17 15:26:42 2023 [1993][1][FATAL] An Imap error detected: "ImapHandler:open: {outlook.office365.com:993\/service=imap\/ssl\/tls\/validate-cert\/secure}INBOX"
Fri Mar 17 15:26:42 2023 [1993][1][FATAL] An Imap error detected: "ImapHandler:open: [email protected]"
Fri Mar 17 15:26:42 2023 [1993][1][FATAL] An Imap error detected: "ImapHandler:open: password is empty: no"
Fri Mar 17 15:26:42 2023 [1993][1][FATAL] An Imap error detected: "ImapHandler:open: 512"
Fri Mar 17 15:26:42 2023 [1993][1][FATAL] An Imap error detected: "IMAP open error | debug data end "
Fri Mar 17 15:26:42 2023 [1993][1][FATAL] ImapHandler trying to use a non valid resource stream.
Fri Mar 17 15:26:42 2023 [1993][1][FATAL] An Imap error detected: "IMAP open error:Can not authenticate to IMAP server: A0001 NO AUTHENTICATE failed."
Fri Mar 17 15:26:42 2023 [1993][1][FATAL] ImapHandler trying to use a non valid resource stream.
Fri Mar 17 15:26:42 2023 [1993][1][FATAL] ImapHandler trying to use a non valid resource stream.
Fri Mar 17 15:26:42 2023 [1993][1][FATAL] An Imap error detected: "Can not authenticate to IMAP server: A0001 NO AUTHENTICATE failed."

Steps to Reproduce

  1. Complete the Microsoft OAUTH connection guide (https://docs.suitecrm.com/admin/administration-panel/emails/microsoft-oauth-provider-howto/) Point 2
  2. Enter EXTERNAL OAUTH PROVIDER and create a "Group OAuth Provider" record
  3. Create an "External Oauth Connection" record indicated in the "New group oauth connection" button and complete all the fields (https://docs.suitecrm.com/admin/administration-panel/emails/inboundemail-oauth-howto/ ) Point 2
  4. Set up an email of type Group "New Group Inbound Email Account"
  5. Complete all the data of "Group Inbound Email Account" and press the "Test connection" button

Context

When completing all the steps mentioned to create a group record, you always get a popup indicating "incorrect password", even after completing all the steps mentioned in the suitecrm documentation. It should be noted that we have granted more permissions than those mentioned in the documentation. And it keeps failing anyway.

https://docs.suitecrm.com/admin/administration-panel/emails/microsoft-oauth-provider-howto/

https://docs.suitecrm.com/admin/administration-panel/emails/inboundemail-oauth-howto/

Theme update:

I found in other forums that there is a problem regarding XOAUTH2 for Microsoft accounts. I want to know whether the problem really lies with Microsoft and OAUTH or whether it is a real SuiteCRM problem.

Forum link: https://lab.civicrm.org/dev/core/-/issues/3601

Your Environment

  • SuiteCRM Version used: 7.13.2
  • Browser name and version: Chrome Version 111 (64-bit)
  • Environment name and version: Mariadb +10 PHP 8
  • Operating System and version: Debian 11

Theme update April 17, 2023:
After repeated attempts we were able to get the integration working. First of all, the creator of the App must be the same author of the group credential. Secondly, a 4th permission must be enabled in the Microsoft application (portal.azure.com):

  • email <-- new
  • offline_access
  • IMAP.AccessAsUser.All
  • User.Read

And the third step: whoever creates the group credentials in SuiteCRM must use the same email account that was used to create the permissions app.

I hope you find it useful

@Lehnerr

Lehnerr commented Apr 14, 2023

I have the same issue.

@chris001
Contributor

It's a problem with Microsoft's services: it treats certain permissions as mutually-exclusive. (If you have User.Read permission, then IMAP.AccessAsUser.All does not work.) They fixed it in code here: Stop requesting User.Read permission. Consequently, we can't read the default email address from https://graph.microsoft.com/v1.0/me. Instead, we can use OpenID Connect to determine the email address.
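
A diagnostic sketch of the approach described in the comment above, added here as an example and not taken from the thread, SuiteCRM or CiviCRM: it reads the mailbox address from OpenID Connect ID-token claims instead of Graph `/me`, checks that `IMAP.AccessAsUser.All` is present before IMAP is attempted, and builds the SASL XOAUTH2 string. The function names and sample tokens are constructed; it assumes the access token is a JWT carrying a space-separated `scp` claim.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    # A real client must validate the ID token signature before trusting claims.
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def mailbox_from_id_token(id_token: str) -> str:
    """Take the mailbox address from OpenID Connect claims, not from Graph /me."""
    claims = jwt_claims(id_token)
    address = claims.get("email") or claims.get("preferred_username")
    if not address:
        raise ValueError("no email/preferred_username claim; is the 'email' scope granted?")
    return address


def missing_scopes(access_token: str, required=("IMAP.AccessAsUser.All",)) -> list:
    """Return required delegated scopes absent from the token's 'scp' claim."""
    granted = set(jwt_claims(access_token).get("scp", "").split())
    return [scope for scope in required if scope not in granted]


def xoauth2_string(user: str, access_token: str) -> str:
    """Build the base64 SASL XOAUTH2 initial response sent after AUTHENTICATE."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def constructed_jwt(claims: dict) -> str:
    """Unsigned sample token built for this example; not a real credential."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


SAMPLE_ID_TOKEN = constructed_jwt({"preferred_username": "group-inbox@example.com"})
SAMPLE_GOOD = constructed_jwt({"scp": "IMAP.AccessAsUser.All"})
SAMPLE_BAD = constructed_jwt({"scp": "User.Read"})

if __name__ == "__main__":
    user = mailbox_from_id_token(SAMPLE_ID_TOKEN)
    for name, tok in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, "missing:", missing_scopes(tok))
    print(xoauth2_string(user, SAMPLE_GOOD)[:24] + "...")
```

A token that reports the IMAP scope as missing will produce the same `A0001 NO AUTHENTICATE failed.` response shown in the log, so this check separates a consent problem from a CRM configuration problem.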

@kunanSA kunanSA changed the title Microsoft EMAIL OAUTH authentication error on 7.13.2 (Solved) Microsoft EMAIL OAUTH authentication error on 7.13.2 Apr 17, 2023
@kunanSA
Author

kunanSA commented Apr 17, 2023

> I have the same issue,

After repeated attempts we were able to get the integration working. First of all, the creator of the App must be the same author of the group credential. Secondly, a 4th permission must be enabled in the Microsoft application (portal.azure.com):

  • email <-- new
  • offline_access
  • IMAP.AccessAsUser.All
  • User.Read

And the third step: whoever creates the group credentials in SuiteCRM must use the same email account that was used to create the permissions app.

I hope you find it useful

@kunanSA
Author

kunanSA commented Apr 17, 2023

> It's a problem with Microsoft's services: it treats certain permissions as mutually-exclusive. (If you have User.Read permission, then IMAP.AccessAsUser.All does not work.) They fixed it in code here: Stop requesting User.Read permission. Consequently, we can't read the default email address from https://graph.microsoft.com/v1.0/me. Instead, we can use OpenID Connect to determine the email address.

I'm sorry to inform you that this has nothing to do with suitecrm.

@johnM2401 johnM2401 added Priority:Important Issues & PRs that are important; broken functions, errors - there are workarounds Status:Needs Assessed Needs the core team to assess Area: Emails:Config Issues & PRs related to email configuration Type:Discussion Issues & PRs related to ongoing discussions and removed Status:Needs Assessed Needs the core team to assess labels May 4, 2023
@johnM2401
Contributor

Hey Folks

Thank you all for getting in touch and discussing this!

And thank you @kunanSA for sharing your solution to this.

I'll close this for now, as it has been marked as "Solved".
However, if anyone here is still experiencing these issues after following kunanSA's steps, please feel free to get back in touch and we can re-investigate!
