Allow Microsoft 365 channel with disabled user consent

Hi,

I would like to have the option to use the Microsoft 365 channel with disabled user consent in Azure AD.
It is a recommended security best practice from Microsoft to disable user consent in Azure AD to prevent OAuth2 phishing, but currently using only admin consent will not work, because the call to the /authorize endpoint explicitly uses prompt=consent.

It should be possible to set a configuration option to switch between the two modes.
Depending on the configuration option, the request in lib/external_credential/microsoft365.rb needs to use either "consent" (for user consent) or "select_account" for admin consent (with disabled user consent). Currently it is hard-coded to "consent".

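
To illustrate the switch proposed above, here is an added example (not Zammad's own code) that builds the Microsoft 365 authorize URL with a configurable prompt value and includes a small check that tells, from any authorize URL, whether it would force the interactive consent dialog. The config hash shape, the callback URL and the default scope string are assumptions for the example.

```ruby
require 'uri'
require 'cgi'

# Microsoft identity platform v2.0 authorize endpoint; {tenant} is
# "common" or a tenant id. Assumed config hash (not Zammad's real one):
# { client_id:, redirect_uri:, admin_consent: true/false }.
MS_LOGIN_BASE = 'https://login.microsoftonline.com'
DEFAULT_SCOPE = 'offline_access openid profile email' # shortened for the example

# 'consent' forces the consent dialog (needs user consent enabled in Azure AD);
# 'select_account' only asks which account to use and relies on the consent
# an admin already granted for the whole tenant.
def prompt_for(admin_consent:)
  admin_consent ? 'select_account' : 'consent'
end

def authorize_params(client_id:, redirect_uri:, admin_consent:, scope: DEFAULT_SCOPE)
  {
    'client_id'     => client_id,
    'redirect_uri'  => redirect_uri,
    'scope'         => scope,
    'response_type' => 'code',
    'access_type'   => 'offline', # kept as in the posted code
    'prompt'        => prompt_for(admin_consent: admin_consent),
  }
end

def generate_authorize_url(tenant: 'common', **params_args)
  query = URI.encode_www_form(authorize_params(**params_args))
  "#{MS_LOGIN_BASE}/#{tenant}/oauth2/v2.0/authorize?#{query}"
end

# Defender-side check: does this authorize URL (e.g. taken from a proxy log)
# force the interactive consent dialog? Useful when verifying that a
# deployment really runs in admin-consent mode.
def forces_consent?(url)
  CGI.parse(URI.parse(url).query.to_s).fetch('prompt', []).include?('consent')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not a real tenant or app registration.
  url = generate_authorize_url(client_id: '00000000-0000-0000-0000-000000000000',
                               redirect_uri: 'https://zammad.example/api/v1/external_credentials/microsoft365/callback',
                               admin_consent: true)
  puts url
  puts "forces consent dialog: #{forces_consent?(url)}"
end
```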

I have the same issue as well. We are using Office 365, our 365 policy does not allow users to consent without admin approval, and the Zammad 365 integration keeps asking over and over again for admin consent (although we already approved it at admin level).

There are several options to fix or work around this:

  • enable user consent (unacceptable by our security department)
  • add global admin permission (365) to the mailbox Zammad is using (unacceptable by our security department)
  • dig into the Zammad code and modify it to not request consent at all (this is what I did for now; I'm afraid I will need to do this again when I upgrade Zammad). I can elaborate on the changes I made if needed.

I think during October it will become a big issue for many Zammad admins, since in October all legacy authentication will be deprecated on the 365 side. Admins will then have to use OAuth, and many of them will get the admin consent loop (like I had), which will be a big issue for them.

Admin consent is not supported as of now. Our documentation does state that very clearly to help admins to not run down that rabbit hole.

Admin consent during the process is not that trivial, as it works contrary to how Zammad channels work right now. This needs logic stuff etc. If you need this super bad, you could consider sponsoring this functionality to speed things up. If not (which is fine) you'll have to be patient and hope that it will come one day.

One thing up front: We do not disclose roadmaps nor ETAs. In general no guarantee that this will come.

Thanks for your quick reply. I myself am OK with the workaround I did, but I am simply raising a flag: in October all Zammad users who use an O365 mailbox will need to move to the Microsoft 365 integration (basic IMAP and SMTP will stop working for all 365 users), and they will encounter this (assuming they disabled user consent as well, as it can be a security risk). Just wanted to give a heads up :)

this is the relevant o365 article: Deprecation of Basic authentication in Exchange Online | Microsoft Docs

Are you able to share your work around?

This is a feature request thread, please don’t hijack it with your technical questions.

Sure, please note I am not a developer; I used my logic to edit the following.

file: lib/external_credential/microsoft365.rb

original:

    # scope as shown in the post (the two URL scopes were rendered as link titles)
    def self.generate_authorize_url(credentials, scope = 'Sign in to Outlook Sign in to Outlook offline_access openid profile email')
      params = {
        'client_id'     => credentials[:client_id],
        'redirect_uri'  => ExternalCredential.callback_url('microsoft365'),
        'scope'         => scope,
        'response_type' => 'code',
        'access_type'   => 'offline',
        'prompt'        => 'consent',   # hard-coded: always forces the consent dialog
      }
      # ... (rest of the method unchanged)
    end

new:

    # scope as shown in the post (the two URL scopes were rendered as link titles)
    def self.generate_authorize_url(credentials, scope = 'Sign in to Outlook Sign in to Outlook offline_access openid profile email')
      params = {
        'client_id'     => credentials[:client_id],
        'redirect_uri'  => ExternalCredential.callback_url('microsoft365'),
        'scope'         => scope,
        'response_type' => 'code',
        'access_type'   => 'offline',
        # 'prompt' removed: no consent dialog is requested, so the admin consent already granted is used
      }
      # ... (rest of the method unchanged)
    end

file: spec/lib/external_credential/microsoft365_spec.rb

original:

    RSpec.describe ExternalCredential::Microsoft365 do

      # the login URLs were rendered as link titles in the post
      let(:token_url)                 { 'Sign in to your account' }
      let(:token_url_with_tenant)     { 'Sign in to your account' }
      let(:authorize_url)             { "Sign in to your account" }
      let(:authorize_url_with_tenant) { "Sign in to your account" }
      # ...

      describe '.link_account' do
        let!(:authorization_payload) do
          {
            code:       authorization_code,
            scope:      scope_payload,
            authuser:   '4',
            hd:         'example.com',
            prompt:     'consent',
            controller: 'external_credentials',
            action:     'callback',
            provider:   provider
          }
        end
        # ...
      end

      describe '.refresh_token' do
        let!(:authorization_payload) do
          {
            code:       authorization_code,
            scope:      scope_payload,
            authuser:   '4',
            hd:         'example.com',
            prompt:     'consent',
            controller: 'external_credentials',
            action:     'callback',
            provider:   provider
          }
        end
        # ...
      end
    end

new:

    RSpec.describe ExternalCredential::Microsoft365 do

      # the login URLs were rendered as link titles in the post
      let(:token_url)                 { 'Sign in to your account' }
      let(:token_url_with_tenant)     { 'Sign in to your account' }
      let(:authorize_url)             { "Sign in to your account" }
      let(:authorize_url_with_tenant) { "Sign in to your account" }
      # ...

      describe '.link_account' do
        let!(:authorization_payload) do
          {
            code:       authorization_code,
            scope:      scope_payload,
            authuser:   '4',
            hd:         'example.com',
            # prompt: 'consent' removed to match the changed authorize request
            controller: 'external_credentials',
            action:     'callback',
            provider:   provider
          }
        end
        # ...
      end

      describe '.refresh_token' do
        let!(:authorization_payload) do
          {
            code:       authorization_code,
            scope:      scope_payload,
            authuser:   '4',
            hd:         'example.com',
            # prompt: 'consent' removed to match the changed authorize request
            controller: 'external_credentials',
            action:     'callback',
            provider:   provider
          }
        end
        # ...
      end
    end

hope it helps
