I tried to configure a Mailloop Check with Exchange Online via EWS and OAuth2.
I set up the App registration in Azure. Login for the application itself seems to work.
I see successful login attempts for the Check_MK App in the AzureAD logs.
Unfortunately the permissions seem to not be sufficient for the task.
From the output of the Check_MK check itself: reason="The token contains not enough scope to make this call."
Unfortunately I can't find any information on which Permissions the App needs to run the Mailloop and Mailbox Checks.
I added the Delegated Permissions EWS Login as all Users, MailRead and MailWrite permissions.
The permissions also have been given Admin approval.
The Mailaddresses used are Exchange Online users with an Exchange Online Only license.
Does anybody have a functioning Mailloop Check with Exchange Online and can share their configuration?
What exactly are you requesting in regard to scopes when authenticating?
When one authenticates you send/request the scopes to authenticate for.
And in response you only get authenticated for those scopes.
So it looks like you are requesting information from different scope(s) than what you have authenticated for.
To go into more detail (example):
You authenticate for scope ‘profile’, so you specify it in the request.
→ the return of the (successful) authentication request will be that you receive a token which authorizes you for the ‘profile’ scope.
However, you are (actually) in need of scope ‘xyz’, and try to query it with the above authentication.
→ this will lead to the mentioned error, as you haven’t requested access to scope ‘xyz’, just ‘profile’.
So please specify all the correct scopes you are in need of in your authentication request.
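Added example (not from anyone in this thread, and not Checkmk's own code): a small Python helper that inspects the access token Azure AD handed back and lists which required scopes are missing, which is a quicker way to confirm a scope mismatch than reading the check's error text. It decodes the JWT payload without verifying the signature (fine for local inspection, never for trusting a token). The scope names `EWS.AccessAsUser.All` (delegated) and `full_access_as_app` (application) are assumed to match the "Office 365 Exchange Online" API permissions in Azure, and the expected `aud` value is assumed to be the Exchange Online resource; the two sample tokens are constructed and unsigned.

```python
import base64
import json

# Assumption: these are the Exchange Online (EWS) permission names as they
# appear in the token's 'scp' / 'roles' claims; verify against your tenant.
REQUIRED_DELEGATED_SCOPES = {"EWS.AccessAsUser.All"}
REQUIRED_APP_ROLES = {"full_access_as_app"}
# Assumption: EWS tokens must be issued for the Exchange Online resource,
# not for Microsoft Graph; a Graph audience is another common cause of
# "not enough scope" style failures.
EXPECTED_AUDIENCES = {"https://outlook.office365.com", "https://outlook.office.com"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(claims: dict) -> set:
    """Delegated scopes live in 'scp' (space separated), app permissions in 'roles' (list)."""
    scopes = set(claims.get("scp", "").split())
    scopes.update(claims.get("roles", []))
    return scopes


def missing_scopes(token: str, required: set) -> set:
    """Required scopes the token does not carry (empty set means the token is sufficient)."""
    return required - granted_scopes(decode_claims(token))


def audience_ok(token: str) -> bool:
    """True if the token was issued for the Exchange Online resource."""
    aud = decode_claims(token).get("aud", "")
    return aud.rstrip("/") in EXPECTED_AUDIENCES


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for demonstration only (alg 'none', empty signature)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), ""])


# Constructed samples: the first mirrors the situation in the thread (mail
# permissions present, EWS scope absent); the second carries the EWS scope.
TOKEN_PROFILE_ONLY = make_sample_token(
    {"aud": "https://outlook.office365.com", "scp": "profile Mail.Read Mail.ReadWrite"})
TOKEN_WITH_EWS = make_sample_token(
    {"aud": "https://outlook.office365.com", "scp": "profile EWS.AccessAsUser.All"})
TOKEN_GRAPH_AUDIENCE = make_sample_token(
    {"aud": "https://graph.microsoft.com", "scp": "EWS.AccessAsUser.All"})

if __name__ == "__main__":
    for name, tok in [("profile-only", TOKEN_PROFILE_ONLY),
                      ("with-ews", TOKEN_WITH_EWS),
                      ("graph-audience", TOKEN_GRAPH_AUDIENCE)]:
        print(name, "missing:", sorted(missing_scopes(tok, REQUIRED_DELEGATED_SCOPES)),
              "audience ok:", audience_ok(tok))
```

To use it on a real token, paste the access token the special agent obtained (for example from the agent's debug output) into `decode_claims`; if `missing_scopes` returns `EWS.AccessAsUser.All`, the scope was never requested or never consented, and if `audience_ok` is false the token was requested for the wrong resource.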
Thanks for sharing your solution.
Can you please tell how you set up the monitoring rule “check IMAP/EWS Mailboxes”?
I don't know what to enter under “Conditions”. I have to enter a host, otherwise I get the message for all hosts that the mailbox was not found.
You can just use the explicit host condition to only apply the rule to a single host.
If you still have an On-Prem Exchange you can apply the rule to that one,
or you can create a “pseudo” Host for the Exchange Online Services.
We basically used the FQDN of the Exchange online Endpoint YOUREXCHANGEONLINEENDPOINT.mail.protection.outlook.com as the IPv4 Address of that Pseudo Host, disabled all normal monitoring options for this host and removed it from all other rules that might apply services to it.
Then you can just use the explicit host option in the service rule to assign the rule only to that host.
Since the EWS Checks are special agents that run from the CheckMK Server itself you don’t need a host with its own agent here.
For the CheckMK Agent and discovery Issue you have to set the Agent to No Agent/API Integration on the host.
The actual Check issue looks like the CheckMK Server can't connect to 365.
You might want to check if you can see logins for the User used to access the 365 API in Azure Identity.