7

Goal

Given a company e-mail and a corresponding password, I need to programatically login to login.microsoftonline.com and access the Office 365 dashboard (office.com). The image shows the user flow where I try to find out the respective endpoints.

Microsoft Login User flow

Research results

This is what I found out about what endpoints are called and how. Note that endpoints might differ if you don't use a company account.

Assumptions:

  • Always follow redirects.
  • Collect cookies along the way and pass them with every subsequent request.
  • In the bodies of the requests, I only include parts that I found relevant. I could have left out important parts that I'm not aware of.

GET login.microsoftonline.com

Follow the redirects. The resulting HTML contains a config json object wrapped in //<![CDATA[ and //]]>. Search for "sFT": and copy the value. Search for "sCtx": and copy the value. Search for "canary": and copy the value. Search for "sessionId": and copy the value.

POST https://login.microsoftonline.com/common/GetCredentialType?mkt=en-US

I don't think this endpoint is essential. I still include it here.

Send a JSON body as follows:

{
    "username": "<your-company-email>",
    "flowToken": "<your-sFT-token>"
}

POST https://login.microsoftonline.com/common/login

Send as form data in the body:

login:<your-company-email>
passwd:<your-password>
flowToken:<your-sFT-token>
type:11
ctx:<your-sCtx-token>
canary:<your-canary-token>
hpgrequestid:<your-session-id>

POST https://login.microsoftonline.com/kmsi

"kmsi" stands for "keep me signed in". This might be an endpoint that is not called if you don't use a company mail for login.

Send as form data in the body:

LoginOptions:3
type:28
ctx:<your-sCtx-token>
flowToken:<your-sFT-token>
canary:<your-canary-token>
hpgrequestid:<your-session-id>

Calling these endpoints in the order displayed here, I am able to successfully retrieve these cookies:

From login.microsoftonline.com (10 cookies):

  • ESTSAUTH
  • ESTSAUTHLIGHT
  • ESTSAUTHPERSISTENT
  • ESTSSC
  • buid
  • ch
  • esctx
  • fpc
  • stsservicecookie
  • x-ms-gateway-slice

From office.com (1 cookie):

  • MUID

From www.office.com (2 cookies):

  • OH.DCAffinity
  • OH.SID

POST https://www.office.com/landing

Send as form data in the body. ??? is indicating that I don't know where this data is coming from.

code:<a code token ???>
id_token:<an id token ???>
state:<a state token ???>
session_state:<a session state token ???>

This endpoint seems to be crucial since it returns the following cookies:

  • OhpToken
  • UserIndex
  • OhpAuth
  • AjaxSessionKey
  • userid

GET https://www.office.com/

The cookies that were set during the previous request are sent in the request headers here. This is why the office.com/landing seems to be crucial. However, I can't figure out how the form data is constructed for that body, e.g. code, id_token etc.

Maybe related question? Note that I've seen this question on stack overflow but I didn't find it useful and don't think it relates to my question.

Why do I need all this? The main goal is to login users automatically from another tool (SSO). E-Mail and password is given. My approach is to login using these endpoints programatically on the server-side, collect the necessary cookies for subsequent logins, send them to the client. The client uses those cookies to access office.com and see the dashboard immediately without having to login.

A better approach? Note that I have access to the admin center (Microsoft) and to Azure Direct. If you know a much simpler approach to this solution, I'm glad to get to know it. Most of the articles I've read are concerned with how to use Azure to login to another service if you're logged in to Microsoft. But I need the opposite: being logged in to some service and accessing the Microsoft Office 365 dashboard automatically.

Splines
  • 550
  • 1
  • 6
  • 17
  • 1
    This would be a potential security risk. I don't think Microsoft lets you do this without you making them download something. – ethry Feb 01 '22 at 08:05
  • 1
    Why would it be a security risk? I'm just trying to replay here what the browser does anyways. I do know the credential of the users I try to login; I'd like to implement a SSO login, that's why (if there is no simpler solution) I need to be able to log users in programatically and then get back the cookies. – Splines Feb 01 '22 at 15:17
  • 1
    Did you ever figure this one out? My use case is the same but flow is slightly different since we use hybrid architecture and credentials are authenticated against onprem AD server – vandre Jun 23 '22 at 14:47
  • @vandre No sorry, I didn't look further into it as it felt too time-consuming for me to deal with Microsoft APIs and at a certain point it just felt no longer worth the effort... But if I ever figure out a solution (maybe also with Andrey's links), I will of course post it here. – Splines Jun 23 '22 at 19:48
  • @Splines I got it working. You were almost there. code, id_token,state,session_state are returned in the body of the response after posting to https://login.microsoftonline.com/kmsi – vandre Jul 06 '22 at 05:29
  • @vandre - which tokens are you using for those properties? When I hit the KMSI page I get another Config{...} object. similar to the first GET request. I'm trying to accomplish something similar which I had working but recently broke. – Christopher Jazinski Jun 18 '23 at 16:24

2 Answers2

1

What you are trying to do is completely wrong - why to reverse-engineer frontend app and one day to find that everything changed?

There is official REST API to ms outlook online and authentication mechanism via Azure AD - exactly to let third-party apps to work with MS online apps.

Try to checkout this:

https://learn.microsoft.com/en-us/graph/overview-major-services

and this:

https://learn.microsoft.com/en-us/graph/azuread-identity-access-management-concept-overview

Andrey
  • 1,752
  • 18
  • 17
0

POSTing to https://login.microsoftonline.com/kmsi will return a html with all the values you need:

<html>

<head>
    <title>Working...</title>
</head>

<body>
    <form method="POST" name="hiddenform" action="https://admin.microsoft.com/landing">
        <input type="hidden" name="code" value="0.AVwAAmogKpXYg0-1rfltzzT6ZQYAAAAAAPEPzgAAAAAAAAABAAA.AgABAAIAAAD--DLA3VO7QrddgJg7WevrAgDs_wQA9P-gWiQqeCHo-9FEKAxJ1WYio4IwurbBrT2hB561ujjKXXdH08Yoqwrn7KlDJ2Ybp0SP7VNeX0v0313oQy9u184OF9SUmmPCM9AqRp8cW_Oh9AhenJEP8ZThY680N5XdQ_xvTaxCdyu0G2rMld7Yp-fnmKxQsr3UrdysQW6qe9mEXX_IsUYecF46BYO2kh7XsLGLXDDdm1ZJa46G_wAN00fYPmxgH4dlsauqK0URhVxVFZrws3yuPWTJEn5VNhL2Z2cUdsFfBEAFdHDrjOujdxzJKbfqln2GqLcNP_3LdgHKx-atrIM7JXJfp_oJeKCwXwvK6tUa4bhvEotIeGhES_l_0kxOZQDIbBMU2yUoBYrn17fxUmTAOt-HpeYRQFYr4bymdVnRsfMINZCSbD-lOaW6oh-cvWYpxqbq8ZZ3tZ7OJzZKetSNtAwplcUjZZchysueXy3-t7u2nr8k27jrSe2DudpGcn1GY25kkGQyz-SiqVm70RsKT9Fb6lxoSm7I8zpAWfFnLZJtxYhddHRx4tA521wAXoXOhBZyc5I7_gZYk2a50QcxeJI0K88mXxyPNvndN4F8eCtRYp1X53LSFgs4XyJ2UzWo9LXsWZ_77Fz7Ivlz2n4AEZXVZlE_PnqYylRdOWDV2NdpBhgFB53geIEuiX9t4JVl0o8TdpPrYjgsiqGmtbg3ZO4J4c_CDLOzBBJemdpAEnkukRVKHt-ZcXKwMfWHjWmEi0p6Ji1GI92f0UO_ZTpUdXScKC4UQsPrWAU" />
        <input type="hidden" name="id_token" value="[TOKENVALUE]" />
        <input type="hidden" name="state" value="OpenIdConnect.AuthenticationProperties=78qNGNcn8xtuLU4P5T0Dz5QMprE4YNYcSnczbXtwxwZL-dMfErfi6EuAkBJw0mFDmV_sQY7Q3av60KFahCPqhj6hzPR_JtBiYotBBoHd0zSKjqM7HgdD_QMhKZKReePeYsiTgLZtXAcNmzRBdjtpeflCa4TTRQY7tqOvN2kOUZY" />
        <input type="hidden" name="session_state" value="16f47f33-cf2e-4300-9a9b-72276bd518f0" />
        <input type="hidden" name="correlation_id" value="1a7d67ed-2db0-44ea-a351-f9d70ff14229" />
        <noscript>
            <p>Script is disabled. Click Submit to continue.</p><input type="submit" value="Submit" />
        </noscript>
    </form>
    <script language="javascript">
    document.forms[0].submit();
    </script>
</body>

</html>

You must extract the values of each input and use it on the https://www.office.com/landing. Do not forget to encode the state value

elgato
  • 506
  • 1
  • 5
  • 20