invalid_scope error when using auth code flow for IMAP with personal account

Sean Burke 26 Reputation points
2022-09-22T16:51:50.467+00:00

I have configured an application as a mobile/desktop client with the IMAP.AccessAsUser.All permission and "https://localhost" as the redirect URI. I am making a GET request to https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=CLIENT_ID&response_type=code&redirect_uri=https://localhost&scope=https://outlook.office365.com/IMAP.AccessAsUser.All&login_hint=PERSONAL_ACCOUNT in order to get an auth token, which causes a redirect to https://login.live.com/oauth20_authorize.srf with the same parameters as well as some additional ones. At this point, it redirects to https://localhost with an invalid_scope error and getting the auth token fails. If I make the same request with an AD account in place of PERSONAL_ACCOUNT in the login_hint, I'm instead redirected to https://login.live.com/Me.htm?v=3 and I am able to continue with the process and eventually get an auth token.

I have verified that the application is set up for AzureADandPersonalMicrosoftAccount. (If set instead to AzureADMultipleOrgs, attempting to use a personal account will correctly give me a page with an error message saying that personal accounts cannot be used.) On the surface, this seems like a bug, but is there something that I'm doing incorrectly in making the request?

Microsoft Graph

Accepted answer
  1. CarlZhao-MSFT 36,001 Reputation points
    2022-09-23T10:02:48.167+00:00

    Hi @Sean Burke

    You just need to change https://outlook.office365.com/IMAP.AccessAsUser.All to https://graph.microsoft.com/IMAP.AccessAsUser.All. Microsoft recommends using Microsoft Graph to access Outlook mail, calendar, and contacts. All of the Outlook Mail API features have been migrated to the MS Graph API.

    https://login.microsoftonline.com/common/oauth2/v2.0/authorize?  
    client_id=CLIENT_ID  
    &response_type=code  
    &redirect_uri=https://localhost  
    &scope=https://graph.microsoft.com/IMAP.AccessAsUser.All  
    &login_hint=PERSONAL_ACCOUNT  
    


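An added example, not part of the thread and not Microsoft's code: building the authorize request from the answer with every parameter URL-encoded, then reading the redirect back so that a failure such as `invalid_scope` is reported instead of being treated as a missing code. The `state` and PKCE (`code_challenge`) parameters are additions that the posted URL does not contain; `CLIENT_ID` and `PERSONAL_ACCOUNT` are the thread's placeholders, the function names are hypothetical, and the sample redirect is constructed.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"

class AuthorizationError(Exception):
    """Error returned on the redirect, e.g. error=invalid_scope."""
    def __init__(self, error, description=""):
        super().__init__(f"{error}: {description}")
        self.error = error

def build_authorize_url(client_id, redirect_uri, scope, login_hint):
    """Return (url, state, code_verifier) for one authorization attempt."""
    state = secrets.token_urlsafe(16)     # binds the redirect to this request
    verifier = secrets.token_urlsafe(48)  # PKCE secret (64 chars), sent later with the code
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "client_id": client_id, "response_type": "code",
        "redirect_uri": redirect_uri, "scope": scope, "login_hint": login_hint,
        "state": state, "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE}?{urlencode(params)}", state, verifier

def parse_redirect(redirect_url, expected_state):
    """Return the authorization code from the redirect, or raise."""
    query = parse_qs(urlsplit(redirect_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: redirect does not belong to this request")
    if "error" in query:
        raise AuthorizationError(query["error"][0],
                                 query.get("error_description", [""])[0])
    if "code" not in query:
        raise ValueError("redirect carries neither code nor error")
    return query["code"][0]

if __name__ == "__main__":
    url, state, verifier = build_authorize_url(
        "CLIENT_ID", "https://localhost",
        "https://graph.microsoft.com/IMAP.AccessAsUser.All", "PERSONAL_ACCOUNT")
    print(url)
    try:  # constructed redirect of the kind the question describes
        parse_redirect(f"https://localhost/?error=invalid_scope&state={state}", state)
    except AuthorizationError as exc:
        print("authorization failed:", exc.error)
```

The returned `code_verifier` has to be kept by the client and sent with the authorization code when it is redeemed at the token endpoint.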
