Re: [Evolution] Office 365 with Multi Factor Authentication and unfriendly Active Directory Admins



On Wed, 2020-10-07 at 20:36 -0400, Paulo Cesar G. Costa wrote:
To clarify my question: based on your tests so far, can Evolution
access the Office 365 Calendar and Address book?

        Hi,
after some months spent on this I realized that the Microsoft Graph API
is useless for real usage in applications like Evolution. I can
read/write some events (recurring events are a problem; to be fair, I
can get to recurring events, but only as individual instances, not
download them and use them offline, which is the natural use by the
evolution-data-server backends), I can read/write some contacts
(distribution lists are a problem), I can read mails (writing custom
messages is nonexistent; anything created on the server is considered a
draft by the server, without a way to preserve the exact content of the
copied message), tasks are in a beta stage and basically don't work,
and I didn't try the memos (they have pretty nice OneNote APIs, but
also complicated). All of those are limitations of the Microsoft Graph
API; it's basically incomparable to the EWS API.

An interesting thing about the Microsoft Graph OAuth2 is that it can
connect to any account, free or company, while the EWS OAuth2 doesn't
let me connect to a free account (the server returns this error:
"AADSTS500201: We are unable to issue tokens from this API version for
a Microsoft account. Please contact the application vendor as they need
to use version 2.0 of the protocol to support this." I understand that
as "use Microsoft Graph API instead", which is not ready for production
in the Evolution environment).

The problem (or an advantage for them) is that the admins are always
involved. They can influence which applications they let into the
company data and which they do not; thus if they do not want to let any
3rd party application in, it will not work.

I have created two test applications. I created one just now, which
asks for EWS permissions only. Its Application ID is:
751cf8be-ca07-484b-9308-fac4b9d85eff
and either with an empty or a filled Tenant ID it says this in the
OAuth2 login page:

   Need admin approval

   GNOME Evolution EWS

   This app may be risky. If you trust this app,
   please ask your admin to grant you access.
   [Learn more] https://aka.ms/RiskBasedConsent

Interestingly, an older Application ID, used with an empty Tenant, but
asking also for a lot of Microsoft Graph API permissions, doesn't
require admin approval. At least not for the same account as I used for
the above Application ID. The second Application ID is:
20460e5d-ce91-49af-a3a5-70b6be7486d1

You can try with your company's tenant ID, which you can find out as
described here:
https://wiki.gnome.org/Apps/Evolution/EWS/OAuth2

For what it's worth, I updated that page yesterday with the steps to
set up the application on the Azure server according to the current
web interface.

        Bye,
        Milan
