
(O365Modern quit working) question

Open boldcompany opened this issue 2 years ago • 2 comments

We had an instance of DavMail working perfectly on a server, connecting to https://outlook.office365.com/EWS/Exchange.asmx using davmail.mode=O365Modern. This worked with no issues for many months.

Recently it seems O365 is enforcing phone checks, etc. during logins. Since this happened, we get the following error trying to use DavMail: Authentication failed: invalid user or password

Obviously this seems tied to the O365 changes.

We tried the suggested workaround:

davmail.oauth.clientId=d3590ed6-52b3-4102-aeff-aad2292ab01c
davmail.oauth.redirectUri=urn:ietf:wg:oauth:2.0:oob

...but this achieved the same result.

Is there any current workaround in this situation, where we need DavMail to run on a server with no manual interaction?

boldcompany avatar Aug 28 '23 02:08 boldcompany

Phone checks mean you have MFA enabled. I would strongly suggest you add Microsoft Authenticator as an authentication factor on your account; SMS by phone is not secure enough.

Then switch to O365Interactive or O365Manual to validate you can authenticate with MFA.

I also need to simplify the authentication modes:

  • EWS: for on prem Exchange
  • O365: EWS on O365; may have to deprecate this one, as basic authentication is now disabled on (almost?) all tenants
  • O365Modern: fully automated OIDC authentication, working when MFA is not enabled, and used to work with MS Authenticator... however, now that number matching is enforced, fully transparent auth with MFA is no longer an option. You may be able to grab the number matching number in logs, but this is not practical
  • O365Interactive: O365 authentication with embedded browser, will work with most MFAs but not when workplace join is enforced
  • O365Manual: Fallback for interactive authentication, use your own browser to authenticate

mguessan avatar Sep 29 '23 09:09 mguessan

> Phone checks mean you have MFA enabled. I would strongly suggest you add Microsoft Authenticator as an authentication factor on your account; SMS by phone is not secure enough.

Isn't Microsoft Authenticator a proprietary application? I think many users are using DavMail precisely to limit their use of proprietary software.

> O365Modern: fully automated OIDC authentication, working when MFA is not enabled

Do you mean that O365Modern doesn't work with MFA? Because this is contradicted by the "Is Office 365 modern authentication / MFA supported ?" section of the FAQ, which says, "O365Modern: same logic as O365Interactive, but use client provided credentials for Oauth negotiation, trigger PhoneApp MFA check transparently".

logological avatar Feb 13 '24 19:02 logological