Cubbli and Office 365

Last modified by Niko-Ville Koljonen on 2024/02/16 11:06

Here are instructions to configure a University of Helsinki Office 365 (O365) account for use in Cubbli Linux. These instructions aren't Cubbli-specific and can be applied to other Linux versions and even other operating systems.

Cubbli has multiple email clients installed by default. We provide Office 365 configuration for Thunderbird, Evolution and alpine (text based). These instructions are known to work only on Cubbli 20 installations! 

The University has switched to multi-factor authentication (MFA) with the OAuth2 protocol for security reasons (our users kept giving their passwords to phishers). If an email or calendar configuration that has worked before suddenly stops working even though the user account and password are correct, your account has probably had mandatory MFA turned on. These instructions assume that MFA is being used.

Configuring Office 365 to work with desktop applications and MFA can be complicated. Unless you really need a desktop email or calendar application, please consider just using the Outlook web application (OWA) at https://www.helsinki.fi/office365. See also Teams and Outlook as webapps.

One option for O365 calendar access is to sync your Office 365 calendar to your Google calendar and then sync Google Calendar from your desktop calendar application. Google then will have access to your O365 calendar too. 

General settings for any email client

Your email client needs to support OAuth2 authentication. You need to use your own AD account instead of youraccount@ad.helsinki.fi and your own email address instead of your.address@helsinki.fi. O365 does not allow you to use any other than your own email address.  

  1. When using Linux you need to have at least Cubbli 20 / Ubuntu 20.04 installation. Older distributions are unlikely to work. 
  2. The authentication domain is ad.helsinki.fi and your account is of the form youraccount@ad.helsinki.fi, while the email domain is just your.address@helsinki.fi. You need to get both correctly entered. 
  3. First, enable some MFA authentication methods for your user account. Here are our local wiki instructions (in Finnish). Here are your personal MFA settings at O365. If MFA is not yet on for your O365 account, these instructions are likely to still work, but without the extra authentication step.
  4. Set incoming mail settings (IMAP):
    1. User account: youraccount@ad.helsinki.fi
    2. IMAP Mail server: outlook.office365.com
    3. Connection security: SSL/TLS
    4. Authentication method: OAuth2
  5. Set outgoing mail settings (SMTP)
    1. User account: youraccount@ad.helsinki.fi
    2. Your correct exact email address (O365 does not allow changing sender address): your.address@helsinki.fi
    3. SMTP server: smtp.office365.com
    4. Connection security: STARTTLS
    5. Authentication method: OAuth2
  6. The mail client will forward you to the University of Helsinki Office 365 authentication server stshy.helsinki.fi for password authentication. If you get forwarded anywhere else, something went wrong and you should not give your password.
  7. At this point you do the second authentication with the MFA authentication option you selected.
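Step 6 above as an added example (not part of the original instructions): a strict check of the sign-in URL shown in the browser window before the password is typed. Only the host name stshy.helsinki.fi comes from this page; the function name and all sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Host named on this page as the University sign-in server.
# Assumption: it is the only host that should ever receive the AD password.
TRUSTED_LOGIN_HOSTS = frozenset({"stshy.helsinki.fi"})


def is_trusted_login_url(url, trusted=TRUSTED_LOGIN_HOSTS):
    """Return True only for an https URL whose host is exactly a trusted one."""
    url = url.strip()
    # Backslashes and control characters are parsed differently by different
    # software, so refuse them instead of guessing what the browser will do.
    if any(c == "\\" or ord(c) <= 32 for c in url):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased by urlsplit
    except ValueError:
        return False
    if parts.scheme != "https" or host is None:
        return False
    # "https://trusted-name@other-host/" really connects to other-host.
    if parts.username is not None or parts.password is not None:
        return False
    # Exact match: no suffix, prefix or substring comparison.
    return host in trusted


# Constructed sample URLs (hypothetical paths and look-alike hosts).
SAMPLES = [
    "https://stshy.helsinki.fi/constructed/path?x=1",
    "https://STSHY.Helsinki.FI/constructed/path",
    "http://stshy.helsinki.fi/constructed/path",
    "https://stshy.helsinki.fi.login.example/constructed/path",
    "https://stshy.helsinki.fi@login.example/constructed/path",
    "https://stshy-helsinki.fi.example/constructed/path",
]


def check_samples(samples=SAMPLES):
    """Map each sample URL to the verdict of is_trusted_login_url()."""
    return {u: is_trusted_login_url(u) for u in samples}


if __name__ == "__main__":
    for url, ok in check_samples().items():
        print("OK    " if ok else "REFUSE", url)
```

The comparison is an exact host match on purpose: a check such as "the URL contains stshy.helsinki.fi" accepts every look-alike in the sample list.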

If you have an application that needs the tenant ID for ad.helsinki.fi, it is 98ae7559-10dc-4288-8e2e-4593e62fe3ee.

Evolution

NOTE: these instructions have been created with the help of Gnome wiki: https://wiki.gnome.org/Apps/Evolution/EWS/OAuth2

You need the evolution-ews plugin to be installed for this. It is installed by default in Cubbli.

Select Edit/Accounts and then Add / Mail account. Do not select the "Look up mail server details" button. It won't work. 

Username: youraccount@ad.helsinki.fi

Change "Server type" to "Exchange Web Services"

Use https://outlook.office365.com/EWS/Exchange.asmx as Host URL. 

On Authentication, click the box "Override Office365 OAuth2 settings" and use 20460e5d-ce91-49af-a3a5-70b6be7486d1 as Application ID. 

[Screenshots: Evolution account setup]

At this point Evolution hung.

After restart the process continued. 

[Screenshots: Evolution account setup, continued after restart]

Thunderbird

Use Edit / Account settings button to edit your incoming and outgoing email settings. 

Thunderbird IMAP and SMTP settings:

[Screenshots: Thunderbird IMAP and SMTP settings]

Thunderbird Multi Factor Authentication (MFA)

The windows will look slightly different depending on whether you are doing this in the University internal network or on the external Internet. You need to accept the MFA authentication on your phone.

[Screenshot]

Login to University first with password

[Screenshot]

Approve sign-in request with your phone

[Screenshot]

Give Thunderbird permissions to your email.

Alpine (or Pine)

Cubbli 20 has a version of (Al)Pine which works with University O365 email by default.

  • If you have an old version of ~/.pinerc, rename or delete it first (for example, $ mv ~/.pinerc ~/.pinerc_old or $ rm ~/.pinerc).
  • Create ~/.pine-passfile ($ touch ~/.pine-passfile), in which your authentication token will be saved.
  • Start Alpine and follow the instructions. It will ask you to create a password for the passfile and ask if you want to save the authentication information there. Say yes so you don't have to do the MFA every time you start Alpine. You just need to know the password that you gave earlier.
  • Other than the above, the procedure will go as pictured below.

When your INBOX is configured to access O365, the Alpine login process looks like this. MFA login probably is simpler when Alpine is treated as a device.

[Screenshots: Alpine login process with O365]