Outlook/Office 365 IMAP: how to get an access token (API) using username and app password when MFA is enabled?

JoTech87 21 Reputation points
2022-12-01T10:39:22.193+00:00

Hi Team,

As you are all aware, MS Office 365 recently changed from Basic Auth to Modern Authentication, so it blocks all access from protocols such as IMAP/POP/SMTP. In that case we have to use an access token (OAuth 2.0) generated from the MS API by passing the client ID/secret, username, password and scope.

 

Currently, I'm able to get the access token for users who do not use MFA (and am able to access their mailboxes with the IMAP protocol), but for the users who use MFA, we have app passwords for them. So for MFA users, I'm passing their app password (in the password field) to get the access token, but I'm getting the following error:

"error": "invalid_grant", "error_description": "AADSTS50126: Error validating credentials due to invalid username or password.", "error_codes": [ 50126 ],  

The grant type I'm using for this request is "password". Any suggestion on how to resolve this issue? Do I need to delegate any API permissions on the Azure AD application side? I have currently enabled the permission IMAP.AccessforALL for my usage.

Please help. Thanks in advance.

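For comparison with the "password" grant described in the question, the following is an added example (not code from the original post) of the app-only flow that the accepted answer relies on: the client-credentials grant against the v2.0 token endpoint, followed by an IMAP AUTHENTICATE XOAUTH2 login over TLS. No user password or app password is sent, so the mailbox owner's MFA state never comes into play; the resource owner password (ROPC) grant cannot satisfy an MFA requirement, and an app password only stands in for the account password on Basic Auth, which is the path Exchange Online has closed. The tenant ID, client ID, secret, mailbox and the display name are assumptions; the app registration is assumed to hold the application permission IMAP.AccessAsApp (Office 365 Exchange Online) with admin consent, and its service principal is assumed to have been granted FullAccess on the mailbox with Add-MailboxPermission as the accepted answer describes.

```powershell
# Added example, not from the original post. Assumed values below.
$TenantId     = '00000000-0000-0000-0000-000000000000'   # assumption
$ClientId     = '11111111-1111-1111-1111-111111111111'   # assumption
$ClientSecret = $env:IMAP_CLIENT_SECRET                  # assumption: secret kept out of the script
$Mailbox      = 'john.smith@contoso.com'                 # assumption
$ImapHost     = 'outlook.office365.com'

# 1. Client-credentials token. The app authenticates as itself; /.default on the
#    Outlook resource selects the application roles (IMAP.AccessAsApp) already consented.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://outlook.office365.com/.default'
    }

# 2. SASL XOAUTH2 initial client response:
#    "user=<mailbox>" 0x01 "auth=Bearer <token>" 0x01 0x01, then base64.
$ctl  = [char]1
$sasl = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(
    "user=$Mailbox" + $ctl + "auth=Bearer $($tokenResponse.access_token)" + $ctl + $ctl))

# 3. Implicit-TLS IMAP session on 993.
$tcp = [Net.Sockets.TcpClient]::new($ImapHost, 993)
$tls = [Net.Security.SslStream]::new($tcp.GetStream(), $false)
$tls.AuthenticateAsClient($ImapHost)
$reader = [IO.StreamReader]::new($tls, [Text.Encoding]::ASCII)
$writer = [IO.StreamWriter]::new($tls, [Text.Encoding]::ASCII)
$writer.NewLine   = "`r`n"
$writer.AutoFlush = $true

# Sends one tagged command and returns every response line up to the tagged reply.
# A failed AUTHENTICATE comes back as a "+ <base64 JSON>" continuation; the error is
# decoded for the log and an empty line is sent, which aborts the SASL exchange.
function Send-ImapCommand([string]$Tag, [string]$Command) {
    $writer.WriteLine("$Tag $Command")
    $lines = @()
    while ($null -ne ($line = $reader.ReadLine())) {
        if ($line.StartsWith('+')) {
            $payload = $line.Substring(1).Trim()
            if ($payload) {
                try   { $detail = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($payload)) }
                catch { $detail = $payload }
                Write-Warning "server continuation: $detail"
            }
            $writer.WriteLine('')
            continue
        }
        $lines += $line
        if ($line.StartsWith("$Tag ")) { break }
    }
    return $lines
}

Write-Host $reader.ReadLine()                     # "* OK ..." server greeting
$auth = Send-ImapCommand 'A1' "AUTHENTICATE XOAUTH2 $sasl"
Write-Host ($auth -join "`n")
if ($auth[-1] -like 'A1 OK*') {
    # Smoke test that the session can actually reach the mailbox.
    Write-Host ((Send-ImapCommand 'A2' 'SELECT INBOX') -join "`n")
}
Send-ImapCommand 'A3' 'LOGOUT' | Out-Null
$tls.Dispose(); $tcp.Dispose()
```

Run it after the Exchange-side grant is in place; if AUTHENTICATE returns NO, the decoded continuation payload is what to read first, since it distinguishes a token problem (wrong scope, missing consent) from the mailbox-permission problem the accepted answer addresses.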

Accepted answer
Glen Scales 4,431 Reputation points
2022-12-07T23:00:54.157+00:00

    @Glen Scales, sure, we are currently looking for a short-term solution through IMAP. We will definitely look into this separately for migrating to the Graph API.

    For adding mailbox permission access,

    "Add-MailboxPermission -Identity "john.smith@Company portal .com" -User <SERVICE_PRINCIPAL_ID> -AccessRights FullAccess"

    Do we need to execute this command for all the users in our application separately, and also whenever a new employee joins our organization?

    Yes, it's an explicit grant, so you are saying that the SERVICE_PRINCIPAL_ID (your application) can now access this mailbox "john.smith@Company portal .com". You can use groups etc. to make it a little more automated if you have multiple SERVICE_PRINCIPALs that were accessing the same mailboxes. That just makes it one DACL entry, e.g. you grant the group access to the mailbox and then add the service principals that need to access the mailboxes to the group. There may be some other more elegant ways of doing this (I'm a developer, not a sysadmin), but the important part is that in IMAP there needs to be that explicit permission entry (in Graph and EWS this isn't required).

    In terms of migration, you're not adding any more permissions than would have already been there for IMAP, e.g. a lot of people with IMAP used a service account and then granted that service account access to multiple mailboxes using the above method (they just replace SERVICE_PRINCIPAL with the service account). In this instance all you're doing is replacing the service account with a service principal (and saving an Office 365 licence). If you have been using the credentials of the actual mailboxes it is an extra permission, but from a security perspective no better or worse, as the credentials and now your service principal (certificate) are at the security storage level (or thread level).

    For new accounts, yes, it now has to be part of your provisioning process. There are lots of ways to automate this as well, e.g. I've seen people using Flow/Power Apps to run a script that detects and does it automatically. But from where you're coming from, it sounds like you would have had some type of process already to create the app password etc., so you're migrating that process.

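The grant the accepted answer describes, as an added Exchange Online PowerShell example (not Glen's code): register the app's service principal with Exchange Online once, then give it FullAccess on each mailbox it is allowed to read, skipping mailboxes that already carry the entry so the script can run from a provisioning job every time a new mailbox appears. It assumes a current ExchangeOnlineManagement module (New-ServicePrincipal and Get-ServicePrincipal are not present in old versions, and older releases name the second parameter -ServiceId rather than -ObjectId), an admin session, the Application (client) ID and the enterprise application's Object ID from Azure AD, and a constructed mailbox list. The per-mailbox entry is the only thing scoping what IMAP.AccessAsApp can reach, so the list should be exactly the mailboxes the application processes, not every mailbox in the tenant.

```powershell
# Added example, not code from the accepted answer. Assumed values below.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$AppId     = '11111111-1111-1111-1111-111111111111'   # assumption: app registration's Application (client) ID
$ObjectId  = '22222222-2222-2222-2222-222222222222'   # assumption: enterprise application (service principal) Object ID
$Mailboxes = @('john.smith@contoso.com', 'jane.doe@contoso.com')   # constructed list of mailboxes the app may read

# Exchange Online keeps its own copy of the service principal; it must exist
# before the principal can be named in a mailbox permission entry.
$sp = Get-ServicePrincipal -Identity $ObjectId -ErrorAction SilentlyContinue
if (-not $sp) {
    # Older module versions: -ServiceId instead of -ObjectId.
    $sp = New-ServicePrincipal -AppId $AppId -ObjectId $ObjectId -DisplayName 'IMAP mail processor'   # display name is an assumption
}

foreach ($mbx in $Mailboxes) {
    # Idempotency check: look for an existing, non-deny FullAccess entry for this principal.
    $existing = Get-MailboxPermission -Identity $mbx -User $ObjectId -ErrorAction SilentlyContinue |
        Where-Object { ($_.AccessRights -contains 'FullAccess') -and (-not $_.Deny) }
    if ($existing) {
        Write-Host "$mbx : FullAccess already granted to $($sp.DisplayName)"
        continue
    }
    Add-MailboxPermission -Identity $mbx -User $ObjectId -AccessRights FullAccess | Out-Null
    Write-Host "$mbx : FullAccess granted to $($sp.DisplayName)"
}

# Review what the principal can now reach before the credentials are handed to the application.
foreach ($mbx in $Mailboxes) {
    Get-MailboxPermission -Identity $mbx -User $ObjectId |
        Select-Object Identity, User, AccessRights, Deny, IsInherited
}

Disconnect-ExchangeOnline -Confirm:$false
```

For the group-based variant the answer mentions, the same loop runs once against a mail-enabled security group as -User, and membership of that group then decides which service principals inherit the entry; the review loop at the end is worth keeping either way, since an accidental wildcard in the mailbox list turns a narrowly scoped grant into tenant-wide mail read access.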

5 additional answers

JoTech87 21 Reputation points
2022-12-08T16:37:52.277+00:00

    After adding mailbox permissions, I am able to get the user mailboxes. Thanks for your timely help!
