EWS and AutoDiscoverURL error using Azure AD Certificate with Powershell

Time:10-25

I've tried with and without Secret ID, and now with a self-signed Certificate and I keep getting the same error:

Exception calling "AutodiscoverUrl" with "2" argument(s): "The expected XML node type was XmlDeclaration, but the actual type is Element."

My PowerShell script:

$TenantId = "blahblah"
$AppClientId="blahblah"
$EDIcertThumbPrint = "blahblah"
$EDIcert = get-childitem Cert:\CurrentUser\My\$EDIcertThumbPrint

$MsalParams = @{
    ClientId = $AppClientId
    TenantId = $TenantId
    ClientCertificate = $EDIcert
    Scopes = "https://outlook.office.com/.default"
}
$MsalResponse = Get-MsalToken @MsalParams
$EWSAccessToken  = $MsalResponse.AccessToken

Import-Module 'C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll'

#Provide the mailbox id (email address) to connect via AutoDiscover
$MailboxName ="[email protected]"
$ews = [Microsoft.Exchange.WebServices.Data.ExchangeService]::new()
$ews.Credentials = [Microsoft.Exchange.WebServices.Data.OAuthCredentials]$EWSAccessToken
$ews.Url = "https://outlook.office365.com/EWS/Exchange.asmx"
$ews.AutodiscoverUrl($MailboxName,{$true})

I've searched that error message everywhere, and I am not getting anywhere. The error doesn't make sense, because I am not referring to XML in any way - unless it's embedded inside the EWS?

The only time this works is when I don't use either a Secret ID or a Certificate, but the Token only lasts 1 hour! I need to make this automatic, so I can get into my mailbox and extract files from emails.

Thanks

UPDATE

So I've removed the AutoDiscoverUrl() and I am now getting another error:

Exception calling "FindItems" with "2" argument(s): "The request failed. The remote server returned an error: (403) Forbidden."

Trace log:

The token contains not enough scope to make this call.";error_category="invalid_grant"

But why, when I have an OAuth token!?

My code in trying to open the "Inbox":

$results = $ews.FindItems(
    "Inbox",
    ( New-Object Microsoft.Exchange.WebServices.Data.ItemView -ArgumentList 100 )
)
$MailItems = $results.Items | where hasattachments

CodePudding user response:

AutoDiscoverv1 doesn't support the client credentials flow so you need to remove the line

$ews.AutodiscoverUrl($MailboxName,{$true})

It's redundant anyway because you're already setting the EWS endpoint, e.g.

$ews.Url = "https://outlook.office365.com/EWS/Exchange.asmx"

The only time that endpoint would change is if you had mailbox OnPrem in a hybrid environment and there are other ways you can go about detecting that such as autodiscoverv2.
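Putting the answer together as a complete app-only script (this is an added example, not code from the question or the answer): the AutodiscoverUrl call is dropped, the EWS endpoint is set directly, and the token is decoded first so the 403 "not enough scope" from the update can be explained before any mailbox call is made. It goes beyond the answer in two places, which are my assumptions rather than anything the thread states: app-only EWS access is granted through the full_access_as_app application permission, which shows up in the token's roles claim, and an app-only token names no user, so the mailbox is selected with ImpersonatedUserId and the X-AnchorMailbox header. All identifiers in angle brackets are placeholders; the MSAL.PS module (Get-MsalToken) and the EWS Managed API 2.2 DLL are assumed to be installed.

```powershell
# Added example (not from the original post or answer). Assumes MSAL.PS and the
# EWS Managed API 2.2 are installed, and an Azure AD app with a certificate credential.
$TenantId       = "<tenant-id>"
$AppClientId    = "<app-client-id>"
$CertThumbPrint = "<certificate-thumbprint>"
$MailboxName    = "<mailbox@example.com>"   # constructed placeholder
$Cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$CertThumbPrint"

# Client credentials (app-only) flow: certificate, no user, no interactive sign-in.
$Token = (Get-MsalToken -ClientId $AppClientId -TenantId $TenantId `
            -ClientCertificate $Cert -Scopes "https://outlook.office.com/.default").AccessToken

# Decode the JWT payload so the permission problem is visible before a call is spent on it.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $Part = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($Part.Length % 4) { 2 { $Part += '==' } 3 { $Part += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Part)) | ConvertFrom-Json
}

$Claims = Get-JwtPayload -Jwt $Token
# Assumption: app-only EWS calls are authorised by the 'roles' claim (application
# permission full_access_as_app), not by a delegated 'scp' claim. A 403 "not enough
# scope" with that role missing means the permission was not granted or consented.
if (-not ($Claims.roles -contains 'full_access_as_app')) {
    throw "Token lacks the full_access_as_app role; roles present: $($Claims.roles -join ', ')"
}

Import-Module 'C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll'
$ews = [Microsoft.Exchange.WebServices.Data.ExchangeService]::new()
$ews.Credentials = [Microsoft.Exchange.WebServices.Data.OAuthCredentials]::new($Token)

# Set the endpoint directly. Per the answer above, AutodiscoverUrl is not called:
# Autodiscover v1 does not support the client credentials flow.
$ews.Url = "https://outlook.office365.com/EWS/Exchange.asmx"

# Assumption (my addition, not in the answer): an app-only token carries no user, so
# EWS must be told which mailbox to act on, and the request is anchored to it.
$ews.ImpersonatedUserId = [Microsoft.Exchange.WebServices.Data.ImpersonatedUserId]::new(
    [Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress, $MailboxName)
$ews.HttpHeaders.Add("X-AnchorMailbox", $MailboxName)

# Same Inbox query as in the question, using the well-known folder name.
$view    = [Microsoft.Exchange.WebServices.Data.ItemView]::new(100)
$results = $ews.FindItems([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox, $view)
$results.Items | Where-Object HasAttachments | Select-Object Subject, DateTimeReceived
```

The roles check is the useful diagnostic for the 403 in the update: a client credentials token for "https://outlook.office.com/.default" only carries the application permissions that were granted and admin-consented on the app registration, so an empty roles claim points at the app registration rather than at the code. Because full_access_as_app grants access to every mailbox in the tenant, the certificate's private key should be treated as a tenant-wide credential and stored and rotated accordingly.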
