Given a company e-mail and a corresponding password, I need to programmatically log in to login.microsoftonline.com and access the Office 365 dashboard (office.com). The image shows the user flow where I try to find out the respective endpoints.

This is what I found out about what endpoints are called and how. Note that endpoints might differ if you don't use a company account.
Assumptions:
login.microsoftonline.com
Follow the redirects. The resulting HTML contains a config JSON object wrapped in //<![CDATA[ and //]]>. Search for "sFT": and copy the value. Search for "sCtx": and copy the value. Search for "canary": and copy the value. Search for "sessionId": and copy the value.
https://login.microsoftonline.com/common/GetCredentialType?mkt=en-US
I don't think this endpoint is essential. I still include it here.
Send a JSON body as follows:
{
"username": "<your-company-email>",
"flowToken": "<your-sFT-token>"
}
https://login.microsoftonline.com/common/login
Send as form data in the body:
login:<your-company-email>
passwd:<your-password>
flowToken:<your-sFT-token>
type:11
ctx:<your-sCtx-token>
canary:<your-canary-token>
hpgrequestid:<your-session-id>
https://login.microsoftonline.com/kmsi
"kmsi" stands for "keep me signed in". This might be an endpoint that is not called if you don't use a company mail for login.
Send as form data in the body:
LoginOptions:3
type:28
ctx:<your-sCtx-token>
flowToken:<your-sFT-token>
canary:<your-canary-token>
hpgrequestid:<your-session-id>
Calling these endpoints in the order displayed here, I am able to successfully retrieve these cookies:
From login.microsoftonline.com (10 cookies):
From office.com (1 cookie):
From www.office.com (2 cookies):
https://www.office.com/landing
Send as form data in the body. ??? indicates that I don't know where this data is coming from.
code:<a code token ???>
id_token:<an id token ???>
state:<a state token ???>
session_state:<a session state token ???>
This endpoint seems to be crucial since it returns the following cookies:
https://www.office.com/
The cookies that were set during the previous request are sent in the request headers here. This is why office.com/landing seems to be crucial. However, I can't figure out how the form data is constructed for that body, e.g. code, id_token etc.
Maybe related question? Note that I've seen this question on Stack Overflow, but I didn't find it useful and don't think it relates to my question.
Why do I need all this?
The main goal is to log in users automatically from another tool (SSO). E-mail and password are given. My approach is to log in using these endpoints programmatically on the server side, collect the necessary cookies for subsequent logins, and send them to the client. The client uses those cookies to access office.com and see the dashboard immediately without having to log in.
A better approach? Note that I have access to the admin center (Microsoft) and to Azure Direct. If you know a much simpler approach to this solution, I'm glad to get to know it. Most of the articles I've read are concerned with how to use Azure to log in to another service if you're logged in to Microsoft. But I need the opposite: being logged in to some service and accessing the Microsoft Office 365 dashboard automatically.
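The first three steps of the flow above (pull sFT, sCtx, canary and sessionId out of the CDATA-wrapped config object, then build the /common/login and /kmsi form bodies) can be reproduced offline. The script below is an added example for this page, not code from the question or from Microsoft; the HTML it parses is a constructed sample, and the `$Config=` assignment and every token value in it are assumptions made for the example rather than data captured from login.microsoftonline.com. It stops at the /kmsi body because the page does not explain how the code/id_token/state/session_state fields posted to /landing are produced.

```python
import json
import re

# Constructed sample of the login page the post describes: a <script> whose
# body is wrapped in //<![CDATA[ ... //]]> and carries a config JSON object.
# The "$Config=" assignment and every token value below are assumptions made
# for this example, not data captured from login.microsoftonline.com.
SAMPLE_LOGIN_HTML = """<html><head>
<script type="text/javascript">
//<![CDATA[
$Config={"sFT":"AQABAAEAAAD-example-flow-token","sCtx":"rQIIAexample-ctx","canary":"ZXhhbXBsZS1jYW5hcnk=","sessionId":"11111111-2222-3333-4444-555555555555","urlPost":"/common/login","sErrorCode":""};
//]]>
</script>
</head><body></body></html>"""

CDATA_RE = re.compile(r"//<!\[CDATA\[(.*?)//\]\]>", re.DOTALL)
REQUIRED_KEYS = ("sFT", "sCtx", "canary", "sessionId")


def extract_config(html: str) -> dict:
    """Return the JSON object embedded in the CDATA-wrapped script block.

    raw_decode parses exactly one balanced JSON value and reports where it
    ended, so the trailing ';' and any JavaScript after the object do not
    break the parse the way json.loads on the whole body would. JSON string
    escapes (e.g. \\u0026) are decoded for free.
    """
    match = CDATA_RE.search(html)
    if match is None:
        raise ValueError("no //<![CDATA[ ... //]]> block found in page")
    body = match.group(1)
    start = body.find("{")
    if start < 0:
        raise ValueError("no JSON object inside the CDATA block")
    config, _end = json.JSONDecoder().raw_decode(body[start:])
    return config


def extract_tokens(html: str) -> dict:
    """Pull the four values the post copies by hand; fail loudly if any is absent
    or empty, since an empty flowToken or canary just yields a silent login error."""
    config = extract_config(html)
    missing = [k for k in REQUIRED_KEYS if not config.get(k)]
    if missing:
        raise KeyError(f"login page config lacks expected keys: {missing}")
    return {k: config[k] for k in REQUIRED_KEYS}


def login_form(tokens: dict, username: str, password: str) -> dict:
    """Form fields for POST /common/login, exactly as the post lists them."""
    return {
        "login": username,
        "passwd": password,
        "flowToken": tokens["sFT"],
        "type": "11",
        "ctx": tokens["sCtx"],
        "canary": tokens["canary"],
        "hpgrequestid": tokens["sessionId"],
    }


def kmsi_form(tokens: dict) -> dict:
    """Form fields for POST /kmsi ("keep me signed in"), as the post lists them."""
    return {
        "LoginOptions": "3",
        "type": "28",
        "ctx": tokens["sCtx"],
        "flowToken": tokens["sFT"],
        "canary": tokens["canary"],
        "hpgrequestid": tokens["sessionId"],
    }


if __name__ == "__main__":
    toks = extract_tokens(SAMPLE_LOGIN_HTML)
    print(login_form(toks, "user@example.com", "<password>"))
    print(kmsi_form(toks))
```

Two practical notes: the sFT, sCtx, canary and sessionId values are issued per page load, so they must be parsed from the response that precedes each POST rather than cached; and the `code`, `id_token`, `state` and `session_state` fields the post cannot account for are the standard parameters of an OpenID Connect response, which the identity provider generates for a registered application after authentication, so they are not something a script can construct from the fields above.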
What you are trying to do is completely wrong. Why reverse-engineer a frontend app, only to find one day that everything has changed?
There is an official REST API for MS Outlook online and an authentication mechanism via Azure AD, exactly to let third-party apps work with MS online apps.
Try checking out this:
https://learn.microsoft.com/en-us/graph/overview-major-services
and this:
https://learn.microsoft.com/en-us/graph/azuread-identity-access-management-concept-overview