Exchange Online O365 Emailing inside Dynamics GP
Like
Share
ReportHello All,
Continuing to expand on the Exchange Emailing inside Dynamics GP blog from my colleague Dan Peltier, today’s article deals specifically with Exchange e-mailing with Microsoft Exchange Online (Office 365).
MFA/App Passwords
The EWS endpoint for Exchange Online does not support Multi-Factor Authentication at this time. As Dynamics GP uses the EWS endpoint, you will not be able to use Multi-Factor Authentication or App Passwords with Dynamics GP. You can use Fiddler to track the exact calls that are made from your Dynamics GP server to the Exchange Online server (and the responses), to confirm if you are receiving an error related to MFA, App Passwords or potentially a different authentication issue.
If you have a problem with any of these aspects of Exchange Online, you will need to contact the Exchange Online team directly for assistance.
See “Solution #1” in the following article regarding capturing a Fiddler trace:
https://blogs.msdn.microsoft.com/maheshk/2016/05/03/easy-way-to-collect-fiddler-log-fiddlercap/
For example, here is a Fiddler trace from a case where the user is able to authenticate from the Exchange Login prompt in GP:
In this example, note that we first hit “outlook.office365.com/Autodiscover/Autodiscover.xml”, receive two 401 Unauthorized responses, are then redirected (302) from "autodiscover.microsoft.com/autodsicover/autodiscover.xml" to “Autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml” (the autodiscover endpoint) and then ultimately let into “outlook.office365.com/EWS/Exchange.asmx” (the EWS endpoint).
Here is a Fiddler trace from a case where the user is unable to authenticate from the Exchange Login prompt in GP:
Here we’re seeing similar network traffic, until the point of failure on line 30 where we are seeing a 456 error because we are being prompted for a Multi-Factor Authentication App Password (as highlighted under the Response Headers). As the Exchange Online EWS endpoint does not support MFA or App Passwords, we are unable to log into Exchange from GP with this user.
We also see the full error when scrolling to the right under the “Raw” tab in Fiddler:
The customer needs to fully disable MFA for this Exchange Online user, in order to use them in GP. Again, this would need to be handled directly by the Exchange Online team.
Basic Authentication
Using Exchange Online with Dynamics GP also requires Basic Authentication to be enabled for the Exchange Online user account. Note that per https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online
“You block Basic authentication in Exchange Online by creating and assigning authentication policies to individual users. The policies define the client protocols where Basic authentication is blocked, and assigning the policy to one or more users blocks their Basic authentication requests for the specified protocols.
When it's blocked, Basic authentication in Exchange Online is blocked at the first pre-authentication step (Step 1 in the previous diagrams) before the request reaches Azure Active Directory or the on-premises IdP.”
An Exchange Administrator can view which security policies are applied to a user in Exchange PowerShell. Here are the guides for connecting to PowerShell:
Connect to Exchange Online PowerShell
Connect to Exchange Online Powershell using multi-factor authentication
***PowerShell needs to be run as Administrator for the following commands to work, and they need to connect to Exchange Online PowerShell as an Exchange Admin.
Once connected, the Administrator can run this command to view the list of users and the security policies applied to each user:
get-user |format-list Name,AuthenticationPolicy*
Here is an example list of the output of this command from my colleague Karsten Johnson’s testing:
PS C:\Users\kajoh> get-user |format-list Name,AuthenticationPolicy*
Name : DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}
AuthenticationPolicy :
Name : karstenejohnson
AuthenticationPolicy : Block Basic Auth
Name : azure
AuthenticationPolicy : Block Basic Auth
Note that this outputs the username, and the policies applied to the user (bolded above).
From there, we can view the flags set for each policy with the following command:
Get-AuthenticationPolicy
Sample results of this command from Karsten’s testing:
PS C:\Users\kajoh> get-authenticationpolicy
RunspaceId : 6d721fe5-697c-4e6c-8b0f-5ac7b291061f
AllowBasicAuthActiveSync : False
AllowBasicAuthAutodiscover : False
AllowBasicAuthImap : False
AllowBasicAuthMapi : False
AllowBasicAuthOfflineAddressBook : False
AllowBasicAuthOutlookService : False
AllowBasicAuthPop : False
AllowBasicAuthReportingWebServices : False
AllowBasicAuthRest : False
AllowBasicAuthRpc : False
AllowBasicAuthSmtp : False
AllowBasicAuthWebServices : False
AllowBasicAuthPowershell : False
AdminDisplayName :
ExchangeVersion : 0.20 (15.0.0.0)
Name : Block Basic Auth
DistinguishedName : CN=Block Basic Auth,CN=Auth Policies,CN=Configuration,CN=kejohnson.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR22A001,DC=PROD,DC=OUTLOOK,DC=COM
Identity : Block Basic Auth
ObjectCategory : NAMPR22A001.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Auth-Policy
ObjectClass : {top, msExchAuthPolicy}
WhenChanged : 5/3/2019 3:55:11 PM
WhenCreated : 5/3/2019 3:55:11 PM
WhenChangedUTC : 5/3/2019 8:55:11 PM
WhenCreatedUTC : 5/3/2019 8:55:11 PM
ExchangeObjectId : efe34fc6-5d8b-485b-8760-87109888baf4
OrganizationId : NAMPR22A001.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/kejohnson.onmicrosoft.com -
NAMPR22A001.PROD.OUTLOOK.COM/ConfigurationUnits/kejohnson.onmicrosoft.com/Configuration
Id : Block Basic Auth
Guid : efe34fc6-5d8b-485b-8760-87109888baf4
OriginatingServer : CY4PR22A001DC12.NAMPR22A001.PROD.OUTLOOK.COM
IsValid : True
ObjectState : Unchanged
The two bolded lines above are what is needed for the user’s Exchange Online account to work with Dynamics GP. If you need assistance with changing these settings, this would also need to be handled directly the Exchange Online team.
Tracking Messages
If you are able to successfully authenticate to Exchange Online but the email is still not received, you can review the Mail Flow log in the Admin center of the Exchange Online portal:
- Open Portal.office.com
- Open Admin Center
- Expand Admin Centers
- Click on Security & Compliance
5. Click on Mail Flow -> Message Trace
6. Start a trace
Then, choose settings and search:
Here is an example of a Message Trace from my colleague Derek Albaugh. In this case, it is a successful sending of a financial Trial Balance report from Dynamics GP using an O365 email account entered in the Exchange Log On window for GP:
Under “Message events” we see that the email was received by the Exchange Online server and then sent out to Derek’s e-mail address. If we were to see that the message was received by the Exchange server but not sent out for some reason, then this would confirm that Dynamics GP is working as intended but there is an issue at the Exchange level that would need to be addressed by the Exchange Online team.
Comments
-
Basic Authentication is still a requirement for now, although there is an update to fix this hopefully this fall: "This is scheduled to change in the upcoming Fall 2020 release of Dynamics GP (18.3.####), though we're still in the testing stages so I can't confirm anything 100%." community.dynamics.com/.../1087393
-
We are a Cloud Systems Provider and therefore are required by Microsoft to enable MFA and disable basic authentication. Has any progress been made to work with MFA/Modern Authentication? I'm hoping to see a service pack for GP 2018 to fix this. It's very difficult when one division of MSFT sets a requirement but limitations within other teams don't allow us to comply with it.
-
-
-
Hi all , **Please also note that EWS with Basic auth will be retired by Microsoft as per MS October 13th, 2020. techcommunity.microsoft.com/.../608055 Do we know if there are any GP plans to address this ?
-
-
5
*This post is locked for comments