403 Error | App Delegate Access for Personal Outlook Account

[mattyoungberg]

When trying to use exchangelib for my own personal Outlook inbox (domain @outlook.com), I hit a 403 Forbidden error.

I've tried multiple flavors of the script below, but this is the MCVE:

from exchangelib import DELEGATE, Account, O365InteractiveConfiguration
from exchangelib.credentials import O365InteractiveCredentials

CONFIG = {
    "clientId": "my-client-id",
    "authority": "https://login.microsoftonline.com/consumers",
    "username": "my-personal-email@outlook.com"
}

def main():

    O365InteractiveCredentials.AUTHORITY = CONFIG["authority"]

    a = Account(
        primary_smtp_address=CONFIG["username"],
        config=O365InteractiveConfiguration(
            client_id=CONFIG["clientId"], username=CONFIG["username"]
        ),
        access_type=DELEGATE,
        autodiscover=False,
    )

    print(a.root.tree())

if __name__ == "__main__":
    main()

The short of it is that, in attempting to parse a response from the server, it gets a 403 with an empty body:

exchangelib.errors.MalformedResponseError: Unknown failure in response. Code: 403 headers: {'Cache-Control': 'private', 'Transfer-Encoding': 'chunked', 'Server': 'Microsoft-HTTPAPI/2.0', 'X-BEServer': 'MW4PR20MB5591', 'X-NanoProxy': '1', 'X-AspNet-Version': '4.0.30319', 'Request-Id': 'd6724590-541e-cb68-371a-594a34c7ca13', 'X-CalculatedBETarget': 'MW4PR20MB5591.namprd20.prod.outlook.com', 'X-BeSku': 'WCS7', 'X-BackEndHttpStatus': '403', 'X-DiagInfo': 'MW4PR20MB5591', 'x-ms-appId': '000000004148D700', 'X-Proxy-BackendServerStatus': '403', 'X-Proxy-RoutingCorrectness': '1', 'X-RUM-NotUpdateQueriedPath': '1', 'X-RUM-NotUpdateQueriedDbCopy': '1', 'X-RUM-Validated': '1', 'X-UserType': 'Consumer', 'X-FEServer': 'MW4PR03CA0054', 'X-FirstHopCafeEFZ': 'EAT', 'Alt-Svc': 'h3=":443";ma=2592000,h3-29=":443";ma=2592000', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains', 'MS-CV': 'kEVy1h5UaMs3GllKNMfKEw.1', 'Set-Cookie': 'exchangecookie=daace9cb40204a51bd143350a42be3a9; expires=Mon, 21-Jul-2025 00:36:29 GMT; path=/; secure; HttpOnly', 'Date': 'Sun, 21 Jul 2024 00:36:29 GMT'} content:

What I've done on the app side:

• I registered the application as supporting AzureAD and Personal Microsoft Accounts (Manifest line "signInAudience": "AzureADandPersonalMicrosoftAccount")
• I've correctly configured it as a desktop app whose redirect URI is http://localhost
• I've used the manifest declaration to get the EWS.AccessAsUser.All permission. It appears you cannot add it via the UI since they're trying to deprecate it.

When I run the script, the auth flow completes validly. When trying to talk to EWS, however, the library continually gets 403 errors. In this case, it appears that it gets hung up on trying to query the server to figure out its version. I've done bigger scripts where I provide it manually, but I essentially get hung up on the same 403, no matter what request the lib is making.

Why I'm not using the Graph API: Because they don't support contact lists that exist in the Outlook web app. This is apparently functionality that is only accessible through EWS.

Why this may not be working: In an attempt to move everyone off EWS and onto Graph, they've disallowed this kind of access.

I'm hopeful a response to this ticket can either 1) help me get past my 403 error so I can manage my contact lists, or 2) confirm that this kind of access is indeed no longer being allowed.

Thanks in advance!

[ecederstrand]

Thanks for the report!

Which version of exchangelib is this? We've seen MalformedResponse on earlier versions, but that was since fixed.

[mattyoungberg]

Hey @ecederstrand , thanks for responding. I'm using exchangelib==5.4.2, Python version 3.10.12 on Ubuntu 22.04.4 LTS.

[ecederstrand]

I'm certain that O365 have not kicked people off EWS in general. My test account is on O365 and uses OAuth, and that still works.

I'm not very familiar with the OAuth setup in Azure, unfortunately. I would suggest asking for help in a forum dedicated to this topic.

[mattyoungberg]

That sounds like a good plan; this can be closed.

Do you have one you'd recommend? I haven't otherwise had experience w/ the Azure ecosystem other than this small little app I was trying to write :joy:

[ecederstrand]

Sorry, I don't have any specific forum recommendations for you.