#2707 ✓closed
Jonathan Lemon

O365 permissions

Reported by Jonathan Lemon | December 8th, 2020 @ 07:59 PM

I was trying to get our admin to add MailMate to O365 support, and encountered several problems:

1) When trying to authorize the MailMate application with the authorization URL, it replies with "Need admin approval". When reporting this to the administrator, they need the application UUID in order to review the link. This should be reported on the error page. (I dug this out of the binary and used "6433eda3-0646-4cd2-afc1-12ce89641715".)

2) MailMate apparently requests overly broad permissions:
a) R/W mail in all mailboxes, b) send mail as any user, c) sign in and read user profile. This allows the user to impersonate any user, which isn't workable in a corporate environment. Mailmate should use delegated permissions, where the permissions are scoped only to the logged-in user. The delegated Mail permissions are in delegated Mail permissions: https://docs.microsoft.com/en-us/graph/permissions-reference#delega... I believe the ones that should be used are Mail.ReadWrite, MailboxSettings.ReadWrite, and Mail.Send.

Comments and changes to this ticket

  • benny

    benny January 21st, 2021 @ 04:50 PM

    • State changed from “new” to “closed”

    Sorry for the late reply. I kind of have to start over every time I re-visit the myriad of Microsoft documentation pages :-)

    The permissions you refer to in item 2 are not available to an IMAP email client. Microsoft documents IMAP/SMTP access here.

    Item 1 is trickier and I just had feedback from a user with a similar issue. I'm pretty sure I'm doing what Microsoft recommends right now (and likely the only way to do OAuth2 for IMAP with Office365). I'm also pretty sure I'm doing the exact same thing as Thunderbird does. Microsoft documentation even states that the offline_access permission is added by default by the MSAL framework (which I'm not using though).

    Also note the discussion at the end of this very long Thunderbird thread which seems to touch on this subject. Note that I'm not really concerned about how these things should or should not work in order to live up to some kind of security standard. I'm just concerned about MailMate being in compliance with what Microsoft requires/specifies. IT departments will have to discuss with Microsoft if that is not good enough. I hope that makes sense :)

    If you have any information/links (from Microsoft or others) which shows how MailMate (and Thunderbird) should do IMAP OAuth2 authentication differently then I'm naturally listening.

    Just for the record (for anyone reading this ticket), at the time of writing Office365 OAuth2 is only supported in test releases of MailMate.

  • Jonathan Lemon

    Jonathan Lemon February 18th, 2021 @ 07:45 PM

    In that IMAP/SMTP access link, there's a second link to configure the permissions used by the AzureID that is assigned to MailMate. It seems these are what needs to be set properly.

    Our admin states that the requested permissions for the AzureID must be set by the developer, so they can't change those. What's currently unacceptable is the "send mail as any user" application impersonation. Can the permissions that are registered be reduced?

    It also seems that Thunderbird uses the correct delegated permissions.
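An added example (not code from MailMate or from this ticket) of the check an administrator can run on the authorization URL before approving the app: it extracts the client id the reporter had to dig out of the binary, the tenant, and the requested scopes, and separates the delegated IMAP/SMTP scopes from anything broader that needs review. The scope names for IMAP/SMTP OAuth2 and the sample URL are assumptions constructed for this example.

```python
"""Inspect an OAuth2 authorize URL before approving an app (e.g. MailMate) for Office 365."""
from urllib.parse import urlparse, parse_qs

# Assumption: the delegated, user-scoped scopes Microsoft documents for IMAP/SMTP
# OAuth2 clients. Graph Mail.* scopes are a separate permission set.
IMAP_SMTP_SCOPES = {
    "https://outlook.office.com/IMAP.AccessAsUser.All",
    "https://outlook.office.com/SMTP.Send",
    "offline_access",  # refresh token; the ticket notes MSAL adds this by default
}


def inspect_authorize_url(url: str) -> dict:
    """Return client_id, tenant, and the requested scopes split into the
    expected delegated IMAP/SMTP scopes and anything else an admin should review."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    client_id = params.get("client_id", [None])[0]
    # Tenant is the first path segment: /{tenant}/oauth2/v2.0/authorize
    segments = [s for s in parsed.path.split("/") if s]
    tenant = segments[0] if segments else None
    # scope is space-separated; parse_qs already decodes '+' and %-escapes
    scopes = params.get("scope", [""])[0].split()
    expected = [s for s in scopes if s in IMAP_SMTP_SCOPES]
    unexpected = [s for s in scopes if s not in IMAP_SMTP_SCOPES]
    return {
        "client_id": client_id,
        "tenant": tenant,
        "expected_scopes": expected,
        "review_scopes": unexpected,
        "needs_review": bool(unexpected),
    }


# Constructed sample URL using the client id quoted in the ticket; the scope list is
# illustrative and includes one Graph scope to show it being flagged for review.
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=6433eda3-0646-4cd2-afc1-12ce89641715"
    "&response_type=code&redirect_uri=http%3A%2F%2Flocalhost"
    "&scope=offline_access+https%3A%2F%2Foutlook.office.com%2FIMAP.AccessAsUser.All"
    "+https%3A%2F%2Foutlook.office.com%2FSMTP.Send+Mail.ReadWrite"
)

if __name__ == "__main__":
    print(inspect_authorize_url(SAMPLE_URL))
```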
