We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Thunderbird blocked by o365 Conditional Access - Does not supply required device ID

more options

Many Organizations and Schools are currently implementing conditional access policies in o365 which validate that clients are permitted to connect. Even on approved clients Thunderbird is blocked from connecting when o365 Conditional access policies are in place.

Thunderbird does not supply the required "DeviceID" in the token as part of the OAuth2 authentication process. As a result the client cannot be identified. This value is available on all windows machines and all AD joined MAC machines.

When connecting from a valid client Thunderbird is blocked from connecting and simply receives a popup error:

This application contains sensitive information and can only be accessed from: Devices and Client applications that meet <organizations> management compliance policy.

Under the "more details" section of the client popup the DeviceID information will show as blank indicating this information was not provided by the Thunderbird client. Similarly the O365 signin logs will show this information was not provided by the client and as a result it was blocked.

Is there any potential to have the Thunderbird OAuth2 authentication process updated to support providing DeviceID so its compatible with Conditional Access policies ?

Many Organizations and Schools are currently implementing conditional access policies in o365 which validate that clients are permitted to connect. Even on approved clients Thunderbird is blocked from connecting when o365 Conditional access policies are in place. Thunderbird does not supply the required "DeviceID" in the token as part of the OAuth2 authentication process. As a result the client cannot be identified. This value is available on all windows machines and all AD joined MAC machines. When connecting from a valid client Thunderbird is blocked from connecting and simply receives a popup error: ''This application contains sensitive information and can only be accessed from: Devices and Client applications that meet <organizations> management compliance policy.'' Under the "more details" section of the client popup the DeviceID information will show as blank indicating this information was not provided by the Thunderbird client. Similarly the O365 signin logs will show this information was not provided by the client and as a result it was blocked. Is there any potential to have the Thunderbird OAuth2 authentication process updated to support providing DeviceID so its compatible with Conditional Access policies ?

All Replies (2)

more options

I think you will get much better information on Bugzilla, which has a post that looks very much like the one above (perhaps the same poster).

https://bugzilla.mozilla.org/show_bug.cgi?id=1528136#c186

more options

Yes I have already opened a Bug there. Just posted here additionally in case anyone had already come across the issue.