
We are using Redemption in an unattended non-interactive service to receive and send mails over Exchange mailboxes. This proved to be very stable with on-premise installations, but we're facing some stability problems from time to time when using this with Exchange Online/O365. One part of this seemed to be the logon method used. We've found out that forcing Basic authentication provided the most stable experience. We did this using LogonHostedExchangeMailbox or using a dedicated Outlook profile and disabled Modern Authentication using the appropriate registry keys (EnableADAL=0 and DisableAADWAM=1 for the new WAM authentication method). Now, with Basic Authentication finally being disabled for all Microsoft 365 tenants, we're wondering what would be the best method for unattended use:

  • LogonHostedExchangeMailbox uses basic auth when used with mailbox credentials. One can supply an OAuth Token for the password parameter as well, but this is not an option if there is no way to get an OAuth token unattended/programmatically.
  • With modern Windows versions, Microsoft 365 apps use the Web Account Manager (WAM) for logon. When creating a dedicated Outlook profile to persist the login, using the profile with Redemption running as a Windows service (but with the identity of the user who owns the profile) doesn't work non-interactively. It works when run as an interactive program. Use of WAM can be disabled using registry keys DisableAADWAM (see links below).
  • With older Windows versions, or when disabling WAM, the Active Directory Authentication Library (ADAL) is used for modern authentication. When creating a dedicated profile using Outlook and persisting the OAuth login, using this profile with Redemption initially works very well running as a non-interactive service. But over time this proved to be not stable enough, sometimes not being able to reconnect to M365, e.g. after a reboot, without manual intervention. Sometimes it simply helped to open Outlook with the target profile for the non-interactive service to be able to connect again (sometimes with or sometimes without having to sign in again using the OAuth login workflow).

So what would be the best option to use for unattended non-interactive service use?

Some Reference:

  • What code exactly do you use? – Eugene Astafiev Oct 04 '22 at 13:35
  • @EugeneAstafiev A `Redemption.RDOSession` is created via COM, and then either `RDOSession.LogonHostedExchangeMailbox` is called (this uses basic auth, now getting disabled). In the dedicated Outlook profile scenarios (depending how the application is configured) `Logon` with a profile name and an optional password is used instead. This is already where things may fail. The OAuth authentication is stored within the Outlook profile and is used when using this profile with Redemption as well. But with this configuration we've had some reliability issues in the past. – Benjamin Weikmann Oct 04 '22 at 14:06
