Our service is connecting to https://outlook.office365.com using EWS on behalf of an #outlook.com user. We're getting status 403 and the header X-BackEndHttpStatus : 403.
What does it mean?
EWS connections seem to work for other #outlook.com users just fine.
Thank you.
Update Apr'19: What we see is that EWS for #Outlook.com accounts is refusing connections from Heroku/AWS IP addresses. Not sure why.
According to my search, do you have a Authentication with your EWS application.
You could make a authentication with the below link:
Authenticate an EWS application by using OAuth
EWS must have the "Full access to user's mailbox" permission.
If your Outlook account has multi-factor authentication, please refer to this link:
Set up multi-factor authentication for Office 365 users
Related
Recently Microsoft has started to authenticate user with OAuth 2.0 protocol. I have implemented it in Asp.net Core C# and got token.
Now I am able to access mails from main mail Inbox using Mailkit from Microsoft exchange server using OAuth 2.0. But how can I be able to access mails from shared mailbox?
In my code I have mentioned shared mailbox account id.
My code is as follows
Code
Getting exception as "Autheticated but not connected". Please guide
The "Authenticated but not connected" error is unique to Microsoft Exchange IMAP servers and means that your account is not authorized to connect via IMAP.
You will need to be granted permissions for IMAP access by the admin of your tenant.
Need to give shared mailbox permissions to OAuth app as well and shared mailbox will be accessible.
I have question 'bout using EWS with Oauth2.0 Client Credential.
In our directory, there're users with member type and guest type, however, all of our administrators are from Microsoft directory(using v-xxx#microsoft.com) and they are under guest.
My question is if it's possible to use credential client grant type, and use EWS to send email behalf of these guest users?
For now, I tried to use EASendMail sdk to achieve this task. However, whenever I use account within our directory(member type) I get "There is no SMTP email associated" which is what I expected, 'cause we do not have email address associated with these users. But when I tried using (v-xxx#microsoft.com) , "Mailbox does not exist" error is raised.
Thank you.
You can do as long as the app has been granted impersonation permissions. OAuth is supported for the client credential flow(app permissions) & impersonation to do so.
I am trying to list my contacts with 'GET https://graph.microsoft.com/v1.0/me/contacts' and always have 401 (Unauthorized).
My application on apps.dev.microsoft.com has permissions:
Contacts.ReadWrite (both delegated and application permissions)
My client application has authentication scope: https://graph.microsoft.com/Contacts.ReadWrite
Other API like 'me' or 'users' works fine.
I tried to list my contacts using Microsoft Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer) with enabling relevant scopes and it never worked for me. Any hints on how to resolve it are appreciated.
Thank you in advance.
The Microsoft Graph can only access cloud data, so in order to access personal contacts, you need to have an Exchange Online mailbox in Office 365. (reference) From your comment, you don't have an Exchange Online mailbox so unfortunately the /me/contacts endpoint won't work for your users.
I am developing a web app that is supposed to access contact and other information for users with their Outlook or Office 365 accounts and I am having some issues with offline_access to Office365 accounts.
Upon initial authentication the code works fine and I am able to access all I need for both Outlook and Office 365 accounts.
The inconsistency shows up after the initial access token had expired. For Outlook accounts I can always refresh the access token, while for Office 365 accounts the exact same code fails with "400 Bad Request" error.
It feels like there should be something different done for the Office 365 accounts when refreshing access toke but I cannot figure out what.... I am not even sure how to tell if the users have used Otlook vs. Office 365 account I can figure this out later.
The authority URL I use is https://login.microsoftonline.com/common/oauth2/v2.0/token and I thought that perhaps it should be different for Outlook and Office 365 but everything else appears to be working for both account types except for the refresh_token request.
Appreciate your help!
Thanks!
This is weird but the solution to the problem is in making sure the redirect_url parameter used in the refresh token request matches exactly the registered redirect url including the host name.
Amazingly this is true only for Office 365 accounts and only for refresh token requests. It looks like all other APIs for both Outlook and Office 365 accounts do not care about the supplied redirect URL and use whatever was registered for the app instead.
The blog post: Announcing Exchange ActiveSync v16.1 states that:
While not a part of EAS 16.1, we also want to note that both Office 365 and Outlook.com customers can now utilize the OAuth 2.0 protocol for authorization through EAS.
My question is: which scope should I use in the oauth request?
Is there an example, perhaps of the full request?
Note: there was a similar question about using OAuth for Office365 with IMAP, but here I'm specifically asking about ActiveSync. I referenced this question in a comment to one of the answers on that thread.
Secondary problem:
Thanks to Jason's answer and some additional tweaks, we managed to generate oauth token using https://login.windows.net/common/oauth2 but only for office365 users (Organization Accounts) and not to Microsoft users account (live, hotmail, outlook.com...)
The token allows access to both ActiveSync protocol (via https://eas.outlook.com/Microsoft-Server-ActiveSync) and for EWS API (via https://outlook.office365.com/EWS/Exchange.asmx).
Unfortunately we cannot find a way to generate same token for Microsoft online accounts (hotmail, live, outlook.com). We tried using this endpoint: https://login.live.com/oauth20_authorize.srf which allow only activesync and not EWS.
Is there a way to use the same token for both organization and online accounts on both protocols (ActiveSync and EWS)?
Sorry this took so long, but I wasn't aware of this question until today :). You need to register your app as a native application in Azure Active Directory:
Then add the Access mailboxes as the signed-in user via Exchange Web Services (under Office 365 Exchange Online) delegated permission.
NOTE: You cannot register this in the Application Registration Portal (https://apps.dev.microsoft.com), it needs to be registered in the Azure Portal (https://portal.azure.com/), and you need to use the v1 Azure auth endpoints for authorization and token requests.