Send email from a .Net Framework Winforms application and service using Microsoft accounts.

Fortecho Solutions Ltd 0

Hello.

We provide a .Net Framework Winforms application with a service. Both share code which allows our customers to send email from their own email accounts, currently using MailKit, although we could use another client if necessary.

Where they want to use Microsoft accounts, will they be able to continue to use their username and password? If they choose to use OAuth instead, how would we implement this so that the Winforms application can be configured once, sends mail, and the service can also pick up those credentials? Is that possible? I've tried to follow both Microsoft and MailKit's documentation on MSAL, but it's not clear to me which approach to implement.

Many thanks

Jon

2 answers

Jiale Xue - MSFT 42,411 Reputation points Microsoft Vendor

2024-06-28T13:20:52.02+00:00
Hi @Fortecho Solutions Ltd , Welcome to Microsoft Q&A,

To send emails from a Microsoft account from a WinForms application or service, you can choose to use OAuth2 for authentication. OAuth2 is more secure than traditional usernames and passwords.

In the service, read the stored token and use it to authenticate and send emails:

public class EmailService { private static readonly string tokenCachePath = "token_cache.json"; public async Task SendEmailAsync(string to, string subject, string body) { var token = File.ReadAllText(tokenCachePath); var message = new MimeMessage(); message.From.Add(new MailboxAddress("Your Name", "your-email@example.com")); message.To.Add(new MailboxAddress("", to)); message.Subject = subject; message.Body = new TextPart("plain") { Text = body }; using var client = new SmtpClient(); await client.ConnectAsync("smtp.office365.com", 587, MailKit.Security.SecureSocketOptions.StartTls); await client.AuthenticateAsync("your-email@example.com", token); await client.SendAsync(message); await client.DisconnectAsync(true); } }

Best Regards,

Jiale

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.
Fortecho Solutions Ltd 0 Reputation points

2024-06-29T11:25:47.6733333+00:00

Thank you for this quick response. Where would I obtain the token? Using the AccessToken from an Identity.Client.AuthenticationResult raises a

AuthenticationException: '535: 5.7.139 Authentication unsuccessful, the user credentials were incorrect.

Jiale Xue - MSFT 42,411 Reputation points Microsoft Vendor

2024-07-01T09:28:31.1633333+00:00

This token can be used with Azure. You can open a post about Azure after closing this case. Microsoft also provides a corresponding tutorial: Microsoft identity platform and OAuth 2.0 authorization code flow.

Fortecho Solutions Ltd 0 Reputation points

2024-07-01T12:46:03.51+00:00

Thank you, but the question would be the same. How can our application and service use OAuth2 to send email? The MSAL documentation and the document you provided cover many different scenarios. For example, this might have been useful to us if it referred to a .Net Framework desktop application rather than an ASP.Net Core web app: https://learn.microsoft.com/en-us/entra/identity-platform/msal-acquire-cache-tokens#advanced-accessing-the-users-cached-tokens-in-background-apps-and-services

So, which parts of the documentation pertain to our requirements above? If MSAL isn't suitable for us at all, then what is? How do we use it? That's what I'm asking. My apologies if that wasn't clear.

Jiale Xue - MSFT 42,411 Reputation points Microsoft Vendor

2024-07-02T07:03:18.0966667+00:00

MSAL is a tool that implements OAuth 2.0. Using MSAL is neither more nor less secure than using OAuth 2.0 directly, as they are actually used together.

The actual code to get an access token in a WinForms application is as follows:

using System; using System.IO; using System.Linq; using System.Threading.Tasks; using Microsoft.Identity.Client; using MailKit.Net.Smtp; using MimeKit; public class EmailSender { private static readonly string clientId = "YOUR_CLIENT_ID"; private static readonly string tenantId = "YOUR_TENANT_ID"; private static readonly string clientSecret = "YOUR_CLIENT_SECRET"; private static readonly string[] scopes = { "https://outlook.office365.com/.default" }; private static readonly string tokenCachePath = "token_cache.json"; public async Task<string> GetAccessTokenAsync() { var app = ConfidentialClientApplicationBuilder.Create(clientId) .WithClientSecret(clientSecret) .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}")) .Build(); var accounts = await app.GetAccountsAsync(); AuthenticationResult result; try { result = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault()).ExecuteAsync(); } catch (MsalUiRequiredException) { result = await app.AcquireTokenForClient(scopes).ExecuteAsync(); } File.WriteAllText(tokenCachePath, result.AccessToken); return result.AccessToken; } public async Task SendEmailAsync(string to, string subject, string body) { var message = new MimeMessage(); message.From.Add(new MailboxAddress("Your Name", "your-email@example.com")); message.To.Add(new MailboxAddress("", to)); message.Subject = subject; message.Body = new TextPart("plain") { Text = body }; var token = await GetAccessTokenAsync(); using var client = new SmtpClient(); await client.ConnectAsync("smtp.office365.com", 587, MailKit.Security.SecureSocketOptions.StartTls); await client.AuthenticateAsync("your-email@example.com", token); await client.SendAsync(message); await client.DisconnectAsync(true); } }

Fortecho Solutions Ltd 0 Reputation points

2024-07-02T14:19:50.4766667+00:00

Thank you for that. I've added it to our code. The call to AcquireTokenForClient is raising a HttpRequestException "SocketException: An existing connection was forcibly closed by the remote host"

Do I need to change the platform configuration in our Entra app registration? We currently have a mobile and desktop platform configuration as this was the closest to Winforms of the available tutorials: https://learn.microsoft.com/en-gb/entra/identity-platform/tutorial-v2-windows-desktop

Raja Pothuraju 1,600 Reputation points Microsoft Vendor

2024-07-02T18:34:16.2366667+00:00

Hello @Fortecho Solutions Ltd,

You don't need to make any changes to your Entra app registered application. This error we will get when secure socket unable to make TLS connections HttpRequestException "SocketException: An existing connection was forcibly closed by the remote host".

To fix this make sure you have enabled TLS 1.2 on your machine. To check TLS 1.2 you can run below script.

PowerShell script to check TLS 1.2

To enable TLS 1.2 you can run below script.

PowerShell script to enable TLS 1.2

Or

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

If issue still persists, please refer below documents.

https://learn.microsoft.com/en-us/dotnet/api/system.net.servicepointmanager.securityprotocol?view=net-6.0

https://learn.microsoft.com/en-us/answers/questions/965564/how-to-solve-an-existing-connection-was-forcibly-c

Thanks,
Raja Pothuraju.

Bruce (SqlWork.com) 61,101 Reputation points

2024-07-02T21:22:43.79+00:00

once you fix the ssl, you may need to add a reply url. here is a winform sample:

https://github.com/azure-samples/ms-identity-docs-code-dotnet/tree/main/desktop-winforms

Fortecho Solutions Ltd 0 Reputation points

2024-07-03T11:39:52.7833333+00:00

Thank you for the solution to that error. It is no longer appearing after I added the line;

Net.ServicePointManager.SecurityProtocol = Net.SecurityProtocolType.Tls12

The application is now asking our customers for their hotmail account, but is then responding with;

Sorry, but we’re having trouble signing you in.

AADSTS50020: User account 'xxx@outlook.com' from identity provider 'live.com' does not exist in tenant 'xxx' and cannot access the application xxx in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

(Our Entra App registration is set to;

Supported account types

Who can use this application or access this API?

Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)

All users with a work or school, or personal Microsoft account can use your application or API. This includes Office 365 subscribers.)
Sign in to comment
Raja Pothuraju 1,600 Reputation points Microsoft Vendor

2024-07-03T16:53:13.49+00:00
Hello @Fortecho Solutions Ltd,

Thank you for your response.

I understand that after adding the line Net.ServicePointManager.SecurityProtocol = Net.SecurityProtocolType.Tls12 to your code, the error "HttpRequestException: SocketException: An existing connection was forcibly closed by the remote host" was resolved. I appreciate the update on this matter.

Regarding the Entra app registration, I see that you have registered the application with the supported account types set to "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox)." This means your application can be used by all users with a work or school account, as well as personal Microsoft accounts. But users are getting an error AADSTS50020 when they login with Hotmail account.

To address the issue you're experiencing, please refer to the following Microsoft documentation and review the suggested solutions:

Error Code AADSTS50020 - User account identity provider does not exist

Based on your user behavior, it appears that your scenario falls under Cause 3 as documented. Your current code looks like this:

var app = ConfidentialClientApplicationBuilder.Create(clientId) .WithClientSecret(clientSecret) .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}")) .Build();

If you are targeting the /tenantID endpoint, encountering this error message is expected. Instead, you should use the https://login.microsoftonline.com/common endpoint.

Please update your code accordingly:

var app = ConfidentialClientApplicationBuilder.Create(clientId) .WithClientSecret(clientSecret) .WithAuthority(new Uri("https://login.microsoftonline.com/common")) .Build();

This change should help resolve the issue.

If the issue persists, I recommend that you review the other causes mentioned in the document linked above and let us know the update.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Thanks,
Raja Pothuraju.
Please sign in to rate this answer.
Fortecho Solutions Ltd 0 Reputation points

2024-07-04T09:33:09.7266667+00:00

It was the code from the Winforms sample given above that was giving the AADSTS50020 error;

https://github.com/azure-samples/ms-identity-docs-code-dotnet/tree/main/desktop-winforms

If I go back to using the ConfidentialClientApplicationBuilder, it gives me MailKit.Security.AuthenticationException: '535: 5.7.139 Authentication unsuccessful, the user credentials were incorrect.

How does it work that out? If I use the ConfidentialClient, the only user credential I'm now providing is a Hotmail address.

Raja Pothuraju 1,600 Reputation points Microsoft Vendor

2024-07-04T15:24:30.19+00:00

Hello @Fortecho Solutions Ltd,

Thank you for your response.

To troubleshoot this issue further, I recommend adding the user as a guest user in your tenant.

Please follow the steps mentioned in the document linked below to add the user in your Entra tenant as a guest user: Invite an external guest user.

After adding the Hotmail user as a guest account in your tenant, please check the behavior and let me know the result.

Looking forward for your response.

Thanks,
Raja Pothuraju.

Fortecho Solutions Ltd 0 Reputation points

2024-07-04T18:03:41.4633333+00:00

Thank you. I'm trying to send that invitation. The Invite button is producing the error:

"User invitation failed

Unable to complete due to service connection error. Please try again later."

It wouldn't be appropriate for all our customers to be registering their MS email accounts with us. They will need to be able to use their own accounts without waiting for our approval.

Raja Pothuraju 1,600 Reputation points Microsoft Vendor

2024-07-08T04:51:08.03+00:00

Hello @Fortecho Solutions Ltd,

Thank you for your response.

I understand that when attempting to add a Hotmail user as a guest account in your tenant, you received an error message stating "Unable to complete due to service connection error. Please try again later." This issue may be related to a cookie problem. Please try inviting the user again after clearing the cookies in your browser, or alternatively, log in to the Azure Portal using an incognito browser session.

https://github.com/azure-samples/ms-identity-docs-code-dotnet/tree/main/desktop-winforms

Regarding the GitHub article you referenced earlier, I see that the script was designed for single-tenant logins, which is likely why you encountered the AADSTS50020 error previously. The document specifies that it supports "Accounts in this organizational directory only" (Single tenant), indicating its design for single-tenant logins.

In our case, we need to add users with Hotmail accounts as guest users in our tenant. Please attempt to invite the guest users again and verify if they can successfully complete authentication. You can confirm this by checking the Microsoft Entra sign-in logs.

Thanks,
Raja Pothuraju.

Fortecho Solutions Ltd 0 Reputation points

2024-07-08T15:24:05.48+00:00

Thank you for all your help with this. The test user account has now recived and accepted the invitation email. The call to AcquireTokenForClient() now appears to be succeeding, but our Winforms application is throwing;

SmtpCommandException: 5.7.139 Authentication unsuccessful, the user credentials were incorrect.

at the line;

client.Authenticate("userhotmail@outlook.com", accesstoken)

Raja Pothuraju 1,600 Reputation points Microsoft Vendor

2024-07-10T14:27:06.97+00:00

Hello @Fortecho Solutions Ltd,

Thank you for your response.

Based on the error, it appears that your application is rejecting tokens generated with guest or personal user accounts. I would like to explore the scenario where authentication is attempted with a member user in the tenant.

Please try logging in with a work or school account and observe the behavior. Meanwhile, also test with the user account userhotmail@outlook.com.

To address this issue, please refer to the document below and follow the outlined steps:

https://learn.microsoft.com/en-us/exchange/troubleshoot/email-delivery/fix-issues-with-printers-scanners-and-lob-applications-that-send-email-using-off#error-authentication-unsuccessful

Verify that SMTP is enabled for the user by running the PowerShell commands mentioned in the article.

Ensure that security defaults are indeed disabled.

Check if there are any conditional access policies that might be affecting the user.

Review the per-user MFA (Multi-Factor Authentication) settings for the affected user account. If it is enabled, disabled for the user.

Please let me know the output after following the above steps.

Looking forward for your response.

Thanks,
Raja Pothuraju.

Raja Pothuraju 1,600 Reputation points Microsoft Vendor

2024-07-15T07:16:54.5266667+00:00

Hello @Fortecho Solutions Ltd,

Following up to see if the below suggestion was helpful. And, if you have any further query do let us know.

Jon Harris 0 Reputation points

2024-07-15T11:38:24.11+00:00

Thank you.

We're still having some problems. The call to AcquireTokenForClient() now creates a different error message:

AADSTS7000229: The client application xxx is missing service principal in the tenant xxx. See instructions here: https://go.microsoft.com/fwlink/?linkid=2225119

That article is titled "Create an enterprise application from a multitenant application in Microsoft Entra ID" but we already have an Enterprise Application.

Following the instructions in your latest link, the Get-CASMailbox for the test Hotmail account or my work account both give the error;

Get-CASMailbox: Ex6F9304|Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException|The operation couldn't be performed because object 'test@account.com' couldn't be found on 'xxx.yyy.PROD.OUTLOOK.COM'.
Sign in to comment

Share via

Send email from a .Net Framework Winforms application and service using Microsoft accounts.

2 answers