Hi
Trying to configure OAuth2 for Azure IMAP access.
When trying to generate the token we get the following error from Microsoft:
AADSTS50194: Application '12cfafd3XXXXX b379'(Itop email processor.) is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.
We have a standalone IMAP processor for a different system, and we have to specify the authority for our specific tenancy:
from msal import ConfidentialClientApplication

# Tenant-specific authority instead of the /common endpoint
app = ConfidentialClientApplication(
    client_id=client_id,
    authority="https://login.microsoftonline.com/7ea1XXXXXXXXXXXe7f",
    client_credential=client_credential,
)
Based on this information, the question would be how to define a tenant-specific endpoint in the OAuth2 client?
As an aside, I have set the debugging level as outlined in the docs for debugging OAuth2, but am unable to find any debug output.
Last edit: Tim Hoffman 2022-11-30
Ok, made some progress.
I found that in
/var/www/html/itop/env-production/itop-oauth-client/src/Controller/AjaxOauthClientController.php
there is defined
public $urlLogin = 'https://login.microsoftonline.com/';
public $tenant = 'common';
Changing this to
public $tenant = '<my tenant id>';
allows the auth process to advance. This means that if you are a specific tenant, the tenant ID will need to be a configurable parameter.
However, when signing in, I now get the following error:
AADSTS500113: No reply address is registered for the application.
The reply address is being supplied in the auth and
Hi
I got further, no additional code changes required, but I had to define in Azure the matching redirect URL that is provided in the OAuth setup in iTop, and I had to allow both token types in the Azure setup associated with this URL.
This was not required (a redirect URL) in our python application.
Last edit: Tim Hoffman 2022-11-30
Now I have an OAuth token, I tried to create an Azure Mail Inbox.
It seems to create OK, however no mail is retrieved.
I have debug turned on and get the following in the log:
2022-11-30 04:35:45 | Debug | 3 | IMAPOAuthEmailSource Start for outlook.office365.com | OAuth |||
2022-11-30 04:36:15 | Debug | 3 | IMAP Sending: TAG1 LOGOUT | OAuth |||
2022-11-30 04:36:45 | Error | 3 | Failed to initialize the mailbox: <name>@rct-global.com. Reason: cannot read - connection closed? | IssueLog |||
A little bit more progress but not working yet.
Removing the port number (leaving it blank) I got further, but am not able to retrieve email. Odd that we could only make a connection when not defining the IMAP port.
As I mentioned earlier, we have a python application using OAuth2 for auth, reading and processing email via IMAP for a different service, which successfully works with Azure, so we feel reasonably confident we have the Azure side of the OAuth equation mostly correct.
Last edit: Tim Hoffman 2022-11-30
I think (but can't prove it, as there is no debug trace being emitted by the underlying libraries) that the tenant ID is not being sent when authenticating when accessing the mailbox.
Our python code explicitly includes the tenant ID with the authority:
authority="https://login.microsoftonline.com/<tenant id>"
And many other examples online do this.
Last edit: Tim Hoffman 2022-12-02
Lastly, all of the tests (for correct operation) using powershell also pass, however they too require the tenant ID.
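To make the two moving parts of this thread concrete (the tenant-specific authority asked about in the first post, and the IMAP login that fails after the token is obtained), here is an added Python example that is not from iTop and not from the original posts. It uses only the standard library: it builds the tenant-specific token endpoint and client-credentials request, refuses the /common authority that produces AADSTS50194 for a single-tenant registration, builds the SASL XOAUTH2 string that IMAP AUTHENTICATE expects, and wires it into imaplib. The scope "https://outlook.office365.com/.default", the client-credentials grant and all sample values are assumptions for illustration.

```python
import base64
import imaplib
import re
from urllib.parse import urlencode

LOGIN_BASE = "https://login.microsoftonline.com/"
# Assumption: scope used for the client-credentials grant against Exchange Online IMAP
IMAP_SCOPE = "https://outlook.office365.com/.default"
IMAP_HOST = "outlook.office365.com"
IMAP_PORT = 993  # implicit TLS; leaving the port unset in a client usually means this default


def authority_for(tenant: str) -> str:
    """Return a tenant-specific authority.

    A single-tenant app registration must not use the shared endpoints; that is
    exactly the configuration that Entra ID rejects with AADSTS50194.
    """
    tenant = tenant.strip()
    if not tenant or tenant.lower() in ("common", "organizations", "consumers"):
        raise ValueError("single-tenant app: use the tenant ID or primary domain, not /common")
    return LOGIN_BASE + tenant


def token_request(tenant: str, client_id: str, client_secret: str, scope: str = IMAP_SCOPE):
    """Return (url, form_body) for the OAuth2 v2.0 client-credentials grant.

    Only the request is built here; sending it is left to the caller so the
    function can be exercised offline.
    """
    url = authority_for(tenant) + "/oauth2/v2.0/token"
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
        "grant_type": "client_credentials",
    })
    return url, body


def xoauth2_string(user: str, access_token: str) -> str:
    """SASL XOAUTH2 initial client response: user=<mailbox>^Aauth=Bearer <token>^A^A."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"


def xoauth2_encoded(user: str, access_token: str) -> str:
    """The same response base64-encoded, as it appears on the wire after AUTHENTICATE XOAUTH2."""
    return base64.b64encode(xoauth2_string(user, access_token).encode()).decode()


def xoauth2_authobject(user: str, access_token: str):
    """Callback for imaplib.IMAP4.authenticate: imaplib base64-encodes the returned bytes itself."""
    return lambda _challenge: xoauth2_string(user, access_token).encode()


def aadsts_code(message: str):
    """Extract the AADSTS error code from an Entra ID error message, or None."""
    m = re.match(r"(AADSTS\d+):", message)
    return m.group(1) if m else None


def imap_login(user: str, access_token: str, host: str = IMAP_HOST, port: int = IMAP_PORT):
    """Open an implicit-TLS IMAP session and authenticate with XOAUTH2 (requires network)."""
    conn = imaplib.IMAP4_SSL(host, port)
    conn.authenticate("XOAUTH2", xoauth2_authobject(user, access_token))
    return conn


if __name__ == "__main__":
    # Constructed sample values; no network access is made here.
    url, body = token_request("7ea1XXXXXXXXXXXe7f", "12cfafd3XXXXX", "<client-secret>")
    print(url)
    print(xoauth2_encoded("mailbox@example.com", "<access-token>"))
    print(aadsts_code("AADSTS50194: Application is not configured as a multi-tenant application."))
```

The XOAUTH2 string carries the mailbox address as `user=`, so a token issued for the tenant but presented for a mailbox in another tenant fails at the IMAP layer even though token generation succeeded, which matches the "can generate a token, but cannot log in" symptom described above.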
Have now set up a principal that is multi-tenant so the tenant ID is not required. However, still in exactly the same place: can generate a token, but cannot log in.
Has anyone been able to get this to work if not using an onmicrosoft address?
Did some more digging - "Multitenant account type requires registration with the Microsoft Partner Network, please consult the Microsoft documentation for full details."
I really believe this means that any single-tenant domain will not work with the current code base, as there is no way (other than modifying the code) to present the tenant ID when authenticating against the IMAP service.
I really hope I am wrong, but I can't see any way around this, and the forums here suggest this is the problem, as I don't think anyone has got this working so far.
Hello,
Indeed I'm just figuring out multiple people don't have a multi tenant app configured...
A ticket is opened and currently reviewed, please continue discussion there: [#2107].
And by the way, many thanks for all the details given here! This will help others!
Related Tickets: #2107