OAuth: Accessing guest outlook.office365.com mailbox via IMAP: Authenticate Failed error

Anonymous
2022-10-11T14:14:08.97+00:00

I have followed 2 different OAuth approaches to access mailboxes via IMAP.

Client Credentials grant flow:

Registered my app on Azure AD (multitenant)

Set API permissions: Office 365 Exchange Online > Application > IMAP.AccessAsApp

Set service principals: added mailbox permissions

Acquiring a token with scope "https://outlook.office365.com/.default" and doing a POST to https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/token

ROPC grant:

Registered my app on Azure AD (multitenant)

Set API permissions: Microsoft Graph > email, offline_access, IMAP.AccessAsUser.All

Acquiring a token with scopes email, offline_access, IMAP.AccessAsUser.All and using HttpClient to POST to https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/token

Here's the issue:

Let's say the app was created and permissions set using a TESTDOMAIN1 account. I'm able to generate a token and access emails with ******@TESTDOMAIN1.com, ******@TESTDOMAIN1.com, etc. However, if I try to access a guest mailbox (email added in Azure using an invitation) like ******@TESTDOMAIN2.com, it fails. Both approaches work with mailboxes in the same domain.

Error from the Client Credentials grant flow: no error; it's stuck on AcquireTokenForClient and doesn't generate a token. Also, how do we set mailbox permissions in the service principal?

Error from the ROPC grant flow: it creates the token but throws a "NO AUTHENTICATE failed" error.

Please suggest how we can access guest mailboxes in Azure via IMAP/POP. Any documentation that provides the scopes and URL, particularly for guest accounts with different domains, would help.


Accepted answer

CarlZhao-MSFT
2022-10-12T07:58:13.467+00:00

Hi @Anonymous

If you want to access the guest user's original mailbox domain name, simply change /{tenant id} to /common to bypass tenant-level login. Before doing so, make sure your application is registered as: "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)".

[screenshot: 249490-image.png, app registration "Supported account types" setting]

Next, use the auth code flow for interactive logins to get an access token:

    https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
    client_id=client id
    &response_type=code
    &redirect_uri=redirect url
    &response_mode=query
    &scope=https://graph.microsoft.com/IMAP.AccessAsUser.All
    &state=12345

[screenshot: 249643-page9.png, result of the interactive login]


If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
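The following is an added example, not code from the question or the accepted answer: it wires the two token flows discussed in this thread (the client credentials flow from the question and the /common auth code flow from the answer) to an IMAP XOAUTH2 login against outlook.office365.com, and surfaces the token-endpoint error text instead of letting a bad grant turn into an opaque "AUTHENTICATE failed". The CLIENT_ID, CLIENT_SECRET, REDIRECT_URI and mailbox values are hypothetical placeholders. The delegated scope uses the outlook.office.com resource that Microsoft's IMAP OAuth documentation specifies for IMAP, rather than the graph.microsoft.com form shown in the answer; treat that as an assumption to verify against your tenant.

```python
"""Added example (not from the thread): OAuth token acquisition + IMAP XOAUTH2 login.

Hypothetical values below must be replaced with your own app registration.
"""
import imaplib
import json
import urllib.error
import urllib.parse
import urllib.request

CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # hypothetical
CLIENT_SECRET = "replace-with-app-secret"             # hypothetical
REDIRECT_URI = "http://localhost:8400/callback"       # hypothetical
IMAP_HOST = "outlook.office365.com"

# Delegated (auth code) scope: outlook.office.com resource, per Microsoft's IMAP OAuth docs (assumption).
DELEGATED_SCOPE = "https://outlook.office.com/IMAP.AccessAsUser.All offline_access"
# Application (client credentials) scope, as used in the question.
APP_SCOPE = "https://outlook.office365.com/.default"


def authority(tenant: str) -> str:
    """v2.0 endpoint base. The answer's fix is tenant="common": a guest user then
    signs in against their home tenant instead of the inviting tenant."""
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0"


def build_authorize_url(tenant: str = "common", state: str = "12345") -> str:
    """Auth code request the user opens in a browser (interactive login)."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": DELEGATED_SCOPE,
        "state": state,
    }
    return f"{authority(tenant)}/authorize?" + urllib.parse.urlencode(params)


def parse_token_response(body: str) -> str:
    """Return access_token, or raise with AAD's error/error_description so a failed
    grant is diagnosed at the token step rather than at the IMAP login."""
    data = json.loads(body)
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    if data.get("token_type", "Bearer").lower() != "bearer":
        raise RuntimeError("unexpected token_type")
    return data["access_token"]


def _post_token(tenant: str, form: dict) -> str:
    """POST to /token; AAD returns errors with HTTP 400, so read the body on HTTPError too."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(f"{authority(tenant)}/token", data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return parse_token_response(resp.read().decode())
    except urllib.error.HTTPError as exc:
        return parse_token_response(exc.read().decode())


def redeem_auth_code(code: str, tenant: str = "common") -> str:
    """Second leg of the answer's flow: exchange the ?code= from REDIRECT_URI for a token."""
    return _post_token(tenant, {
        "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
        "grant_type": "authorization_code", "code": code,
        "redirect_uri": REDIRECT_URI, "scope": DELEGATED_SCOPE,
    })


def client_credentials_token(tenant_id: str) -> str:
    """Application flow from the question: no user, so it must target the mailbox
    owner's tenant id (not /common) and relies on IMAP.AccessAsApp plus a mailbox
    permission granted to the service principal in Exchange Online."""
    return _post_token(tenant_id, {
        "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
        "grant_type": "client_credentials", "scope": APP_SCOPE,
    })


def xoauth2_string(user: str, access_token: str) -> bytes:
    """SASL XOAUTH2 initial client response: user=...^Aauth=Bearer ...^A^A"""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()


def xoauth2_callback(user: str, access_token: str):
    """Authobject for imaplib: send the XOAUTH2 string once; if the server answers
    with an error continuation, reply empty so the final NO is returned cleanly."""
    sent = {"done": False}

    def cb(_challenge: bytes) -> bytes:
        if sent["done"]:
            return b""
        sent["done"] = True
        return xoauth2_string(user, access_token)
    return cb


def imap_login(user: str, access_token: str) -> imaplib.IMAP4_SSL:
    """Open an IMAPS session and authenticate with the bearer token."""
    conn = imaplib.IMAP4_SSL(IMAP_HOST, 993)
    try:
        conn.authenticate("XOAUTH2", xoauth2_callback(user, access_token))
    except imaplib.IMAP4.error as exc:
        # Typical causes: token audience is not the Outlook resource, guest signed in
        # via the inviting tenant instead of /common, or (app flow) no mailbox permission.
        raise RuntimeError(f"IMAP AUTHENTICATE failed for {user}: {exc}") from exc
    return conn


if __name__ == "__main__":
    print("Open this URL, sign in as the guest user, then pass ?code= to redeem_auth_code():")
    print(build_authorize_url())
```

For the application flow, Microsoft's IMAP OAuth documentation has the mailbox permission granted in Exchange Online PowerShell with New-ServicePrincipal followed by Add-MailboxPermission for each mailbox; that step is outside the thread and is noted here only as the documented counterpart to the "Set service principals" step in the question.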

