Not a long-term fix, but I am forwarding my mailbox that needs collection from osTicket to a £1/month mailbox from Fasthosts - then I can POP3 collect all I want - works great :-)

    alexbuckland

    It will eventually be phased out by most if not all major providers but that deadline is way farther away than IMAP/POP3.

    Cheers.

    Hello Everyone,

    We now have the v1.17-rc1 available for download on our website! Please download, install in a test environment, and test away! If you experience any issues please open a new Issue Report detailing the issue.

    A big thank you to everyone for their patience and support!

    Cheers.

      I would like to mention that we need help testing email authorization for MS accounts specifically. We’ve tested email authorization for Gmail (IMAP/SMTP) as well as OAuth2 agent/user authentication for Google and MS. We also need help testing POP for both Gmail and MS.

      Cheers.

      I managed to upgrade my production environment from 1.16.3 to 1.17 RC1 without any hiccups. I managed to activate the OAuth2 plugin, and here's where I cannot proceed further. I'm on Office365/AzureAD.

      In Manage -> Plugins -> Oauth2 Client, there's an Instance tab. Do I need to manually create a new Instance? Some fields were populated automatically and I'm not sure what I should modify.

      Then in Emails -> Email Addresses (select primary) -> Remote Mailbox, there's another "Config" tab next to "Authentication" after I selected "OAuth2 - Microsoft". The fields here are similar to the ones in Plugins.

      Do you have a guide on how to get OAuth2 working? I have completed App registration in Azure AD, however osTicket does not show a specific error message other than "Configure Authentication".

        danielyee

        You need to go to osTicket, click Config next to Authentication in the email, copy your Redirect URI, go to Azure, register an app, paste your Redirect URI, create a client secret, copy the client id and client secret, go to osTicket, paste your client ID, paste your client secret, and Save Changes. This will then redirect you to Azure to authenticate and accept the scopes.

        Cheers.

          KevinTheJedi
          Hi Kevin,
          I am facing the same issue.
          I've configured OAuth2-Microsoft and it saved successfully.
          But when I enable the email fetching option and try to save the setting, it shows me the Configure Authentication error.
          Please find the screenshots.
          First screenshot - I've configured OAuth2-Microsoft.
          Second screenshot - My OAuth Config parameters.
          Third screenshot - I'm trying to enable Email Fetching but getting the Configure Authentication error.



            korali

            Okay so don’t use the /common/ urls for Authorization and Token Endpoints. Instead go to the Enterprise Applications in Azure, click Endpoints at the top, and use the v2.0 Authorization and Token URLs with /tenant-id/oauth2/v2.0/ instead of /common/oauth2/v2.0/. Then for Resource Details Endpoint instead of /api/v1.0/me use /api/v2.0/me. And lastly for scopes replace profile,email with https://graph.microsoft.com/.default.

            If that doesn’t work then you might need the new build of the plugin and the new patches coming on Monday with RC2. Stay tuned!

            Cheers.

              KevinTheJedi
              I've tried what was suggested, using the right endpoints with my tenant_id. All goes well until the modern authentication, which asks for user, password and scope acceptance, but unfortunately the response from auth is invalid_client.
              As already suggested, there is maybe a problem with how the scope is handled during the authentication process: even with "https://graph.microsoft.com/.default" set, the scope passed is "offline_access https://outlook.office.com/IMAP.AccessAsUser.All", as per the screenshot below.

              @edgarnadal
              As KevinTheJedi suggested, you will find the right URLs with your tenant ID inside your Azure registration portal, in the "Endpoints" link, as seen in the image below.

                Fin3

                I apologize, we were testing a bunch of scope options and I suggested the wrong one. For the scopes use offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send - this will cover all that we need for access tokens for IMAP/POP and SMTP. You may need the new build of the Plugin and RC2 which should be released today. So if using that information and those scopes still cause issues then you'll need to wait for RC2.

                I will say that I'm running into an issue with my Personal Outlook account. I get the error "MailboxNotEnabledForRESTAPI - The mailbox is either inactive, soft-deleted, or is hosted on-premise." after signing in and consenting to scopes. I reached out to Microsoft support and they told me this issue is on their end and that "they are working hard to resolve the issue". 🙄

                Cheers.


                  KevinTheJedi
                  Thank you very much for the reply!

                  Unfortunately things still don't work, neither with the scopes you mentioned, nor with the ones from my endpoints (they are a little bit different for the Azure env, they refer to Graph: https://graph.microsoft.com/offline_access https://graph.microsoft.com/IMAP.AccessAsUser.All https://graph.microsoft.com/POP.AccessAsUser.All https://graph.microsoft.com/SMTP.Send)

                  I will check with the new plugin when ready and let you know, in the meantime if there's something I can do for you, do not hesitate to contact me.

                  Cheers

                    Fin3

                    I'm using Azure AD and the scopes I'm using are what I mentioned above. It even says to use these scopes in their own documentation:

                    This is why I don't use anything MS. They are literally the worst, docs are always outdated and useless, and their support is the worst I've ever seen.

                    Cheers.

                      KevinTheJedi
                      Yes, it's true, the MSFT documentation is often not up to date. Even during their courses you may face things that must be configured differently than what is written in the provided documentation 🤦‍♂️

                      Anyway, this is what I find when I manually try to allow the scopes:

                      Hope this helps!

                      Cheers

                        Fin3

                        I see that too but if I use the graph URLs nothing works at all. If I change to the ones I mentioned above I at least get a valid error.

                        Cheers.

                        Fin3

                        Please send an email to support [at] osticket [dot] com explaining the issue and mention that the devs sent you. From there we can schedule a call with you to help look into MS stuff. All I have is a personal Outlook account and I have to use the outlook scope urls otherwise I get AUTHENTICATE failed (when using graph urls).

                        Also, as I mentioned, when I try to set up Modern Auth and authenticate against IMAP it says MailboxNotEnabledForRESTAPI, which means MS hasn't migrated my account yet so I'm unable to test.

                        Cheers.

                        Hello @KevinTheJedi

                        I would like to confirm I got this to work by updating the scopes, V2.0 API and email attribute in the plugin. In fact the outlook.office365.com URLs/API had to be used instead of Graph.

                        class MicrosoftEmailOauth2Provider extends GenericOauth2Provider {
                            static $id = 'oauth2:msmail';
                            static $name = 'OAuth2 - Microsoft';
                            static $defaults = [
                                'urlAuthorize' => 'https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize',
                                'urlAccessToken' => 'https://login.microsoftonline.com/organizations/oauth2/v2.0/token',
                                'urlResourceOwnerDetails' => 'https://outlook.office.com/api/v2.0/me',
                                // scopes for offline access & mail (IMAP, POP & SMTP)
                                'scopes' => 'offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send',
                                'attr_username' => 'EmailAddress', // This was "mail" before
                                'attr_email' => 'EmailAddress', // This was "mail" before
                                'attr_givenname' => 'givenname',
                                'attr_surname' => 'surname',
                            ];
                            static $urlOptions = [
                                'tenant' => 'common',
                                'accessType' => 'offline_access',
                            ];
                        }

                        With the https://outlook.office.com/api/v2.0/me API the email attribute is "EmailAddress" (https://outlook.office.com/api/v2.0/$metadata)

                        I must admit this is really confusing by Microsoft, if you use the new Graph API/scopes at all the IMAP authentication won't work (even though you successfully get an access token, but imap auth fails with "NO AUTHENTICATION FAILED"). Yet they announced the outlook.office365.com APIs will be decommissioned in November...

                        Edit, related issues:
                        https://github.com/MicrosoftDocs/office-developer-exchange-docs/issues/87#issuecomment-628590496
                        https://github.com/MicrosoftDocs/office-developer-exchange-docs/issues/100#issuecomment-847845126

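The configuration pitfalls reported across this thread, collected into one PHP check. This is an added example, not part of any post and not osTicket or plugin code. The function name `lintMsMailOauth` and its finding texts are hypothetical, the array keys follow the `$defaults` array posted above, and the sample input is constructed.

```php
<?php
// Added example: lint an OAuth2 mail config against the pitfalls reported in
// this thread. lintMsMailOauth() and its finding texts are hypothetical.
function lintMsMailOauth(array $cfg): array {
    $findings = [];
    $scopes = preg_split('/[\s,]+/', trim($cfg['scopes'] ?? ''), -1, PREG_SPLIT_NO_EMPTY);

    // The working config in the thread lists offline_access unqualified;
    // it is the scope that yields a refresh token.
    if (!in_array('offline_access', $scopes, true)) {
        $findings[] = 'scopes: bare "offline_access" not requested';
    }

    // Group resource-qualified scopes by host: one access token is issued
    // for one resource, so a request should not mix hosts.
    $hosts = [];
    foreach ($scopes as $s) {
        $h = parse_url($s, PHP_URL_HOST);
        if ($h) $hosts[strtolower($h)][] = $s;
    }
    if (count($hosts) > 1) {
        $findings[] = 'scopes: span several resources: ' . implode(', ', array_keys($hosts));
    }

    // Thread: mail scopes under graph.microsoft.com return a token, but the
    // IMAP login is then rejected; the outlook.office.com forms worked.
    foreach ($hosts['graph.microsoft.com'] ?? [] as $s) {
        if (preg_match('#/((IMAP|POP)\.AccessAsUser\.All|SMTP\.Send)$#', $s)) {
            $findings[] = "scopes: $s is Graph-qualified; the working config uses outlook.office.com";
        }
    }

    // Thread: /api/v1.0/me was replaced by /api/v2.0/me, whose address
    // attribute is "EmailAddress" rather than "mail".
    $res = $cfg['urlResourceOwnerDetails'] ?? '';
    if (stripos($res, '/api/v1.0/me') !== false) {
        $findings[] = 'urlResourceOwnerDetails: /api/v1.0/me; the thread uses /api/v2.0/me';
    } elseif (stripos($res, '/api/v2.0/me') !== false && ($cfg['attr_email'] ?? '') !== 'EmailAddress') {
        $findings[] = 'attr_email: the v2.0 /me resource names it "EmailAddress"';
    }
    return $findings;
}
// Constructed input: the Graph-qualified scopes one poster reported trying.
$tried = [
    'scopes' => 'https://graph.microsoft.com/offline_access https://graph.microsoft.com/IMAP.AccessAsUser.All',
    'urlResourceOwnerDetails' => 'https://outlook.office.com/api/v1.0/me',
    'attr_email' => 'mail',
];
echo implode("\n", lintMsMailOauth($tried)), "\n";
```

Passing the `$defaults` array from the working configuration above returns no findings.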