How to retrieve customer mails with oauth instead of basic auth imap in Microsoft Exchange

Shawn J 20 Reputation points
2023-02-23T08:12:27.8966667+00:00

I have made a .Net WPF Desktop-App which allows customers outside of our domain (outside of our Azure tenant etc.) to automatically export mails from IMAP Office365 accounts. Since Microsoft disabled this legacy authentication method, it seems we need to switch to OAuth.

Would the correct approach be to set up an Azure account, generate a Tenant and Client ID, put both into the desktop app and implement something like this: https://github.com/jstedfast/MailKit/blob/master/ExchangeOAuth2.md to get the IMAP client?

I can't figure out from any documentation from Microsoft if this is supposed to be a method for the company's own users or for external Microsoft accounts from customers whose addresses we don't know. Also, is it safe to put the Client and Tenant ID into the desktop app for customers?

It also seems we need to invite any third-party Office365 user to our tenant as a guest for this. Is this correct? Can we set up a self sign-up flow for this purpose?

Thanks for reading.

Tags: Microsoft Exchange Online, Active Directory, Microsoft Exchange Online Management

Accepted answer
  1. 2023-03-08T14:45:36.1966667+00:00

    Hello @Shawn J , yes in order to be able to access Outlook mailboxes using OAuth2 you need to create/have an Azure AD tenant, create an app registration, and register the required delegated/user permission (https://outlook.office.com/IMAP.AccessAsUser.All). It is ok to hard-code tenant id, client id, redirect Uri and other values provided they're not passwords or secrets.

    If you want external users to be able to read their own mailboxes then you need to create a multi-tenant app so that they can access them (since they're hosted in their tenant, not yours).

    If you want external users to be able to read your tenant mailboxes, you will need to authenticate as an application using client credentials flow. This requires registering an application permission instead of the user's.

    The Using OAuth2 With Exchange (IMAP, POP3 or SMTP) sample provided looks great for user/delegated authentication. For application authentication take a look at Use client credentials grant flow to authenticate IMAP and POP connections for how to configure your app registration and Initializing a confidential client application from code for how to initialize an IConfidentialClientApplication as a replacement for the IPublicClientApplication included in your sample code.

    Finally, it's possible to implement either IPublicClientApplication or IConfidentialClientApplication in a desktop application, however it's recommended to implement the latter in an API that your desktop application can consume since it's safer to store client secrets or certificates in an API than in a desktop app. In this scenario it's recommended to create 2 app registrations: 1 for the desktop app and one for the API.

    Let us know if you need additional assistance. If the answer was helpful, please accept it so that others can find a solution.

    1 person found this answer helpful.
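The two flows described in the accepted answer, as an added example in C# that is not code from MailKit, Microsoft or the question author. It assumes the Microsoft.Identity.Client (MSAL.NET) and MailKit NuGet packages. `CLIENT_ID`, `TENANT_ID`, `CLIENT_SECRET` are placeholders for values from your own app registration, and the class and method names are illustrative. The first class is what belongs in the customer-facing desktop app: a multi-tenant public client that carries only the client ID (an identifier, not a secret), tries the token cache before opening a browser, and authenticates to Exchange Online IMAP with XOAUTH2. The second class is the client-credentials counterpart for reading mailboxes in your own tenant and, because it holds a secret, belongs in a backend API rather than in the shipped binary.

```csharp
// Added example, not the project's own code. Requires the Microsoft.Identity.Client
// and MailKit packages. All GUIDs and the secret are placeholders.
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using MailKit;
using MailKit.Net.Imap;
using MailKit.Security;
using Microsoft.Identity.Client;

// Desktop-app side: delegated (user) authentication, multi-tenant.
public static class CustomerMailboxImap
{
    // Safe to embed in the desktop app: a client ID identifies the app, it is not a secret.
    const string ClientId = "00000000-0000-0000-0000-000000000000"; // CLIENT_ID placeholder

    // Delegated IMAP scope from the accepted answer, plus offline_access so MSAL
    // receives a refresh token and later runs can stay silent.
    static readonly string[] ImapScopes =
    {
        "https://outlook.office.com/IMAP.AccessAsUser.All",
        "offline_access",
    };

    // AzureAdMultipleOrgs = "organizations" authority: customers sign in with accounts
    // from their own tenants, so no guest invitation into our tenant is required.
    static readonly IPublicClientApplication App = PublicClientApplicationBuilder
        .Create(ClientId)
        .WithAuthority(AzureCloudInstance.AzurePublic, AadAuthorityAudience.AzureAdMultipleOrgs)
        .WithRedirectUri("http://localhost") // must also be registered on the app registration
        .Build();

    // Use the cached account first; only open the browser when MSAL says it must.
    public static async Task<AuthenticationResult> AcquireImapTokenAsync(CancellationToken ct)
    {
        var account = (await App.GetAccountsAsync()).FirstOrDefault();
        if (account != null)
        {
            try
            {
                return await App.AcquireTokenSilent(ImapScopes, account).ExecuteAsync(ct);
            }
            catch (MsalUiRequiredException)
            {
                // Refresh token expired/revoked or consent missing: fall through to interactive.
            }
        }
        return await App.AcquireTokenInteractive(ImapScopes).ExecuteAsync(ct);
    }

    // Authenticate to Exchange Online IMAP with XOAUTH2 and return the inbox message count.
    public static async Task<int> CountInboxMessagesAsync(CancellationToken ct)
    {
        var token = await AcquireImapTokenAsync(ct);
        // SASL XOAUTH2 carries the signed-in user's UPN and the bearer access token.
        var oauth2 = new SaslMechanismOAuth2(token.Account.Username, token.AccessToken);

        using var client = new ImapClient();
        await client.ConnectAsync("outlook.office365.com", 993, SecureSocketOptions.SslOnConnect, ct);
        await client.AuthenticateAsync(oauth2, ct);
        await client.Inbox.OpenAsync(FolderAccess.ReadOnly, ct);
        int count = client.Inbox.Count;
        await client.DisconnectAsync(true, ct);
        return count;
    }
}

// Backend-API side only: application (client credentials) authentication for
// mailboxes in your own tenant. Never compile the secret into the desktop app.
public static class TenantMailboxImap
{
    const string TenantId = "11111111-1111-1111-1111-111111111111"; // TENANT_ID placeholder
    const string ClientId = "22222222-2222-2222-2222-222222222222"; // CLIENT_ID placeholder

    // Application permission token for IMAP; the mailbox to open is chosen by the caller.
    public static async Task<SaslMechanismOAuth2> AcquireAppMechanismAsync(
        string mailboxUpn, string clientSecret, CancellationToken ct)
    {
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(ClientId)
            .WithClientSecret(clientSecret) // CLIENT_SECRET placeholder, loaded from server-side config
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();

        var token = await app.AcquireTokenForClient(
            new[] { "https://outlook.office365.com/.default" }).ExecuteAsync(ct);

        // XOAUTH2 user name is the mailbox the application is allowed to access.
        return new SaslMechanismOAuth2(mailboxUpn, token.AccessToken);
    }
}
```

For the delegated class, each customer's tenant admin (or the user, depending on tenant policy) consents to `IMAP.AccessAsUser.All` on first sign-in; the desktop app never sees a refresh token in plaintext, MSAL handles it. For the confidential class, the application permission must be granted admin consent and the app's service principal must be given access to the target mailboxes in Exchange Online, as described in the "Use client credentials grant flow to authenticate IMAP and POP connections" document the answer refers to; without that step the token is issued but the IMAP login is rejected.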

2 additional answers

  1. Carlos Solís Salazar 16,611 Reputation points
    2023-02-23T12:36:15.2266667+00:00

    Thank you for asking this question on the Microsoft Q&A Platform.

    Please check this documentation, there you have different options to set up an application to send email using Microsoft 365.

    Hope this helps!


    Accept Answer and Upvote, if any of the above helped, this thread can help others in the community looking for remediation for similar issues.

    NOTE: To answer you as quickly as possible, please mention me in your reply.


  2. Limitless Technology 43,951 Reputation points
    2023-02-23T16:39:37.4266667+00:00

    Hi. Thank you for your question and reaching out. I’d be more than happy to help you with your query.

    According to this article https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online#:~:text=In%20the%20Microsoft%20365%20admin%20center%20at%20https%3A%2F%2Fadmin,no%20longer%20require%20Basic%20authentication.

    In the Microsoft 365 admin center at https://admin.microsoft.com, go to Settings > Org Settings > Modern Authentication. In the Modern authentication flyout that appears, you can identify the protocols that no longer require Basic authentication.

    For more information, you can also check https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.
