Authentication error while connecting to Outlook for Java application (Spring) while IMAP OAuth2 implementation

Biji 26 Reputation points
2022-12-21T14:50:38.203+00:00

We have a Java Spring application with a scheduled job that reads mails from an Outlook inbox and completes the process based on the content of the mail. Currently the application uses IMAP basic authentication. Since IMAP basic authentication is being deprecated, we are working on a solution to implement the IMAP OAuth2 protocol.

As a first step, we completed the application registration in Azure AD. We have done the necessary configuration in Microsoft 365. Below are the API permission scopes we set up:

Microsoft Graph:
- IMAP.AccessAsUser.All
- mail.ReadWrite
- User.Read

Office365 Exchange online:
- full_access_as_app
- IMAP.AccessAsApp
- mail.Read
- mail.ReadWrite
- mail.send

We have received the Application (Client) ID, Client secret and Tenant ID. Below is the page we referenced for creating the source code.

https://ralph.blog.imixs.com/2022/10/24/how-to-access-outlook-office365-com-imap-form-java-with-oauth2/

We have verified the Office 365 and Azure AD settings with a PowerShell command and it's working fine, and we are able to get the token created successfully. We have verified the token with jwt.ms. We also connected with the Microsoft support team, who verified all configurations from their side as well.

But we are not able to connect to the IMAP store and are getting the below error at this line (store.connect(host,userEmailId, oauth2AccessToken);). We had the administrator of the Office 365 account run a PowerShell script on Exchange as per the suggestion provided in one of the forums, but the issue still persists.

javax.mail.AuthenticationFailedException: AUTHENTICATE failed.  

We have gone through many Microsoft discussion forums and searched for a solution but still couldn't succeed. Below are some of the pages we tried:

https://learn.microsoft.com/en-us/answers/questions/828094/how-to-access-to-a-shared-mail-box-using-oauth2-wi.html
https://learn.microsoft.com/en-us/answers/questions/872062/how-to-authenticate-a-backend-java-imap-applicatio-1.html
https://social.msdn.microsoft.com/Forums/en-US/6086d4f3-4288-4bad-b290-9aaa7423a9cc/outlook-oauth2-access-mails?forum=WindowsAzureAD
https://stackoverflow.com/questions/73039215/authentication-failure-for-imap-using-client-credential-flow-for-oauth2-0-java

Please advise whether any specific configuration or setup is required to connect to the IMAP store and read the mail.

Any help to get this issue resolved will be highly appreciated.


Accepted answer
  1. Shweta Mathur 30,286 Reputation points Microsoft Employee
    2022-12-28T07:35:27.483+00:00

    Hi @Biji ,

    Thanks for reaching out and providing the update.

    The sample you are referring to uses the client credential flow to get the access token, which requires Application permissions.

    All the permissions which you mentioned are both Delegated permissions and Application permissions as well.

    To get the access token using delegated permissions (which requires user interaction), you need to provide the permissions below to your application:

    [Image: 274486-image.png]

    With delegated permissions, you can get the access token using the authorization grant flow by passing https://outlook.office365.com/IMAP.AccessAsUser.All in scope.

    [Image: 274473-image.png]

    Once you get the access token, you can create and open a JavaMail connection to read mails.

    Hope this will help.

    Thanks,
    Shweta

    ---------------------------------------

    Please remember to "Accept Answer" if answer helped you.


1 additional answer

  1. Biji 26 Reputation points
    2023-01-04T05:52:38.797+00:00

    Hi @Shewalkar, Snehal Thank you for your guidance!! Based on your comments, we have set the permissions under Office 365 Exchange Online as you mentioned and we were able to get the token created. However, our code is unable to read the emails from the mailbox with the current code we are using. Below is the code snippet we are using to connect to the Inbox and read the mail. But we are getting an Authenticate Failed exception in the log.

        Properties props = new Properties();
        props.put("mail.store.protocol", "imaps");
        props.put("mail.imap.host", "outlook.office365.com");
        props.put("mail.imap.port", "993");
        props.put("mail.imap.ssl.enable", "true");
        props.put("mail.imap.starttls.enable", "true");
        props.put("mail.imap.auth", "true");
        props.put("mail.imap.auth.mechanisms", "XOAUTH2");
        props.put("mail.imap.user", emailInput.getReceiveEmailId());
        props.put("mail.debug", "true");
        props.put("mail.debug.auth", "true");

        Store store = null;
        Session session = Session.getInstance(props);
        session.setDebug(true);
        store = session.getStore("imaps");
        store.connect("outlook.office365.com", usermailId, token);


    Since we came across the authentication failure, we tried the Application permissions in Graph API, triggered the requests through Postman and received a success response. Our application is in Java and we consume the Graph API through REST calls, and the job was able to read the mails successfully. But the job is not setting the mails to 'read' status, and it reads the same set of emails every time it runs.

    Is there any built-in function/class available with Microsoft Graph which can be used to mark the emails with READ status, or mark the emails with a flag? We were able to see that a similar function/method exists in IMAP (ImapMailReceiver.receive()). So we would like to understand whether a similar method is available with Graph.

    Any recommendation would be highly appreciated. Thanks

    0 comments No comments
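
A pre-flight check for a setup like the one in this thread, as an added example that is not part of the original posts or of the referenced blog: it lists `mail.*` keys that JavaMail will not apply to a store opened under a different protocol name, and reports whether a token carries the delegated `IMAP.AccessAsUser.All` scope (`scp` claim) or the application `IMAP.AccessAsApp` role (`roles` claim). The class and method names are hypothetical, and the sample token is constructed and unsigned.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.*;

public class ImapOAuthPreflight {
    // JavaMail reads "mail.<protocol>.*" keys, so a store opened with
    // getStore("imaps") ignores settings written as "mail.imap.*".
    static List<String> ignoredKeys(Properties props, String protocol) {
        List<String> ignored = new ArrayList<>();
        for (String key : new TreeSet<>(props.stringPropertyNames())) {
            boolean perProtocol = key.matches("mail\\.(imap|imaps|pop3|pop3s|smtp|smtps)\\..*");
            if (perProtocol && !key.startsWith("mail." + protocol + ".")) ignored.add(key);
        }
        return ignored;
    }

    // Pulls one claim out of the JWT payload as raw text. Diagnostic only:
    // the signature is not verified and the JSON handling is deliberately minimal.
    static String claim(String jwt, String name) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) throw new IllegalArgumentException("not a JWT");
        String json = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*(\"[^\"]*\"|\\[[^\\]]*\\])").matcher(json);
        return m.find() ? m.group(1) : "";
    }

    // Delegated tokens carry permissions in "scp"; app-only (client credential) tokens in "roles".
    static String grantType(String jwt) {
        if (claim(jwt, "scp").contains("IMAP.AccessAsUser.All")) return "delegated";
        if (claim(jwt, "roles").contains("IMAP.AccessAsApp")) return "application";
        return "no IMAP permission in token";
    }

    public static void main(String[] args) {
        Properties props = new Properties();               // keys as in the post above
        props.put("mail.store.protocol", "imaps");
        props.put("mail.imap.ssl.enable", "true");
        props.put("mail.imap.auth.mechanisms", "XOAUTH2");
        System.out.println("ignored for imaps: " + ignoredKeys(props, "imaps"));

        // Constructed, unsigned sample token; a real one comes from the token endpoint.
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String body = "{\"aud\":\"https://graph.microsoft.com\",\"roles\":[\"Mail.Read\"]}";
        String jwt = enc.encodeToString("{}".getBytes(StandardCharsets.UTF_8)) + "."
                   + enc.encodeToString(body.getBytes(StandardCharsets.UTF_8)) + ".sig";
        System.out.println("aud=" + claim(jwt, "aud") + " grant=" + grantType(jwt));
    }
}
```

A token whose `aud` names Graph rather than the Exchange Online resource, or that carries neither IMAP permission, will be rejected at `AUTHENTICATE` regardless of the JavaMail settings.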
