question

AndriiMaslov-1341 asked TejoKumar-3838 edited

Shared mailbox oauth access

Greetings,


I recently configured OAuth authentication for my software in order to fetch/send emails from my Outlook or Office 365 account. I'm using these endpoints

with such scopes: https://outlook.office.com/IMAP.AccessAsUser.All, https://outlook.office.com/SMTP.Send, offline_access, https://outlook.office.com/user.read.

The OAuth login is successful and both SMTP/IMAP connection tests passed for the account's main mailbox. But I need to access a shared mailbox that the account has access to. According to your docs:

In case of shared mailbox access using OAuth, application needs to obtain the access token on behalf of a user but replace the userName field in the SASL XOAUTH2 encoded string with the email address of the shared mailbox.

That's all I need to do in order for it to work. Although IMAP works fine, SMTP isn't working this way and returns 535 5.7.3 authentication unsuccessful.

I'm new to Office 365 and shared mailboxes; perhaps there is something I need to configure in the Office 365 admin center, or maybe add another scope? I've read that you shouldn't access a shared mailbox directly (I'm guessing that means setting a password for the mailbox's "active user" and logging in like a normal account), but I'm not sure why. So it seems to me that changing the email user in the SASL XOAUTH2 encoded string is the only option, or is there any other way?



P.S.
License: Office 365 Business Standard.





office-exchange-server-mailflow
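As an added example (not code from the question or from Microsoft's documentation), the following Python builds the SASL XOAUTH2 blob the quoted doc describes, then re-issues it with the shared mailbox address in the user= field while keeping the token obtained for the signed-in user. The mailbox addresses and the token are constructed placeholders, and the two hostnames in the trailing comment are the usual Exchange Online IMAP/SMTP endpoints, not values given in the thread.

```python
import base64

CTRL_A = "\x01"  # SASL XOAUTH2 separates fields with ^A (0x01)

def raw_xoauth2(user_name: str, access_token: str) -> str:
    """Unencoded client response: user=<userName>^Aauth=Bearer <token>^A^A.
    imaplib.authenticate() and smtplib.auth() base64-encode this themselves."""
    return f"user={user_name}{CTRL_A}auth=Bearer {access_token}{CTRL_A}{CTRL_A}"

def encoded_xoauth2(user_name: str, access_token: str) -> str:
    """Base64 form, as sent by hand: 'AUTH XOAUTH2 <blob>' over SMTP or
    'A01 AUTHENTICATE XOAUTH2 <blob>' over IMAP."""
    raw = raw_xoauth2(user_name, access_token).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_xoauth2(blob: str) -> dict:
    """Parse a blob back into {'user': ..., 'auth': ...}; rejects malformed input."""
    raw = base64.b64decode(blob, validate=True).decode("utf-8")
    if not raw.endswith(CTRL_A * 2):
        raise ValueError("XOAUTH2 response must end with ^A^A")
    fields = {}
    for part in raw[:-2].split(CTRL_A):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key] = value
    if set(fields) != {"user", "auth"} or not fields["auth"].startswith("Bearer "):
        raise ValueError("expected exactly a user= field and an auth=Bearer field")
    return fields

def for_shared_mailbox(user_blob: str, shared_mailbox: str) -> str:
    """The documented shared-mailbox variant: keep the token obtained on behalf of
    the signed-in user, but put the shared mailbox address in the user= field."""
    token = decode_xoauth2(user_blob)["auth"][len("Bearer "):]
    return encoded_xoauth2(shared_mailbox, token)

if __name__ == "__main__":
    # Constructed placeholders: not real mailboxes and not a real token.
    token = "EXAMPLE_ACCESS_TOKEN_NOT_REAL"
    user_blob = encoded_xoauth2("user@example.com", token)
    shared_blob = for_shared_mailbox(user_blob, "shared@example.com")
    print(decode_xoauth2(shared_blob))
    # Live use (network, not run here), with the usual Exchange Online hosts:
    #   imaplib.IMAP4_SSL("outlook.office365.com").authenticate(
    #       "XOAUTH2", lambda _: raw_xoauth2("shared@example.com", token).encode())
    #   s = smtplib.SMTP("smtp.office365.com", 587); s.starttls()
    #   s.auth("XOAUTH2", lambda challenge=None: raw_xoauth2("shared@example.com", token))
```

Both standard-library clients base64-encode the string returned by the callback, so pass raw_xoauth2() to them and reserve encoded_xoauth2() for a hand-typed AUTH command; a 535 5.7.3 reply to the shared-mailbox blob while the user blob succeeds points at the server side rather than at the encoding.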

LydiaZhou-MSFT answered

@AndriiMaslov-1341

I did some research, but cannot find other options to access a shared mailbox using OAuth. Based on the official document, this should be the only suggested option.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


AndriiMaslov-1341 answered AndriiMaslov-1341 commented

@LydiaZhou-MSFT

I'm fine with that being the only option. The thing I don't get is why I am getting 535 5.7.3 authentication unsuccessful only through the SMTP connection with OAuth.
Basic authentication works fine for both IMAP/SMTP; the problem is only with OAuth. I haven't found any limitations in the official documentation yet. Or maybe it's not possible at all?


Also, I've noticed that the Authenticated SMTP checkbox is absent in the shared mailbox email settings compared to the "active user" of that shared mailbox.
Shared mailbox: (screenshot selection-239.png)
Active user of shared mailbox: (screenshot selection-238.png)



Can it be the reason?



Well, I'm doing more research in this direction. I will post back as soon as I get more information. Thanks for your patience.




When you use OAuth authentication to connect with SMTP, do you mean you can access other user mailboxes except the shared mailbox?
Please try to grant full access permission of the shared mailbox to other users, then replace the userName with other users to test again.
Btw, where did you check the settings in the first image?




When you use OAuth authentication to connect with SMTP, do you mean you can access other user mailboxes except the shared mailbox?

I don't know how many mailboxes a user can have, but yes. I can access the user's main mailbox with OAuth through SMTP. It's only when I change the userName in the SASL XOAUTH2 encoded string to the shared mailbox that SMTP doesn't work.


I've already given access (Read and manage, Send as, Send on behalf in the mailbox permission settings) to both users, and with neither of them did I get a successful SMTP response. Are there more settings for this?

First image is from Email apps from shared mailbox settings.

I've also noticed in the sign-in logs requests with "interrupted" status right when I tried the SMTP connections:
Sign-in error code: 50058
Failure reason: Session information is not sufficient for single-sign-on.

Can it be the reason?

LydiaZhou-MSFT answered LydiaZhou-MSFT commented

@AndriiMaslov-1341

Did you also try the Full Access permission? The Full Access permission lets a user open the shared mailbox and act as the owner of that mailbox.
You can set it from EAC > Recipients > Shared > select your shared mailbox and click Mailbox delegation to grant the Full Access permission.
(screenshot 620.png)

You also can use the following command to grant full access permission:

 Add-MailboxPermission -Identity "shared mailbox" -User username -AccessRights FullAccess -InheritanceType All
 Get-MailboxPermission "shared mailbox"

Wait for a while to make sure it takes effect, then test OAuth authentication over SMTP again.

Additionally, did you assign a license to the shared mailbox?
You can create a new shared mailbox without license to test again to see if the issue can be reproduced on the new one.



Yes, I've tried the Full Access permission as well. I've also tried it on a fresh new shared mailbox (without playing with the license) - no effect.

Additionally, did you assign a license to the shared mailbox?

I did when I was trying things. But I've tried both licensed/unlicensed and the result was the same. The only way I could get into the shared mailbox with SMTP is to add a license + set up a password and use a direct login. Can it be used that way?

Also, in your doc I found this, and the last item isn't compatible with shared mailboxes since they don't have a password to log in with. Can you comment on this? Is what I'm trying to achieve even possible? Maybe I'm missing some scopes or permissions in the registered app?


The article you provided is used to set SMTP relay for applications or devices to send messages, and it's not suggested to use shared mailbox for SMTP relay. For your reference: Shared MailBox SMTP Auth.



Well, that's kind of what I'm trying to achieve. I wanted my application to be able to send and fetch emails from a shared mailbox using OAuth. So right now it can only be done with a normal user mailbox, not a shared one?

TejoKumar-3838 answered TejoKumar-3838 edited

I have a shared mailbox with a similar configuration to the one described in the question. But instead of the user being directly added to the shared mailbox as a member (to receive/send emails), we have a mail-enabled security group added as a member. The user and the shared mailbox both belong to the same security group.
IMAP fails with OAuth in this case. Basic auth works just fine. Also, if I add the user directly as a member, IMAP with the OAuth access token works fine.
Why isn't the OAuth access token working if the group is added to the mailbox as a member instead of the user?

We're receiving the below error:
User is authenticated but not connected.
