What scope should be used to connect IMAP store from JAVA application using OAuth 2.0

Question

What scope should be used to connect IMAP store from JAVA application using OAuth 2.0

AV 11

Hello,
I have a backend application that connects to IMAP store and does some jobs inside. It works fine with basic authentication.
Now we're trying to switch it to OAuth 2.0 but it fails with "A1 NO AUTHENTICATE failed." error on an attempt to connect to IMAP store with a token(we are using Resource Owner Password Credentials flow, due to some reasons we can't use other flows).
After reading a huge number of articles it seems to be related to the scope, we have tried "https://graph.microsoft.com/IMAP.AccessAsUser.All", "IMAP.AccessAsUser.All" and "https://outlook.office.com/IMAP.AccessAsUser.All".
With the first two scopes, it gives us the token but "store.connect("outlook.office365.com", 993, "user@Hanes _domain.onmicrosoft.com", "access_token");" it fails with "A1 NO AUTHENTICATE failed.".
With the last one("https://outlook.office.com/IMAP.AccessAsUser.All") we can't get a token with the "AADSTS65001: The user or administrator has not consented to use the application with ID.." error. That kinda makes sense because we can't add the permissions for Outlook but for Microsoft Graph only.
Please see the token request and the error.

Any ideas are highly appreciated.

nick 1 Reputation point

2022-08-17T08:11:58.797+00:00

Hello @AV ,
Did you refer to Carl's answer above? Is it helpful to you? Comment here when you still need any help.

2 answers

Your answer

nick 1 Reputation point

2022-08-17T08:11:58.797+00:00

Hello @AV ,
Did you refer to Carl's answer above? Is it helpful to you? Comment here when you still need any help.

Answer 1

CarlZhao-MSFT 46,376

Hi @AV

This is an expected error, as your error message states, your administrator has not consent the IMAP.AccessAsUser.All permission of the outlook resource.

You can of course add permissions to outlook, the easiest way is to use the admin consent URL. You just need to run this URL in the browser, then log in with an administrator and consent.

https://login.microsoftonline.com/{tenant id}/v2.0/adminconsent  
        ?client_id={client id}  
        &scope=https://outlook.office.com/IMAP.AccessAsUser.All  
        &redirect_uri={redirect url}  
        &state=12345

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

AV 11 Reputation points

2022-08-04T09:41:47.557+00:00

Hi @CarlZhao-MSFT
First of all thanks for the reply and suggestions. I've tried to follow your suggestion and run the URL with specified {client id} and {redirect url} (from Azure Portal - TestApplicationName | Authentication - Redirect URIs). As you mentioned I got the login page with an administrator and consent, but once accepted I see "Check if there is a typo in testdomain.onmicrosoft.com. DNS_PROBE_FINISHED_NXDOMAIN"(please see screenshot below).
That might make sense because the application itself does not have redirect support and it's not a web application. It's basically a JAVA library that connects to the outlook365 and makes some actions(works fine with basic authentication).

I've tried to add the mentioned permission using the Azure Portal interface but I don't see the outlook resource available in the list. Is it expected(please see screenshot below)?

What do I miss?
Thank you!
CarlZhao-MSFT 46,376 Reputation points

2022-08-04T10:28:16.347+00:00

Hi @AV

I did not get this error in the local test, if your administrator has approved the permissions, you can now try to call outlook api, and you should be able to get the access token correctly.

Yes, the Azure AD portal does not have outlook resources, because the outlook api has been deprecated, and currently Microsoft has migrated all the outlook api resources to MS Graph. I recommend you to use graph api to access outlook resources as microsoft has discontinued support for outlook api.
AV 11 Reputation points

2022-08-04T14:29:29.803+00:00

Hi @CarlZhao-MSFT
Permissions were approved by me and that is where I see the error mentioned above. I gave it a try and the error still persists.

Microsoft has migrated all the outlook api resources to MS Graph. I recommend you to use graph api to access outlook resources as microsoft has discontinued support for outlook api.

As I mentioned initially I tried to use MS Graph API and https://graph.microsoft.com/IMAP.AccessAsUser.All or IMAP.AccessAsUser.All scopes but I'm getting the same "A1 NO AUTHENTICATE failed." error while this scope is allowed as you can see on the screenshot.
What do I miss?

Thanks
CarlZhao-MSFT 46,376 Reputation points

2022-08-05T10:44:27.643+00:00

Hi @AV

This is because you are using the token of the graph api to call the outlook api endpoint, so you will receive a 401 unauthorized error.

You just need to change the api endpoint you are calling from outlook endpoint (https://outlook.office.com/) to graph endpoint (https://graph.microsoft.com/v1.0/).

Answer 2

AV 11

@CarlZhao-MSFT
Just to underline and give you all the details. We're attempting to use Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials flow to make a less as possible changes to the existing code.

Thanks

Share via

What scope should be used to connect IMAP store from JAVA application using OAuth 2.0

2 answers

Your answer