Office365 autodiscover.xml returns 403 Forbidden

I'm working on a simple benchmark script that requires information provided by https://outlook.office365.com/autodiscover/autodiscover.xml. I am using basic authentication with my outlook.com email credentials and it works fine when testing from my computer.

When I shared the script with my colleague (using the same credentials) he was getting a 403 Forbidden response for the request. After some trial and error, it seems like the script is working from multiple different networks inside my country but as soon as I run it from a different country, I get the 403 Forbidden. Since this is a benchmark script it is essential I use the same credentials.

I cannot get any information as to what might cause the issue. Given that the script is always the same, I suspect this could be a security feature preventing a user from authenticating from different countries, but I was unable to find any documentation or even mention of it.

Does anyone have an idea what might be causing the 403?

Usm answered 27/5, 2020 at 8:29 Comment(3)
Can you post some of the code you're using? 403s in Office365 with Auto-discover can be caused if you don't set the user-agent. - Aboulia
Absolutely: fetch(url, { method: "POST", headers: { "Content-Type": "text/xml; charset=utf-8", "Accept": "*/*", "Authorization": "Basic <<BASE-64 ENCODED U:P>>", "X-User-Identity": "<<USER-EMAIL>>", "User-Agent": "MacOutlook/16.37.20051002 (Intelx64 Mac OS X Version 10.15.3 (Build 19D76))" }, body: "<<XML-PAYLOAD>>" }); I've also tried my browser and curl User-Agent strings to no avail. - Usm
Maybe there is 2-factor authentication involved. Once you have passed 2-factor, O365 will remember your system for a certain period. Maybe the other locations should first try with a (private) browser session before trying your script? Did you check if the returned 403 error also comes with an actual HTML page? - Parahydrogen

I found the answer. When a request against autodiscover.xml and other APIs is sent from a country/region that has no previous logins through the website, API requests are answered with 403 Forbidden and marked as Unusual activity in the Activity log:

Unusual activity detected

After logging in to the account using the browser from that country/region, API requests started to work in a few minutes. At this point, I don't know for how long the country/region will be whitelisted before I will have to redo a manual login.

Usm answered 18/6, 2020 at 11:47 Comment(0)
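
An added example (not code from the question or from either answer): a Node.js wrapper around the request shown in the comments that records whether a 403 arrives with an HTML page, an empty body or Autodiscover XML, so a benchmark run can tell the country/region block described above from an ordinary failure. The names `bodyKind`, `diagnose` and `probe` are hypothetical, the sample response is constructed, and the XML payload is left to the caller.

```javascript
// Added example; bodyKind, diagnose and probe are hypothetical helper names.
const AUTODISCOVER_URL = "https://outlook.office365.com/autodiscover/autodiscover.xml";

// Describe the response body so a 403 with an HTML page can be told from an empty one.
function bodyKind(contentType, body) {
  const text = (body || "").trim();
  if (text === "") return "empty";
  if (/<Autodiscover[\s>]/.test(text)) return "autodiscover-xml";
  if (/text\/html/i.test(contentType || "") || /<html[\s>]/i.test(text)) return "html";
  return "other";
}

// Turn status + body shape into a result the benchmark can act on.
function diagnose(status, contentType, body) {
  const kind = bodyKind(contentType, body);
  if (status === 200 && kind === "autodiscover-xml") {
    return { ok: true, kind, hint: "usable Autodiscover response" };
  }
  if (status === 401) {
    return { ok: false, kind, hint: "authentication was not accepted" };
  }
  if (status === 403) {
    // Hint taken from the answer above: new country/region until a browser sign-in.
    return { ok: false, kind, hint: "forbidden: check the account Activity log for " +
      "'Unusual activity' and sign in once through the browser from this country/region" };
  }
  return { ok: false, kind, hint: `unexpected status ${status} with ${kind} body` };
}

// Send the same POST as in the comments (Node 18+, global fetch); payload is the caller's XML.
async function probe(email, password, payload, userAgent) {
  const res = await fetch(AUTODISCOVER_URL, {
    method: "POST",
    headers: {
      "Content-Type": "text/xml; charset=utf-8",
      "Accept": "*/*",
      "Authorization": "Basic " + Buffer.from(`${email}:${password}`).toString("base64"),
      "X-User-Identity": email,
      "User-Agent": userAgent,
    },
    body: payload,
  });
  const body = await res.text();
  const result = diagnose(res.status, res.headers.get("content-type"), body);
  return { status: res.status, ...result, preview: body.slice(0, 200) };
}

// Constructed sample: a 403 that carries an HTML error page.
const SAMPLE = diagnose(403, "text/html", "<html><body>Forbidden</body></html>");
```

Runs that return `ok: false` with status 403 are better logged and excluded from timings than counted as benchmark results.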

See if you can find the 403 response in the IIS log file. There are about 20 different types of 403 error. The most usual is caused by using http instead of https to access a resource where SSL is required. But if you are sure you're using https from the external locations, then it must be one of the other types of 403 error. The IIS log file will reveal which one it is.

You can reset the AutoDiscover Virtual Directory within IIS, and ensure that the external DNS entries exist for each of the SMTP Domains.

Please refer to this for more info.

Kovacs answered 17/6, 2020 at 14:16 Comment(1)
I don't have access to the IIS log in this case as this is O365 outlook.office365.com service, not hosted by me. - Usm