Microsoft 365 Modern Authentication For Email (OAuth): Difference between revisions

From RangerMSP Wiki - PSA software for MSPs and IT services providers
Revision as of 09:39, 14 September 2022

Important: RangerMSP version 30 or above is required for configuring access to Microsoft 365 mail servers using OAuth.



Prerequisites

Open your default browser and go to https://login.microsoftonline.com

If you are logged in with any of your users, click the user avatar and Sign out.


This step is IMPORTANT and will prevent accidentally granting access to the wrong mailbox, e.g., yours.


Configuring RangerMSP with OAuth

To configure RangerMSP to connect to Microsoft 365 mail servers, follow the steps below:

  1. Run <Installation_DIR>\RangerMSP\Server\ServerConfig.exe.

  2. Under the ‘Outgoing Mail Server’ tab, select the option ‘Use OAuth 2 to connect to Microsoft 365’.



  3. You must authorize RangerMSP in Microsoft 365.
    For this to work:
    1. Click the ‘Send Test Email’ button.
    2. Specify the ‘To’ email address that will be used for sending the test email message.
    3. Click the ‘Send Test Email Now’ button:



    4. Follow the Microsoft 365 flow in your browser to log into your Microsoft 365 using a privileged 365 user, ideally your 365 administrator user.

      Note: If you are already logged into 365 using another non-privileged account, please log out first, before starting the entire test-email process.



    5. The following page is displayed.
      Click the ‘Accept’ button whenever you are ready to authorize RangerMSP.




    6. The SMTP send-email test should show that it completed successfully:



  4. Under the ‘Email Connector’ tab, configure the same for inbound email under the ‘Incoming Email Settings’ section.

    Select Use OAuth 2 to connect to Microsoft 365.

    Next - click the ‘Test Server Settings’ button.



    NOTE: If you have not authorized RangerMSP in Microsoft 365 yet, a browser window will open asking you to approve RangerMSP, as explained above.

    A connection attempt to your mailbox at Microsoft 365 will run, and if everything is configured correctly, you will be notified of a successful connection to Microsoft 365 POP3 servers.

  5. Click OK to save your new settings.



  6. Finally, you must RESTART the ‘CRM Server’ Windows service on your server for the changes to apply and take effect immediately.

DONE!

Troubleshooting

Case 1

The browser shows “Successfully connected”, however:

POP3 connection test fails with error:

500 -ERR Authentication failure: unknown user name or bad password

And/or SMTP test fails with error:

535 5.7.3 Authentication unsuccessful

This error might appear when the username set in the ServerConfig utility for sending emails (SMTP) or receiving emails (POP3) does NOT match the 365 user account that was used for signing into the 365 portal and authenticating RangerMSP access to the mailbox.

Microsoft's website (https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/fix-issues-with-printers-scanners-and-lob-applications-that-send-email-using-off#fix-issues-with-smtp-client-submission) includes detailed information about such errors.



Solution:

  1. Open your default browser and visit https://login.microsoftonline.com.
    If you are logged in with any 365 user account, click the user avatar and select the Sign out option.

  2. Run RangerMSP’s ServerConfig utility -

    If testing an outbound email failed with the above error - Visit the Outgoing Mail Server tab and click the Send Test Email button.

    If testing an inbound email connection failed with the error above - Visit the Email Connector tab and click the Test Server Settings button.

  3. Follow the Microsoft 365 flow in your browser to log into your Microsoft 365.

    Important: You MUST sign in with the SAME 365 user account that owns the mailbox you are trying to use, and it should be the SAME one defined in the ServerConfig utility.

  4. In case you were not prompted to sign in, and the browser used a previously logged-in user, you should sign out and try again. In case this does not help, clearing the browser cache may be required.



Case 2

The browser shows “Successfully connected”; however, testing SMTP by sending a test email fails with the following error:

535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the tenant. Visit https://aka.ms/smtp_auth_disabled for more information.


Solution: The error means that SMTP authentication is disabled for this mailbox.

This article (https://aka.ms/smtp_auth_disabled; see also https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission) explains how to enable SMTP authentication for the whole organization or only for some mailboxes.

The article will guide you to the settings where the ‘Authenticated SMTP’ option should be selected. After enabling it, try again.
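
The same check and fix can be done from Exchange Online PowerShell. The script below is an added example, not part of the original wiki page or of RangerMSP; it enables SMTP authentication only for the one mailbox RangerMSP uses and leaves the organization-wide setting untouched. It assumes the ExchangeOnlineManagement module is installed, and both addresses are placeholders.

```powershell
# Added example. $AdminUpn and $Mailbox are placeholders: replace them with
# your Exchange administrator and the mailbox defined in ServerConfig.
$AdminUpn = 'admin@example.com'
$Mailbox  = 'support@example.com'

Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# Organization-wide switch: $true means SMTP AUTH is disabled for the tenant.
$tenantDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled

# Per-mailbox switch: $null inherits the tenant value,
# $false enables SMTP AUTH for this mailbox, $true disables it.
$mailboxDisabled = (Get-CASMailbox -Identity $Mailbox).SmtpClientAuthenticationDisabled

$mailboxShown = if ($null -eq $mailboxDisabled) { '<inherits tenant>' } else { $mailboxDisabled }
Write-Host "Tenant  SmtpClientAuthenticationDisabled: $tenantDisabled"
Write-Host "Mailbox SmtpClientAuthenticationDisabled: $mailboxShown"

# The mailbox value, when set, overrides the tenant value.
$effectiveDisabled = if ($null -ne $mailboxDisabled) { $mailboxDisabled } else { $tenantDisabled }

if ($effectiveDisabled) {
    # Enable SMTP AUTH for this mailbox only; other mailboxes keep the
    # tenant default, so the protocol is not opened up organization-wide.
    Set-CASMailbox -Identity $Mailbox -SmtpClientAuthenticationDisabled $false
    Write-Host "SMTP AUTH enabled for $Mailbox. Wait a few minutes, then run 'Send Test Email' again."
}
else {
    Write-Host "SMTP AUTH is already enabled for $Mailbox; error 5.7.139 should not come from this setting."
}

Disconnect-ExchangeOnline -Confirm:$false
```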