Send email from a .Net Framework Winforms application and service using Microsoft accounts.

Question

Send email from a .Net Framework Winforms application and service using Microsoft accounts.

Fortecho Solutions Ltd 0

Hello.

We provide a .Net Framework Winforms application with a service. Both share code which allows our customers to send email from their own email accounts, currently using MailKit, although we could use another client if necessary.

Where they want to use Microsoft accounts, will they be able to continue to use their username and password? If they choose to use OAuth instead, how would we implement this so that the Winforms application can be configured once, sends mail, and the service can also pick up those credentials? Is that possible? I've tried to follow both Microsoft and MailKit's documentation on MSAL, but it's not clear to me which approach to implement.

Many thanks

Jon

2 answers

Your answer

Answer 1

Raja Pothuraju 23,465 Microsoft External Staff Moderator

Hello @Fortecho Solutions Ltd,

Thank you for your response.

I understand that after adding the line Net.ServicePointManager.SecurityProtocol = Net.SecurityProtocolType.Tls12 to your code, the error "HttpRequestException: SocketException: An existing connection was forcibly closed by the remote host" was resolved. I appreciate the update on this matter.

Regarding the Entra app registration, I see that you have registered the application with the supported account types set to "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox)." This means your application can be used by all users with a work or school account, as well as personal Microsoft accounts. But users are getting an error AADSTS50020 when they login with Hotmail account.

To address the issue you're experiencing, please refer to the following Microsoft documentation and review the suggested solutions:

Error Code AADSTS50020 - User account identity provider does not exist

Based on your user behavior, it appears that your scenario falls under Cause 3 as documented. Your current code looks like this:


var app = ConfidentialClientApplicationBuilder.Create(clientId)

            .WithClientSecret(clientSecret)

            .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}"))

            .Build();

If you are targeting the /tenantID endpoint, encountering this error message is expected. Instead, you should use the https://login.microsoftonline.com/common endpoint.

Please update your code accordingly:


var app = ConfidentialClientApplicationBuilder.Create(clientId)

            .WithClientSecret(clientSecret)

            .WithAuthority(new Uri("https://login.microsoftonline.com/common"))

            .Build();

This change should help resolve the issue.

If the issue persists, I recommend that you review the other causes mentioned in the document linked above and let us know the update.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Thanks,
Raja Pothuraju.

Fortecho Solutions Ltd 0 Reputation points

2024-07-04T09:33:09.7266667+00:00

It was the code from the Winforms sample given above that was giving the AADSTS50020 error;

https://github.com/azure-samples/ms-identity-docs-code-dotnet/tree/main/desktop-winforms

If I go back to using the ConfidentialClientApplicationBuilder, it gives me MailKit.Security.AuthenticationException: '535: 5.7.139 Authentication unsuccessful, the user credentials were incorrect.

How does it work that out? If I use the ConfidentialClient, the only user credential I'm now providing is a Hotmail address.
Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator

2024-07-04T15:24:30.19+00:00

Hello @Fortecho Solutions Ltd,

Thank you for your response.

To troubleshoot this issue further, I recommend adding the user as a guest user in your tenant.

Please follow the steps mentioned in the document linked below to add the user in your Entra tenant as a guest user: Invite an external guest user.

After adding the Hotmail user as a guest account in your tenant, please check the behavior and let me know the result.

Looking forward for your response.

Thanks,
Raja Pothuraju.
Fortecho Solutions Ltd 0 Reputation points

2024-07-04T18:03:41.4633333+00:00

Thank you. I'm trying to send that invitation. The Invite button is producing the error:

"User invitation failed

Unable to complete due to service connection error. Please try again later."

It wouldn't be appropriate for all our customers to be registering their MS email accounts with us. They will need to be able to use their own accounts without waiting for our approval.
Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator

2024-07-08T04:51:08.03+00:00

Hello @Fortecho Solutions Ltd,

Thank you for your response.

I understand that when attempting to add a Hotmail user as a guest account in your tenant, you received an error message stating "Unable to complete due to service connection error. Please try again later." This issue may be related to a cookie problem. Please try inviting the user again after clearing the cookies in your browser, or alternatively, log in to the Azure Portal using an incognito browser session.

https://github.com/azure-samples/ms-identity-docs-code-dotnet/tree/main/desktop-winforms

Regarding the GitHub article you referenced earlier, I see that the script was designed for single-tenant logins, which is likely why you encountered the AADSTS50020 error previously. The document specifies that it supports "Accounts in this organizational directory only" (Single tenant), indicating its design for single-tenant logins.

In our case, we need to add users with Hotmail accounts as guest users in our tenant. Please attempt to invite the guest users again and verify if they can successfully complete authentication. You can confirm this by checking the Microsoft Entra sign-in logs.

Thanks,
Raja Pothuraju.
Fortecho Solutions Ltd 0 Reputation points

2024-07-08T15:24:05.48+00:00

Thank you for all your help with this. The test user account has now recived and accepted the invitation email. The call to AcquireTokenForClient() now appears to be succeeding, but our Winforms application is throwing;

SmtpCommandException: 5.7.139 Authentication unsuccessful, the user credentials were incorrect.

at the line;

client.Authenticate("******@outlook.com", accesstoken)
Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator

2024-07-10T14:27:06.97+00:00
Hello @Fortecho Solutions Ltd,

Thank you for your response.

Based on the error, it appears that your application is rejecting tokens generated with guest or personal user accounts. I would like to explore the scenario where authentication is attempted with a member user in the tenant.

Please try logging in with a work or school account and observe the behavior. Meanwhile, also test with the user account ******@outlook.com.

To address this issue, please refer to the document below and follow the outlined steps:

https://learn.microsoft.com/en-us/exchange/troubleshoot/email-delivery/fix-issues-with-printers-scanners-and-lob-applications-that-send-email-using-off#error-authentication-unsuccessful

Verify that SMTP is enabled for the user by running the PowerShell commands mentioned in the article.

Ensure that security defaults are indeed disabled.

Check if there are any conditional access policies that might be affecting the user.

Review the per-user MFA (Multi-Factor Authentication) settings for the affected user account. If it is enabled, disabled for the user.

Please let me know the output after following the above steps.

Looking forward for your response.

Thanks,
Raja Pothuraju.
Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator

2024-07-15T07:16:54.5266667+00:00

Hello @Fortecho Solutions Ltd,

Following up to see if the below suggestion was helpful. And, if you have any further query do let us know.
Jon Harris 0 Reputation points

2024-07-15T11:38:24.11+00:00

Thank you.

We're still having some problems. The call to AcquireTokenForClient() now creates a different error message:

AADSTS7000229: The client application xxx is missing service principal in the tenant xxx. See instructions here: https://go.microsoft.com/fwlink/?linkid=2225119

That article is titled "Create an enterprise application from a multitenant application in Microsoft Entra ID" but we already have an Enterprise Application.

Following the instructions in your latest link, the Get-CASMailbox for the test Hotmail account or my work account both give the error;

Get-CASMailbox: Ex6F9304|Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException|The operation couldn't be performed because object '******@account.com' couldn't be found on 'xxx.yyy.PROD.OUTLOOK.COM'.
Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator

2024-07-29T06:46:55.3833333+00:00

Hello @Jon Harris,

Thank you for your response.

I agree that this issue looks strange, and I wasn't able to reproduce this issue. If you have a support plan, could you please file a support ticket for deeper investigation and do share the SR# with us? In case if you don't have a support plan, please let us know here.

Thanks,
Raja Pothuraju.
Jon Harris 0 Reputation points

2024-07-30T10:27:23.79+00:00

Thank you for this. We are a Visual Studio Professional subscriber. How do we file a support ticket?
Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator

2024-07-30T14:14:44.7266667+00:00

Hi @Jon Harris,

You can submit a support ticket by following the steps outlined in the document below:

How to Open a Support Request in Microsoft Entra ID

If you encounter any issues while submitting the support ticket, please let me know.

Thanks,
Raja Pothuraju.
Jon Harris 0 Reputation points

2024-07-30T15:00:18.0133333+00:00

Thank you. Our support request ID is 2407300050003931.
Jon Harris 0 Reputation points

2024-07-31T08:05:34.3166667+00:00

The support teams are having problems deciding who should handle the ticket. Are you able to help them, please?
Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator

2024-08-01T06:12:44.6366667+00:00

Hello @Jon Harris,

I see the case was closed as unresolved. Did your issue addressed by support engineer. May I know reason for closing the case.
Jon Harris 0 Reputation points

2024-08-01T08:09:55.7+00:00

Hi Raja Pothuraju,

Thank you for looking at it. No, the issue hasn't been resolved. It looks like it was assigned to a team who aren't able to help, and closed it instead. The last email I received on it reads;

"Hi Jon,

I've consulted our internal support, and your concern is best handled by our Microsoft Unified Support.

You have reached Microsoft 365 team, and our scope of support is found here: Support limitations for issues with Microsoft 365 Apps for enterprise or Microsoft 365 Apps for business - Microsoft Support.

I understand that you are having an issue with WinForms app & a service and how to setup to allow customer to use Hotmail and other MS accounts to send email, and we only have knowledge about Office635 for business apps related issues within the package. What I can help you is to guide you where to reach out for the support, please go to this link aka.ms/oas (Services Hub (microsoft.com) to provide you proper guidance on your concern.

We haven't received anything from you on any inquiries about Microsoft 365. I hope that you are able to get the assistance that you needed for WinForms.

Thank you.

Thank you for choosing Microsoft 365, Grace Microsoft 365 Support Team

Work hours: 9AM-5PM EST Mon-FriYour Success Is Our Success"
Jon Harris 0 Reputation points

2024-08-01T09:42:45.48+00:00

Hi Raja Pothuraju,

Thank you for looking at this.

No, the issue isn't resolved. It looks like it was assigned to a team who decided they couldn't help with it, and who closed it instead. The last email I received is;

"Hi Jon,

I've consulted our internal support, and your concern is best handled by our Microsoft Unified Support.

You have reached Microsoft 365 team, and our scope of support is found here: Support limitations for issues with Microsoft 365 Apps for enterprise or Microsoft 365 Apps for business - Microsoft Support.

I understand that you are having an issue with WinForms app & a service and how to setup to allow customer to use Hotmail and other MS accounts to send email, and we only have knowledge about Office635 for business apps related issues within the package. What I can help you is to guide you where to reach out for the support, please go to this link aka.ms/oas (Services Hub (microsoft.com) to provide you proper guidance on your concern.

We haven't received anything from you on any inquiries about Microsoft 365. I hope that you are able to get the assistance that you needed for WinForms.

Thank you.

Thank you for choosing Microsoft 365, Grace Microsoft 365 Support Team

Work hours: 9AM-5PM EST Mon-FriYour Success Is Our Success"
Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator

2024-08-06T08:30:16.9766667+00:00

Hello @Jon Harris,

Thank you for your response.

I see the support ticket was closed stating not having Unified Support plan. But you can ask the support engineer to transfer it to concern team if that is not coming under his scope of support boundary. Please send him an email once from your end.

Thanks,
Raja Pothuraju.

Answer 2

Anonymous

Hi @Fortecho Solutions Ltd , Welcome to Microsoft Q&A,

To send emails from a Microsoft account from a WinForms application or service, you can choose to use OAuth2 for authentication. OAuth2 is more secure than traditional usernames and passwords.

In the service, read the stored token and use it to authenticate and send emails:

public class EmailService
{
    private static readonly string tokenCachePath = "token_cache.json";

    public async Task SendEmailAsync(string to, string subject, string body)
    {
        var token = File.ReadAllText(tokenCachePath);

        var message = new MimeMessage();
        message.From.Add(new MailboxAddress("Your Name", "your-email@example.com"));
        message.To.Add(new MailboxAddress("", to));
        message.Subject = subject;
        message.Body = new TextPart("plain")
        {
            Text = body
        };

        using var client = new SmtpClient();
        await client.ConnectAsync("smtp.office365.com", 587, MailKit.Security.SecureSocketOptions.StartTls);
        await client.AuthenticateAsync("your-email@example.com", token);
        await client.SendAsync(message);
        await client.DisconnectAsync(true);
    }
}

Best Regards,

Jiale

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Fortecho Solutions Ltd 0 Reputation points

2024-06-29T11:25:47.6733333+00:00

Thank you for this quick response. Where would I obtain the token? Using the AccessToken from an Identity.Client.AuthenticationResult raises a

AuthenticationException: '535: 5.7.139 Authentication unsuccessful, the user credentials were incorrect.
Anonymous

2024-07-01T09:28:31.1633333+00:00

This token can be used with Azure. You can open a post about Azure after closing this case. Microsoft also provides a corresponding tutorial: Microsoft identity platform and OAuth 2.0 authorization code flow.
Fortecho Solutions Ltd 0 Reputation points

2024-07-01T12:46:03.51+00:00

Thank you, but the question would be the same. How can our application and service use OAuth2 to send email? The MSAL documentation and the document you provided cover many different scenarios. For example, this might have been useful to us if it referred to a .Net Framework desktop application rather than an ASP.Net Core web app: https://learn.microsoft.com/en-us/entra/identity-platform/msal-acquire-cache-tokens#advanced-accessing-the-users-cached-tokens-in-background-apps-and-services

So, which parts of the documentation pertain to our requirements above? If MSAL isn't suitable for us at all, then what is? How do we use it? That's what I'm asking. My apologies if that wasn't clear.

Anonymous

MSAL is a tool that implements OAuth 2.0. Using MSAL is neither more nor less secure than using OAuth 2.0 directly, as they are actually used together.

The actual code to get an access token in a WinForms application is as follows:

using System;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using MailKit.Net.Smtp;
using MimeKit;

public class EmailSender
{
    private static readonly string clientId = "YOUR_CLIENT_ID";
    private static readonly string tenantId = "YOUR_TENANT_ID";
    private static readonly string clientSecret = "YOUR_CLIENT_SECRET";
    private static readonly string[] scopes = { "https://outlook.office365.com/.default" };
    private static readonly string tokenCachePath = "token_cache.json";

    public async Task<string> GetAccessTokenAsync()
    {
        var app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}"))
            .Build();

        var accounts = await app.GetAccountsAsync();
        AuthenticationResult result;
        try
        {
            result = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault()).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
        }

        File.WriteAllText(tokenCachePath, result.AccessToken);
        return result.AccessToken;
    }

    public async Task SendEmailAsync(string to, string subject, string body)
    {
        var message = new MimeMessage();
        message.From.Add(new MailboxAddress("Your Name", "your-email@example.com"));
        message.To.Add(new MailboxAddress("", to));
        message.Subject = subject;
        message.Body = new TextPart("plain")
        {
            Text = body
        };

        var token = await GetAccessTokenAsync();
        using var client = new SmtpClient();
        await client.ConnectAsync("smtp.office365.com", 587, MailKit.Security.SecureSocketOptions.StartTls);
        await client.AuthenticateAsync("your-email@example.com", token);
        await client.SendAsync(message);
        await client.DisconnectAsync(true);
    }
}

Fortecho Solutions Ltd 0 Reputation points

2024-07-02T14:19:50.4766667+00:00

Thank you for that. I've added it to our code. The call to AcquireTokenForClient is raising a HttpRequestException "SocketException: An existing connection was forcibly closed by the remote host"

Do I need to change the platform configuration in our Entra app registration? We currently have a mobile and desktop platform configuration as this was the closest to Winforms of the available tutorials: https://learn.microsoft.com/en-gb/entra/identity-platform/tutorial-v2-windows-desktop
Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator

2024-07-02T18:34:16.2366667+00:00

Hello @Fortecho Solutions Ltd,

You don't need to make any changes to your Entra app registered application. This error we will get when secure socket unable to make TLS connections HttpRequestException "SocketException: An existing connection was forcibly closed by the remote host".

To fix this make sure you have enabled TLS 1.2 on your machine. To check TLS 1.2 you can run below script.

PowerShell script to check TLS 1.2

To enable TLS 1.2 you can run below script.

PowerShell script to enable TLS 1.2

Or

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

If issue still persists, please refer below documents.

https://learn.microsoft.com/en-us/dotnet/api/system.net.servicepointmanager.securityprotocol?view=net-6.0

https://learn.microsoft.com/en-us/answers/questions/965564/how-to-solve-an-existing-connection-was-forcibly-c

Thanks,
Raja Pothuraju.
Bruce (SqlWork.com) 77,686 Reputation points Volunteer Moderator

2024-07-02T21:22:43.79+00:00

once you fix the ssl, you may need to add a reply url. here is a winform sample:

https://github.com/azure-samples/ms-identity-docs-code-dotnet/tree/main/desktop-winforms
Fortecho Solutions Ltd 0 Reputation points

2024-07-03T11:39:52.7833333+00:00

Thank you for the solution to that error. It is no longer appearing after I added the line;

Net.ServicePointManager.SecurityProtocol = Net.SecurityProtocolType.Tls12

The application is now asking our customers for their hotmail account, but is then responding with;

Sorry, but we’re having trouble signing you in.

AADSTS50020: User account '******@outlook.com' from identity provider 'live.com' does not exist in tenant 'xxx' and cannot access the application xxx in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

(Our Entra App registration is set to;

Supported account types

Who can use this application or access this API?

Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)

All users with a work or school, or personal Microsoft account can use your application or API. This includes Office 365 subscribers.)

Share via

Send email from a .Net Framework Winforms application and service using Microsoft accounts.

2 answers

Your answer