I tried to configure a Mailloop Check with Exchange Online via EWS and Oauth2.
I set up the Appregistration in Azure. Login for the application itself seems to work.
I see successful login atempts for the Check_MK App in the AzureAD logs.
Unfortunately the permissions seem to not be sufficient for the task.
From the output of the Check_MK check itself: reason="The token contains not enough scope to make this call."
Unfortunately i cant find any information on which Permissions the App needs to run the Mailloop and Mailbox Checks.
I added the Delegated Permissions EWS Login as all Users, MailRead and MailWirte permissions.
The permissions also have been given Adminapproval.
The Mailaddresses used are Exchange online user with an Exchange Online Only license.
Does anybody have a Functioning Mailloop Check with Exchange Online and cans share thier configuration.
What exactly are you requesting in regards of scopes when authenticating ?
When one authenticates you send/request the scopes to authenticate for.
And in response you only get authenticated for those scopes.
So it looks like you are requesting information from different scope(s) then what you have authenticated for.
To go into more detail (example)
You authenticate for scope ‘profile’, so you specify it in the request.
→ the return of the (successful) authentication request will be that you receive a token which authorizes you for the ‘profile’-scope.
however you are (actually) in need of scope ‘xyx’ , and try to query it with above authentication.
→ this will lead to the mentioned error, as you haven’t requested access to scope ‘xyz’, just ‘profile’
So please specify all the correct scopes you are in need of in your authentication-request.