jfields

That’s the same thing I get but @jerer says otherwise. Maybe try offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send for the scopes?

Cheers.

array ( 'code' => 'InvalidAuthenticationToken', 'message' => 'Access token validation failure. Invalid audience.', 'innerError' => array ( 'date' => '2024-10-01T20:38:46', 'request-id' => '<guid>', 'client-request-id' => '<guid>', ), )

    jfields

    That sounds like something isn’t configured correctly. Do you have all of these scopes added and admin consented in the app registration in Entra?

    Cheers.

    KevinTheJedi,

    This is the third account I'm setting up for this application. The previous two work fine because their token hasn't expired yet (and I'm tiptoeing around it). I can get it to authenticate just fine but then get AUTHENTICATE failed when trying to download IMAP mail.

    For as big as Microsoft is, you would think they would not change things so often or so quickly.

    KevinTheJedi,

    To get it to authenticate successfully (but fail on fetching email (AUTHENTICATE failed)) I used:
    Resource: https://graph.microsoft.com/v1.0/me
    Scopes: offline_access https://graph.microsoft.com/IMAP.AccessAsUser.All
    Mail Address Attribute: mail

    To get it to give me the invalid token error:
    Resource: https://graph.microsoft.com/v1.0/me
    Scopes: offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send
    Mail Address Attribute: mail

    I believe this is because I'm calling scopes that are different than the Resource URL I'm reaching to get the mail attribute.
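The two configurations above differ in which resource the requested scopes belong to, and the token Microsoft issues carries that resource in its audience claim. The following is an added example (not code from this thread or from the osTicket plugin) that decodes an access token's claims without verifying the signature and checks whether it can be used for IMAP, then builds the XOAUTH2 SASL string the IMAP AUTHENTICATE command expects. It assumes Microsoft puts the resource URL in `aud` and the delegated scopes, space separated, in `scp`; the tokens it decodes are constructed, unsigned samples (`alg: none`), not real tokens.

```python
import base64
import json

# Resource whose audience an IMAP/SMTP token must carry (assumption for this example).
IMAP_RESOURCE = "https://outlook.office.com"
GRAPH_RESOURCE = "https://graph.microsoft.com"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    # JWT segments drop padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. Inspection only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_imap(token: str) -> tuple[bool, str]:
    """Diagnose whether a token will be accepted by Exchange Online IMAP.

    A token minted for the Graph resource (aud https://graph.microsoft.com)
    is rejected by outlook.office.com with 'AUTHENTICATE failed', even if the
    scope name looks right.
    """
    claims = decode_claims(token)
    aud = str(claims.get("aud", "")).rstrip("/")
    scopes = set(str(claims.get("scp", "")).split())
    if aud != IMAP_RESOURCE:
        return False, f"audience {aud!r} is not {IMAP_RESOURCE}; IMAP will reject it"
    if "IMAP.AccessAsUser.All" not in scopes:
        return False, "scp claim lacks IMAP.AccessAsUser.All"
    return True, "token audience and scope are suitable for IMAP"


def xoauth2_initial_response(user: str, token: str) -> str:
    """Encode the SASL XOAUTH2 initial client response for IMAP AUTHENTICATE."""
    raw = f"user={user}\x01auth=Bearer {token}\x01\x01".encode()
    return base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # Constructed samples mirroring the two configurations discussed in the thread.
    graph_token = make_unsigned_jwt({"aud": GRAPH_RESOURCE, "scp": "IMAP.AccessAsUser.All"})
    mail_token = make_unsigned_jwt({"aud": IMAP_RESOURCE, "scp": "IMAP.AccessAsUser.All SMTP.Send"})
    for name, tok in (("graph-audience token", graph_token), ("outlook-audience token", mail_token)):
        ok, why = check_token_for_imap(tok)
        print(f"{name}: {'OK' if ok else 'FAIL'} ({why})")
    print(xoauth2_initial_response("user@example.com", mail_token)[:40], "...")
```

Against a real token, paste the string from the plugin's token tab into `decode_claims` and compare `aud` with the host you are connecting to; the `check_token_for_imap` result explains the "AUTHENTICATE failed" seen with Graph-scoped tokens, and a mismatch in the other direction (an outlook.office.com token sent to graph.microsoft.com) is what produces the "Invalid audience" error quoted earlier.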

      jfields

      But if you modified the plugin and database records appropriately it shouldn’t call the endpoint at all. You can try deleting the existing token via the token tab in the authentication config and changing the user endpoint to “https://outlook.office.com/api/v2.0/me” and the email attribute to “EmailAddress”.

      Cheers.

      With the given workarounds, what is the reversal if MS ends up fixing this? I'm hesitant to make direct changes to the PHP/database without a fallback.

        ognalysis

        The reversal would be to replace the unpacked plugin with the latest download from the website, reversing the db changes, and that’s it.

        Cheers.

            KevinTheJedi, I'm not that familiar with PHP; is it as simple to just repack the plugin instead? If so, it makes sense to me that it'd be easier to unpack, modify, and then repack the plugin instead of modifying the DB.

            I've unpacked and modified the php as you indicated, however, the DB settings are already as you described (install path has no .phar, and isphar is already 0). Should I just replace the whole original plugin directory with the new unpacked one?

              ognalysis

              No, there should be a folder called auth-oauth2/ within the include/plugin/ folder if you followed my steps correctly.

              Cheers.

                KevinTheJedi, there is, but within that folder it looks like the phar is already unpacked.

                I went ahead and just copied the changes to the existing oauth2.php, no db modifications, and reran the token refresh. No error, and I just got the ticket generations. As far as I can immediately tell, your changes worked.

                EDIT: for reference, we're on 1.17.2, using a custom domain within Exchange Online (no outlook.com or onmicrosoft.com)

                  ognalysis

                  After getting a token successfully can you save changes with the Remote Mailbox tab Status set to Enable?

                  Cheers.

                    Okay, so from what I’m gathering, it appears that @outlook.com emails must be special and are still broken; however, business emails and Exchange Online emails should be fine after the plugin changes. Let’s hope they fix personal emails; otherwise they will be in hot water.