Evolution with Outlook IMAP and oauth2

Hello,

I’m trying to use evolution with a corp Outlook account - but not the EWS backend. I use the outlook.office365.com IMAP server with oauth2 auth. This all ends up working fine in Thunderbird, with the “right” outlook backend also redirecting to my company’s 2fa portal. With Evolution, however, the same server:port settings use “login.live.com” for login, and the MS site keeps saying my username isn’t found.

I looked through the code, and it doesn’t look like login.live.com is preferred or hard-coded in any way. Why does this work in Thunderbird and not in Evolution? Any way I can convince evolution to use another outlook website for login - one that works for corp accounts?

(I’m on Fedora 40, using evolution from distro packages: evolution-3.52.1-1.fc40.x86_64)

Thanks!

Hi,
I suppose you chose “OAuth2 (Outlook)”, which is dedicated for the login.live.com, aka for the free accounts (it’s part of the evolution-data-server code base, which is the reason why you could not find it in the Evolution code itself).

Try to enter the account in gnome-online-accounts (GOA), aka in GNOME’s Settings->Online Accounts, as the “Outlook” account type. The OAuth2 will be handled on the GOA side instead.

Is there any particular reason why you do not want to use EWS or “Microsoft 365” account type? If you want just email, you can open Edit->Accounts->select-the-EWS-account->Edit and disable Contacts and Calendaring for it.

Bye,
Milan

Thanks for the quick response!

I don’t see “Outlook” in GOA - I have “Microsoft 365” and “Microsoft Exchange”. Neither works either.

The Microsoft 365 option only asks for a client ID, and the Microsoft Exchange one doesn’t allow for oauth2 selection - it just asks for a “domain”, which I entered as outlook.office365.com - and that doesn’t work as it doesn’t pop up any window for the subsequent 2fa.

I can’t use evolution-ews because currently my company’s IT policy doesn’t allow Evolution’s application ID via their Azure configuration. It’s a separate fight I’m fighting. They keep telling me to use TB.

So - here’s me trying to use evolution, with imap, and confused as to why that doesn’t work like it does on TB.

Any attempt to use non-imap protocols runs into that Azure application allow-listing. And perhaps that’s happening with goa as well?

I see, I’m sorry, it’s called Microsoft Personal in the gnome-online-accounts-3.50.1-2.fc40.

The GOA’s Microsoft Exchange does not support OAuth2 and the Microsoft 365 does not have email and the others enabled (yet; there’s a bug for it).

When you click on the “Help…” link in the Receiving Email tab with “OAuth2 (Office365)” chosen for an evolution-ews account directly in Evolution, it’ll open a page where three application IDs are listed. When those created for Evolution fail, the third usually works; only read the instructions carefully, otherwise it won’t work even if allowed by your server admins.

Are you rejected by the server also when trying “Microsoft 365” directly in Evolution? That uses Microsoft Graph API and it is more forgiving than the EWS protocol.

If you knew the Thunderbird OAuth2 details, like the App ID they use, redirect URI and the other things, then you could enter it into the evolution-ews’ account dialog and use it too.

Note the changes in the OAuth2 settings might need a restart of the background processes, which means to do the change, close evolution, then run evolution --force-shutdown in the terminal and then start Evolution again. It’s a pita, I agree.

Thank you for helping, Milan. No need to be sorry :) I know I’m in a weird situation here which others have perhaps not encountered yet.

So - things still don’t work for me:

“Microsoft Personal” in goa also just opens the login.live.com link – which doesn’t work for corp accounts.

For evolution-ews, I’ve tried the application IDs on that page you’ve mentioned (and also on the linked MS page). The first two didn’t work. The third one I’ll describe below in a bit.

I also looked at entra.microsoft.com and found a couple other application IDs that have been approved by our IT org – but I get an “application is not multi-tenant” error - meaning those application IDs are not open by default, but only given to certain users. And for whatever reason, our IT org doesn’t want to add new people to that list.

Back to the 3rd option on the Evolution-EWS OAuth2 setting. This time, the login works, and I also get a prompt asking if I trust this application. I click ‘OK’/‘Continue’ everywhere - then the page auto-redirects to some “none-local://” URI, and then just goes right back to the login screen. So there’s some progress, but not enough to make things work.

Oh - and about Thunderbird, TB doesn’t use EWS, but only plain IMAP - so I didn’t try putting its values earlier.

I looked up thunderbird’s application ID from entra.microsoft.com and plugged that into ews setup. Didn’t work (err message about /common tenant id not being available).

I then picked the tenant id from entra as well, and even that didn’t work - went back to saying it’s an unverified app, and that an admin needs to allow it.

Your IT admins are pretty strict, it seems. I’d expect the third app ID will work; it’s provided by Microsoft and identifies itself as an Outlook plugin app, thus should be fine. It has the necessary scopes enabled as well (I think that’s the problem with the Thunderbird app ID: it doesn’t have the correct scopes (the EWS and some other) set).

I get an “application is not multi-tenant” error

Is it both with the “common” tenant and your org’s tenant ID set?

the page auto-redirects to some “none-local://”

That may show an error or something at that stage; it’s a URI used internally in the embedded browser. You can start Evolution from a terminal as: OAUTH2_DEBUG=1 evolution to see what it does. Maybe the server rejected the auth code after all.

Did you try the in-Evolution “Microsoft 365” account type too?
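
The settings discussed above (app ID, tenant “common” vs. the org’s tenant ID, redirect URI, and the redirect that may carry an error instead of an auth code) map onto the standard OAuth2 authorization-code flow against the Microsoft identity platform, with the resulting token then used for IMAP via SASL XOAUTH2. The following is an added example, not code from this thread, from Evolution or from evolution-ews; the client ID, tenant ID and redirect URI are constructed placeholders (the real values are whatever the account dialog or the admin supplies), while the authorize endpoint and the IMAP scope are the publicly documented ones.

```python
"""OAuth2 authorization-code pieces for Outlook IMAP (added example; not Evolution code)."""
import base64
from urllib.parse import parse_qs, urlencode, urlparse

# Microsoft identity platform v2.0 authority (documented endpoint).
AUTHORITY = "https://login.microsoftonline.com"
# Documented delegated scope for IMAP access; offline_access yields a refresh token.
IMAP_SCOPE = "https://outlook.office.com/IMAP.AccessAsUser.All"
DEFAULT_SCOPES = (IMAP_SCOPE, "offline_access")


def authorize_url(client_id, redirect_uri, tenant="common", scopes=DEFAULT_SCOPES):
    """Build the browser URL for the authorization request (RFC 6749 section 4.1.1).

    `tenant` is "common" for multi-tenant apps; a single-tenant (org-restricted)
    app registration must use the org's tenant ID in the path instead, which is
    where an "application is not multi-tenant" style rejection comes from.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_redirect(url):
    """Interpret the URL the embedded browser ends up on after sign-in.

    A successful round trip carries `code` (RFC 6749 section 4.1.2); a refusal
    carries `error` and usually `error_description` (section 4.1.2.1). Seeing
    the latter at the redirect step explains a loop back to the login page.
    """
    query = parse_qs(urlparse(url).query)
    if "code" in query:
        return {"ok": True, "code": query["code"][0]}
    return {
        "ok": False,
        "error": query.get("error", ["unknown"])[0],
        "description": query.get("error_description", [""])[0],
    }


def token_request_body(client_id, redirect_uri, code, scopes=DEFAULT_SCOPES):
    """Form body the client POSTs to /{tenant}/oauth2/v2.0/token to redeem `code`.

    The redirect_uri must match the one used in authorize_url byte for byte;
    a mismatch is rejected by the authorization server.
    """
    return urlencode({
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    })


def xoauth2_initial_response(user, access_token):
    """SASL XOAUTH2 initial client response for IMAP `AUTHENTICATE XOAUTH2`."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def xoauth2_decode(initial_response):
    """Inverse of xoauth2_initial_response, handy when reading debug output."""
    return base64.b64decode(initial_response).decode("utf-8")


if __name__ == "__main__":
    # Constructed placeholders, not real identifiers.
    client_id = "00000000-0000-0000-0000-000000000000"
    redirect_uri = "http://localhost/callback"
    print(authorize_url(client_id, redirect_uri, tenant="common"))
    print(parse_redirect(redirect_uri + "?error=invalid_client&error_description=constructed+failure"))
    print(xoauth2_initial_response("user@example.com", "ACCESS-TOKEN-PLACEHOLDER"))
```

The `tenant` parameter is the piece the thread turns on: `common` only works for app registrations marked multi-tenant, so swapping in the org’s tenant ID is the first thing to try when the authorize step is refused, and `parse_redirect` is the check worth running on whatever URL the embedded browser lands on, since an `error` there (rather than a `code`) means the token request never happened.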

Alright - strangely, the 3rd option now works when I started with debugging enabled. I shut it down, and restarted w/o debugging - and it still works.

I’m quite stumped by this - I tried this option about a month back when it hadn’t worked - tried again today when you mentioned it - and it hadn’t worked.

And now it does. I wonder if I did something differently earlier, or if the settings hadn’t stuck due to not doing --shutdown then.

Anyway, I’m glad I asked this here, since you’ve helped tickle things in the right way that they’re working fine. Thank you very much for the help, Milan!

I guess the --force-shutdown does the trick, otherwise these things are deterministic, not random ;)

Yeah; wondering why the sign-in page kept auto-redirecting to its homepage, repeatedly asking me for my username/passwd/etc in a loop. I waited for the token to expire - and today it logged in fine - after the last redirect to ‘none-local://’. Not sure if the state wasn’t right yesterday the first time to store the cookie, or whether something in --force-shutdown caused the state to reset.

Anyway - I’m happy I get evolution working now - thanks a lot!