This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 92%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKB%3C/text%3E%3C/svg%3E)
Hi.
I have a windows service application (it irrelevant) which access user email box (for sending and receiving mails - IMAP/POP3 + SMTP).
To make it work with MS email account (Exchange, Outlook) I have created "App registrations" with "API permissions" from "Microsoft Graph":
IMAP.AccessAsUser.All POP.AccessAsUser.All SMTP.Send 
Authentication is done by "OAuth2 authorization code flow" https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth
and work fine unless end-user tenant have change option to "Do not allow user consent":
Even when administrator approves consent:
user every time backs to that admin consent window:
Scope for authorization is: offline_access https://outlook.office365.com/IMAP.AccessAsUser.All
If the scope is: offline_access https://graph.microsoft.com/IMAP.AccessAsUser.All the there is no admin-consent-loop (once tenant admin approves application, then authorization doesn't ask for admin approve), however then IMAP/POP/SMTP connection fails with authentication errors (like NO AUTHENTICATE failed.)
Any hint or ideas? Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Hi @Krystian Bigaj ,
According to your description above, your issue is more related to Graph and development. So, I will help you modify the tags to the correct one.
Thanks for your understanding and hope your issue can be resolve soon!
Per that doc, perms are application, not delegated as in your picture:
Also make sure you register it as service principal in Exo:
I'm using authentication code flow, and it works in most cases (for IMAP, POP, SMTP). Authorization does not work (admin consent loop) only when our clients changes user consent to "Do not allow user consent".
Also I dont have "Office 365 Exchange Online" resource in our tenant (is it deprecated?). There is only Microsoft Graph with permissions like IMAP.AccessAsApp (but Delegated).