1

We have a PowerShell script that will grab attachments from a shared mailbox in Outlook Office 365. Now that the Mail API v1 no longer supports basic auth, this script stopped working last night, and now I need to use OAuth?

I will be honest: I have no clue how to make this switch. I have read the documentation a few times, but I think I'm more lost now. From everything I keep reading, it says I need to build an app now, register the app and then generate a bearer or access token via an endpoint that hits that app? Is this true, do I really need to do all this?

Is there no spot where I can just generate an API token with the Microsoft account?

This is essentially the script we used: https://gallery.technet.microsoft.com/office/O365-Email-Attachments-to-6a45e84c

Govna

1 Answer

0

We are in the same situation. Probably because of the outlook.office365.com REST API shutting down and the Graph API being the default from now on: How to retrieve contents of an itemAttachment via the Microsoft Graph API https://learn.microsoft.com/nl-be/graph/api/attachment-get?view=graph-rest-1.0#request-2

Now, I hacked together a script to do this properly and it works. But (1) it requires a GUI input of the password every time the script starts up (for example after a power failure) and once logged in (2) the access token keeps expiring...

Invoke-RestMethod : {
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Access token has expired.",
    "innerError": {
      "request-id": "1c991403-ab46-4aec-a7a1-316dbdfb4eb8",
      "date": "2019-01-16T12:29:50"
    }
  }
}

Now when you get into the documentation and start reading up on things like refreshing a token and such... It is just nuts! https://learn.microsoft.com/nl-be/graph/auth-v2-user

I have developed API interfacing for MailChimp which I completed in under ONE hour... (1) Generate API key in MailChimp, (2) use that API key in your scripts and if needed (3) revoke key in MailChimp in case of an emergency (DONE).

This token M$ BS is really mind blowing. As far as I understand, you either have to use an admin PowerShell tool to change tokens to 90 days default duration (but server wide as I understand instead of app wide?) or automatically refresh the access token every 5 minutes in your script.

That's why I'm now looking into using PSMSGraph which does all of that for you apparently: https://psmsgraph.readthedocs.io/en/latest/

If you would get it working properly before I do, please share your code. As my current solution requires manual password entry (which I don't see how I could make this headless by the way) and stops working after an hour, because of the expiring token.

I'm sure there is a good (security) reason to have this access token way of doing things, but if the MailChimp way of generating lifetime tokens JUST WORKS... Then I fail to see why this access token complexity thing with Microsoft Graph API is needed in the first place.

helonaut
  • Thanks for the response, we are still looking at other options, since we found this (API Graph) to be a little too cumbersome for us considering it's outside what we normally do. Instead of making this change, we just developed a mail program using IMAP and POP3 configuration to receive any unread attachments from the mailbox. It's actually using basic auth in the sense where we have the un and pw hashed but inputted. No tokens required, but I don't think this solution works for a majority of people. We were lucky someone has this old program on their machine and we modified it for our needs. – Govna Jan 23 '19 at 14:19
  • Thanks for your feedback Govna. You are absolutely right about the API graph being too cumbersome and not just a little. I have designed solutions for a lot of APIs and it has been a matter of generating a key and using that key in API calls to that service. Nothing more, nothing less. The access token that gets generated in the AD Azure platform should just have an individual "lifetime variable", adjustable by any admin with a dropdown next to the key. Maybe they could add a box like "I know what I'm doing, I trust this user/program". Done. – helonaut Jan 23 '19 at 14:53
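
The headless setup the answer asks about, as an added example that is not part of the original posts: the OAuth 2.0 client credentials flow lets a registered app obtain Graph tokens without interactive password entry and request a fresh one shortly before each expiry. It assumes an app registration with the Mail.Read application permission and admin consent; the environment variable names, mailbox address, output folder and function names are placeholders chosen for this example.

```powershell
# Added example: app-only (client credentials) access to a shared mailbox via Microsoft Graph.
# Assumptions: environment variable names, mailbox address and output folder are placeholders.
$TenantId     = $env:GRAPH_TENANT_ID
$ClientId     = $env:GRAPH_CLIENT_ID
$ClientSecret = $env:GRAPH_CLIENT_SECRET        # keep the secret out of the script file
$Mailbox      = 'shared-mailbox@example.com'    # placeholder
$OutDir       = 'C:\Attachments'                # placeholder

$script:Token        = $null
$script:TokenExpires = [datetime]::MinValue

function Get-GraphToken {
    # Reuse the cached token until 5 minutes before expiry, then request a new one.
    if ($script:Token -and (Get-Date) -lt $script:TokenExpires.AddMinutes(-5)) { return $script:Token }
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    $script:Token        = $resp.access_token
    $script:TokenExpires = (Get-Date).AddSeconds($resp.expires_in)
    return $script:Token
}

function Invoke-Graph([string]$Uri) {
    # Every call asks for the token, so a long-running loop never sends an expired one.
    Invoke-RestMethod -Uri $Uri -Headers @{ Authorization = "Bearer $(Get-GraphToken)" }
}

$base = "https://graph.microsoft.com/v1.0/users/$Mailbox"
$uri  = "$base/mailFolders/inbox/messages?`$filter=hasAttachments eq true and isRead eq false&`$select=id,subject"
while ($uri) {
    $page = Invoke-Graph $uri
    foreach ($msg in $page.value) {
        $atts = Invoke-Graph "$base/messages/$($msg.id)/attachments"
        foreach ($a in $atts.value | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.fileAttachment' }) {
            # Use only the leaf name so a crafted attachment name cannot escape $OutDir.
            $name = [IO.Path]::GetFileName($a.name)
            [IO.File]::WriteAllBytes((Join-Path $OutDir $name), [Convert]::FromBase64String($a.contentBytes))
        }
    }
    $uri = $page.'@odata.nextLink'   # follow paging until there are no more results
}
```

The Mail.Read application permission covers every mailbox in the tenant unless it is scoped, for example with an Exchange Online application access policy (`New-ApplicationAccessPolicy`) limited to the shared mailbox. The client secret plays the role of the revocable key discussed above: it is created with an expiry and can be deleted in the app registration.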