Forum Discussion
Authentication Failure for IMAP and POP3 using Client Credential flow for OAuth2.0 | Java
- Jul 29, 2022
Hi. I had the same problem, but I think I made some progress.
I read the documentation a few times and tried a few times from the start, with the same error. I even tried using the client and object IDs instead of the email as the username, for lack of better ideas.
So this is where I think I made a mistake the previous times. When you are at the part where you need to register the service principal, you need to execute
New-ServicePrincipal -AppId <APPLICATION_ID> -ServiceId <OBJECT_ID> [-Organization <ORGANIZATION_ID>]
Here I put the enterprise application object ID as the ServiceId argument, and that is OK.
But on
Add-MailboxPermission -Identity "email address removed for privacy reasons" -User <SERVICE_PRINCIPAL_ID> -AccessRights FullAccess
I put my registered application's object ID as the User argument. I also tried setting the object ID of the enterprise application, but that did not succeed.
I also tried New-ServicePrincipal with the registered app's object ID as the service ID, but it gave me the same result.
When I executed
Get-ServicePrincipal -Organization <ORGANIZATION_ID> | fl
I did not pay attention to the ServiceId property, even with the documentation specifying it and saying it will be different.
Now I cleared everything and started fresh.
I executed all the steps again, but at the step where I need to add the mailbox permission, I listed the service principals and then used the `ServiceId` value from the output as the argument for User.
With that, I was able to authorise.
Unfortunately, now I receive `C3 BAD User is authenticated but not connected.` when I try to list the inbox. But it is a step forward.
I am not sure if you made the same error as me, but maybe it will help you in some way.
I will post info when I find a fix for the new error, in case somebody comes across the same issue.
- gary21 Oct 21, 2022 Copper Contributor
I just got IMAP to work thanks to this thread.
Be careful to pass the raw token to store.connect() though. The last mistake I made was to process the token as explained in https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#sasl-xoauth2
But the library already takes care of that.
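As an added illustration of the comment above (not part of gary21's post or of any library's code): the sketch below builds the SASL XOAUTH2 string in the format the linked section describes and shows what the server sees when a token that was already encoded by hand gets wrapped a second time. The class and method names, the mailbox address and the token value are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class XOAuth2Check {
    // SASL XOAUTH2 initial response: base64("user=" + user + ^A + "auth=Bearer " + token + ^A^A).
    // A mail library configured for XOAUTH2 builds this itself from the raw token.
    static String saslXoauth2(String user, String token) {
        String raw = "user=" + user + "\u0001auth=Bearer " + token + "\u0001\u0001";
        return Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    // Decodes a SASL response and returns the bearer value the server would read.
    static String bearerSeenByServer(String saslResponse) {
        String decoded = new String(Base64.getDecoder().decode(saslResponse), StandardCharsets.UTF_8);
        for (String field : decoded.split("\u0001")) {
            if (field.startsWith("auth=Bearer ")) return field.substring("auth=Bearer ".length());
        }
        throw new IllegalArgumentException("no auth=Bearer field");
    }

    // Classifies the string about to be passed as the password to store.connect().
    static String classify(String credential) {
        // A JWT access token is three dot-separated segments.
        if (credential.split("\\.", -1).length == 3) return "RAW_JWT";
        try {
            String decoded = new String(Base64.getDecoder().decode(credential), StandardCharsets.UTF_8);
            if (decoded.startsWith("user=") && decoded.contains("\u0001auth=Bearer ")) {
                return "PRE_ENCODED_XOAUTH2";
            }
        } catch (IllegalArgumentException notBase64) {
            // not base64 at all: fall through
        }
        return "UNKNOWN";
    }

    public static void main(String[] args) {
        String user = "mailbox@example.com";               // constructed address
        String token = "aGVhZGVy.cGF5bG9hZA.c2lnbmF0dXJl"; // constructed, not a real token
        String preEncoded = saslXoauth2(user, token);      // the hand-encoding mistake

        System.out.println("raw token classified as:   " + classify(token));
        System.out.println("hand-encoded value:        " + classify(preEncoded));
        // Library wraps the raw token once: the server reads the token itself.
        System.out.println("raw token reaches server:  "
                + bearerSeenByServer(saslXoauth2(user, token)).equals(token));
        // Library wraps the hand-encoded value again: the server reads a base64 blob.
        System.out.println("pre-encoded reaches server: "
                + bearerSeenByServer(saslXoauth2(user, preEncoded)).equals(token));
    }
}
```

Running `classify` on the credential just before the connect call is a quick way to tell a double-encoding mistake apart from a permissions problem on the mailbox.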
- Rimon_Sarmah Aug 12, 2022 Copper Contributor
borist2 Is that Bad user authenticated not connected issue fixed?
- borist2 Sep 01, 2022 Copper Contributor
Yes. It was something that I messed up in my code. Thanks.
- DestryHines Aug 12, 2022 Copper Contributor
I got the same thing after I finally fixed all the other issues and the next day it went away. Seems to be related to too many failed logins in this case.
- Fabricio_Ferreira Aug 17, 2022 Copper Contributor
I'm having a similar problem, where a long running process must have access to send emails using @outlook.com on user's behalf.
After spending a couple days I found this small paragraph in the docs:
Link: https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth#smtp-protocol-exchange
So, apparently the combination of client_credentials and SMTP is something that outlook.com doesn't really support.
I can't manage to get a token from my app registration with the correct scope.
Anyone here got it working?
- Anjitha170 Jul 29, 2022 Copper Contributor
This took me back to the documentation to register the service principal in Exchange. I was using the registered app's objectId in the New-ServicePrincipal and Add-MailboxPermission cmdlets. I changed that to the AAD Enterprise Application's objectId in both commands. With that I'm able to authenticate and read mail from INBOX. The documentation is very confusing in terms of the service principal identifier. The documentation says the service principal identifier in Add-MailboxPermission is different from the previous one. In my case both are the same, which is the Enterprise Application's ObjectId. Thanks a lot for pointing this out. I have been stuck on this for days, now everything is working smoothly 🙂
- DestryHines Jul 29, 2022 Copper Contributor
That sounds very promising! I looked up the error you're getting and maybe the last part of this post helps?
https://www.limilabs.com/qa/196/office-365-bad-user-is-authenticated-but-not-connected
- borist2 Jul 29, 2022 Copper Contributor
Hi, thank you for the link.
I created the mail store through my code and also created it using Spring Integration Mail, one after another.
So when I removed one, I did not get the error. Probably something unimportant.
I think I finally have working code. 😄
- jambo Jul 29, 2022 Brass Contributor
Congrats on getting it working. A real mind bender Microsoft sent us on. If I may ask, where in the Azure GUI did you get the ORGANIZATION_ID from? Is this the same as the Directory Tenant ID in Azure Application GUI?