This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 44%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHB%3C/text%3E%3C/svg%3E)
I have been trying to connect IMap server in my application through oauth2, i have created an azure application and given all the API permissions including
IMAP.AccessAsUser.All, i'm successfully getting access token, but unable to get authorized for IMAP server. the response is always authentication failed.
def generate_auth_string(user, token):
auth_string = f"user={user}%x01auth=Bearer {token}%x01%x01"
# auth_string= base64.b64encode(auth_string.encode('utf-8'))
return auth_string
client_id = self.client_id
client_secret = self.client_secret
authority = f"https://login.microsoftonline.com/{tenant_id}"
scopes = ['https://outlook.office365.com/.default']
app = msal.ConfidentialClientApplication(
client_id,
client_credential=client_secret,
authority=authority)
result = app.acquire_token_for_client(scopes=scopes)
if "access_token" in result:
if self.server_type == 'imap':
if self.is_ssl:
connection = IMAP4_SSL(self.server, int(self.port))
else:
connection = IMAP4(self.server, int(self.port))
# connection.login(self.user, self.password)
connection.debug = 10
connection.authenticate("XOAUTH2", lambda x: generate_auth_string(
'Hemanth.Bethu@xaana.ai',
result['access_token']))
connection.select('INBOX')
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hi @Hemanth Bethu - Xaana.Ai ,
Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Thanks,
Shweta
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 31%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKS%3C/text%3E%3C/svg%3E)
Hey @Shweta Mathur ,
Is there anyone from Microsoft who can help us here?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 41%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECD%3C/text%3E%3C/svg%3E)
I used this and it worked for me, had to be patient though for the setup to activate:
@Cédric Counotte , quick question. Did your admin register service principal for your app?
Yes service principal has been registered, and I had to wait quite a bit before it was actually active.
One of the comment on stackoverflow mentioned this link which is mandatory for all this to work:
office365itpros.com/2022/07/04/exchange-online-imap4-pop3
I guess I stumbled across the same thing a week back. And the culprit was Service Principal Registration.
It's clearly written on Microsoft's site that we have to register the service principal. I guess people miss it because they assume once admin grants the consent, PowerShell steps are not required. At least that's what I thought and ended up wasting almost a month.
Finally, I was able to connect to IMAP. :-) Cheers !
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 69%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECS%3C/text%3E%3C/svg%3E)
Hi,
You should ask for the IMAP scope:
https://outlook.office.com/IMAP.AccessAsUser.All
in the access token request. The .default scope is for permissions that are already granted to the app.
Hope this helps!
I'm having the exact same issue.
Asking for IMAP scope as suggested simply fails to obtain token with:
The provided value for scope https://outlook.office.com/IMAP.AccessAsUser.All is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier
Adding .default to that scope, fails again (to obtain token) with:
The resource principal named https://outlook.office.com/IMAP.AccessAsUser.All was not found in the tenant.
The issue is during authenticate() call, as if format was incorrect, but I can't find any logs in office admin.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 0%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIR%3C/text%3E%3C/svg%3E)
I've found a solution and added to this post.
I'm running into a similar issue trying to use IMAP + Oauth as well.
Time is of the essence as basic auth goes away sometime in January 2023.
I am having the exact issue too. The only difference is that I'm able to get an Access Token using https://outlook.office.com/IMAP.AccessAsUser.All as my scope parameter.
How did you manage to get token with the scope https://outlook.office.com/IMAP.AccessAsUser.All?
I don't know how but I've tested this in two languages now C# and PHP.
In PHP using Guzzle my request works when it should but when I use a coding example for C# (using LimiLab) it fails trying to use that as a scope.
If I drop the scope param altogether from Guzzle PHP request I do get an error. This is really odd behavior. The coding example in C# and the code i've done in PHP must be using two different grant types. I'll have to dig deeper into it.
My use case is related to Python and UiPath. I think I overlooked the most important thing i.e. Service Principal Registration by Tenant Admin. Most likely because of this
Waiting for admin to register service principal. Hopefully, it works! Fingers crossed.
DO NOT USE Client Credentials flow with IMAP. YOU WILL BE WASTING YOUR TIME.
This feature was supposed to be supported by December 2021. It's December 2022.
You'll have to use Authentication Code Flow to manually extract the session ID and the code via Web.
YOU MUST SET A REDIRECT URL. Pick Web as your application (because Microsoft loves their questionnaires) and then enter your Redirect URI endpoint. If you don't have an endpoint to handle the URL that is passed you can circumvent this by using http://localhost/test (anything after the slash doesn't matter as long as can carry parameters behind it)
Finally use this example here to create a URL that you will use to sign in on the inbox: https://stackoverflow.com/questions/73370661/php-connect-mailbox-office-365-with-oauth. The page you get after you successfully log in passes a code and session string. If you created a webservice to handle that you should extract that info. Otherwise you'll have to provide it manually somewhere in your process.
Upon grant you should obtain a token and a refresh token (for continuous re-login)
The major drawback is that this process is not fully automated. It requires two points of manual work (one point if you handle the URI request) to connect to your mailbox.