
The blog post "Announcing Exchange ActiveSync v16.1" states that:

"While not a part of EAS 16.1, we also want to note that both Office 365 and Outlook.com customers can now utilize the OAuth 2.0 protocol for authorization through EAS."

My question is: which scope should I use in the OAuth request?

Is there an example, perhaps of the full request?

Note: there was a similar question about using OAuth for Office365 with IMAP, but here I'm specifically asking about ActiveSync. I referenced this question in a comment to one of the answers on that thread.

Secondary problem:

Thanks to Jason's answer and some additional tweaks, we managed to generate an OAuth token using https://login.windows.net/common/oauth2, but only for Office 365 users (organization accounts) and not for Microsoft user accounts (live, hotmail, outlook.com...).

The token allows access to both the ActiveSync protocol (via https://eas.outlook.com/Microsoft-Server-ActiveSync) and the EWS API (via https://outlook.office365.com/EWS/Exchange.asmx).

Unfortunately, we cannot find a way to generate the same token for Microsoft online accounts (hotmail, live, outlook.com). We tried using this endpoint: https://login.live.com/oauth20_authorize.srf, which allows only ActiveSync and not EWS.

Is there a way to use the same token for both organization and online accounts on both protocols (ActiveSync and EWS)?

grebulon

1 Answer


Sorry this took so long, but I wasn't aware of this question until today :). You need to register your app as a native application in Azure Active Directory:


Then add the Access mailboxes as the signed-in user via Exchange Web Services (under Office 365 Exchange Online) delegated permission.

NOTE: You cannot register this in the Application Registration Portal (https://apps.dev.microsoft.com); it needs to be registered in the Azure Portal (https://portal.azure.com/), and you need to use the v1 Azure auth endpoints for authorization and token requests.


Jason Johnston
  • Thank you for your answer. However, there's a second problem: we need to use the same token for both office365 users and online users (hotmail, live, etc). I added the full description to the question. – grebulon Jul 12 '17 at 13:30
  • The Azure v1 endpoints do not support Microsoft accounts (Hotmail, Outlook.com, etc.). They only support Office 365. – Jason Johnston Jul 12 '17 at 14:47
  • Is there a way of having both account types (and both EWS and ActiveSync) work with a single oauth token? We tried with LiveConnect, but it only worked for MS accounts. – grebulon Jul 12 '17 at 14:58
  • No, there's no way. The EWS scope isn't exposed on Azure's v2 endpoints, which is the only endpoint that supports converged auth (meaning that both work and personal accounts can authenticate). – Jason Johnston Jul 12 '17 at 15:56
  • OK. What would be the OAuth scope and endpoint for a personal account (hotmail) that works with EWS? – grebulon Jul 12 '17 at 16:01
  • I don't believe there is one, but I'm double-checking that. – Jason Johnston Jul 12 '17 at 16:09
  • I am running into the same issue and I see that Jason Johnston was double checking but did not post back to this thread. Is there a way to use OAUTH2 for an Outlook.com account so that it can work with EWS? – Mark D. Jul 15 '18 at 14:38
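The v1 authorization-code flow the answer points to, sketched for a native (public) client as an added example that is not code from the answer or from Microsoft. It assumes the v1 `resource` parameter set to `https://outlook.office365.com` in place of a scope, a placeholder client ID and redirect URI, and that the app sends PKCE and `state` values, which it validates before building the token request.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Azure AD v1 endpoints (login.windows.net in the question is an alias of this host).
AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/authorize"
TOKEN = "https://login.microsoftonline.com/common/oauth2/token"
RESOURCE = "https://outlook.office365.com"  # assumption: v1 takes a resource, not a scope
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder application ID
REDIRECT_URI = "http://localhost:8400/callback"  # placeholder, must match the registration


def begin_authorization():
    """Return (url, state, verifier) for the browser step of the code flow."""
    state = secrets.token_urlsafe(16)  # anti-CSRF value, checked on return
    verifier = secrets.token_urlsafe(48)  # PKCE code_verifier, kept client-side
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    query = urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "resource": RESOURCE, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    })
    return f"{AUTHORIZE}?{query}", state, verifier


def token_request_body(callback_url, expected_state, verifier):
    """Validate the redirect, then build the form body to POST to TOKEN."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    returned = params.get("state", [""])[0]
    if not secrets.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch, discarding response")
    if "code" not in params:
        raise ValueError("no authorization code in redirect")
    # A native app is a public client, so no client_secret is sent.
    return {
        "grant_type": "authorization_code", "client_id": CLIENT_ID,
        "code": params["code"][0], "redirect_uri": REDIRECT_URI,
        "resource": RESOURCE, "code_verifier": verifier,
    }


def bearer_header(access_token):
    """Authorization header for the EAS and EWS URLs given in the question."""
    return {"Authorization": "Bearer " + access_token}
```

As the comments above state, this applies to Office 365 organization accounts only.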