Unable to access the shared mailbox after authenticating - User is authenticated but not connected

Kei Moon 151 Reputation points
2022-11-08T21:00:50.487+00:00

I am trying to create a daemon app that reads a shared mailbox. I do not directly log on to the shared mailbox. The app is registered in Azure and I am getting an access token, but when I try to access the inbox, I am getting the following error.

26:14.88 < b'CKLI1 OK AUTHENTICATE completed.'
26:14.88 > b'CKLI2 SELECT inbox'
26:14.88 < b'CKLI2 BAD User is authenticated but not connected.'

My app has access to the mailbox. When I run the following command, I get the access-granted result shown below.
Test-ApplicationAccessPolicy -Identity sharedMailboxAddress -AppId myappnum
AccessCheckResult : Granted

Here is the code.
import imaplib
import json
import pprint
import sys

import msal

# Configuration file (client_id, authority, secret, scope) is passed as the first argument.
conf = json.load(open(sys.argv[1]))

def generate_auth_string(user, token):
    # SASL XOAUTH2 initial client response: the mailbox address plus the bearer token
    return f"user={user}\x01auth=Bearer {token}\x01\x01"

# The pattern to acquire a token looks like this.
result = None

# First, look up a token in the cache.
# Since we are looking for a token for the current app, NOT for an end user,
# notice we give the account parameter as None.
app = msal.ConfidentialClientApplication(conf['client_id'], authority=conf['authority'], client_credential=conf['secret'])

result = app.acquire_token_silent(conf['scope'], account=None)

if not result:
    print("No suitable token in cache. Get new one.")
    result = app.acquire_token_for_client(scopes=conf['scope'])

if "access_token" in result:
    print(result['token_type'])
    pprint.pprint(result)
else:
    print(result.get("error"))
    print(result.get("error_description"))
    print(result.get("correlation_id"))
    sys.exit(1)  # no token was issued, so do not continue to IMAP

# IMAP AUTHENTICATE
imap = imaplib.IMAP4_SSL('outlook.office365.com', 993)
imap.debug = 4
imap.authenticate("XOAUTH2", lambda x: generate_auth_string('sharedMailboxAddress', result['access_token']))
imap.select('Inbox')

My admin also confirmed that the shared mailbox has IMAP enabled. Below is the API permission.
(screenshot: API permissions configured on the app registration)

I am not sure if it is the code or the permission that I need to configure differently. Please help.

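A local pre-flight check, added here as an example and not part of the original question or of any Microsoft code: before the IMAP AUTHENTICATE step, decode the access token's payload (signature is not verified; this is diagnostics only, never an authorization decision) and confirm it was minted for the Exchange Online resource with the application role that app-only IMAP requires, then build the XOAUTH2 string as bytes. The expected audience `https://outlook.office365.com`, the matching scope `https://outlook.office365.com/.default`, and the role name `IMAP.AccessAsApp` are assumptions taken from the Microsoft IMAP/POP OAuth guidance that the first answer links to; the two claim sets at the bottom are constructed, unsigned test data.

```python
import base64
import json
import time

# Assumptions (from Microsoft's IMAP/POP OAuth guidance, not from the original post):
# a client-credentials token for Exchange Online IMAP is requested with the scope
# "https://outlook.office365.com/.default" and must carry the application role below.
EXPECTED_AUD = "https://outlook.office365.com"
REQUIRED_ROLE = "IMAP.AccessAsApp"


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return the payload claims of a compact JWT. The signature is NOT verified:
    this is a local diagnostic only, never an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token, now=None):
    """List the reasons this token would not work for app-only IMAP; [] means it looks usable."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud")
    if aud not in (EXPECTED_AUD, EXPECTED_AUD + "/"):
        problems.append(f"aud is {aud!r}, expected {EXPECTED_AUD!r}: token was minted for another resource")
    roles = claims.get("roles", [])
    if REQUIRED_ROLE not in roles:
        problems.append(f"roles {roles} lack {REQUIRED_ROLE}: application permission not granted or not admin-consented")
    if "scp" in claims:
        problems.append("token carries 'scp' (delegated permissions): wrong grant flow for a daemon, expected 'roles'")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def xoauth2_string(user, token):
    """SASL XOAUTH2 initial client response; imaplib base64-encodes what the authobject returns.
    `user` must be the address of the mailbox being opened (the shared mailbox), not the app."""
    return f"user={user}\x01auth=Bearer {token}\x01\x01".encode("ascii")


def make_fake_token(claims):
    """Build an UNSIGNED token so the checks can be exercised offline (constructed test data)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample claim sets, not real tokens.
GOOD_CLAIMS = {"aud": EXPECTED_AUD, "roles": [REQUIRED_ROLE], "exp": 4102444800}
BAD_CLAIMS = {"aud": "https://graph.microsoft.com", "scp": "Mail.Read", "exp": 1600000000}

if __name__ == "__main__":
    for name, claims in (("good", GOOD_CLAIMS), ("bad", BAD_CLAIMS)):
        token = make_fake_token(claims)
        print(name, check_token(token, now=1700000000) or "ok")
    print(xoauth2_string("shared@contoso.com", "<token>"))
```

With a real token from `acquire_token_for_client`, call `check_token(result['access_token'])` before `imap.authenticate`. An `aud` of `https://graph.microsoft.com` or a `scp` claim means the wrong scope or grant flow was used; a missing `IMAP.AccessAsApp` role means the permission was not granted as an application permission with admin consent. An empty list only means the token is plausible: the server-side mailbox access (the Exchange registration the first answer points to) is a separate check.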

2 answers

  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2022-11-12T11:06:03.43+00:00

    Hi @Kei Moon

    Thanks for reaching out.

    To access the allowed mailboxes via the POP or IMAP protocols using the OAuth 2.0 client credentials grant flow, you need to register the service principal in Exchange.

    https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#register-service-principals-in-exchange

    Hope this will help.

    Thanks,
    Shweta

    -----------------

    Please remember to "Accept Answer" if answer helped you.


  2. Anonymous
    2023-01-12T15:11:47.15+00:00

    I have the same problem. The service principal in Exchange has already been registered. Did you find a solution?

