How to generate client secret for specific users?

Question

How to generate client secret for specific users?

Prajwal Ogale 20

I am trying to generate a client ID, tenant ID, and client secret for specific users so that I can log into their accounts and read emails via IMAP. I want the generated token to be available only for selected users. Can anyone help me with this?

Accepted answer

0 additional answers

Your answer

Answer 1

Obinna Ejidike 1,835

To generate credentials for accessing specific users' emails via IMAP, you'll need to set up an Azure AD application with the correct permissions and user restrictions. Here's how to do it properly:

Register an Application in Azure AD

Go to Azure Portal → Azure Active Directory → App registrations → New registration
Create a new application (e.g., "Email Access App")
Kindly note the Application (client) ID and Directory (tenant) ID

Find documentation: https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=certificate%2Cexpose-a-web-api

Configure API Permissions

Under your app → API permissions → Add a permission
Select Microsoft Graph → Delegated permissions
Add:
- Mail.Read (to read emails)
- IMAP.AccessAsUser.All (for IMAP access)
- User.Read (basic profile access)

Find: https://learn.microsoft.com/en-us/graph/permissions-reference#mail-permissions

Create a Client Secret

Under your app → Certificates & secrets → New client secret

Set expiration period (recommend 12-24 months for production)

Copy the secret value (only visible once)

Restrict Access to Specific Users

Under your app → Authentication

Set "Supported account types" to "Accounts in this organizational directory only."

Under "Advanced settings" → Allow public client flows → Set to "No"

Implement User Assignment (This is optional but recommended)

Under your app → Properties

Set "Assignment required?" to Yes

Go to "Users and groups" → Add user/group → Select specific users

To access emails via IMAP, use the OAuth 2.0 authorization code flow to get access tokens for each user:

from msal import PublicClientApplication
import requests

app = PublicClientApplication(
    "your-client-id",
    authority="https://login.microsoftonline.com/your-tenant-id"
)

result = app.acquire_token_interactive(scopes=["https://outlook.office.com/IMAP.AccessAsUser.All"])

# Use the token for IMAP access
imap_token = result["access_token"]

Important Security Considerations:

Least privilege: Only request permissions you need.
Secret rotation: Implement a process to regularly rotate client secrets.
Audit logs: Monitor usage in Azure AD → Monitoring → Sign-in logs.
Conditional Access: Consider adding CA policies for extra protection.
Admin consent: You may need admin consent for some permissions.

Alternative Approach;

Instead of client secrets, consider using:

Certificate-based authentication (more secure than client secrets)
Managed identities (if running in Azure)
Device code flow (for user-specific access without storing secrets)

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

Regards,

Obinna

Sanoop M 4,145 Reputation points Microsoft External Staff Moderator

2025-04-03T04:10:16.3833333+00:00

Hello @Prajwal Ogale ,

I am just checking in to see if the above answer provided by @Obinna Ejidike helped.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query please do let us know.
Prajwal Ogale 20 Reputation points

2025-04-04T10:34:31.08+00:00

Thanks @Obinna Ejidike . I have received the client ID, tenant ID, and client secret value, but when I send a request to generate a token, I get the following error:

"error":"invalid_grant","error_description":"AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access."

Below is the request I used for token generation:

curl -X POST \

"https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token" \

-H "Content-Type: application/x-www-form-urlencoded" \

-d "client_id=<CLIENT_ID>" \

-d "scope=https://outlook.office365.com/.default" \

-d "client_secret=<CLIENT_SECRET>" \

-d "grant_type=password" \

-d "username=myusername" \

-d "password=mypassword"

Could you please advise on how to proceed?
Obinna Ejidike 1,835 Reputation points

2025-04-04T11:03:38.7466667+00:00

Hello @Prajwal Ogale

Thanks for the feedback, the error: "invalid_grant", "error_description": "AADSTS50076 suggests that the user account you're trying to authenticate with is MFA-enabled, and the password grant flow cannot satisfy MFA, because it only supports username + password.

The recommended alternative is to use OAuth 2.0 authorization code flow or device code flow(no client secret needed, MFA-compatible)

Find:https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow

Also: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-device-code

If this is just for testing and you're 100% sure this won't compromise security, you can try to disable MFA; however, ensure this won't compromise security before proceeding.

Find additional documentation to guide you: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates
Prajwal Ogale 20 Reputation points

2025-04-04T11:41:49.09+00:00

Hi @Obinna Ejidike . I got the authorization code from the redirected URL. But when I send a request to get the token, I receive the following error: "{"error":"invalid_client","error_description":"AADSTS700025: Client is public, so neither 'client_assertion' nor 'client_secret' should be presented."

The request I am sending is given below:

curl -X POST "https://login.microsoftonline.com/tenantID/oauth2/v2.0/token" \

-H "Content-Type: application/x-www-form-urlencoded" \

-d "client_id=clientId" \

-d "client_secret=clientSecret" \

-d "code=AuthCode \

-d "grant_type=authorization_code" \

-d "redirect_uri=redirectURI"
Obinna Ejidike 1,835 Reputation points

2025-04-04T13:13:48.2133333+00:00

Hi, @Prajwal Ogale the error "AADSTS700025: Client is public so neither 'client_assertion' nor 'client_secret' should be presented" usually occurs if you are using a Public Client Application and passing the client_secret to generate the access token.

You can verify whether your application is a public client or not, like below:

You can update your curl command to exclude the client_secret because the client is assumed to be untrusted and unable to securely store secrets.

Alternatively, you can convert your App to a confidential client by turning off "Allow public client flows."
Prajwal Ogale 20 Reputation points

2025-04-07T04:48:01.73+00:00

Hi @Obinna Ejidike , my client is public and I have excluded client secret then I was able to generate token.
{"token_type":"Bearer","scope":"https://outlook.office365.com/User.Read https://outlook.office365.com/.default","expires_in":3839,"ext_expires_in":3839,"access_token":"token","refresh_token":"refreshToken"}

I tried using the token given in response to login programmatically but still getting the error javax.mail.AuthenticationFailedException: AUTHENTICATE failed.

Could you please help me with this?
Obinna Ejidike 1,835 Reputation points

2025-04-07T10:20:06.19+00:00

Hi, @Prajwal Ogale The error javax.mail.AuthenticationFailedException: AUTHENTICATE failed, suggest there's a mismatch between the OAuth2 token and the email protocol (IMAP/SMTP) configuration.

The token you generated has User.Read and .default scopes, but IMAP/SMTP requires https://outlook.office365.com/Mail.ReadWrite or https://outlook.office365.com/SMTP.Send.

Also, OAuth2 tokens for Microsoft Graph/Outlook API cannot be used directly with IMAP/SMTP unless configured properly, as JavaMail needs OAuth2-specific authentication handlers.

Find https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#scopes
https://learn.microsoft.com/en-us/entra/identity-platform/permissions-consent-overview

Do remember to mark as “Accepted Answer” and consider giving it an upvote. This helps others in the community as well.
Sanoop M 4,145 Reputation points Microsoft External Staff Moderator

2025-04-08T10:41:20.6066667+00:00

Hello @Prajwal Ogale ,

I am following up to check if the above provided information is helpful. Please feel free to reach out if you have any further questions.
Prajwal Ogale 20 Reputation points

2025-04-14T06:41:08.48+00:00

Hi @Obinna Ejidike ,

Thanks again for your help!

I'm still encountering the same authentication error. I just wanted to confirm— is it absolutely necessary to register the service principals in Exchange for OAuth2.0 to work with IMAP?

We haven’t completed that step yet, so I’m wondering if that might be the root cause.
Obinna Ejidike 1,835 Reputation points

2025-04-14T07:55:19.1133333+00:00

Hi Prajwal Ogale

To successfully authenticate IMAP access using OAuth 2.0 in Microsoft 365, you must register your application and configure the necessary permissions.

https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth?utm_source=chatgpt.com#register-your-application

Regards,

Obinna.
Prajwal Ogale 20 Reputation points

2025-04-14T09:57:08.1966667+00:00

Hi @Obinna Ejidike , I'm referring to the step about registering service principals in Exchange, as outlined in the official documentation. Is this step required for OAuth2.0 to work with IMAP?
Obinna Ejidike 1,835 Reputation points

2025-04-14T10:09:13.8766667+00:00

Hi Prajwal Ogale

Unlike Microsoft Graph or REST APIs, which work once permissions and consent are set in Azure AD, IMAP, POP, and SMTP are considered "legacy protocols" and require explicit registration in Exchange Online for OAuth 2.0 access.

If the response was helpful, please feel free to mark it as “Accepted Answer” and consider giving it an upvote. This helps others in the community as well.

Regards,

Obinna

Share via

How to generate client secret for specific users?

0 additional answers

Your answer