Using MS Client Credentials OAuth flow with JavaMail

Our server application uses JavaMail to read inboxes and send e-mails etc from MS Exchange... As Microsoft is shutting down password based authentication, we need to switch over to using OAuth. We are able to successfully integrate MS OAuth using Authorization code flow (https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow). However since our application is a background process running in servers, we want to integrate MS OAuth client credentials flow in our app. So, I followed the steps outlined here: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow to achieve the same.

However, the JavaMail authentication is failing with error "A1 NO AUTHENTICATE failed." whenever we try to connect to outlook.office365.com. Full trace given below:

DEBUG IMAPS: mail.imap.minidletime: 10
DEBUG IMAPS: enable SASL
DEBUG IMAPS: SASL mechanisms allowed: XOAUTH2
DEBUG IMAPS: closeFoldersOnStoreFailure
DEBUG IMAPS: trying to connect to host "outlook.office365.com", port 993, isSSL true
* OK The Microsoft Exchange IMAP4 service is ready. [UwBJADIAUABSADAAMQBDAEEAMAAwADUAMQAuAGEAcABjAHAAcgBkADAAMQAuAHAAcgBvAGQALgBlAHgAYwBoAGEAbgBnAGUAbABhAGIAcwAuAGMAbwBtAA==]
A0 CAPABILITY
* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS MOVE ID UNSELECT CHILDREN IDLE NAMESPACE LITERAL+
A0 OK CAPABILITY completed.
DEBUG IMAPS: AUTH: PLAIN
DEBUG IMAPS: AUTH: XOAUTH2
DEBUG IMAPS: protocolConnect login, host=outlook.office365.com, user=venkatbabukr@myumsoauth.onmicrosoft.com, password=<non-null>
DEBUG IMAPS: SASL Mechanisms:
DEBUG IMAPS:  XOAUTH2
DEBUG IMAPS: 
DEBUG IMAPS: SASL client XOAUTH2
DEBUG IMAPS: SASL callback length: 1
DEBUG IMAPS: SASL callback 0: javax.security.auth.callback.NameCallback@a67c67e
A1 AUTHENTICATE XOAUTH2 <<< Access token value >>>
A1 NO AUTHENTICATE failed.
Got exception while browsing Inbox! AUTHENTICATE failed.
javax.mail.AuthenticationFailedException: AUTHENTICATE failed.
    at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:732)
    at javax.mail.Service.connect(Service.java:366)

We are not able to understand why the authentication is failing, so need some help here.

1. Is it possible to integrate MS OAuth using client credentials with JavaMail to access inbox using IMAP and send mails using SMTP? If possible, can you please share some reference implementations where it is working?

2. Or otherwise, if you can throw some light on why OAUth authentication is failing with AuthenticationFailedException and how can this be resolved? That would also be helpful.

FYI, here are the parameter values that I have used to get Access token from https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token:

• client_id: <Our client id>
• client_secret: <Our client secret>
• grant_type: client_credentials
• scope: https://graph.microsoft.com/.default

There was some suggestion here: https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#use-client-credentials-grant-flow-to-authenticate-imap-and-pop-connections to use the scope: IMAP.AccessAsApp. But right now, I'm just not able to find this permission in Azure portal. So, is there any other such permission/scope that we can set/use?

Thanks & Regards,

Venkatesh