Update: The full timeline for retirement of Basic Authentication in Exchange Online is now published in Basic Authentication Deprecation in Exchange Online – September 2022 Update.
In about 150 day...
Updated Sep 01, 2022
Version 5.0
Blog Post
In the documentation for https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#get-an-access-token it explicitly mentions out that the "https://outlook.office.com/SMTP.Send" scope is needed. When we transitioned our application from basic SMTP auth to OAuth, we began using those scopes.
However, it appears that the Outlook REST API is deprecated and has been deprecated for some time. It's called out within the docs here: https://docs.microsoft.com/en-us/outlook/rest/compare-graph#moving-from-outlook-endpoint-to-microsoft-graph
I have a few questions/concerns:
* When the Outlook REST API is decommissioned, will it impact our ability to authenticate via SMTP, or request/refresh tokens related to the "https://outlook.office.com/" resources?
* Once the Outlook REST API is decommissioned, does that mean we'll no longer be able to access "https://outlook.office.com/api/v2.0/me" to get the authenticating user's ID/email?
* Per the https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#using-permissions, "An access token can be used only for a single resource". If we can no longer get the authenticating user's email via the Outlook REST API, it sounds like the token we fetch will not work on the Graph API. This is consistent with the testing I did when implementing OAuth for SMTP (and requesting scopes for Graph did not work for SMTP authentication). How can we get basic information like the username of the authenticating user (to use within OAuth via IMAP/SMTP)?