Today, we’re excited to announce the availability of OAuth 2.0 authentication via client credentials grant flow for the POP and IMAP protocols for accessing Exchange Online mailboxes.
Applications that need to access Exchange Online mailboxes without user interaction and using the identity of the application as opposed to user identity are now supported. This is enabled by using service principals in Exchange and mailbox permissions. While no user interaction is needed, Exchange Online admins will need to provide specific mailbox access (using Exchange Online PowerShell) for applications’ service principals to access the mailboxes.
How it works
Once an admin has granted consent to an Azure Active Directory application, they must register the application’s service principal in Exchange Online. This is done using the new Exchange Online PowerShell cmdlet, New-ServicePrincipal (this cmdlet is currently rolling out).
Once the application’s service principal is registered in Exchange Online, the admin can give the application access to specific mailboxes using the Add-MailboxPermission cmdlet. The application can then authenticate POP and IMAP connections to the Exchange Online mailboxes.
The OAuth 2.0 client credentials grant flow can be used to generate access tokens, which can be used as the authentication token in SASL XOAUTH2 format for POP and IMAP connections to Exchange Online mailboxes.
You can follow these step-by-step instructions on how to implement client credentials flow support for POP and IMAP in your application.
Exchange Online Team