Outlook Office 365 IMAP: how to get an access token (API) using username and app password when MFA is enabled?

JoTech87 21 Reputation points
2022-12-01T10:39:22.193+00:00

Hi Team,

As you are all aware, MS Office 365 recently changed from Basic Auth to Modern Authentication, so it blocks all access from protocols such as IMAP/POP/SMTP. In that case we have to use an access token (OAuth 2.0) generated from the MS API by passing the client/secret, username, password and scope.

 

Currently, I'm able to get the access token for users who do not use MFA (and can access their mailboxes with the IMAP protocol), but for the users who use MFA we have their app password. So for MFA users I'm passing their app password (in the password field) to get the access token, but I'm getting the following error:

"error": "invalid_grant", "error_description": "AADSTS50126: Error validating credentials due to invalid username or password.", "error_codes": [ 50126 ],  

The grant type I'm using for this request is "password". Any suggestion on how to resolve this issue? Do I need to delegate any API permissions on the Azure AD application side? I have currently enabled the permission IMAP.AccessforALL for my usage.

Please help. Thanks in advance.

 


Accepted answer
  1. Glen Scales 4,431 Reputation points
    2022-12-07T23:00:54.157+00:00

    @Glen Scales, sure, we are currently looking for a short-term solution through IMAP. We will definitely look into this separately for migrating to the Graph API.

    For adding mailbox permission access,

    "Add-MailboxPermission -Identity "john.smith@Company portal .com" -User <SERVICE_PRINCIPAL_ID> -AccessRights FullAccess"

    Do we need to execute this code for all the users in our application separately, and also whenever a new employee joins our organization?

    Yes, it's an explicit grant, so you are saying that the SERVICE_PRINCIPAL_ID (your application) can now access this mailbox "john.smith@Company portal .com". You can use groups etc. to make it a little more automated if you have multiple SERVICE_PRINCIPALs that are accessing the same mailboxes. That just makes it one DACL entry, e.g. you grant the group access to the mailbox and then add the service principals that need to access the mailboxes to the group. There may be some other more elegant ways of doing this (I'm a developer, not a sysadmin), but the important part is that in IMAP there needs to be that explicit permission entry (in Graph and EWS this isn't required). In terms of migration, you're not adding any more permissions than would have already been there for IMAP, e.g. a lot of people with IMAP used a service account and then granted that service account access to multiple mailboxes using the above method (they just replace SERVICE_PRINCIPAL with the service account). In this instance all you're doing is replacing the service account with a service principal (and saving an Office 365 licence). If you have been using the credentials of the actual mailboxes it is an extra permission, but from a security perspective it is no better or worse, as the credentials and now your service principal (certificate) are at the security storage level (or thread level).

    For new accounts, yes, it now has to be part of your provisioning process. There are lots of ways to automate this as well, e.g. I've seen people using Flow/Power Apps to run a script that detects and does it automatically. But from where you're coming from, it sounds like you would have already had some type of process to create the app password etc., so you're migrating that process.


5 additional answers

  1. Glen Scales 4,431 Reputation points
    2022-12-01T23:36:02.103+00:00

    but for the users who use MFA, we have the app password for them

    App passwords are still basic authentication and are affected by the deprecation. If you're trying to use ROPC then the only password that will work is the user's current password; if they have MFA enabled then you won't be able to use ROPC and you will need to use the Authentication code flow and deal with MFA, or else look at the client_credentials flows and use App permissions.


  2. LilyLi2-MSFT 1,981 Reputation points
    2022-12-02T07:25:29.18+00:00

    Hi @JoTech87 ,

    Welcome to our forum.

    App passwords don't work for accounts that are required to use modern authentication.

    For information on how to get an access token: as Glen Scales says, you need to use the Authentication code flow and the client credentials flows.
    Please refer to this document: Authenticate an IMAP, POP or SMTP connection using OAuth | Microsoft Learn




  3. JoTech87 21 Reputation points
    2022-12-02T09:25:02.607+00:00

    Hi @Glen Scales & @LilyLi2-MSFT ,

    Thanks for the reply.

    I have tried both flows and listed my updates below,

    1. Auth Code Flow - I'm able to get the access token without any issues, but the password accepted by this flow is the account password (normal password), and if I provide the app password it throws the error "invalid username or password".
    2. Client Credentials flow - I'm able to get the access token and pass it to the IMAP function, but it throws the following error: string(66) "Can not authenticate to IMAP server: A0001 NO AUTHENTICATE failed."

    Request Details:

    grant_type=client_credentials&scope=https://outlook.office365.com/.default&client_id=xx&client_secret=xx


    Any idea why this error on client credentials flow?
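As an added example (not code from this thread, from Microsoft, or from the poster's application), the Python below checks the claims a client_credentials token for the request above must carry before Exchange Online will accept it over IMAP, contrasts it with the delegated token the auth code flow Glen described would yield, and builds the SASL XOAUTH2 string handed to AUTHENTICATE. The claim names and the IMAP.AccessAsApp / IMAP.AccessAsUser.All permission names are standard Azure AD values; the sample claims, addresses and ids are constructed placeholders.

```python
import base64
import json

# Constructed sample claims, not real tokens. A client_credentials token for
# scope=https://outlook.office365.com/.default carries the application permission
# in "roles"; a delegated (auth code / ROPC) token carries "scp" instead.
APP_TOKEN_CLAIMS = {
    "aud": "https://outlook.office365.com",
    "roles": ["IMAP.AccessAsApp"],
    "appid": "00000000-0000-0000-0000-000000000000",  # placeholder id
}
DELEGATED_TOKEN_CLAIMS = {
    "aud": "https://outlook.office365.com",
    "scp": "IMAP.AccessAsUser.All",
    "upn": "john.smith@example.com",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string (header.payload.) so the checker runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_jwt_claims(token: str) -> dict:
    """Decode the payload only; Exchange verifies the signature, this check does not."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def imap_app_token_problems(token: str) -> list:
    """Reasons IMAP would answer 'NO AUTHENTICATE failed' ([] = claims look right);
    a clean token still needs the mailbox grant from the thread, which it cannot show."""
    c = decode_jwt_claims(token)
    problems = []
    if c.get("aud") != "https://outlook.office365.com":
        problems.append("aud is not https://outlook.office365.com (wrong scope requested)")
    if "IMAP.AccessAsApp" not in c.get("roles", []):
        problems.append("roles lacks IMAP.AccessAsApp (application permission missing)")
    if "scp" in c:
        problems.append("delegated token (scp claim); app-only tokens carry roles, not scp")
    return problems

def xoauth2_initial_response(mailbox: str, access_token: str) -> str:
    """SASL XOAUTH2 initial response for 'A0001 AUTHENTICATE XOAUTH2 <this>';
    for app-only access, mailbox is the address the service principal was granted."""
    raw = f"user={mailbox}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()
```

Run imap_app_token_problems on the real token returned by the request above; an empty list means the remaining cause of the NO AUTHENTICATE error is the missing Exchange-side mailbox permission rather than the token itself.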


  4. JoTech87 21 Reputation points
    2022-12-05T12:27:18.277+00:00

    @Glen Scales /@LilyLi2-MSFT ,

    Thank you for your response.

    "Register service principals in Exchange" and you need to perform all the PowerShell tasks outlined, and importantly you need to grant access to the mailbox eg "Add-MailboxPermission -Identity "john.smith@Company portal .com" -User <SERVICE_PRINCIPAL_ID> -AccessRights FullAccess"

    We will do the workaround for this Client Credentials flow, but before that, will there be any impact on Azure apps or any kind of breach by providing this access? Because we have a large number of applications installed.

    Thanks