Microsoft 365 Modern Authentication For Email (OAuth): Difference between revisions

From RangerMSP Wiki - PSA software for MSPs and IT services providers
No edit summary
 
(4 intermediate revisions by the same user not shown)
Line 9: Line 9:


Open your default browser and go to [https://login.microsoftonline.com https://login.microsoftonline.com]
Open your default browser and go to [https://login.microsoftonline.com https://login.microsoftonline.com]


If you are logged in with any of your users, click the user avatar and '''Sign out'''.
If you are logged in with any of your users, click the user avatar and '''Sign out'''.
Line 28: Line 29:
##Specify the ‘'''''To'''''’ email address that will be used for sending the test email message.
##Specify the ‘'''''To'''''’ email address that will be used for sending the test email message.
##Click the ‘Send Test Email Now’ button:<br><br>[[File:Send_test_email_smtp.png]]<br><br>
##Click the ‘Send Test Email Now’ button:<br><br>[[File:Send_test_email_smtp.png]]<br><br>
##Follow the Microsoft 365 flow in your browser to log into your Microsoft 365 using a privileged 365 user, ideally your 365 administrator user.<br><br>Note: if you are already logged into 365 using another non-privileged account, please first log out - before starting the entire test-email process.<br><br> [[File:Ms365_signin.png]]<br><br>
##Follow the Microsoft 365 flow in your browser to log into your Microsoft 365 using the SAME 365 user account that owns the mailbox you are trying to use (i.e., defined as the username in ServerConfig utility).<br />Note: if you are already logged into 365 using another account, please log out - BEFORE starting the entire test-email process. <br /><br> [[File:Ms365_signin.png]] <br><br />[[File:Case1_sample.png]]<br /><br><br>
##The following page is displayed.<br>Click the ‘Accept’ button whenever you are ready to authorize RangerMSP.<br><br>[[File:365_permissions_request.png]]<br>[[File:Authorization_success.png]]<br><br>
##The following page is displayed.<br>Click the ‘Accept’ button whenever you are ready to authorize RangerMSP.<br><br>[[File:365_permissions_request.png]]<br>[[File:Authorization_success.png]]<br><br>
##The SMTP send-email test should show that it completed successfully:<br><br>[[File:Smtp_test_completed.png]]<br><br>
##The SMTP send-email test should show that it completed successfully:<br><br>[[File:Smtp_test_completed.png]]<br><br>
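Review bot: the rewritten sign-in step (the line ending in `[[File:Case1_sample.png]]<br /><br><br>`) mixes `<br />` and `<br>` and ends in three consecutive breaks, while the neighbouring steps use `<br><br>` only; normalize the breaks so the list renders evenly. The Note in the same line repeats the sign-out instruction already given under Prerequisites, so a pointer to Prerequisites would avoid two copies that can drift apart.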
Line 60: Line 61:
#Open your default browser and visit [https://login.microsoftonline.com https://login.microsoftonline.com]. <br> If you are logged in with any 365 user account, click the user avatar and select the Sign out option.<br><br>
#Open your default browser and visit [https://login.microsoftonline.com https://login.microsoftonline.com]. <br> If you are logged in with any 365 user account, click the user avatar and select the Sign out option.<br><br>
#Run RangerMSP’s ServerConfig utility - <br><br>If testing an outbound email failed with the above error - Visit the '''''Outgoing Mail Server''''' tab and click the '''''Send Test Email''''' button.<br><br>If testing an inbound email connection failed with the error above - Visit the '''''Email Connector''''' tab and click the '''''Test Server Settings''''' button.<br><br>
#Run RangerMSP’s ServerConfig utility - <br><br>If testing an outbound email failed with the above error - Visit the '''''Outgoing Mail Server''''' tab and click the '''''Send Test Email''''' button.<br><br>If testing an inbound email connection failed with the error above - Visit the '''''Email Connector''''' tab and click the '''''Test Server Settings''''' button.<br><br>
#If you completed the 365 authorization process using an incorrect 365 account (e.g., you used the already-logged-in account vs. the one owning the mailbox), you need first to use the ServerConfig utility to '''Reset''' the existing authorization. You should now be able to start the authorization process with 365 from scratch.<br><br> [[File:365_auth_reset.png]] <br><br>
#Follow the Microsoft 365 flow in your browser to log into your Microsoft 365.<br>Important: You MUST sign in with the SAME 365 user account that owns the mailbox you are trying to use, and - it should be the SAME one defined in ServerConfig utility.<br><br>[[File:Case1_sample.png]]<br><br>
#Follow the Microsoft 365 flow in your browser to log into your Microsoft 365.<br>Important: You MUST sign in with the SAME 365 user account that owns the mailbox you are trying to use, and - it should be the SAME one defined in ServerConfig utility.<br><br>[[File:Case1_sample.png]]<br><br>
#In case you were not prompted to sign in, and the browser used a previously logged-in user, you should sign out and try again. In case this does not help, clearing the browser cache may be required.
#In case you were not prompted to sign in, and the browser used a previously logged-in user, you should sign out and try again. In case this does not help, clearing the browser cache may be required.
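Review bot: the added Reset step sits after the step that already clicks Send Test Email / Test Server Settings, yet it says the Reset has to be done "first"; move it ahead of that step or word it as "before retrying the test". It also does not say which ServerConfig tab holds the Reset button, which Case 3 gives as Email Connector.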
Line 72: Line 74:


'''<u>Solution:</u>'''
'''<u>Solution:</u>'''
The error means that SMTP authentication is disabled for this mailbox.
The error means that SMTP authentication is disabled for this mailbox.


Line 79: Line 82:


[[File:Smtp_auth.png]]
[[File:Smtp_auth.png]]
==Case 3==
The error is shown in the application or POP3 connection test fails with error:
'''''POP3 needs OAuth2 authentication token'''''
<br>
'''<u>Solution:</u>'''
This error means that 365 requires re-authorization.
#Open your default browser and visit [https://login.microsoftonline.com https://login.microsoftonline.com]. <br> If you are logged in with any 365 user account, click the user avatar and select the '''Sign out''' option.<br><br>
#Run RangerMSP’s ServerConfig utility - visit the '''''Email Connector''''' tab and click the '''''Reset''''' button.<br><br>You should now be able to start the authorization process with 365 from scratch.<br><br> [[File:365_auth_reset.png]] <br><br>
#Follow the Microsoft 365 flow in your browser to log into your Microsoft 365.<br>Important: You MUST sign in with the SAME 365 user account that owns the mailbox you are trying to use, and - it should be the SAME one defined in ServerConfig utility.
#In case you were not prompted to sign in, and the browser used a previously logged-in user, you should sign out and try again. In case this does not help, clearing the browser cache may be required.
<br><br>
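Review bot: in the new Case 3, step 2 names only the Email Connector tab's Reset button, while the opening sentence says the error can also be "shown in the application"; state whether the Outgoing Mail Server authorization needs the same reset. Steps 1, 3 and 4 repeat the Case 1 steps word for word, so a reference to Case 1 would keep the two lists from diverging.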

Latest revision as of 14:26, 3 January 2023

Important: RangerMSP version 30 or above is required for configuring access to Microsoft 365 mail servers using OAuth.



Prerequisites

Open your default browser and go to https://login.microsoftonline.com


If you are logged in with any of your users, click the user avatar and Sign out.


This step is IMPORTANT and will prevent accidentally granting access to the wrong mailbox, e.g., yours.


Configuring RangerMSP with OAuth

To configure RangerMSP to connect to Microsoft 365 mail servers, follow the steps below:

  1. Run <Installation_DIR>\RangerMSP\Server\ServerConfig.exe.

  2. Under the ‘Outgoing Mail Server’ tab, select the option ‘Use OAuth 2 to connect to Microsoft 365’.



  3. You must authorize RangerMSP in Microsoft 365.
    For this to work:
    1. Click the ‘Send Test Email’ button.
    2. Specify the ‘To’ email address that will be used for sending the test email message.
    3. Click the ‘Send Test Email Now’ button:



    4. Follow the Microsoft 365 flow in your browser to log into your Microsoft 365 using the SAME 365 user account that owns the mailbox you are trying to use (i.e., defined as the username in ServerConfig utility).
      Note: if you are already logged into 365 using another account, please log out - BEFORE starting the entire test-email process.






    5. The following page is displayed.
      Click the ‘Accept’ button whenever you are ready to authorize RangerMSP.




    6. The SMTP send-email test should show that it completed successfully:



  4. Under the ‘Email Connector’ tab, configure the same option for inbound email under the ‘Incoming Email Settings’ section.

    Select Use OAuth 2 to connect to Microsoft 365.

    Next - click the ‘Test Server Settings’ button.



    NOTE: If you have not authorized RangerMSP in Microsoft 365 yet, a browser window will open asking you to approve RangerMSP, as explained above.

    A connection attempt to your mailbox at Microsoft 365 will run, and if everything is configured correctly, you will be notified of a successful connection to Microsoft 365 POP3 servers.

  5. Click OK to save your new settings.



  6. Finally, you must RESTART the ‘CRM Server’ Windows service on your server for the changes to apply and take effect immediately.

DONE!

Troubleshooting

Case 1

The browser shows “Successfully connected” however:

POP3 connection test fails with error:

500 -ERR Authentication failure: unknown user name or bad password

And/or SMTP test fails with error:

535 5.7.3 Authentication unsuccessful

This error might show when the username set in the ServerConfig utility for sending emails (SMTP) or receiving emails (POP3) does NOT match the 365 user account that was used for signing into the 365 portal and authenticating RangerMSP access to the mailbox.

Microsoft's website includes detailed information about such errors.



Solution:

  1. Open your default browser and visit https://login.microsoftonline.com.
    If you are logged in with any 365 user account, click the user avatar and select the Sign out option.

  2. Run RangerMSP’s ServerConfig utility -

    If testing an outbound email failed with the above error - Visit the Outgoing Mail Server tab and click the Send Test Email button.

    If testing an inbound email connection failed with the error above - Visit the Email Connector tab and click the Test Server Settings button.

  3. If you completed the 365 authorization process using an incorrect 365 account (e.g., you used the already-logged-in account vs. the one owning the mailbox), you first need to use the ServerConfig utility to Reset the existing authorization. You should now be able to start the authorization process with 365 from scratch.



  4. Follow the Microsoft 365 flow in your browser to log into your Microsoft 365.
    Important: You MUST sign in with the SAME 365 user account that owns the mailbox you are trying to use, and - it should be the SAME one defined in ServerConfig utility.



  5. In case you were not prompted to sign in, and the browser used a previously logged-in user, you should sign out and try again. In case this does not help, clearing the browser cache may be required.
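Why a mismatched account produces the Case 1 errors, as an added example (not RangerMSP code): Microsoft 365 SMTP and POP3 accept OAuth through SASL XOAUTH2, where the client sends the mailbox name together with the token. The sketch below builds that string and compares the configured username with the account named in a token; the claim names, the `contoso.example` addresses and the sample token are assumptions constructed for the demo.

```python
import base64
import json
from typing import Optional

def xoauth2_initial_response(mailbox: str, access_token: str) -> str:
    """SASL XOAUTH2 string: base64 of user=<mailbox>^Aauth=Bearer <token>^A^A."""
    raw = f"user={mailbox}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def token_account(access_token: str) -> Optional[str]:
    """Read the signed-in account from a JWT payload, unverified (troubleshooting only)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        return None
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    # Assumed claim names; which one is present depends on the token version.
    for name in ("upn", "preferred_username", "unique_name"):
        if claims.get(name):
            return str(claims[name])
    return None

def check_mailbox_match(configured_user: str, access_token: str) -> str:
    """Compare the ServerConfig username with the account the token names."""
    account = token_account(access_token)
    if account is None:
        return "unknown: token is not a readable JWT"
    if account.casefold() != configured_user.strip().casefold():
        return f"mismatch: token names {account}, ServerConfig uses {configured_user}"
    return "match"

def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned token used only as demo input."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"

if __name__ == "__main__":
    configured = "support@contoso.example"  # constructed ServerConfig username
    wrong = make_sample_token({"upn": "admin@contoso.example"})
    print(check_mailbox_match(configured, wrong))
    print(xoauth2_initial_response(configured, wrong)[:40] + "...")
```

A "mismatch" result corresponds to the situation Case 1 describes: the browser consent succeeded, but for a different account than the one in the `user=` field.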



Case 2

The browser shows “Successfully connected”; however, testing SMTP by sending a test email fails with the following error -

535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the tenant. Visit https://aka.ms/smtp_auth_disabled for more information.


Solution:

The error means that SMTP authentication is disabled for this mailbox.

This article (also here) explains how to enable SMTP authentication for the whole organization or only for some mailboxes.

The article will guide you to the following settings where the ‘Authenticated SMTP’ option should be selected (see below). After enabling it, try again.

Case 3

The following error is shown in the application, or the POP3 connection test fails with it:

POP3 needs OAuth2 authentication token


Solution:

This error means that 365 requires re-authorization.

  1. Open your default browser and visit https://login.microsoftonline.com.
    If you are logged in with any 365 user account, click the user avatar and select the Sign out option.

  2. Run RangerMSP’s ServerConfig utility - visit the Email Connector tab and click the Reset button.

    You should now be able to start the authorization process with 365 from scratch.



  3. Follow the Microsoft 365 flow in your browser to log into your Microsoft 365.
    Important: You MUST sign in with the SAME 365 user account that owns the mailbox you are trying to use, and - it should be the SAME one defined in ServerConfig utility.
  4. In case you were not prompted to sign in, and the browser used a previously logged-in user, you should sign out and try again. In case this does not help, clearing the browser cache may be required.