Closed Bug 1799259 Opened 2 years ago Closed 1 year ago

OAuth2 is not available for Microsoft 365 (Office 365) personal account

Categories: Thunderbird :: Security, defect (Thunderbird 102)

Tracking: Not tracked

Status: RESOLVED WORKSFORME

People: Reporter: cai.0407, Unassigned

Steps to reproduce:

Microsoft 365 account:
my-account@outlook.com
personal account with annual Microsoft 365 license
initially created in the age of Hotmail

Server settings:
IMAP
Server Name: outlook.office365.com
Port: 993
Authentication Method: OAuth2
Security: TLS/SSL
User Name: my-account@outlook.com

SMTP
Server Name: smtp.office365.com
Port: 993
Authentication Method: OAuth2
Security: TLS/SSL
User Name: my-account@outlook.com

Actual results:

  1. Tb opens the OAuth2 window (https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=08162f7c-0fd2-4200-a84a-f25a4db0b584&redirect_uri=http%3A%2F%2Flocalhost&scope=https%3A%2F%2Foutlook.office365.com%2FIMAP.AccessAsUser.All+https%3A%2F%2Foutlook.office365.com%2FPOP.AccessAsUser.All+https%3A%2F%2Foutlook.office365.com%2FSMTP.Send+offline_access&login_hint=my-account@outlook.com)
  2. Confirm my mail address is correctly input in the field
  3. Click "Next"
  4. It says "Personal account is not available here. Please use company or school account instead" (roughly translated from Japanese).

Expected results:

Tb can access the Microsoft 365 account via OAuth2.

Android K-9 Mail 6.202 (which will become Thunderbird for Android in the future) can access it via OAuth2 with the same settings.

Normal password authentication is of course OK.

Bug 1685414 fixed it. Will be uplifted to 102 soon.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1685414
Resolution: --- → DUPLICATE

(In reply to Magnus Melin [:mkmelin] from comment #1)

Bug 1685414 fixed it. Will be uplifted to 102 soon.

Thanks for navigation.

per https://bugzilla.mozilla.org/show_bug.cgi?id=1810760#c63 it looks like this account is using the wrong scopes. It should be using outlook.office.com, not outlook.office365.com

Status: RESOLVED → REOPENED
No longer duplicate of bug: 1685414
Ever confirmed: true
Resolution: DUPLICATE → ---

(In reply to Andrei Hajdukewycz [:sancus] from comment #3)

per https://bugzilla.mozilla.org/show_bug.cgi?id=1810760#c63 it looks like this account is using the wrong scopes. It should be using outlook.office.com, not outlook.office365.com

Which side has the problem?
Tb? M365?

Status: REOPENED → UNCONFIRMED
Component: Untriaged → Security
Ever confirmed: false

Similar to Bug 1775077 - Thunderbird will not ask for an Oauth2 password for office 365 SMTP ?

(In reply to Kosuke Kaizuka from comment #4)

(In reply to Andrei Hajdukewycz [:sancus] from comment #3)

per https://bugzilla.mozilla.org/show_bug.cgi?id=1810760#c63 it looks like this account is using the wrong scopes. It should be using outlook.office.com, not outlook.office365.com

Which side has the problem?
Tb? M365?

We could use some more detailed testing of this one:

  1. Using 102.7.1, have you tried signing in on a brand new profile? Is that successful?
  2. Using 110 Beta, can you try signing in on a brand new profile? Is that successful?

This is just for testing, I'm not asking you to continue using a new profile. Thanks!

After testing this myself, I think we are retaining oAuth scopes attached to the account somehow even after they're changed in the oAuth settings.

If signing in using a new profile works, you should be able to delete prefs with "oauth2.scope" in the name to get the old account working again, I hope.

(In reply to Andrei Hajdukewycz [:sancus] from comment #6)

(In reply to Kosuke Kaizuka from comment #4)

(In reply to Andrei Hajdukewycz [:sancus] from comment #3)

per https://bugzilla.mozilla.org/show_bug.cgi?id=1810760#c63 it looks like this account is using the wrong scopes. It should be using outlook.office.com, not outlook.office365.com

Which side has the problem?
Tb? M365?

We could use some more detailed testing of this one:

  1. Using 102.7.1, have you tried signing in on a brand new profile? Is that successful?
  2. Using 110 Beta, can you try signing in on a brand new profile? Is that successful?

Environment: Win 10 22H2 x64, M365 personal account
IMAP: outlook.office365.com, TLS/SSL (993), OAuth2
SMTP: smtp.office365.com, STARTTLS (587), OAuth2

  1. Tb 102.7.1 x64 + brand new profile
  2. Tb 110.0b3 x64 + brand new profile
  3. Tb 111.0a1 (20230201095127) x64 + brand new profile

In all cases, IMAP is good. The scope used for OAuth2 is outlook.office.com, not outlook.office365.com.
On the other hand, SMTP is bad. Same as bug 1775077, a login failed dialog appears, but neither "Retry" nor "Enter New Password" works, endless loop...

bug 1775077#c10 is not applicable for M365 personal account.
"AADSTS500200: User account 'my\account@outlook.com' is a personal Microsoft account. Personal Microsoft accounts are not supported for this application unless explicitly invited to an organization. Try signing out and signing back in with an organizational account."

(In reply to Andrei Hajdukewycz [:sancus] from comment #7)

After testing this myself, I think we are retaining oAuth scopes attached to the account somehow even after they're changed in the oAuth settings.

If signing in using a new profile works, you should be able to delete prefs with "oauth2.scope" in the name to get the old account working again, I hope.

I have found and deleted two prefs below in my usual profile, and tried OAuth2 again.

user_pref("mail.server.serverX.oauth2.scope", "https://outlook.office365.com/IMAP.AccessAsUser.All https://outlook.office365.com/POP.AccessAsUser.All https://outlook.office365.com/SMTP.Send offline_access");
user_pref("mail.smtpserver.smtpX.oauth2.scope", "https://outlook.office365.com/IMAP.AccessAsUser.All https://outlook.office365.com/POP.AccessAsUser.All https://outlook.office365.com/SMTP.Send offline_access");

Got it! IMAP works now!
I've tried OAuth2 with an M365 personal account in the past; the wrong scopes might have been stored at that time.

new:
user_pref("mail.server.serverX.oauth2.scope", "https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send offline_access");
user_pref("mail.smtpserver.smtpX.oauth2.scope", "https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send offline_access");

SMTP does not work on the usual profile...

Now, the following are available:

  1. IMAP with OAuth2 and SMTP with normal password authentication
  2. IMAP and SMTP with normal password authentication

SMTP with OAuth2 is bug 1775077.

I think we can close this bug and should focus on bug 1810760 (IMAP/SMTP issue for some Linux users) and bug 1775077 (SMTP issue).
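Added example (not part of the original thread and not Thunderbird code): a read-only audit of `prefs.js` content for retained `oauth2.scope` prefs that still name `outlook.office365.com`, plus a check of the hosts requested in an authorize URL's `scope` parameter. The function names, the server numbers in the sample prefs and the shortened sample URL are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Matches string prefs such as: user_pref("mail.server.server1.oauth2.scope", "...");
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);$')
STALE_HOST = "outlook.office365.com"  # host seen in the retained scopes in this thread


def scope_hosts(scope_value):
    """Hosts named by URL-style scopes; bare scopes like offline_access have none."""
    return {urlsplit(s).hostname for s in scope_value.split() if "://" in s}


def authorize_url_scope_hosts(url):
    """Hosts named in the scope parameter of an OAuth2 authorize URL."""
    scope = parse_qs(urlsplit(url).query).get("scope", [""])[0]
    return scope_hosts(scope)


def find_stale_scope_prefs(prefs_text):
    """Return {pref name: sorted hosts} for oauth2.scope prefs that use STALE_HOST."""
    stale = {}
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line.strip())
        if m and m.group(1).endswith(".oauth2.scope"):
            hosts = scope_hosts(m.group(2))
            if STALE_HOST in hosts:  # exact host comparison, not a substring test
                stale[m.group(1)] = sorted(hosts)
    return stale


# Constructed sample prefs.js content (server numbers are made up).
SAMPLE_PREFS = """\
user_pref("mail.server.server1.userName", "my-account@outlook.com");
user_pref("mail.server.server1.oauth2.scope", "https://outlook.office365.com/IMAP.AccessAsUser.All https://outlook.office365.com/SMTP.Send offline_access");
user_pref("mail.server.server2.oauth2.scope", "https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send offline_access");
user_pref("mail.smtpserver.smtp1.oauth2.scope", "https://outlook.office365.com/SMTP.Send offline_access");
"""

# Constructed URL, shortened from the authorize URL in the report to the scope parameter.
SAMPLE_URL = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
              "?response_type=code"
              "&scope=https%3A%2F%2Foutlook.office365.com%2FIMAP.AccessAsUser.All+offline_access")

if __name__ == "__main__":
    for name, hosts in find_stale_scope_prefs(SAMPLE_PREFS).items():
        print(f"{name}: scopes still reference {', '.join(hosts)}")
    print("authorize URL requests scopes on:", authorize_url_scope_hosts(SAMPLE_URL))
```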

With version 102.6.1 getting access to the mail server outlook.office365.com with the account of my university works perfectly.
With 102.7 I can no longer connect to that server.
I reverted back to 102.6.1 and everything worked again. I have waited for 102.7.1 which is supposed to fix this problem. It does not.
Again I reverted back to 102.6.1 to get everything working again.

(In reply to John Bijnens from comment #10)

With version 102.6.1 getting access to the mail server outlook.office365.com with the account of my university works perfectly.
With 102.7 I can no longer connect to that server.
I reverted back to 102.6.1 and everything worked again. I have waited for 102.7.1 which is supposed to fix this problem. It does not.
Again I reverted back to 102.6.1 to get everything working again.

  1. The scope of this bug is about M365 personal account, not enterprise/organization account like company and university.
  2. The authentication problem after upgrading to 102.7.0/102.7.1 is bug 1810760.

(In reply to Kosuke Kaizuka from comment #11)

(In reply to John Bijnens from comment #10)

With version 102.6.1 getting access to the mail server outlook.office365.com with the account of my university works perfectly.
With 102.7 I can no longer connect to that server.
I reverted back to 102.6.1 and everything worked again. I have waited for 102.7.1 which is supposed to fix this problem. It does not.
Again I reverted back to 102.6.1 to get everything working again.

  1. The scope of this bug is about M365 personal account, not enterprise/organization account like company and university.
  2. The authentication problem after upgrading to 102.7.0/102.7.1 is bug 1810760.

Thank you for this clear explanation. My apologies.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago → 1 year ago
Resolution: --- → WORKSFORME