I had to create a local account and I was able to upgrade, but now I'm having trouble with the token. Every time I hit submit and it redirects to the MS login page, I sign in and then it redirects me back to the normal osTicket User login page. I never get asked for consent or anything. When I navigate back to emails it shows it's still not configured. Any idea why this would happen?

Well now, I'm no longer redirecting back to the normal user login page, but back to the email settings page with the error "invalid_client". I've copied the client id and client secret directly from 365, as well as double-checked the Endpoint URLs. I'm not sure what else to try here.

Kevin asked you to look at and provide logs with any errors.
Without them it's a shot in the dark as to what is happening, or why.

That was for a previous issue I was having. I'm now having issues with the OAuth2 plugin. The system logs in osTicket do not show anything regarding this.

    dangorham

    Well, then please describe this new issue in detail so we can best assist.

    Cheers.

    I am unable to get the Microsoft authentication to work with the new plugin. When I click Submit on the IdP Config page it redirects to 365, I log in with the email address I am trying to set up, but then it redirects back to osTicket and says "Invalid_Client" next to the Config button.

    I've triple checked all of the inputs, and copied directly from 365.

      dangorham

      That typically means something is misconfigured on the plugin side but could indicate other issues. Please post a screenshot of the configurations but blur out or censor the sensitive info like tenant id, client id, etc.

      Cheers.

      dangorham

      Are you certain the Client ID you pasted in the email auth configuration is the "Application (client) ID" from the App Registration? Are you certain the Client Secret is the "Client Secret Value" and not the Client Secret ID?

      Cheers.

      Okay, so that was the issue, I was copying the wrong string for the Client Secret. It went through and is showing the token but when I hit Save Changes I am now getting this.

      I was able to log in to 365 with all 3 emails I needed to set up, but all 3 are now throwing that up when I select save changes. When I go back into the configs all the settings are there and it is showing a token with a new expiration date. None of them are fetching though.

        dangorham

        It sounds like maybe IMAP is disabled in your tenant via a policy or potentially at each email level.

        Cheers.


        IMAP is enabled. These emails all fetched prior to the OAuth2 plugin needing to be updated.

          dangorham

          Then are you certain you authorized the correct email accounts? Did you do each one in an Incognito window and log in as each mailbox when directed to Microsoft?

          Cheers.

          dangorham

          Also ensure all your Scopes are set to offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send.

          Cheers.

          Yes, I logged into each one in separate incognito windows. I've re-copied that Scopes string to be sure, and I am still getting the same error.

            dangorham

            Hmm, the only thing I can think of is to check the logs in Microsoft to see why it's failing authentication.

            Cheers.

            6 days later

            So I've been working with my director to see if we can figure this out and we are still unable to get emails fetched. The MS logs show successful logins, IMAP is enabled, the token gets refreshed, but it still says Authenticate Failed when clicking Save Changes. Any other ideas?

              dangorham

              See if there is a policy attached to the user (on the Microsoft side) that is restricting IMAP. They have commands you can run for each user to see if it's enabled, etc. You'd need to look at guides online for such steps.

              If you are using a hosting company instead of running your own server/vm then I'd recommend reaching out to them to see if they disable external IMAP, etc. I've seen in the past where such restrictions from hosts cause such issues.

              Cheers.

              There are no restrictions on IMAP. I went through the process with my Sr. Director today. He wanted me to ask why it is able to authenticate for app registration but when I try to with the email it will not?

                dangorham

                Because that's completely separate. The App Registration authorization is strictly to allow the software to request tokens for things like IMAP and SMTP. IMAP is a protocol to collect mail from a mailserver. The only other thing I can recommend is deleting the email from osTicket and re-adding it and reconfiguring it. If that doesn't work then something isn't right on the Microsoft end or on the server itself that's not allowing it to authenticate against IMAP.

                Cheers.
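An added example, not part of the thread and not osTicket or plugin code: the distinction drawn in the last reply (a token being issued versus IMAP accepting it) can be checked offline by decoding the access token's claims and comparing them with the scopes quoted earlier and the mailbox being fetched. It assumes the access token is a JWT carrying `aud`, `scp` and `upn` or `preferred_username` claims; the function names, expected audience value and sample token are constructed for illustration.

```python
import base64
import json

# Scope names from the thread, as they would appear in the token's scp claim
# (offline_access only yields a refresh token, so it is not expected there).
REQUIRED_SCP = {"IMAP.AccessAsUser.All", "POP.AccessAsUser.All", "SMTP.Send"}
EXPECTED_AUD = "https://outlook.office.com"  # assumption: resource prefix of those scopes


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (local diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str, mailbox: str) -> list:
    """List mismatches between the token and what an IMAP XOAUTH2 login needs."""
    claims = jwt_claims(token)
    problems = []
    if str(claims.get("aud", "")).rstrip("/") != EXPECTED_AUD:
        problems.append("aud is %r, not %s" % (claims.get("aud"), EXPECTED_AUD))
    missing = REQUIRED_SCP - set(str(claims.get("scp", "")).split())
    if missing:
        problems.append("scp is missing: " + " ".join(sorted(missing)))
    user = claims.get("upn") or claims.get("preferred_username") or ""
    if user.lower() != mailbox.lower():
        problems.append("token was issued to %r, not %r" % (user, mailbox))
    return problems


def xoauth2_string(mailbox: str, token: str) -> str:
    """Base64 SASL XOAUTH2 response a client sends in IMAP AUTHENTICATE."""
    raw = "user=%s\x01auth=Bearer %s\x01\x01" % (mailbox, token)
    return base64.b64encode(raw.encode()).decode()


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for the demo; not a real Microsoft token."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])
```

An empty list from `diagnose` means the token itself matches the mailbox and scopes, which points the search at the mailbox or server side rather than the app registration.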