The first thing to check is whether IMAP is enabled on the Shared Mailbox; generally it will be disabled by the security defaults (even if it was working in the past). Sometimes the Azure sign-in logs and Mailbox Audit logs (https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailboxes?view=o365-worldwide) can be helpful from a debug point of view to point to any other issues that might be occurring during the logon/connection process.
How to access an IMAP folder of a shared mailbox in Microsoft365 over OAUTH2 and Microsoft.Identity Class
Hello,
I've a really angry problem accessing a shared mailbox folder over OAUTH2 with Microsoft.Identity classes.
Prerequisite:
Exchange Powershell:
- Create a new service principal with this app
- Add mailbox permissions to main user (here: @mailbox.de) and shared mailbox (@mailbox.de/support or ******@mailbox.de)
Workflow for main user (******@mailbox.de):
- Get App Access Token with clientID, tenantID, secretvalue, scope := https://outlook.office365.com/.default
VB.NET
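' Scope as given in the step above; clientId, tenantId and clientSecret come from the app registration.
Dim scopes As String() = {"https://outlook.office365.com/.default"}
Dim confidentalApp As IConfidentialClientApplication = ConfidentialClientApplicationBuilder.Create(clientId).WithTenantId(tenantId).WithClientSecret(clientSecret).Build()
Dim result As AuthenticationResult = Await confidentalApp.AcquireTokenForClient(scopes).ExecuteAsync()
Dim accessToken As String = result.AccessToken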
- Generate User / Token Key with imap user and result token from 1)
Dim xOAuthKey = OAuth2.GetXOAuthKeyStatic(imapuser, accessToken)
- Try access to folder INBOX of imapuser with 3rd party tool over OAUTH2
imap.Login(Nothing, xOAuthKey, AuthenticationMethods.SaslOAuth2, AuthenticationOptions.None, Nothing)
RESULT:
With the master mailbox (******@mailbox.de) it runs perfectly. I can get the folder and all mails in this folder.
[11:00:40.81] [INFO] Will resolve host "outlook.office365.com".
[11:00:40.86] [INFO] Host "outlook.office365.com" resolved to IP address(es) 40.99.201.178, 40.99.201.210, 52.97.201.226, 40.99.217.50.
[11:00:40.87] [INFO] Will connect to host "outlook.office365.com" on port 993.
[11:00:43.90] [INFO] Socket connected to IP address 40.99.201.178 on port 993.
[11:00:43.93] [INFO] Will start TLS/SSL negotiation sequence.
[11:00:43.97] [INFO] TLS/SSL negotiation completed.
[11:00:44.05] [RECV] * OK The Microsoft Exchange IMAP4 service is ready. [Token deleted...]\r\n [Total 160 bytes received.]
[11:00:44.07] [INFO] Get the list of IMAP4 capabilities via CAPABILITY command.
[11:00:44.08] [SEND] MBN00000001 CAPABILITY\r\n
[11:00:44.09] [RECV] * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+\r\n [Total 115 bytes received.]
[11:00:44.10] [RECV] MBN00000001 OK CAPABILITY completed.\r\n [Total 38 bytes received.]
[11:00:44.11] [INFO] Connected to mail service at host "outlook.office365.com" on port 993 and ready.
[11:00:44.12] [INFO] Will login as "".
[11:00:44.13] [INFO] Will try SASL XOAUTH2 authentication method.
[11:00:44.14] [SEND] MBN00000002 AUTHENTICATE XOAUTH2\r\n
[11:00:44.15] [RECV] + \r\n [Total 4 bytes received.]
[11:00:44.16] [SEND] ********\r\n
[11:00:44.99] [RECV] MBN00000002 OK AUTHENTICATE completed.\r\n [Total 40 bytes received.]
[11:00:45.00] [INFO] Logged in as "".
[11:00:47.76] [INFO] Select folder "Inbox".
[11:00:47.77] [SEND] MBN00000003 SELECT "Inbox"\r\n
[11:00:47.85] [RECV] * 0 EXISTS\r\n [Total 12 bytes received.]
[11:00:47.85] [RECV] * 0 RECENT\r\n [Total 12 bytes received.]
[11:00:47.86] [RECV] * FLAGS (\Seen \Answered \Flagged \Deleted \Draft $MDNSent)\r\n [Total 61 bytes received.]
[11:00:47.87] [RECV] * OK [PERMANENTFLAGS (\Seen \Answered \Flagged \Deleted \Draft $MDNSent)] Permanent flags\r\n [Total 91 bytes received.]
[11:00:47.87] [RECV] * OK [UIDVALIDITY 14] UIDVALIDITY value\r\n [Total 41 bytes received.]
[11:00:47.88] [RECV] * OK [UIDNEXT 18609] The next unique identifier value\r\n [Total 55 bytes received.]
[11:00:47.88] [RECV] MBN00000003 OK [READ-WRITE] SELECT completed.\r\n [Total 47 bytes received.]
[11:00:47.89] [SEND] MBN00000004 LOGOUT\r\n
[11:00:47.93] [RECV] * BYE Microsoft Exchange Server IMAP4 server signing off.\r\n [Total 59 bytes received.]
[11:00:47.94] [RECV] MBN00000004 OK LOGOUT completed.\r\n [Total 34 bytes received.]
[11:00:47.96] [INFO] Will disconnect from host "outlook.office365.com".
[11:00:47.98] [INFO] Disconnected from host "outlook.office365.com".
With the shared mailbox (******@mailbox.de) I can't get access.
- Access with the shared mailbox email address ******@mailbox.de
[11:03:25.38] [INFO] Assembly version: 12.3.0 build 647 for .NET 4.5.
[11:03:25.38] [INFO] Will resolve host "outlook.office365.com".
[11:03:25.43] [INFO] Host "outlook.office365.com" resolved to IP address(es) 52.97.232.210, 40.99.217.34, 52.97.201.242, 40.99.201.210.
[11:03:25.43] [INFO] Will connect to host "outlook.office365.com" on port 993.
[11:03:25.46] [INFO] Socket connected to IP address 52.97.232.210 on port 993.
[11:03:25.47] [INFO] Will start TLS/SSL negotiation sequence.
[11:03:25.52] [INFO] TLS/SSL negotiation completed.
[11:03:25.59] [RECV] * OK The Microsoft Exchange IMAP4 service is ready. [Token deleted....]\r\n [Total 160 bytes received.]
[11:03:25.61] [INFO] Get the list of IMAP4 capabilities via CAPABILITY command.
[11:03:25.62] [SEND] MBN00000001 CAPABILITY\r\n
[11:03:25.63] [RECV] * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+\r\n [Total 115 bytes received.]
[11:03:25.64] [RECV] MBN00000001 OK CAPABILITY completed.\r\n [Total 38 bytes received.]
[11:03:25.65] [INFO] Connected to mail service at host "outlook.office365.com" on port 993 and ready.
[11:03:25.66] [INFO] Will login as "".
[11:03:25.67] [INFO] Will try SASL XOAUTH2 authentication method.
[11:03:25.68] [SEND] MBN00000002 AUTHENTICATE XOAUTH2\r\n
[11:03:25.69] [RECV] + \r\n [Total 4 bytes received.]
[11:03:25.70] [SEND] ********\r\n
[11:03:29.39] [RECV] MBN00000002 OK AUTHENTICATE completed.\r\n [Total 40 bytes received.]
[11:03:29.41] [INFO] Logged in as "".
[11:03:33.24] [INFO] Select folder "Inbox".
[11:03:33.25] [SEND] MBN00000003 SELECT "Inbox"\r\n
[10:18:30.20] [RECV] MBN00000003 BAD User is authenticated but not connected.\r\n [Total 58 bytes received.]
[10:18:30.21] [INFO] Error: The server has responded with negative reply. The server responded: MBN00000003 BAD User is authenticated but not connected.
Alternatively, I can access with the main user token but log in with the shared mailbox:
imap.Login("******@mailbox.de", xOAuthKey, AuthenticationMethods.SaslOAuth2, AuthenticationOptions.None, Nothing)
but this supported only the folders from the main user.
Has anybody an idea how to access this shared mailbox? Before, with IMAP access using plain authentication (name, password), we accessed the mailbox with ******@mailbox.de\support - Folder INBOX
I don't use MS Graph or EWS!
Kind regards,
Markus Blume
Markus Blume, 2023-01-19T15:11:05.4166667+00:00
Hello,
yes, all IMAP checkboxes are enabled (in the master mailbox and the shared mailbox).
I've checked the access with the site
https://testconnectivity.microsoft.com/tests/O365Imap/input
with modern authentication (OAUTH) and alternative mailbox (optional). So I can access the shared mailbox and its folder. I've checked the access with EWS with the same APP data in Azure and got direct access to the shared mailbox ******@mailbox.de.
I don't think that only I have the problem. Normally it is very simple:
Register APP in Azure with correct permissions
Set permissions (Service Principals) in Exchange to the mailboxes (normal and shared)
Then:
Create a Token with ClientID, TenantID, SecretValue of the APP
Generate a bearer token with Microsoft.Identity.Client (OAuth2.GetXOAuthKeyStatic)
Connect to Microsoft365 (scope: https://outlook.office365.com/.default) and login with the shared mailbox user and get folders and mails
Is there another way, an online site or a test tool, to validate the token and the access?
Greetings,
Markus
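An offline check for the two things this thread turns on, as an added example that is not part of the original posts: which mailbox the XOAUTH2 key names, and what the access token's claims say. The function names, the sample address and the unsigned sample token are constructed for illustration; `IMAP.AccessAsApp` is the Exchange Online application permission for app-only IMAP, and the expected `aud` value is an assumption derived from the scope used in the thread.

```python
import base64
import json
import time

def build_xoauth2(mailbox, access_token):
    """SASL XOAUTH2 initial response; `mailbox` is the mailbox the session should open."""
    raw = f"user={mailbox}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def parse_xoauth2(key):
    """Decode an XOAUTH2 key to see which mailbox and token it actually carries."""
    fields = base64.b64decode(key).decode().rstrip("\x01").split("\x01")
    out = dict(f.split("=", 1) for f in fields)
    out["auth"] = out["auth"].partition(" ")[2]  # drop the "Bearer " prefix
    return out

def jwt_claims(token):
    """Read a JWT's claims WITHOUT verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_problems(claims, audience="https://outlook.office365.com",
                   role="IMAP.AccessAsApp", now=None):
    """Return reasons why this token is unlikely to be accepted for app-only IMAP."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != audience:  # expected audience is an assumption
        problems.append(f"aud is {claims.get('aud')!r}, expected {audience!r}")
    if role not in claims.get("roles", []):
        problems.append(f"roles lacks {role}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed, unsigned sample token (not a real credential): wrong audience and role.
SAMPLE_CLAIMS = {"aud": "https://graph.microsoft.com", "roles": ["Mail.Read"],
                 "exp": 2000000000}
SAMPLE_TOKEN = f"{_b64url({'alg': 'none'})}.{_b64url(SAMPLE_CLAIMS)}.sig"

if __name__ == "__main__":
    key = build_xoauth2("shared@example.com", SAMPLE_TOKEN)
    print("mailbox in key:", parse_xoauth2(key)["user"])
    for problem in token_problems(jwt_claims(SAMPLE_TOKEN), now=1700000000):
        print("problem:", problem)
```

Run `parse_xoauth2` on the key your IMAP library is about to send and `token_problems(jwt_claims(accessToken))` on the token from MSAL before connecting; treat both as secrets and keep them out of logs.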