Tuesday, 9 November 2021

Configuring Evolution-EWS to connect to Exchange Online

Let me quickly get something off my chest:

I hate MS Exchange. 

I loathe it. There are few things I despise more. 

I would prefer almost any other integrated messaging system than it. The reasons why are far too long to go into here. It really deserves its own blog entry - which I may do some day.

Unfortunately, unless you are the decision maker for the organisation for which you work, or at least hold some good sway with your IT Steering Committee. You are probably stuck with it.

If your organisation is like most, you are probably migrating to Office 365 or have already done so. If Linux is your primary or preferred platform and you want to be able to receive your email, calendar etc. on your Linux desktop, this may be something of a problem. So, here's my explanation of how to use Evolution as your messaging client for Exchange Online using Exchange Web Services via evolution-ews.

What is "Exchange Web Services" (and why should I care)?

Exchange Web Services (EWS) is an application program interface (API) that allows programmers to access Microsoft Exchange items such as calendars, contacts and email. 

EWS first became available in Exchange Server 2007. It provides the ability to store, retrieve, move and modify email and related data for a single user, a group of users or an entire Exchange Server organisation on an Exchange server. EWS can be used to migrate Exchange data on-prem or to a third-party host in the cloud, or simply as an interface for a mail app or messaging client. Previously, if you wanted to do this you had to leverage Outlook Web Access (OWA).

As well as being available for On-prem editions of Exchange, EWS is available for Office 365, however that access is slightly different.

Evolution-EWS

Evolution-ews from 3.27.91 on has had the capability of connecting to office 365 with OAuth2 authentication. The administrator of the account must allow access via this method. Fortunately this is the default, so I suggest you don't mention it to your Exchange administrator as they may decide to block access.

Users of free accounts at live.com/hotmail.com/outlook.com addresses can also configure EWS account with the same Host URL, but they cannot use OAuth2, it's required to create an application specific password. Organisation accounts can use application specific passwords too, but administrators can disable this feature.
There are two existing application IDs, but the organisation administrators can create their own application and have everything under their control.

To be able to use OAuth2 with outlook.office365.com server an Application ID, which identifies the application which requests access to user data, and a Tenant ID, which basically identifies the organisation, are required.

First make sure everything is installed:

Ubuntu/Debian Instructions

sudo apt-get remove evolution
sudo apt-get update
sudo apt-get install evolution
sudo apt-get install evolution-ews

Note that the first line is there to remove the old version - which may not be up to date. This may not be necessary for you but YMMV.

CentOS/RedHat/Rocky instructions

sudo yum update
sudo yum install evolution
sudo yum install evolution-ews

If you are using DNF, replace 'yum' with 'dnf'

Finding your Tenant ID

Each organisation has assigned its directory (tenant) ID, which is used to identify the organisation when authenticating the user. How to find out the tenant ID is described here. A short walk-through is:

  1. login to https://portal.azure.com

  2. click the View button below Manage Azure Active Directory near the top of the page

  3. the Overview section (selected by default) shows a Tenant information where is the Tenant ID

It can be seen also when:

  1. login to https://portal.azure.com

  2. click the View button below Manage Azure Active Directory near the top of the page

  3. pick App registrations subsection

  4. click Endpoints at the top of the subsection

It opens a table, where can be seen OAuth 2.0 authorization endpoint (v2) and OAuth 2.0 token endpoint (v2). Evolution-ews uses

https://login.microsoftonline.com/$TENANT/oauth2/token

and

https://login.microsoftonline.com/$TENANT/oauth2/authorize
,

where the $TENANT is replaced with the same value as the Tenant ID from the above.

If you are a normal user and do not have the required permission to check in the portal.azure.com, you might find the tenant ID in your browser history. Search for URLs containing tenantId=........-....-....-....-.............

Copy this Tenant ID, it'll be used together with Application ID when configuring evolution-ews.

Choosing an Application ID

There are two unverified applications (for testing purposes). They are setup in a way that they can be used by the organisations, though, depending on the organisation settings, the administrators may or may not need to approve them first. These applications can be used with the organisation tenant ID or with the common (or left empty) tenant ID. Again, it depends on the actual organisation settings. 

  1. 20460e5d-ce91-49af-a3a5-70b6be7486d1 - has both EWS and Microsoft Graph API usages enabled, but the Graph API is not enabled (in evolution-ews 3.38.x) due to its incompleteness. The application identifies itself as GNOME Evolution. It's preferred in case the Graph API would be used in the future, thus the transition to it will be smooth.

  2. 751cf8be-ca07-484b-9308-fac4b9d85eff - has only the EWS protocol enabled. The application identifies itself as GNOME Evolution EWS.

  3. Users can also try application IDs shown at point 12 of this Microsoft page, like d3590ed6-52b3-4102-aeff-aad2292ab01c or ea5a67f6-b6f3-4338-b240-c655ddc3cc8e, with the Redirect URI set to urn:ietf:wg:oauth:2.0:oob and other values kept empty.

If your organisation has its own Application ID, use that one. If you are the administrator for your organisation, and want to create your own Application ID by following this link.

Evolution Instructions

Launch the Evolution application. If this is a new installation, follow the prompts below to configure your account. Otherwise, select the menu items File -> New -> Mail Account, click Next, then follow the prompts.

  • Enter your name and your primary SMTP address, uncheck Look up mail server details… and click Next
  • For Server Type, select Exchange Web Services
  • For Username, specify your email address
  • Change Host URL to https://outlook.office365.com/EWS/Exchange.asmx
    Click the Fetch URL button, providing your EID password when prompted. (If this doesn't work, don't worry, it can be done later). This will result in the OAB URL field being populated, which is the address from which the client can download a copy of the Offline Address Book.
  • Change Authentication to OAuth2 (Office365).
  • Make sure that Override Office365 OAuth2 settings is checked and populate the Tenant ID and Application ID fields as follows:
    • Tenant ID: your tenant ID
    • Application ID: choose from above
  • Finish the New Mail Account Wizard, and you will then be taken to the University’s login page. Authenticate with your EID credentials and perform Duo multi-factor authentication.

Configuring Evolution-EWS to connect to Exchange Online

Please note that the initial synchronization with your account may take an extended period of time if you have a large mailbox.

If you've used EWS previously, you would have noticed that credential management is handled by the Gnome settings under online accounts. With O365 this does not happen. I'm not sure why it's different - it may have something to do with how the data is presented via the App ID, but I'm only guessing here. If anyone knows, please enlighten me in the comments.

Acknowledgements

The following links were helpful to me and acted as source material:

https://sites.utexas.edu/glenmark/2021/02/01/how-to-setup-your-office-365-email-using-evolution-ews-linux/

https://wiki.gnome.org/Apps/Evolution/EWS/OAuth2

https://bugzilla.redhat.com/show_bug.cgi?id=972562