10

I'm using an IMAP client in my program. I'm trying to access to Office 365 outlook by IMAP client using OAuth2 mechanism (using these instructions.)

When I authenticate in IMAP client - authentication failes, but OAuth2 authentication of Google and Outlook.com works fine. Does Office 365 support OAuth2 authentication in IMAP? If it does, how to authenticate?

grebulon
  • 7,697
  • 5
  • 42
  • 66
Yuri B
  • 345
  • 1
  • 3
  • 10

4 Answers4

10

We are actively working on OAuth support for IMAP connections to O365 mailboxes. We will make a public announcement once the same is available.

Sivaprakash-MSFT
  • 476
  • 3
  • 8
  • Our organisation really needs this. Are you able to give any kind of rough timescale? Or is there a beta program we can join? – mfa Oct 02 '19 at 11:31
  • 2
    Is it possible to provide a timeline when OAuth support will be added to IMAP. For a use case we are using Basic Auth. We would like to move to OAuth asap as Basic Auth support is going to be removed in Oct 2020 – bala Nov 14 '19 at 04:48
  • Is it possible to provide a timeline for this feature please. – bala Nov 19 '19 at 09:28
  • 1
    @Sivaprakash-MSFT Anyupdate regarding the OAuth support for IMAP – bala Feb 04 '20 at 14:39
  • This blog post: https://techcommunity.microsoft.com/t5/exchange-team-blog/improving-security-together/ba-p/805892 tells that IMAP should support OAuth and this is how you enable it: https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online I did this, however, Thunderbird still says that "The IMAP server outlook.office365.com does not support the selected authentication method". So I'm not sure whether this is supposed to work or not. – Piedone Feb 28 '20 at 10:10
  • Ditto, October is not that far away for organisations needing to schedule key changes – RepellantCoder Mar 03 '20 at 14:02
  • Any news on this matter? Still being able to use IMAP after the OAuth2 authentication would provide massive savings for us – NeutronCode Mar 06 '20 at 15:50
  • They've announced that Basic auth is going away in October, and advise to use OAuth2, but have still not implemented it? – Dave Nottage Mar 16 '20 at 00:42
  • Hi, Were any one able to get IMAP with OAUTH2 working. I tried with an an application that asks for 'Mail.ReadWrite' permission. But IMAP with OAUTH2 login fails. – bala Mar 23 '20 at 08:19
  • What if the permission is 'https://outlook.office365.com/IMAP.AccessAsUser.All'? – Alex Mar 24 '20 at 08:19
  • The permission was present some time backup. Now while registering the application, I no longer see that permission listed. – bala Mar 26 '20 at 11:42
  • hi @bala have you figured out how to do it? I need to use IMAP to access emails in Hotmail. I can see IMAP.AccessAsUser.All, but I cannot get permission for adding it into my app permission. – Franva Apr 02 '20 at 11:51
  • Basic Authentication will be available until the second half of 2021 due to the Corona crisis: https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-april-2020-update/ba-p/1275508 Also: "We will also continue to complete the roll-out of OAuth support for POP, IMAP, SMTP AUTH", which still doesn't work, despite a new scope 'IMAP.AccessAsUser.All' showing up recently. – M66B Apr 05 '20 at 10:26
  • @Alex although configuring and requesting IMAP.AccessAsUser.All is possible, the acquired token still cannot be used to authenticate an IMAP/SMTP session. – M66B Apr 05 '20 at 12:57
  • @Sivaprakash-MSFT, I saw the recent [blog announcement](https://developer.microsoft.com/en-us/graph/blogs/announcing-oauth-2-0-support-for-imap-smtp-client-protocols-in-exchange-online/) and tried implementing it, but looks like something is wrong, here's the summary of what I triend in a question - https://stackoverflow.com/q/61597263/1126831 – ledniov May 04 '20 at 17:26
  • "https://outlook.office365.com/IMAP.AccessAsUser.All" permission now works but only if used standalone. If I'm also requesting "user.read" scope (which contains the user's email address which is needed to build XOAUTH2 key), if fails with "Access token validation failure. Invalid audience." I even tried to move IMAP-specific scope to a separate .WithExtraScopesToConsent(scopesImap) call but it didn't help. Perhaps, I can make two completely separate requests (forcing the user to consent twice) but this would be quite an ugly user experience.. – Alex May 20 '20 at 17:24
  • Oh, actually I don't need "user.read" scope because the email address is already provided in AuthenticationResult itself (AcquireTokenSilent/AcquireTokenInteractive return much more info than just a token itself). Still, getting user's display name would be helpful but it looks like I don't need Graph API for this and can use some call to Outlook REST API (https://outlook.office365.com/user.read scope). – Alex May 20 '20 at 17:40
1

With the new rollout for OAuth 2.0 support for IMAP, I am able to generate the token using the scope

https://outlook.office365.com/IMAP.AccessAsUser.All

But I am still getting

A1 NO AUTHENTICATE failed

I am using the following properties:

props.put("mail.imap.ssl.enable", "true"); 
props.put("mail.imap.auth.mechanisms","XOAUTH2");
props.put("mail.imap.auth.plain.disable", "true");

EDIT: It is working now !

tulak.hord
  • 63
  • 1
  • 9
  • Following the instructions worked for me. I tried with "imaps" not "imap" Could you try with "imaps" i.e connecting to port 993. You could also try adding the following props. props.put("mail.debug", "true") and props.put("mail.debug.auth", "true") . Check what AUTH mechanism is being used to connect. – bala May 02 '20 at 11:44
  • @bala Thank you for the suggestion but still getting error. Shows "A1 NO LOGIN failed". What JavaMail version are you using ? – tulak.hord May 02 '20 at 17:47
  • Same here, can't connect. @bala, would you mind examining my question here, what's wrong there? - https://stackoverflow.com/q/61597263/1126831 – ledniov May 04 '20 at 16:46
  • Can you check via Micrsoft Admin Centre if IMAP access is enabled for the user's mailbox? – Sivaprakash-MSFT May 06 '20 at 05:29
  • It is working with imaps and proper javamail version. Thanks guys ! – tulak.hord May 12 '20 at 13:07
-1

I got this to work as I described here: Connect to outlook Office 365 IMAP using OAUTH2

The App Permissions in Azure AD have been moved to the Graph API Section different to the screenshot that was in the comments above. Also the Scope that Azure AD shows did not work for me, I had to use https://outlook.office365.com/IMAP.AccessAsUser

mrudolf
  • 27
  • 5
  • How did you manage to use `https://outlook.office365.com/IMAP.AccessAsUser`? Since this App-Permission can not be added to App Registrations. And if I just try to fetch a token with this scope, I get: `The application 'XY' asked for scope 'IMAP.AccessAsUser' that doesn't exist on the resource [...]` – L at Tegonal Apr 02 '20 at 11:53
  • I added ```https://graph.microsoft.com/IMAP.AccessAsUser.All``` to the app registration. For some reason that seems to work though it makes no sense. – mrudolf Apr 03 '20 at 14:44
-11

We don't support OAuth for IMAP access to Office 365 and we have no plans to do so as we recommend using our REST APIs to connect to Office 365 for your apps. OAuth is supported for Office 365 REST APIs for mail, calendar and contacts and our older SOAP APIs Exchange Web Services.

Venkat Ayyadevara - MSFT
  • 2,850
  • 1
  • 14
  • 11
  • Ok. thank you for the answer. Do you have any plans to support it in the nearest future? – Yuri B Apr 20 '15 at 12:48
  • Sorry, no plans to support OAuth for IMAP. I updated answer to reflect this. – Venkat Ayyadevara - MSFT Apr 20 '15 at 14:46
  • 5
    @VenkatAyyadevara-MSFT when I connect to outlook.office365.com IMAP endpoint and execute CAPABILITY command, one of the capabilities is AUTH=OAUTH2. So, its supported or not, as server response and your answer to the question are a bit confusing. – qbasso Jul 27 '15 at 09:04
  • @VenkatAyyadevara-MSFT Do you have any plans on implementing IMAP's append through the Outlook 365 API? We are stuck since we needed this IMAP functionality and now OAuth for IMAP is no longer accessible. – Nands Oct 24 '16 at 08:43
  • Hi, I was just wondering if this is still the case, that IMAP for Office365 is not going to be supported. If so, we should keep using IMAP with Live API or should we migrate our apps to start using the Office 365 REST API? Thanks @VenkatAyyadevara-MSFT – Félix Oct 25 '16 at 14:16
  • @VenkatAyyadevara-MSFT, Does Office365 support OAuth2 Authentication using ActiveSync? If so, which scope should I use in the oauth request? I understand from MS publication that it's possible in v16.1, but I couldn't find how. (https://blogs.msdn.microsoft.com/exchangedev/2016/06/13/announcing-exchange-activesync-version-16-1/) – grebulon Dec 28 '16 at 08:37
  • 6
    So imap://outlook.office365.com is reporting that is supports OAUTH2 in it's capability response (wrong?) AND the AUTHENTICATE PLAIN is broken as well (correct password rejected with 2FA). Hilarious guys.... just hilarious. – fret Jun 04 '18 at 01:03
  • 3
    Further to the above comment https://techcommunity.microsoft.com/t5/Exchange-Team-Blog/Upcoming-changes-to-Exchange-Web-Services-EWS-API-for-Office-365/ba-p/608055 suggests that Microsoft now _recommends_ the use of Oauth2. perhaps someone from MS could update their answer? – SomeoneElse Sep 22 '19 at 12:14
  • Dear M$, please give us a timeline for when O365 IMAP will support OAuth2! – Dmitri Sunshine Jan 10 '20 at 00:23
  • @Zasyatkin We also have been waiting for OAuth2 + IMAP support. In another microsoft blog , I was told it will be available in Q1 2020. I just tried it today and it seems to be working now :) . Though there is no official announcement . Can you give it a try now and see if it works for you. – bala Jan 13 '20 at 06:36
  • @bala I would like to know more about how you were able to make it work. I've been playing around with Microsoft Identity Platform v2.0 but couldn't figure it out. – Alex Jan 23 '20 at 14:32
  • @bala I would really appriciate it if you could post an answer to my question here: [How do I connect to Exchange Online using OAuth 2.0 in MailKit?](https://stackoverflow.com/q/59881654/3843695) – Alex Jan 23 '20 at 15:19
  • @Alex have shared my suggestion in your question. – bala Jan 26 '20 at 03:26
  • Regarding Oauth2 + IMAP, I had registered client in Azure AD and selected permission 'IMAP.AccessAsUser.All' . You can see a screenshot of this at https://i.stack.imgur.com/HW7Uh.png . But now I am no longer seeing this permission while registering new application. My older app is working though using Oauth2. Looks like Microsoft is still working on this Oauth2 + IMAP – bala Jan 26 '20 at 03:31
  • @bala what e-mail client are you using? I just tried this with Thunderbird and IMAP with OAuth is not working, despite OAuth being enabled on the tenant. – Piedone Feb 28 '20 at 10:20
  • 3
    This should be unchecked as answer as is directly contradicted by more recent information provided below by @Sivaprakash-MSFT – Nathan Neulinger Apr 21 '20 at 14:34