Microsoft OAuth email type is not documented

Xon

Well-known member
I'm using a non-admin user to access a shared mailbox (which they have been granted access to) for bounced emails (using this https://xenforo.com/community/threads/expose-username-field-for-microsoft-oauth2-setup.230882/) and recently connection attempts started failing (oauth randomly fails from microsoft is a day ending in 'y'), so I attempted to rebind the app to the site and it gives this error now:
Need admin approval
XXX needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

Which permissions is very much unclear :(

I think getMicrosoftOAuthEmailSetupConfig might need updating

This might just be microsoft now requiring an admin account to create the oauth token :(


Microsoft recommended user consent policy

The setting labeled "Let Microsoft manage your consent settings," the Microsoft managed policy, will update with Microsoft's latest recommended default consent settings. This is also the default for a new tenant. The setting's rules are currently: End users can consent for any user consentable delegated permissions EXCEPT:

  • For Microsoft Graph: Files.Read.All, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All, Mail.Read, Mail.ReadWrite, Mail.ReadBasic, Mail.Read.Shared, Mail.ReadBasic.Shared, Mail.ReadWrite.Shared, MailboxItem.Read, Calendars.Read, Calendars.ReadBasic, Calendars.ReadWrite, Calendars.Read.Shared, Calendars.ReadWrite.Shared, Chat.Read, Chat.ReadWrite, OnlineMeetings.Read, OnlineMeetings.ReadWrite, MailBoxFolder.Read, MailBoxFolder.ReadWrite, MailBoxSettings.Read, MailBoxSettings.ReadWrite, EAS.AccessAsUser.All, EWS.AccessAsUser.All, IMAP.AccessAsUser.All, POP.AccessAsUser.All.
  • For Office 365 Exchange Online: EAS.AccessAsUser.All, EWS.AccessAsUser.All, IMAP.AccessAsUser.All, POP.AccessAsUser.All.

It looks like it is the claims IMAP.AccessAsUser.All and POP.AccessAsUser.All which are doing it.
To get the old behavior, this requires some tenant changes.

Log in to Entra, navigate to Enterprise apps and find the Consent and permissions option.

Then, on the User consent settings page, select "Allow user consent for apps from verified publishers, for selected permissions". Then, on the Permission classifications page, add these permissions:
  • POP.AccessAsUser.All
  • SMTP.Send
  • IMAP.AccessAsUser.All
  • openid
  • profile
  • email
  • offline_access
  • User.Read
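The same tenant change, scripted with Microsoft Graph PowerShell as an added example that is not from the thread above: it switches user consent to the "verified publishers, selected permissions" policy and classifies exactly the permissions listed as low risk, rather than re-enabling consent for every permission. It assumes the Microsoft.Graph modules are installed, that you sign in with a role allowed to edit consent policy, and that the well-known appIds below (Microsoft Graph and Office 365 Exchange Online) are present in your tenant.

```powershell
# Added example, not code from the thread or from XenForo.
# Assumes Microsoft.Graph modules and an account that can edit consent policy.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization","Policy.ReadWrite.PermissionGrant","Application.Read.All"

# "Allow user consent for apps from verified publishers, for selected permissions"
# is the built-in low-risk grant policy; assigning only it keeps other consent blocked.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
  PermissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
}

# The permissions from the post, grouped by the resource API that defines them
# (IMAP/POP/SMTP scopes live on Exchange Online; the identity scopes on Graph).
$wanted = @{
  "00000003-0000-0000-c000-000000000000" = @("openid","profile","email","offline_access","User.Read")    # Microsoft Graph
  "00000002-0000-0ff1-ce00-000000000000" = @("IMAP.AccessAsUser.All","POP.AccessAsUser.All","SMTP.Send") # Office 365 Exchange Online
}

foreach ($appId in $wanted.Keys) {
  $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
  if (-not $sp) { Write-Warning "Service principal $appId not found in this tenant"; continue }

  # Skip anything already classified so the script is safe to re-run.
  $existing = Get-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $sp.Id

  foreach ($name in $wanted[$appId]) {
    $scope = $sp.Oauth2PermissionScopes | Where-Object { $_.Value -eq $name }
    if (-not $scope) { Write-Warning "$name is not a delegated scope on $($sp.DisplayName)"; continue }
    if ($existing.PermissionName -contains $name) { Write-Host "$name already low on $($sp.DisplayName)"; continue }

    # "low" is the only classification that unlocks user consent under this policy.
    New-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $sp.Id `
      -PermissionId $scope.Id -PermissionName $name -Classification "low" | Out-Null
    Write-Host "Classified $name as low on $($sp.DisplayName)"
  }
}
```

After running it, the Permission classifications page should list the same entries as the manual steps, and a non-admin user can consent to the mail app without the "Need admin approval" prompt while any other delegated permission still requires an admin.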