O365 Connection issues with MFA

Hi,

I’ve got a situation where I need to connect a server application to O365 with OAuth 2 and MFA.
I’ve been trying all kinds of different ways but none of them work.

ROPC connection fails with AADSTS50076 before I even get to the Aspose part, and Client Credentials way fails with “The SMTP address has no mailbox associated with it” when I try to use EWSClient.GetClient.

Attached here are different permissions I tried giving my application:
image.png (22.2 KB)

I’m lost here, please help me understand what’s wrong here. This is very urgent seeing as Microsoft is disabling basic authentication in two weeks.
Thanks in advance!

Edit:
It would seem that it was an error on my part and the user was missing a mailbox, after sorting that out and adding “full_access_as_app” for EWS and “Mail.ReadWrite”/“Mail.Send” for Microsoft.Graph - it seems Client Credentials connection works for both ways.

Now the only question I have left is whether there’s a way to make GraphClient work with ROPC & MFA?

@eyaldar

Please read the following detail to login into Office 365 account using Modern Authentication. Hope this helps you.

How To Enable or disable modern authentication

To use modern authentication, make sure that it is enabled. Modern authentication is enabled by default in Exchange Online. For tenants created before August 1, 2017, modern authentication is turned off by default.
In the Microsoft 365 admin center at https://admin.microsoft.com, go to Settings > Org Settings > Modern Authentication. In the Modern authentication flyout that appears, you can identify the protocols that no longer require Basic authentication.
For new Office 365 tenants in Azure, Basic Authentication is disabled by default for all applications. In this case, the following text will be displayed in this section:

Your organization has security defaults enabled, which means modern authentication to Exchange Online is required, and basic authentication connections are blocked. You must turn off security defaults in the Azure portal before you can change any settings here.

You can enable Basic Auth support for the tenant from the Azure portal (Azure Active Directory → Properties → Manage Security defaults → Enable Security defaults = No).
For more information, see the documentation on Enable or disable modern authentication for Outlook in Exchange Online | Microsoft Learn

How To use modern authentication with EwsClient

To use modern authentication with EwsClient the following is required:

  1. App registration with Azure Active Directory.
  2. Adding code to get an authentication token from a token server.
  3. Using the token to authenticate.

Note: There are two types of permissions that can be used to access EWS. Choose a specific type of permission, depending on the app you are creating:

  • Delegated permissions are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests. In other words, when you connect to the service, a dialog window will appear to enter username and password. App can never have more privileges than the signed-in user.
  • Application permissions are used by apps that run without a signed-in user present, for example, apps that run as background services or daemons. Only an administrator can consent to application permissions.

Refer to Microsoft documentation for more information: Authenticate an EWS application by using OAuth | Microsoft Learn

App registration with Azure Active Directory

The registration procedure depends on the type of permission selected. To register your app, refer to the Microsoft documentation:

You can download the full code example for modern authentication with the IMAP and SMTP clients from here: EWSModernAuthenticationImapSmtp.zip (3.9 KB)

You can also download full code examples to use different permission types of modern authentication with EWS client from here:

With Delegated authentication - EWSModernAuthenticationDelegated.zip (3.6 KB)
With Application authentication - EWSModernAuthenticationApp.zip (3.4 KB)
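The three steps above (app registration, acquiring a token, passing it to the client) and the configuration the original poster's edit describes (application permission `full_access_as_app`, and a user that actually has a mailbox) come together in the example below. This is an added illustration, not Aspose's sample code or the downloadable examples referenced above; it assumes the NuGet packages Aspose.Email and Microsoft.Identity.Client (MSAL.NET), and the tenant id, client id, mailbox address and environment variable name are placeholders.

```csharp
// Added example (not Aspose's own sample): client-credentials (application permission)
// access to an Exchange Online mailbox through Aspose.Email's EWSClient.
// Assumes NuGet packages Aspose.Email and Microsoft.Identity.Client.
using System;
using System.Threading.Tasks;
using Aspose.Email.Clients;
using Aspose.Email.Clients.Exchange.WebService;
using Microsoft.Identity.Client;

public static class EwsAppAuthExample
{
    // Placeholder values: replace with the details of your own app registration.
    const string TenantId = "<tenant-id>";
    const string ClientId = "<application-client-id>";

    // With application permissions the app must name the mailbox it acts on.
    // This has to be an existing, licensed mailbox; otherwise EWS answers
    // "The SMTP address has no mailbox associated with it".
    const string Mailbox = "user@example.com";

    // For application permissions the scope is the resource's /.default; the concrete
    // permission (here full_access_as_app) is whatever the registration was granted.
    static readonly string[] EwsScopes = { "https://outlook.office365.com/.default" };

    public static async Task<string> AcquireAppTokenAsync()
    {
        // The client secret is read from the environment (placeholder variable name),
        // never hard-coded in source or checked into version control.
        string clientSecret = Environment.GetEnvironmentVariable("EWS_CLIENT_SECRET")
            ?? throw new InvalidOperationException("EWS_CLIENT_SECRET is not set");

        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(ClientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();

        // Client credentials flow: no signed-in user, so no MFA challenge is involved.
        AuthenticationResult result = await app.AcquireTokenForClient(EwsScopes).ExecuteAsync();
        return result.AccessToken;
    }

    public static async Task Main()
    {
        string token = await AcquireAppTokenAsync();

        // OAuthNetworkCredential(mailbox, token): the first argument selects the mailbox
        // the application accesses, the second is the bearer token from MSAL.
        var credential = new OAuthNetworkCredential(Mailbox, token);
        using IEWSClient client = EWSClient.GetEWSClient(
            "https://outlook.office365.com/EWS/Exchange.asmx", credential);

        // A successful call here confirms both the token and the mailbox resolution.
        Console.WriteLine($"Connected to mailbox: {client.MailboxInfo.MailboxUri}");
    }
}
```

Two points worth keeping in mind with this setup. First, `full_access_as_app` grants the registration access to every mailbox in the tenant, so the client secret should be treated as a tenant-wide credential (rotate it, keep it out of source, and prefer a certificate or managed identity where the hosting platform allows). Second, on the ROPC question raised in the thread: the resource owner password flow sends only a username and password and has no way to complete an MFA challenge, which is what AADSTS50076 reports; for a user who must satisfy MFA, the supported pattern is an interactive sign-in (authorization code or device code flow) once, with MSAL's token cache and `AcquireTokenSilent` used for subsequent unattended runs, or the application-permission flow shown above if no user context is needed.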

Hi,

Thank you for responding!
I went over the provided code and it’s not exactly what I’m trying to achieve. I was able to implement those ways, but what I’m trying to figure out is whether it’s possible to connect with an ROPC connection silently when MFA is set on (i.e. without user interaction).

Thanks again

@eyaldar

We have added a ticket for your case in our issue tracking system. We will inform you via this forum thread once there is an update available on it.

We apologize for your inconvenience.

@eyaldar

The ticket ID for your case is EMAILNET-40723.