0

trying to put together a simple python script to send emails from an office 365 mailbox using exchangelib, but cannot seem to get the authentication going. followed the steps in the documentation to register the app using "Delegated permissions" without any success. error is:

Exception has occurred: UnauthorizedError
Invalid credentials for https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc
  File "C:\Users\sfili\Documents\GitHub\newpythonscripts\V2023\email via ews\email_ewsv30_july_3.py", line 14, in <module>
    account = Account(primary_smtp_address='xxx@yyy.com', credentials=credentials,autodiscover=True, access_type=IMPERSONATION)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
exchangelib.errors.UnauthorizedError: Invalid credentials for https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc

below is the code snippet i am using, the above error is consistent even if access_type=DELEGATE is set

from exchangelib import DELEGATE, IMPERSONATION, Account, Credentials, EWSDateTime, EWSTimeZone, Configuration, NTLM, GSSAPI, CalendarItem, Message, Mailbox, Attendee, Q, ExtendedProperty, FileAttachment, ItemAttachment, HTMLBody, Build, Version, FolderCollection, OAuth2Credentials

credentials = OAuth2Credentials(
    client_id='xxxx', 
    client_secret='xxxx', 
    tenant_id='xxxx'
    )


account = Account(primary_smtp_address='xxx@yyy.com', credentials=credentials,autodiscover=True, access_type=IMPERSONATION)

for item in account.inbox.all().order_by("-datetime_received")[:10]:
    print(item.subject, item.sender, item.datetime_received)
Eugene Astafiev
  • 47,483
  • 3
  • 24
  • 45
Sachin
  • 65
  • 2
  • 6
  • Have you tried without autodiscover? Anyway, auth issues with OAuth against O365 is almost always due to wrong config in Azure. Try going through the exchangelib docs again. – Erik Cederstrand Jul 30 '23 at 21:49
  • would be useful if you could comment 1) is the above block of code good enough to work for office 365 ? different places mention different parameters like username & password besides the client secret are needed 2) if autodiscover is set to FALSE, what does the server need to be. i have used server='outlook.office365.com without any luck until now. and yes the azure configuration with "Delegated permissions" have been configured as per the steps in the documentation, deleted and re-created several times – Sachin Aug 06 '23 at 15:04
  • 1
    Re 1): yes - it's directly from the docs 2) yes, the server is outlook.office365.com. Also mentioned in the docs. Regarding your permission errors, I tested the "Delegated permissions" flow a couple of weeks ago and documented the setup that worked for me. With just an UnauthorizedError it's impossible to say what's wrong in your setup. – Erik Cederstrand Aug 07 '23 at 09:57
  • i was able to get this working by doing 2 things. 1. i used the block of code from the latter part of this link https://github.com/ecederstrand/exchangelib/issues/747 for authentication. no other combination of code has worked for me. 2. i added "full_access_as_app" permissions to the API along with the eisting "EWS.AccessAsUser.All" – Sachin Aug 18 '23 at 17:03
  • while the script can now send email, i am able to send delegated as well as imporsonated email from any mailbox in the tenant, which in my opinion is too powerfull and dangerous. so far not been able to restrict this to delegate permission for a single mailbox only. if i remove anyone of the 2 permissions, the script stops working. suggestions to restrict to a single account are welcome – Sachin Aug 18 '23 at 17:04
  • Which two permissions? And where? https://ecederstrand.github.io/exchangelib/#delegate-oauth-on-office-365 contains the steps to create delegate-only permissions in Azure. They are tested to work. – Erik Cederstrand Aug 20 '23 at 12:42

0 Answers0