Cubbli and Office 365

1

Here are instructions to configure University of Helsinki Office 365 (O365) account to be used in Cubbli Linux. These instructions aren't Cubbli spesific and can be applied to other Linux versions and even other operating systems.

2

3

Cubbli has multiple email clients installed by default. We provide Office 365 configuration for Thunderbird, Evolution and alpine (text based). These instructions are known to work only on Cubbli 20 installations!

4

5

University has switched to multi factor authentication (MFA) with OAuth2 protocol for security reasons (our users kept giving their passwords for phishers). If your email or calendar configuration which has worked before suddenly stops working even when the user account and passwords are correct, your account probably has had mandatory MFA turned on. These instructions assume that MFA is being used.

6

7

**Configuring Office365 to work with desktop applications and MFA can be complicated. Unless you really need a desktop email or calendar application, please consider just using Outlook the web application (OWA) at [[https:~~/~~/www.helsinki.fi/office365>>url:https://www.helsinki.fi/office365||shape="rect"]]. See also **[[Teams and Outlook as webapps>>https://wiki.helsinki.fi/xwiki/bin/view/Cubbli/User%20documentation/Microsoft%20Teams/]]

8

9

One option for O365 calendar access is to sync your Office 365 calendar to your Google calendar and then sync Google Calendar from your desktop calendar application. Google then will have access to your O365 calendar too.

10

11

== General settings for any email client ==

12

13

Your email client needs to support OAuth2 authentication. You need to use your own AD account instead of **youraccount@ad.helsinki.fi **and your own email address instead of **your.address@helsinki.fi**. O365 does not allow you to use any other than your own email address.

14

15

1. When using Linux you need to have at least Cubbli 20 / Ubuntu 20.04 installation. Older distributions are unlikely to work.

16

1. The authentication domain is **ad.helsinki.fi** and your account is of the form **youraccount@ad.helsinki.fi**, while the email domain is just **your.address@helsinki.fi**. You need to get both correctly entered.

17

1. First, enable some MFA autentication methods for your user account. Here are our [[local wiki instructions (in Finnish).>>url:https://wiki.helsinki.fi/display/IAMasioita/Monivaiheinen+tunnistautuminen||shape="rect"]] Here are [[your personal MFA settings at O365>>url:https://mysignins.microsoft.com/security-info||shape="rect"]]. If you MFA is not yet on for your O365 account these instructions are likely to still work, but without the extra authentication step.

18

1. Set incoming mail settings (IMAP):

19

11. User account: **youraccount**@ad.helsinki.fi

20

11. IMAP Mail server: outlook.office365.com

21

11. Connection security: SSL/TLS

22

11. Authentication method: OAuth2

23

1. Set outgoing mail settings (SMTP)

24

11. User account: account@ad.helsinki.fi

25

11. Your correct exact email address (O365 does not allow changing sender address): **your.address@helsinki.fi**

26

11. SMTP server: smtp.office365.com

27

11. Connection security: STARTTLS

28

11. Authentication method: OAuth2

29

1. The mail client will forward you to University of Helsinki Office 365 authentication server stshy.helsinki.fi for password authentication If you get forwarded anywhere else, something went wrong and you should **not give your password.**

30

1. At this point you do the second authentication with the MFA authentication option you selected.

31

32

If your have an application that needs tenant id for ad.helsinki.fi it is 98ae7559-10dc-4288-8e2e-4593e62fe3ee.

== Evolution ==

NOTE: these instructions have been created with the help of Gnome wiki: [[https:~~/~~/wiki.gnome.org/Apps/Evolution/EWS/OAuth2>>url:https://wiki.gnome.org/Apps/Evolution/EWS/OAuth2||shape="rect"]]

37

38

You need evolution-ews plugin to be installed for this. It is installed by default in Cubbli.

39

40

Select Edit/Accounts and then Add / Mail account. Do **not** select the "Look up mail server details" button. It won't work.

41

42

Username: **youraccount**@[[ad.helsinki.fi>>url:http://ad.helsinki.fi||shape="rect"]]

43

44

Change "Server type" to "Exchange Web Services"

45

46

Use (% class="nolink" %)**https:~/~/outlook.office365.com/EWS/Exchange.asmx**(%%) as Host URL.

47

48

On Authentication, click the box "Override Office365 OAuth2 settings" and use **20460e5d-ce91-49af-a3a5-70b6be7486d1** as Application ID.

49

50

(% class="wrapped" %)

51

|=(((

52

(% class="content-wrapper" %)

53

(((

54

[[image:attach:image2021-5-4_16-8-0.png]]

55

)))

56

)))|=(((

57

(% class="content-wrapper" %)

58

(((

59

[[image:attach:image2021-5-5_10-44-14.png]]

60

)))

61

)))|=(((

62

(% class="content-wrapper" %)

63

(((

64

[[image:attach:raimoo.png]][[image:attach:image2021-5-5_10-50-7.png]]

)))

)))

|(((

(% class="content-wrapper" %)

69

(((

70

[[image:attach:image2021-5-5_10-50-57.png]]

71

)))

72

)))|(((

73

(% class="content-wrapper" %)

74

(((

75

[[image:attach:image2021-5-5_10-53-0.png]]

76

)))

77

)))|(((

78

At this point Evolution hung.

79

80

After restart the process continued.

81

82

(% class="content-wrapper" %)

(((

)))

)))

|(% colspan="1" %)(% colspan="1" %)

88

(((

89

(% class="content-wrapper" %)

90

(((

91

[[image:attach:image2021-5-5_11-0-56.png]]

92

)))

93

)))|(% colspan="1" %)(% colspan="1" %)

94

(((

95

(% class="content-wrapper" %)

96

(((

97

[[image:attach:image2021-5-5_11-3-21.png]]

98

)))

99

)))|(% colspan="1" %)(% colspan="1" %)

100

(((

101

(% class="content-wrapper" %)

102

(((

103

[[image:attach:image2021-5-5_10-59-58.png]]

)))

)))

== Thunderbird ==

Use Edit / Account settings button to edit your incoming and outgoing email settings.

110

111

=== Thunderbird IMAP and SMTP settings: ===

112

113

(% class="wrapped" %)

114

|=(((

115

(% class="content-wrapper" %)

116

(((

117

[[image:attach:image2021-5-4_14-15-49.png]]

118

)))

119

)))|=(((

120

(% class="content-wrapper" %)

121

(((

122

[[image:attach:image2021-5-4_14-16-21.png]]

)))

)))

=== Thunderbird Multi Factor Authentication (MFA) ===

127

128

The windows will look slightly different depending if you are doing this in the University internal network or external Internet. You need to accept the MFA authentication in your phone.

129

130

131

(% class="wrapped" %)

132

|=(((

133

(% class="content-wrapper" %)

134

(((

135

[[image:attach:image2021-5-4_13-51-17.png]]

136

137

Login to University first with password

138

)))

139

)))|=(((

140

(% class="content-wrapper" %)

141

(((

142

[[image:attach:image2021-5-4_13-52-36.png]]

143

144

Approve sign-in request with your phone

145

)))

146

)))|=(% colspan="1" %)(% colspan="1" %)

147

(((

148

(% class="content-wrapper" %)

149

(((

150

[[image:attach:image2021-5-4_13-56-6.png]]

151

152

Give Thunderbid permissions to your email.

)))

)))

(% id="HAlpine28orPine29" class="auto-cursor-target" %)

157

=== Alpine (or Pine) ===

158

159

Cubbli 20 has a version of (Al)Pine which works with University O365 email by default. T

160

161

* If you have an old version of {{code language="none"}}~.pinerc {{/code}}rename or delete it first ({{code language="none"}}$ mv ~/.pinerc ~/.pinerc_old{{/code}} (for example) or {{code language="none"}}rm ~/.pinerc{{/code}})

162

* make .pine-passfile ($ touch ~~/.pine-passfile) to which your authentication token will be saved.

163

* start Alpine and follow instructions. It will ask you to create a password for the passfile and ask if you want to save the authentication information there. Say yes so you don't have to do the MFA every time you start Alpine. You just need to know the password that you gave earlier.

164

* Other than the above the procedure will go as pictured below.

165

166

When your INBOX is configured to access O365 Alpine login process looks like this. MFA login probably is simpler when Alpine is treated as a device.

167

168

(% class="wrapped" %)

169

|=(((

170

(% class="content-wrapper" %)