Microsoft 365 Modern Authentication For Email (OAuth)
Latest revision as of 14:26, 3 January 2023
Important: RangerMSP version 30 or above is required for configuring access to Microsoft 365 mail servers using OAuth.
Prerequisites
Open your default browser and go to https://login.microsoftonline.com
If you are logged in with any of your users, click the user avatar and Sign out.
This step is IMPORTANT and will prevent accidentally granting access to the wrong mailbox, e.g., yours.
Configuring RangerMSP with OAuth
To configure RangerMSP to connect to Microsoft 365 mail servers, follow the steps below:
- Run <Installation_DIR>\RangerMSP\Server\ServerConfig.exe.
- Under the ‘Outgoing Mail Server’ tab, select the option ‘Use OAuth 2 to connect to Microsoft 365’.
- You must authorize RangerMSP in Microsoft 365. For this to work:
  - Click the ‘Send Test Email’ button.
  - Specify the ‘To’ email address that will be used for sending the test email message.
  - Click the ‘Send Test Email Now’ button.
  - Follow the Microsoft 365 flow in your browser to log into your Microsoft 365 using the SAME 365 user account that owns the mailbox you are trying to use (i.e., defined as the username in ServerConfig utility).
    Note: if you are already logged into 365 using another account, please log out - BEFORE starting the entire test-email process.
  - The following page is displayed. Click the ‘Accept’ button whenever you are ready to authorize RangerMSP.
  - The SMTP send-email test should show that it completed successfully.
- Under the ‘Email Connector’ tab, you configure the same for inbound email under the ‘Incoming Email Settings’ section.
  Select Use OAuth 2 to connect to Microsoft 365.
  Next - click the ‘Test Server Settings’ button.
  NOTE: If you have not authorized RangerMSP in Microsoft 365 yet, a browser window will open asking you to approve RangerMSP, as explained above.
  A connection attempt to your mailbox at Microsoft 365 will run, and if everything is configured correctly, you will be prompted about a successful connection to Microsoft 365 POP3 servers.
- Click OK to save your new settings.
- Finally, you must RESTART the ‘CRM Server’ Windows service on your server for the changes to apply and take effect immediately.
DONE!
Troubleshooting
Case 1
The browser shows “Successfully connected”, however:
POP3 connection test fails with error:
500 -ERR Authentication failure: unknown user name or bad password
And/or SMTP test fails with error:
535 5.7.3 Authentication unsuccessful
This error might show when the username set in the ServerConfig utility for sending emails (SMTP) or receiving emails (POP3) does NOT match the 365 user account that was used for signing into the 365 portal and authorizing RangerMSP access to the mailbox.
Microsoft's website (https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/fix-issues-with-printers-scanners-and-lob-applications-that-send-email-using-off#fix-issues-with-smtp-client-submission) includes detailed information about such errors.
Solution:
- Open your default browser and visit https://login.microsoftonline.com.
  If you are logged in with any 365 user account, click the user avatar and select the Sign out option.
- Run RangerMSP’s ServerConfig utility:
  If testing an outbound email failed with the above error - Visit the Outgoing Mail Server tab and click the Send Test Email button.
  If testing an inbound email connection failed with the error above - Visit the Email Connector tab and click the Test Server Settings button.
- If you completed the 365 authorization process using an incorrect 365 account (e.g., you used the already-logged-in account vs. the one owning the mailbox), you need first to use the ServerConfig utility to Reset the existing authorization. You should now be able to start the authorization process with 365 from scratch.
- Follow the Microsoft 365 flow in your browser to log into your Microsoft 365.
  Important: You MUST sign in with the SAME 365 user account that owns the mailbox you are trying to use, and - it should be the SAME one defined in ServerConfig utility.
- In case you were not prompted to sign in, and the browser used a previously logged-in user, you should sign out and try again. In case this does not help, clearing the browser cache may be required.
Case 2
The browser shows “Successfully connected”; however, testing SMTP by sending a test email fails with the following error:
535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the tenant. Visit https://aka.ms/smtp_auth_disabled for more information.
Solution:
The error means that SMTP authentication is disabled for this mailbox.
This article (https://aka.ms/smtp_auth_disabled; also https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission) explains how to enable SMTP authentication for the whole organization or only for some mailboxes.
The article will guide you to the settings where the ‘Authenticated SMTP’ option should be selected. After enabling it, try again.
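The same Case 2 check and fix can be done from Exchange Online PowerShell, scoped to the single mailbox RangerMSP uses so the tenant-wide default stays as it is. This is an added example, not part of the original page or of RangerMSP; it assumes the ExchangeOnlineManagement module and an Exchange administrator account, and the mailbox address is a placeholder.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an
# Exchange administrator sign-in.
$Mailbox = 'rangermsp-mail@example.com'   # placeholder: the mailbox set in ServerConfig

Connect-ExchangeOnline

# Tenant-wide switch: True means SMTP AUTH is off for every mailbox
# that does not carry its own override.
$orgDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled

# Per-mailbox switch: $null = inherit the tenant setting,
# $true = disabled for this mailbox, $false = enabled for this mailbox.
$mbxDisabled = (Get-CASMailbox -Identity $Mailbox).SmtpClientAuthenticationDisabled

# Work out what actually applies to this mailbox.
$effectiveDisabled = if ($null -eq $mbxDisabled) { $orgDisabled } else { $mbxDisabled }
"Tenant disabled: $orgDisabled; mailbox override: $mbxDisabled; effective: $effectiveDisabled"

if ($effectiveDisabled) {
    # Enable SMTP AUTH for this one mailbox only; the tenant default is not changed.
    Set-CASMailbox -Identity $Mailbox -SmtpClientAuthenticationDisabled $false

    # Confirm the override is now False for the mailbox.
    Get-CASMailbox -Identity $Mailbox | Format-List Name, SmtpClientAuthenticationDisabled
}

Disconnect-ExchangeOnline -Confirm:$false
```

After the change, rerun the ‘Send Test Email’ step in ServerConfig; the new setting may take some time to apply.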
Case 3
An error is shown in the application, or the POP3 connection test fails with the error:
POP3 needs OAuth2 authentication token
Solution:
This error means that 365 requires re-authorization.
- Open your default browser and visit https://login.microsoftonline.com.
  If you are logged in with any 365 user account, click the user avatar and select the Sign out option.
- Run RangerMSP’s ServerConfig utility - visit the Email Connector tab and click the Reset button.
  You should now be able to start the authorization process with 365 from scratch.
- Follow the Microsoft 365 flow in your browser to log into your Microsoft 365.
  Important: You MUST sign in with the SAME 365 user account that owns the mailbox you are trying to use, and - it should be the SAME one defined in ServerConfig utility.
- In case you were not prompted to sign in, and the browser used a previously logged-in user, you should sign out and try again. In case this does not help, clearing the browser cache may be required.