Closed cnazario3 closed 3 years ago
Is IMAP enabled? Is 2 factor auth enabled? If the answer to both of these questions is yes then you have to create an application specific password in O365: https://support.office.com/en-us/article/create-an-app-password-for-office-365-3e7c860f-bda4-4441-a618-b53953ee1183.
Application passwords are disabled in my organisation, the only way is to implement the way O365 does 2FA (as mentioned by #1277), that is, by showing the window to enter the second factor credential (like the code from the authenticator app), which, I believe, is also the one that deals with O365 authentication and returns back a result, ie, it acts as service provider. As far as I understand, that window can be provided by the target organisation (in my case, I always see something with their logo and contact references to our IT) and there is a mechanism to let the client know its URL or alike.
I'm having the same issue as well and there are no options for app password in my outlook account. Has anyone found a fix/workaround?
To find these passwords, log in to the web version of O365, click on your profile picture -> my account -> security settings.
Anyway, it didn't help and I've got the same problem...
Same issue here, Kubuntu 19.10, and can't use application passwords. Please allow the typical Office 365 2FA prompt.
Same here! My organization does not allow application passwords. Too bad--it looked like a really nice email client.
PS: I also tried using IMAP and the Outlook option, but with no luck.
Mailspring is just not accepting any method to get Office 365 connected. After setting 2FA, it still doesn't work. Is there a fix in the works to sort this out?
Is there any update on this?
Still facing the problem when signing in to my school account.
Hey folks! Thanks for reporting this, I didn't realize that some organizations blocked the creation of app passwords but I guess that's not super surprising. I think that we could probably support XOAUTH2 (the auth mechanism where you obtain a token through the auth flow) because we already do it for Gmail. I'll check it out!
Hey folks! It turns out that Microsoft launched support for IMAP / SMTP via OAuth on April 30th of this year (https://developer.microsoft.com/en-us/outlook/blogs/announcing-oauth-2-0-support-for-imap-smtp-client-protocols-in-exchange-online/) so this is actually really possible now! When folks originally asked back in 2017-2018 it was rumored they would add official support but this is great.
I've pushed up an implementation of this (their implementation more or less matches the spec exactly so it works almost identically to Google's and didn't require much work.) It's still building but I'd love for you guys to try the binaries once Travis has finished them and see if this resolves your issues.
I expect there may be /different/ compatibility issues with this approach (like all things MSFT), but I'm hoping that it's a big enough improvement over the previous app password approach that we can switch all Office 365 accounts to use XOAuth2. (The app will continue working fine for existing users but when they go to reconnect their accounts they will go through the OAuth flow). Fingers crossed! It looks like Thunderbird just switched to Office365 via XOAUTH2 as well.
EDIT:
Windows: https://mailspring-builds.s3.amazonaws.com/client/052f6dd5/win-ia32/MailspringSetup.exe
MacOS: https://mailspring-builds.s3.us-east-1.amazonaws.com/client/052f6dd5/osx/Mailspring.zip (will be ready in ~15min)
Linux: https://mailspring-builds.s3.us-east-1.amazonaws.com/client/052f6dd5/linux/mailspring-1.7.8-amd64.deb https://mailspring-builds.s3.us-east-1.amazonaws.com/client/052f6dd5/linux/mailspring-1.7.8-0.1.x86_64.rpm
Possibly related: #1912, #1208, #918, #1615, #1536, #1277
@bengotow By reading the documentation, I'm not sure this will change the problem at issue here. They say the user must get an auth token for the IMAP client then use it. Apart from the general problem of updating IMAP clients, this doesn't seem much different than the old application password method and that's why, likely, it's not going to work in organisations like mine, where they decided to strictly enforce the 2-factor authentication method, that is, they want users to type a second one-off secret (provided by a hash generator like an app or SMS service) every time they log in. To expand on it more, episodes of "smart" users falling prey to phishing attacks are what usually lead the IT admins to inflict this punishment on everyone. The token method is likely to be disabled in such a context, as they've already disabled the application password method (the 2FA doesn't add much to token-based auth, but try to explain it to IT guys having to face users typing their password on fake login forms).
Due to that, I think the actual solution has to be that the client is aware of this 2FA protocol and asks the user to enter the second secret. Moreover, Microsoft has an option to delegate that step to an organisation's service (using a common jargon, the client is a service provider that delegates authentication to an Identity Provider; usually that happens by means of URL forwarding and cookie exchanges).
Hey @marco-brandizi — yeah I'm interested to see if it helps. With Google accounts, using their OAuth flow means you can complete 2FA (in the browser) when signing in, which you can't do with an app password form displayed within the email client.
I think there's definitely a second policy in some orgs, which is the /interval/ at which you need to login again. If the org requires 2FA daily or limits the length of your login sessions (eg: you come back in the morning and you're magically signed out of Office 365 again), I think it's unlikely you'll be able to use third party apps at all, and that's really by design 😓
(Technically you could use Mailspring, it'll just ask you to reconnect the account every day and bump you to the browser to complete 2FA. It's a little "heavy" though - several clicks and probably ~10 seconds. I'm not sure we can optimize this flow because the IMAP service doesn't specifically tell us auth is failing due to 2FA expiring!)
@bengotow I don't know these details, I don't know if there's a web interaction that's standardised in OAuth, like: 1. client tries to connect 2. server tells to show a sequence of URLs 3. server eventually replies OK/KO. If that's the case, Mailspring will need to do 2. anyway (or to make an existing similar workflow working with O365).
As for the O365 session's time-to-live (if any), that shouldn't be relevant, for you have to manage the authentication from Mailspring whenever that's required (whether the first time you try to connect the server or when its session has expired). What I have with my account is that it requires the additional second factor (like an SMS code) only every couple of days, the rest of the time the clients pass by just using the account password.
Hi, I'm in the same case as @marco-brandizi. My company enforces 2FA (text message) for the organization I'm in.
So I guess it is in the organization's hands, even if they will not change the rules just for me (as I'm the only Linux env. dev).
Hope details help.
Ahh that's interesting - it looks like "administrator consent" is required for an app to access mail data regardless of whether you're using IMAP or the Office365 API (https://docs.microsoft.com/en-us/graph/permissions-reference). I wonder what fraction of organizations consent to all third party email apps.
If anyone else wants to give this a spin I'm really curious - it worked out of the box for my standard / consumer Office365 test account and our Office 365 business account but we don't use the administration features. We could allow this option AND also support auth via app password if we really need to...
I've installed the latest snap from the edge channel after my organization made some changes in their policies regarding which apps are approved to connect. This got me to a similar screen as QuentinBens above.
After approval by my organization I still have issues. It seems that authentication is successful in the browser since I get the message "You're all set! Go back to Mailspring to finish linking your account and configuring the app.", but then in Mailspring I get the message Authentication Error - Check your username and password. (IMAP).
Any ideas how to fix this?
@bengotow I just tested this as well (O365 with 2FA) and it had the same "administrator consent" error. Keen to follow, as I've worked with the Graph API before as well and had no issues accessing my mail. Curious to see where the differences lie.
I'm using Windows 10 and after approval by my organisation I get a similar error to exe0cdc where it appears to work in browsers (I see the message: "You're all set! Go back to Mailspring to finish linking your account and configuring the app.") But when I return to mailspring I see the following error message: "ErrorNamespace (IMAP)".
Any ideas how to fix this?
I have the same problem and 2FA is not enabled, but I have a choice to enable it. I get the exact same message in the log as above although the password is correct (I can sign in on the browser).
I am having the same issue. I am trying to put my O365 account in to the iPhone to get my emails and sync my calendar. It keeps telling me account does not exist. I think it's absolutely ridiculous because outlook is a part of O365. Please let me know if there is work around for this.
Interestingly I have no issue with my organisation's O365 account, my personal Outlook account and my Microsoft dev account.
I have here the same issue. I do not understand the "By Design" at all since Mail.app from Apple works...
Thunderbird has a plugin called "Owl for Exchange" which is a paid service to connect to a O365 account using 2FA. Maybe that's what MailSpring would need to implement too.
@bengotow I've been using OAuth with Office 365 by using the .deb build in this comment: https://github.com/Foundry376/Mailspring/issues/1118#issuecomment-675236131 and it works.
However it seems like the token is only valid for 24 hours, thus I have to reconnect the account every day.
@Lauszus this seems based on application tokens: the client app gets a token, which it can use with OAuth. That cannot work if your organisation has disabled this feature for the purpose to force everyone into 2-factor authentication (which, in turn, usually happens because of some idiot still falling into phishing attacks). In that case, the only way is that the client is able to support 2FA, by forwarding to the organisation-dependent authentication web dialogue and getting back the result.
@marco-brandizi it does work fine with 2FA. I'm actually the one that forces everyone in our organization to use 2FA. The newest build available in: https://github.com/Foundry376/Mailspring/issues/1118#issuecomment-675236131 does take you to the Office 365 web dialog asking if you want to authenticate the app.
Here's the error log:
40740 [2020-11-05 12:13:32.999] [background] [info] Fetching XOAuth2 access token (office365) for d1a0e3c6
40740 [2020-11-05 12:13:33.404] [background] [critical]
***
*** Mailspring Sync
*** An exception occurred during program execution:
*** {"debuginfo":"https://login.microsoftonline.com/common/oauth2/v2.0/token RETURNED {\"error\":\"invalid_grant\",\"error_description\":\"AADSTS700081: The refresh token has expired due to maximum lifetime. The token was issued on 2020-11-04T10:39:31.6429622Z and the maximum allowed lifetime for this application is 1.00:00:00.\\r\\nTrace ID: 6dae23b0-8875-47d1-a38f-d7223c100800\\r\\nCorrelation ID: d019d02f-7b69-476b-a3d0-e2a5b08c06aa\\r\\nTimestamp: 2020-11-05 11:13:33Z\",\"error_codes\":[700081],\"timestamp\":\"2020-11-05 11:13:33Z\",\"trace_id\":\"6dae23b0-8875-47d1-a38f-d7223c100800\",\"correlation_id\":\"d019d02f-7b69-476b-a3d0-e2a5b08c06aa\",\"error_uri\":\"https://login.microsoftonline.com/error?code=700081\"}","key":"Invalid Response Code: 400","retryable":false,"what":"std::exception"}
***
40740 [2020-11-05 12:13:33.404] [background] [critical] *** Stack trace (line numbers are approximate):
*** ??:? ValidateRequestResp(CURLcode, void*, string)
*** ??:? PerformRequest(void*)
*** ??:? PerformJSONRequest(void*)
*** ??:? MakeOAuthRefreshRequest(string, string, string)
*** ??:? XOAuth2TokenManager::partsForAccount(shared_ptr)
*** ??:? MailUtils::configureSessionForAccount(mailcore::IMAPSession&, shared_ptr)
*** ??:? SyncWorker::configure()
*** ??:? runBackgroundSyncWorker()
*** main.cpp:? main::{lambda()#3}::operator()() const
*** main.cpp:? _Bind_simple::operator()()
*** main.cpp:? thread::_Impl::_M_run()
*** thread.o:? execute_native_thread_routine()
***
As you can see the token is only valid for 24 hours.
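Added example, not Mailspring's code: the log above shows the token endpoint answering a refresh request with HTTP 400, `invalid_grant` and AADSTS700081. The sketch below separates that case (the user must go through the browser sign-in again) from transient failures worth retrying; the sample response is constructed from the fields visible in the log, and `classifyTokenError`, `parseLifetimeSeconds` and the action labels are assumed names.

```javascript
// Added example, not Mailspring code. Function names and action labels are
// hypothetical; the JSON fields are the ones visible in the logged response.

// Constructed sample modelled on the logged error (trace IDs left out).
const SAMPLE_BODY = JSON.stringify({
  error: 'invalid_grant',
  error_description:
    'AADSTS700081: The refresh token has expired due to maximum lifetime. ' +
    'The token was issued on 2020-11-04T10:39:31.6429622Z and the maximum ' +
    'allowed lifetime for this application is 1.00:00:00.',
  error_codes: [700081],
});

// Parse the "d.hh:mm:ss" lifetime quoted in the description into seconds.
function parseLifetimeSeconds(description) {
  const re = /maximum allowed lifetime for this application is (?:(\d+)\.)?(\d{2}):(\d{2}):(\d{2})/;
  const m = re.exec(description || '');
  if (!m) return null;
  const [d, h, min, s] = m.slice(1).map((x) => Number(x || 0));
  return ((d * 24 + h) * 60 + min) * 60 + s;
}

// Decide what the client should do after a failed refresh request.
function classifyTokenError(httpStatus, bodyText) {
  let body = null;
  try { body = JSON.parse(bodyText); } catch { /* not JSON, handled below */ }
  const transient = httpStatus === 429 || httpStatus >= 500;
  if (!body || typeof body.error !== 'string') {
    return { action: transient ? 'retry' : 'fail', reason: 'no OAuth error body' };
  }
  const codes = Array.isArray(body.error_codes) ? body.error_codes : [];
  const result = {
    reason: body.error,
    aadstsCode: codes.length ? codes[0] : null,
    lifetimeSeconds: parseLifetimeSeconds(body.error_description),
  };
  if (body.error === 'invalid_grant') {
    // Refresh token expired or revoked: retrying with the same token cannot
    // succeed, so send the user back through the interactive flow (and 2FA).
    return { ...result, action: 'reauthorize' };
  }
  return { ...result, action: transient ? 'retry' : 'fail' };
}
```

Surfacing `reauthorize` as its own state lets the client prompt for sign-in directly instead of showing a generic username/password error.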
Oh, good! I'll try it, thanks.
Hello, I have the same problem, using Manjaro. I cannot seem to figure out how to access the OAuth2 for this. It says on the AUR (or the snap) that it is 1.7.8, which is the same number you have posted above that others have said they have gotten to access their office365 sign in... what am I missing? Or are the editions you posted edited versions of 1.7.8 in which case, is there a version that could be installed for Arch/Manjaro? Thanks!!
Can't wait to test it ... in 1.7.9 ?
Agreed :). If it helps (if you are using Arch or Manjaro) I got it to work by using debtap for the .deb file he provided up above. So nice to finally have a beautiful desktop email that can handle all my accounts.
Running the modified package, it does redirect me to the browser where I can log in, but then says Authentication Error - Check your username and password. (IMAP) :(
Is there any way for us to help add this support?
Tried the package but ended up with the following error :
Erreur d'authentification - Vérifiez votre nom d'utilisateur et votre mot de passe. (SMTP)
It seems auth is performed properly but EWS is not supported and the lack of SMTP is somehow blocking the process.
I'm having the same issue. I can't log in to my email account due to 2-factor authentication from my organization. By reading this thread I'm assuming there's not much to do except for waiting for an upgrade to the app (1.7.9?) and hope that this is implemented?
I love the app so I really hope this is solved soon. Otherwise I would have to stop using Mailspring since my organization email is my most important one.
Just tried it again today and Mailspring still doesn't let me log in with my corporate account. This app is really nice but finally nothing is saving us from having to use 2 mail clients, one for business and the second for the personal mailboxes. Hopefully a fix will come soon :)
+1 Can't use my office365-workmail in mailspring.
It works in evolution with "ews". You only add https://outlook.office365.com/EWS/Exchange.asmx.
But I prefer to use Mailspring ofc.
Same w/ ThunderTurkey when using the owl plugin, Thunderbird is fairly fat and slow in comparison but functional.
@bengotow Your 1.7.8 release works really well for a single MFA account (linux), but when I add a second account one of them always logs out and has connection issues. Is it possible to simultaneously log in to two or more OAuth accounts?
This issue has been mentioned on Mailspring Community. There might be relevant details there:
https://community.getmailspring.com/t/institutional-office365-not-working/48/3
We are in the process of migrating issues to Discourse, which can better facilitate discussion and discovery, and so GitHub Issues can focus on issues that are confirmed and slated for resolution in the near term. Learn more about the changes here.
This issue appears to be a duplicate of one we've already migrated to Discourse:
https://community.getmailspring.com/t/institutional-office365-not-working/48/2
Please consider joining that community and continuing the discussion there.
We're closing and locking the issue here as part of this migration. Rest assured, this doesn't mean the issue is being discarded or ignored.
We hope to see you on Discourse soon!
-The Mailspring Team
P.S. @benthejack-vuw The best way to get an answer to your question would be to start a new thread on the Discourse, perhaps under Help.
I'm using Ubuntu 18.04 and for some reason while adding my O365 account I'm getting an error message.
Someone told me that it was a password issue but it is not; I downloaded Hiri and it works fine with it, the only thing is that you have to pay for Hiri.
I think it is the fact that Mailspring does not support two way verification.
----------IMAP----------
OK The Microsoft Exchange IMAP4 service is ready. [QgBOADYAUABSADAANQBDAEEAMAAwADAANwAuAG4AYQBtAHAAcgBkADAANQAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]
1 CAPABILITY
CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
1 OK CAPABILITY completed.
2 LOGIN "christian.nazario.rodriguez@disney.com" *****
2 NO LOGIN failed.
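Added example, not code from the post or from Mailspring: the transcript above shows the server advertising `AUTH=XOAUTH2` and `SASL-IR` while a password `LOGIN` is refused. The sketch below reads that capability line and builds the `AUTHENTICATE XOAUTH2` exchange a client would send once it holds an OAuth access token; the function names, the `A1` tag and the sample user and token are assumptions.

```javascript
// Added example, not Mailspring code. Function names are hypothetical.

// Capability line as it appears in the transcript above.
const CAPABILITY_LINE =
  'CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS MOVE ' +
  'ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+';

// Extract the advertised SASL mechanisms and the SASL-IR flag.
function parseCapabilities(line) {
  const words = line.replace(/^\*\s*/, '').trim().split(/\s+/);
  if ((words.shift() || '').toUpperCase() !== 'CAPABILITY') {
    throw new Error('not a CAPABILITY response');
  }
  const caps = words.map((w) => w.toUpperCase());
  return {
    authMechanisms: caps.filter((c) => c.startsWith('AUTH=')).map((c) => c.slice(5)),
    saslIR: caps.includes('SASL-IR'),
  };
}

// XOAUTH2 initial response: base64("user=<user>^Aauth=Bearer <token>^A^A").
function xoauth2InitialResponse(user, accessToken) {
  // Control characters would break the ^A framing, so reject them up front.
  if (/[\x00-\x1f\x7f]/.test(user) || /[\x00-\x20\x7f]/.test(accessToken)) {
    throw new Error('control or whitespace character in credentials');
  }
  const raw = `user=${user}\x01auth=Bearer ${accessToken}\x01\x01`;
  return Buffer.from(raw, 'utf8').toString('base64');
}

// Lines the client sends, in order. With SASL-IR the response rides on the
// command; without it the client waits for the "+" continuation first.
function buildAuthCommands(tag, capabilityLine, user, accessToken) {
  const caps = parseCapabilities(capabilityLine);
  if (!caps.authMechanisms.includes('XOAUTH2')) {
    throw new Error('server does not advertise AUTH=XOAUTH2');
  }
  const ir = xoauth2InitialResponse(user, accessToken);
  return caps.saslIR
    ? [`${tag} AUTHENTICATE XOAUTH2 ${ir}`]
    : [`${tag} AUTHENTICATE XOAUTH2`, ir];
}

// The base64 blob is a bearer credential: mask it before logging, the same
// way the transcript masks the LOGIN password.
function redactForLog(commandLine) {
  return commandLine.replace(/(AUTHENTICATE XOAUTH2 )\S+/, '$1*****');
}
```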