This article provides a summary of "Access is denied" error encountered in connecting to Exchange Online while trying to perform any exchange related operation. Below error is contained in detailed error message: Connecting to remote server outlook.office365.com failed with the following error message : Access is denied.
This article applies to:
- MachPanel v6 and Later.
- MachPanel's Exchange Online extension for its CSP Module.
- Exchange Online
With the introduction of OAuth 2.0 in the year 2020 from Microsoft as an enhanced, more secure and modern authentication system, Microsoft had informed its users that the older Basic Authentication via PowerShell EXO V1 will be discontinued. It is confirmed that by October 2022 the Modern Authentication via OAuth v2.0 (PowerShell EXO v2) will fully replace the older mechanism.
To further speed up the process, Microsoft started identifying the tenants under its O365 cloud which were not using Basic Authentication and have stopped / blocked them from using it. If you have a new tenant for which Security Defaults are enabled, Basic Authentication will seize to work. For existing tenants as well, their Basic Authentication will stop working if detected by Microsoft and you will start facing the above highlighted error if this is done by Microsoft.
The changes affect all operations via Basic Authentication for Exchange Online whether being performed directly via PowerShell EXO v1, or via any 3rd Party App using PowerShell EXO v1.
More about this on links below:
MachPanel and Exchange Online
MachPanel currently uses PwerShell EXO v1 to communicate with Exchange Online and hence the recent changes by Microsoft as mentioned above will affect control panel's ability to perform operations on a tenant.
While we are working on making changes to our panel to upgrade to PowerShell EXO v2, the current workaround is to allow basic authentication. Please follow steps highlighted in solution section below:
In the Tenant you can run this Command Get-OrganizationConfig | Format-List basic*
(You will see the entry/value: 255 which stand for All Basic Authentications Blocked i.e. BasicAuthBlockedApps=255)
To change this, you need to login with the Global Admin,
then go to the Help section
and run this command Diag: Enable Basic Auth in EXO
After That you can activate the basic Authentication.
More details and pictorial illustration given on links below:
After activating the Basic Authentication for Exchange Online Remote PowerShell and running this Command Get-OrganizationConfig | Format-List basic*
(You will see the entry/value: 239 which stand for All Basic Authentications Allowed i.e. BasicAuthBlockedApps = 239)
Finally you can now connect via Exchnge Online OAuth v1.0
If steps are completed as highlighted above, then the procedure has been completed and you are done! However, sometimes when you hit "Run Test", you will get a different message. Please review below details to cater that scenario:
After Run test:
If you see following message:
These are the current Basic authentication settings:
The organization configuration is dehydrated. In the Microsoft datacenters, an organization configuration being dehydrated means that it has certain objects consolidated to save space. In this state, configuration cannot be modified. This can be changed by running the Enable-OrganizationCustomization cmdlet.
Note that you are only required to run the Enable-OrganizationCustomization cmdlet once in your Exchange Online organization. If you attempt to run the cmdlet again, you will get an error.
To handle this you have to connect tenant using ExchangeOnlineShell module, run the command: Enable-OrganizationCustomization.
- Open PowerShell
- Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.5
- (skip if already installed)
- Import-Module ExchangeOnlineManagement
After this perform the above steps again from start.
To make this change, you need to login with the Global Admin, then go to the Help section and run this command Diag: Enable Basic Auth in EXO