grahamr975 / EWS-Office365-Contact-Sync

Uses Exchange Web Services to synchronize a Global Address List in Office 365 to a user's mailbox
MIT License

Switch to OAuth before October 13th 2020 #6

Closed toddjames closed 3 years ago

toddjames commented 4 years ago

Hello,

Does this script support OAuth for authentication? If so, I was unable to find documentation on configuring that. EWS for Office 365 is removing support for Basic Authentication on October 13.

grahamr975 commented 4 years ago

I am aware of this deprecation and do plan to add OAuth support.

rypto commented 4 years ago

I second this request :-)

grahamr975 commented 4 years ago

Hello,

Can you try testing this OAuth migration branch? Let me know how this works for you. https://github.com/grahamr975/EWS-Office365-Contact-Sync/tree/oauth_migration

teconmoon commented 4 years ago

Good morning, I am looking into testing this OAuth branch. Is the process for exporting credentials still the same as basic auth?

Edit: Never mind, stupid question, as it's obvious I did zero reading about OAuth.

teconmoon commented 4 years ago

Alright, take two: I created an app within the Azure AD Portal, granted the Exchange permission Contacts.ReadWrite.All as a delegated permission (since the script still requires a user account), and got the Client ID for the script. I also generated a client secret string, but I'm not sure that's needed within the context of the script, as there's no parameter for it. I ran through and got the following error:

A constructor was not found. Cannot find an appropriate constructor for type Microsoft.Exchange.WebServices.Data.OAuthCredentials.

Logs attached with organization-specific information removed. PowerShell_transcript.IT-2087.FnYevNxF.20200720080600.txt

On an aside, if the script supported just using a client ID and secret without the need for any user account that might end up being the best way to go.

toddjames commented 4 years ago

Hi Graham, I won't be able to help with the testing of this new feature. We decided to go another direction with a commercial product, but I commend your commitment to getting this working for the OSS community.

grahamr975 commented 4 years ago

@toddjames Thanks Todd. I'm glad you were able to find a solution that works for your environment.

grahamr975 commented 4 years ago

Following Microsoft's document here, I was able to make a test account with Legacy EWS Authentication disabled. You can do this using the below script. You must use an Office 365 admin account.

# Prompts for the Office 365 admin credentials used for the remote PowerShell session
$Credentials = Get-Credential
# Basic-auth remote PowerShell session to Exchange Online (the 2020 approach; the
# ExchangeOnlineManagement module's Connect-ExchangeOnline has since replaced it)
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' -Credential $Credentials -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking -AllowClobber
# Every -AllowBasicAuth* switch EXCEPT -AllowBasicAuthWebServices is set, so the policy
# keeps Basic auth for all other protocols and blocks it only for EWS
New-AuthenticationPolicy -Name "Disable Legacy EWS Auth Test" -AllowBasicAuthActiveSync -AllowBasicAuthAutodiscover -AllowBasicAuthImap -AllowBasicAuthMapi -AllowBasicAuthOfflineAddressBook -AllowBasicAuthOutlookService -AllowBasicAuthPop -AllowBasicAuthPowershell -AllowBasicAuthReportingWebServices -AllowBasicAuthRpc -AllowBasicAuthSmtp
# Assign the policy to the test account only; other mailboxes keep the tenant default
Set-User -Identity "TestAccount@myCompany.com" -AuthenticationPolicy "Disable Legacy EWS Auth Test"
Remove-PSSession $Session

The ModernAuth mode is still working with legacy authentication disabled.
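The same test setup, written as an added example that is not part of the EWS-Office365-Contact-Sync project or of the comment above. It assumes the ExchangeOnlineManagement module is installed and the caller signs in with an Exchange Online admin account; the function names, the policy name and the user principal names are constructed for illustration. Beyond the original script it invalidates the test user's existing refresh tokens so the policy takes effect immediately, and it verifies that the policy assigned to the user actually blocks Basic auth for EWS before the sync script is tested against it.

```powershell
# Added example (not the project's code). Assumes the ExchangeOnlineManagement module
# and an Exchange Online admin account. Policy name and UPNs below are constructed.

function New-EwsBasicAuthBlockPolicy {
    param([Parameter(Mandatory)] [string] $PolicyName)
    # Every -AllowBasicAuth* switch EXCEPT -AllowBasicAuthWebServices is set, so only
    # Exchange Web Services loses Basic auth; an omitted switch means "blocked".
    New-AuthenticationPolicy -Name $PolicyName `
        -AllowBasicAuthActiveSync -AllowBasicAuthAutodiscover -AllowBasicAuthImap `
        -AllowBasicAuthMapi -AllowBasicAuthOfflineAddressBook -AllowBasicAuthOutlookService `
        -AllowBasicAuthPop -AllowBasicAuthPowershell -AllowBasicAuthReportingWebServices `
        -AllowBasicAuthRpc -AllowBasicAuthSmtp
}

function Set-EwsBasicAuthBlockForUser {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $PolicyName
    )
    Set-User -Identity $UserPrincipalName -AuthenticationPolicy $PolicyName
    # A policy change is picked up on the next token refresh; resetting the
    # refresh-token validity date forces that refresh now instead of hours later.
    Set-User -Identity $UserPrincipalName -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)
}

function Test-EwsBasicAuthBlocked {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    $user = Get-User -Identity $UserPrincipalName
    if (-not $user.AuthenticationPolicy) {
        Write-Warning "$UserPrincipalName has no authentication policy; the tenant default applies."
        return $false
    }
    $policy = Get-AuthenticationPolicy -Identity $user.AuthenticationPolicy
    # True only when the policy actually assigned to this user blocks Basic auth for EWS
    return (-not $policy.AllowBasicAuthWebServices)
}

# Usage with constructed values (admin UPN and test account are placeholders)
Connect-ExchangeOnline -UserPrincipalName 'admin@myCompany.com'
$null = New-EwsBasicAuthBlockPolicy -PolicyName 'Disable Legacy EWS Auth Test'
Set-EwsBasicAuthBlockForUser -UserPrincipalName 'TestAccount@myCompany.com' -PolicyName 'Disable Legacy EWS Auth Test'
Test-EwsBasicAuthBlocked -UserPrincipalName 'TestAccount@myCompany.com'
Disconnect-ExchangeOnline -Confirm:$false
```

Run the last `Test-EwsBasicAuthBlocked` call before pointing the sync script at the test account: a `False` result means the account is still able to fall back to Basic auth for EWS, and a successful sync would then say nothing about whether the OAuth path works.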

grahamr975 commented 4 years ago

@teconmoon You don't need to create an app in Azure at this time. All you need is an account with application impersonation permissions. See the 'read me' file in the oauth branch for more information.

tardispilot commented 4 years ago

I get the same issue as teconmoon. I am using a user account (with an App Password set up due to enforced MFA on the user account). The user is an admin with impersonation. Stepping through the code, the issue seems to be on line 98 of Connect-EXCEchange.ps1: $token is null. Not sure if this is because what I'm submitting is technically not my password, rather an App Password. Could support for App Passwords be included also, if this is the case?

grahamr975 commented 4 years ago

@tardispilot Looking at the Microsoft reply here to a similar question, it's not possible to use an app password with custom .net applications. They're only usable for legacy Microsoft applications like Outlook.
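The constructor error teconmoon reported and the null $token tardispilot traced it to are the same failure: when token acquisition returns nothing, New-Object is asked to build OAuthCredentials from $null and PowerShell cannot resolve a constructor, which hides the real cause. The following is an added example, not the project's code, of checking the token before handing it to the EWS Managed API. It assumes the Microsoft.Exchange.WebServices.dll assembly has already been loaded with Add-Type (the path is a placeholder), and the $AcquireToken scriptblock parameter is a hypothetical hook for whatever OAuth flow the caller uses; the MSAL.PS call in the usage comment is likewise an assumption about the environment, not something the project requires.

```powershell
# Added example (not the project's code). Assumes the EWS Managed API assembly is loaded:
#   Add-Type -Path 'C:\PLACEHOLDER\Microsoft.Exchange.WebServices.dll'
# $AcquireToken is a hypothetical hook: any scriptblock that returns an access token
# for https://outlook.office365.com as a string.

function Get-JwtExpiry {
    param([Parameter(Mandatory)] [string] $Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { return $null }   # not JWT-shaped; expiry unknown
    # The payload is base64url: restore the standard alphabet and padding before decoding
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    $claims = $json | ConvertFrom-Json
    if ($null -eq $claims.exp) { return $null }
    return [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime
}

function New-EwsOAuthCredential {
    param([Parameter(Mandatory)] [scriptblock] $AcquireToken)
    try {
        $token = & $AcquireToken
    } catch {
        # Report the acquisition failure itself rather than a downstream constructor error
        throw "Token acquisition failed: $($_.Exception.Message)"
    }
    if ([string]::IsNullOrWhiteSpace($token)) {
        throw 'Token acquisition returned nothing; OAuthCredentials cannot be built from a null token. ' +
              'An app password is not accepted by OAuth token flows; use the configured OAuth flow with the account itself.'
    }
    $exp = Get-JwtExpiry -Token $token
    if ($exp -and $exp -lt [DateTime]::UtcNow) {
        throw "Access token expired at $exp UTC; acquire a fresh token before connecting."
    }
    # With a non-null string the OAuthCredentials(string) constructor resolves as expected
    return [Microsoft.Exchange.WebServices.Data.OAuthCredentials]::new($token)
}

# Usage (assumes the MSAL.PS module; ClientId and TenantId are placeholders):
# $creds = New-EwsOAuthCredential -AcquireToken {
#     (Get-MsalToken -ClientId 'PLACEHOLDER-CLIENT-ID' -TenantId 'PLACEHOLDER-TENANT-ID' `
#         -Scopes 'https://outlook.office365.com/EWS.AccessAsUser.All' -Interactive).AccessToken
# }
# $service = [Microsoft.Exchange.WebServices.Data.ExchangeService]::new()
# $service.Credentials = $creds
```

Keeping the null and expiry checks in front of the constructor turns the generic "A constructor was not found" message into one that names the actual problem (no token, an expired token, or a rejected credential), which is what a user stepping through the script needs to see.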

mathieudev commented 3 years ago

Hi Graham, I won't be able to help with the testing of this new feature. We decided to go another direction with a commercial product, but I commend your commitment to getting this working for the OSS community.

Hi @toddjames, may I ask you the name of the commercial product?

toddjames commented 3 years ago

@mathieudev I don't think it'd be appropriate to advertise here unless @grahamr975 agrees. Lacking a GitHub messaging system, feel free to email me at my first name @ my domain (as seen on my GitHub profile).

grahamr975 commented 3 years ago

Verified modern auth is now working with new instructions. See the latest script and README file for more information.