Modern Authentication

[timbauer132]

Hi! I love this script and have been using it for months without any problems. But unfortunately it doesn't work since a couple of days. I think this is due to the type of authentication which is used. Since Oct 1st, MS set the "modern" authentication as requirement for lots of things.

At the moment, the script fails on the following line: $CalendarFolder = [Microsoft.Exchange.WebServices.Data.CalendarFolder]::Bind($service, [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Calendar); -> Error 401.

I just ran a connectivity test via https://testconnectivity.microsoft.com/tests/O365EwsAccess/input . When I run the test with my username and password, a specified target mailbox and "Calendar" as target folder I get:

• The same error when using the standard authentication
• No error when using OAuth -> So I guess the script has to be changed in order to incorporate the modern authentication.

Can anybody please tell me what exactly has to be changed? Thanks in advance and kind regards

[David-Barrett-MS]

Which specific script are you referring to? Most of them should already support OAuth (the ones that do have OAuth parameters to provide the app details), but I may have missed some.

[timbauer132]

Thanks for the quick reply. Sorry, I am referring to the "Import-CalendarCSV.ps1".

[David-Barrett-MS]

I'll add the OAuth parts to that one when I get a chance. Looks like a long time since I updated it!

[timbauer132]

Sounds awesome, thanks a lot! I assume you are pretty busy and I can totally understand if this might take some time. As this is a highly relevant topic for our company (booking options etc rely on this), could you maybe tell me in which of your other scripts those parameters are already incorporated? Maybe I can change the relevant lines by myself by comparing the script to the updated scripts. Thanks so much!

[David-Barrett-MS]

Pretty much all the other scripts have OAuth. They all use the same functions for that, so I'll just be copying the same over. e.g. https://github.com/David-Barrett-MS/PowerShell-EWS-Scripts/blob/master/Legacy/Merge-MailboxFolder.ps1

MSAL is required for certificate auth, but for other flows I send the requests directly.

It'll take me a week or two most likely to update and publish this one, depending what time I get to do so.

[timbauer132]

awesome, thanks! I'll see what I can do. No matter what, I'm looking forward to your official update :)

[timbauer132]

Update: I was not able to get the script to work =/ Looking forward to the official update!

[keiiith11]

I'd also be interested. Best Keith

[unicornpancakes]

+1. Thank you for your work on this script David! It's much appreciated.

[David-Barrett-MS]

Please check out v2.0.0 of the script (just published). I tested it with these parameters (which uses the default app registration):

.\Import-CalendarCSV.ps1 -CSVFileName "c:\temp\importtest.csv" -GenerateSampleCSV -Mailbox "test@domain.com" -Office365 -OAuth -OAuthTenantId "tenant id"

The above uses the default app registration which is multitenant, and would trigger log-on for the specified mailbox and require consent (which may need a tenant administrator). I don't recommend using my app registration, though. Better would be to register an application in your own tenant and pass the relevant info in the OAuth parameters.

I'll add a Wiki page at some point. I haven't done a huge amount of testing, so if any issues are encountered please raise a new report here and I'll take a look.

[timbauer132]

Hi David, Thanks a lot! I'm already testing the new script.

• First I received errors because the script was looking for the dll file in strange locations, but I managed to load the dll file properly after a few tries.

• But now the script fails when binding to the calendar ($CalendarFolder = [Microsoft.Exchange.WebServices.Data.CalendarFolder]::Bind($service, [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Calendar)).

• It fails with error 401 when $OAuth=False . Impersonation is set to $True and I pass the Credentials of an administrator user (who is definitely allowed to access the user calendars and create appointments) to the script. I guess this way doesn't work anymore as OAuth is required.

• It fails with error 403 when $OAuth=True . I registered a new app in Azure AD. I granted API rights (Calendars.ReadWrite) to the app and pass all the necessary OAuth information (SecretKey, TenantID, ClientID, RedirectURI) to the script. As far as I see, the GetTokenWithKey-Function works fine and the token is obtained. But still, the mentioned error appears. -> Do you have any suggestion for me? Maybe the script requires more App permissions than "Calendars.ReadWrite"?

UPDATE: I somehow managed to add the app permissions in the "Microsoft Graph" section instead of the "Office 365 Exchange Online" section. It works perfectly now. Thanks so much, David, for this awesome script!

Kind regards Tim