Share via

How to enable IMAP access via OAUTH for application without ROBC flow?

James Sconfitto 20 Reputation points
2023-03-23T20:08:52.0166667+00:00

I'm developing a daemon application that intends to read and send emails through IMAP and SMTP. Right now, I'm testing using an Exchange Online mailbox.

I've followed the instructions posted here: https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth.

I can read and send email when I acquire tokens through an interactive log in (using MSAL), and through ROBC (using raw POST, and I do not want to use ROBC because of security concerns), but not through MSAL's ConfidentialClientApplication with secrets-based client or certificates based clients, which I assume to be valid for obtaining tokens through the client credential flow.

The instructions seem to indicate that an application should be able to access a mailbox using client credentials but I am unable to do this. What am I missing?

Microsoft Exchange Online
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,113 questions
0 comments
Accepted answer
  1. Shweta Mathur 29,781 Reputation points Microsoft Employee
    2023-03-24T05:24:41.1433333+00:00

    Hi @James Sconfitto ,

    Thanks for reaching out .

    For client credentials flow, you need to add application permissions under Office 365 Exchange Online

    enter image description here

    Make sure to grant admin consent for all the application permissions.

    Once consent has been provided, the admin must register your AAD application's service principal in Exchange using powerShell by following commands:

    Install ExchangeOnlineManagement

    Install-Module -Name ExchangeOnlineManagement -allowprerelease Import-module ExchangeOnlineManagement Connect-ExchangeOnline -Organization

    Register Service Principal in Exchange:

    1.New-ServicePrincipal -AppId <APPLICATION_ID> -ServiceId <OBJECT_ID> [-Organization <ORGANIZATION_ID>]

    Make sure to use ObjectId from enterprise applications rather than object id of application registration. For the same application you registered in Application Registration. A corresponding application has been created in Enterprise Application as well. You need to pass object id from there while registering service principal in Exchange: enter image description here

    2.Get-ServicePrincipal | fl

    3.Add-MailboxPermission -Identity "john.smith@contoso.com" -User <SERVICE_PRINCIPAL_ID> -AccessRights FullAccess

    In the application, you need to use scope = 'https://outlook.office365.com/.default'

    Once you get the access token, you can create and open a Mail connection to read mails.

    Reference: https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#use-client-credentials-grant-flow-to-authenticate-imap-and-pop-connections

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.