Announcing OAuth 2.0 support for IMAP and SMTP AUTH protocols in Exchange Online

Published Apr 30 2020 08:00 AM

Ever since we announced our intention to disable Basic Authentication in Exchange Online we said that we would add Modern Auth (OAuth 2.0) support for the IMAP, POP and SMTP AUTH protocols.

Today, we’re excited to announce the availability of OAuth 2.0 authentication for IMAP and SMTP AUTH protocols to Exchange Online mailboxes. This feature announcement is for interactive applications to enable OAuth for IMAP and SMTP. At this time, there are no plans to enable IMAP and SMTP OAuth for non-interactive applications using client credentials flow. For that, we suggest using our Graph API.

Application developers who have built apps that send, read or otherwise process email using these protocols will be able to implement secure, modern authentication experiences for their users. This functionality is built on top of Microsoft Identity platform (v2.0) and supports access to email of Microsoft 365 (formerly Office 365) users.

Detailed step-by-step instructions for authenticating to IMAP and SMTP AUTH protocols using OAuth are now available for you to get started.

What’s supported?

With this release, apps can use one of the following OAuth flows to authorize and get access tokens on behalf of a user.

  1. OAuth2 authorization code flow
  2. OAuth2 Device authorization grant flow

The OAuth2 client credentials grant flow, which enables access without a user account, is not supported. If your application needs persistent access to all mailboxes in a Microsoft 365 organization, we recommend that you use the Microsoft Graph APIs, which allow access without a user in addition to access on behalf of a user, enable granular permissions and let administrators scope such access to a specific set of mailboxes.

Follow these detailed step-by-step instructions to implement OAuth 2.0 authentication if your in-house application needs to access IMAP and SMTP AUTH protocols in Exchange Online, or work with your vendor to update any apps or clients that you use that could be impacted.
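The supported device authorization grant, followed by SASL XOAUTH2 sign-in to IMAP and SMTP AUTH, as an added example that is not code from this post or from Microsoft. The endpoints, scope names, host names and the XOAUTH2 string format are taken from Microsoft's identity platform and Exchange Online documentation rather than from this post; the function names are illustrative, and the tenant, client ID, mailbox and token are values the caller supplies.

```python
import base64
import imaplib
import json
import smtplib
import ssl
import time
import urllib.error
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
# Delegated (on behalf of a user) scopes on the Exchange Online resource.
SCOPES = ("https://outlook.office.com/IMAP.AccessAsUser.All",
          "https://outlook.office.com/SMTP.Send", "offline_access")
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def _post(url, fields):
    """POST a form; return the JSON body, including OAuth error bodies (HTTP 400)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode())
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def device_code_request(tenant, client_id):
    """URL and form fields that start the device authorization grant."""
    return (f"{AUTHORITY}/{tenant}/oauth2/v2.0/devicecode",
            {"client_id": client_id, "scope": " ".join(SCOPES)})


def token_poll_request(tenant, client_id, device_code):
    """URL and form fields for one poll of the token endpoint."""
    return (f"{AUTHORITY}/{tenant}/oauth2/v2.0/token",
            {"grant_type": DEVICE_GRANT, "client_id": client_id,
             "device_code": device_code})


def next_poll_action(response, interval):
    """Map one token response to ("done", tokens) or ("wait", next_interval); RFC 8628 3.5."""
    if "access_token" in response:
        return "done", response
    error = response.get("error")
    if error == "authorization_pending":
        return "wait", interval
    if error == "slow_down":
        return "wait", interval + 5
    raise PermissionError(f"device authorization failed: {error}")


def acquire_token(tenant, client_id, show=print):
    """Run the whole flow interactively and return the token response dict."""
    start = _post(*device_code_request(tenant, client_id))
    if "device_code" not in start:
        raise PermissionError(f"device code request failed: {start.get('error')}")
    show(start["message"])  # tells the user where to sign in and which code to enter
    interval = int(start.get("interval", 5))
    deadline = time.monotonic() + int(start["expires_in"])
    while time.monotonic() < deadline:
        time.sleep(interval)
        reply = _post(*token_poll_request(tenant, client_id, start["device_code"]))
        state, value = next_poll_action(reply, interval)
        if state == "done":
            return value
        interval = value
    raise TimeoutError("device code expired before the user signed in")


def xoauth2_raw(user, access_token):
    """SASL XOAUTH2 response before base64: user=<upn>^Aauth=Bearer <token>^A^A."""
    for name, value in (("user", user), ("access_token", access_token)):
        # A control character (especially ^A) would let a value inject extra SASL fields.
        if not value or any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
            raise ValueError(f"{name} is empty or contains control characters")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")


def open_imap(user, access_token, host="outlook.office365.com"):
    """Authenticated IMAP connection; imaplib base64-encodes the callback result itself."""
    conn = imaplib.IMAP4_SSL(host, 993, ssl_context=ssl.create_default_context())
    conn.authenticate("XOAUTH2", lambda _challenge: xoauth2_raw(user, access_token))
    return conn


def open_smtp(user, access_token, host="smtp.office365.com"):
    """Authenticated SMTP submission connection (STARTTLS with certificate checks)."""
    conn = smtplib.SMTP(host, 587, timeout=30)
    conn.starttls(context=ssl.create_default_context())
    conn.ehlo()  # capabilities must be re-read after the TLS upgrade
    blob = base64.b64encode(xoauth2_raw(user, access_token)).decode("ascii")
    code, reply = conn.docmd("AUTH", "XOAUTH2 " + blob)
    if code != 235:  # 235 = authentication succeeded
        conn.close()
        raise PermissionError(f"SMTP AUTH XOAUTH2 rejected: {code} {reply!r}")
    return conn
```

`acquire_token` needs a signed-in user to complete the prompt, which is why it suits interactive applications only; the returned `access_token` is what `open_imap` and `open_smtp` expect.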

Note: We are in the process of rolling out OAuth 2.0 support for POP protocol and will update this blog once the rollout is complete. 

 

The Exchange Team

ea%20and%20I%20suspect%20you%20know%20much%20more%20about%20it%20than%20I%20do!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1495824%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20OAuth%202.0%20support%20for%20IMAP%20and%20SMTP%20AUTH%20protocols%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1495824%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F149115%22%20target%3D%22_blank%22%3E%40Greg%20Taylor%20-%20EXCHANGE%3C%2FA%3E%26nbsp%3BCan%20you%20confirm%20if%20IMAP%2FSMTP%20via%20OAuth%20will%20be%20allowed%20without%20disabling%20Security%20Defaults%20as%20described%20in%20this%20post%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Ffundamentals%2Fconcept-fundamentals-security-defaults%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Ffundamentals%2Fconcept-fundamentals-security-defaults.%3C%2FA%3E%26nbsp%3BI%20want%20to%20confirm%20a%20fresh%20O365%20user%2Forganization%20won't%20have%20to%20do%20anything%20special%20with%20their%20O365%2FAzure%20AD%20configuration%20to%20allow%20an%20OAuth%20IMAP%20connection.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%3C%2FP%3E%3CP%3E-Joe%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1496973%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20OAuth%202.0%20support%20for%20IMAP%20and%20SMTP%20AUTH%20protocols%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1496973%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F700919%22%20target%3D%22_blank%22%3E%40tDimache%3C%2FA%3E%26nbsp%3B-%26nbsp%3BROPC%20will%20work.%20But%2C%20it%E2%80%99s%20not%20recommended%20and%20should%20only%20be%20used%20for%20apps%20that%20have%20a%20high%20trust%20rela
tionship%20with%20the%20user.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F594690%22%20target%3D%22_blank%22%3E%40jkemp1011005%3C%2FA%3E%26nbsp%3B-%20will%20double%20check%20but%20I%20believe%20IMAP%2FPOP%20will%20just%20work%20with%20OAuth%20by%20default%20for%20new%20orgs.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1497086%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20OAuth%202.0%20support%20for%20IMAP%20and%20SMTP%20AUTH%20protocols%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1497086%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F149115%22%20target%3D%22_blank%22%3E%40Greg%20Taylor%20-%20EXCHANGE%3C%2FA%3E%26nbsp%3BGiven%20the%20zillions%20of%20server-based%20Contact%20forms%20extant%2C%26nbsp%3B%20many%20of%20which%20will%20simply%20use%20MSFT%20services%20to%20mail%20the%20form%20onwards%20to%20the%20website%20host%2C%20it%20will%20be%20intriguing%20to%20know%20to%20what%20grant%20type%20they%26nbsp%3B%20will%20be%20converted.%20The%20sensitive%20bits%20-%20e.g.%20MSFT%20365%20credentials%20of%20the%20resource%20owner%20-%26nbsp%3B%20are%20hidden%20behind%20PHP%20or%20similar%20and%20the%20user%20of%20the%20form%20does%20not%20present%20any%20credentials%20of%20their%20own.%20This%20all%20sounds%20like%20ROPC%20...%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1505191%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20OAuth%202.0%20support%20for%20IMAP%20and%20SMTP%20AUTH%20protocols%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1505191%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F149115%22%20target%3D%22_blank%22%3E%40Greg
%20Taylor%20-%20EXCHANGE%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F594690%22%20target%3D%22_blank%22%3E%40jkemp1011005%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOur%20implementation%20experience%20is%20that%20with%20older%20Exchange%20accounts%20the%20OAuth%20SMTP%20authentication%20works%2C%20but%20with%20newer%20accounts%20it%20does%20not%2C%20due%20to%20an%20SMTP%20security%20flag%20that%20is%20now%20default%20to%20on%20vs%20before%20it%20was%20off.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fanswers.microsoft.com%2Fen-us%2Fmsoffice%2Fforum%2Fall%2Foffice-365-smtp-authentication-failing-even-with%2F4e2dcfc4-2626-4c3b-a945-9ff1b3404539%3Fpage%3D2%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fanswers.microsoft.com%2Fen-us%2Fmsoffice%2Fforum%2Fall%2Foffice-365-smtp-authentication-failing-even-with%2F4e2dcfc4-2626-4c3b-a945-9ff1b3404539%3Fpage%3D2%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20a%20big%20friction%20point%20and%20blocker%20for%20out%20application.%20Essentially%2C%20customers%20use%20OAuth%20to%20grant%20SMTP%20and%20IMAP%20for%20our%20application%20with%20admin%20consent%20(when%20applicable)%20and%20we%20still%20can't%20auth%20with%20SMTP.%20This%20means%20we%20are%20still%20forced%20to%20have%20them%20perform%20basic%20auth.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20you%20all%20please%20prioritize%20this%2C%20we%20have%20thousands%20of%20Office%20365%20customers%20wanting%20this%20ability%2C%20especially%20so%20given%20the%20deadlines%20on%20deprecating%20basic%20auth%20(which%20is%20understandable).%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20will%20be%20huge%20amounts%20of%20friction%20and%20support%20if%20we%20have%20to%20guide%20customers%20and%20their%20IT%20staff%20through%20obscure%20settings%20in%20the%20
admin%20...%20for%20which%20we%20couldn't%20even%20find%20...%20if%20we%20have%20to%20explain%20powershell%20to%20our%20end%20user%20customers%20...%20this%20isn't%20going%20to%20happen.%20We%20can't%20be%20expected%20to%20take%20on%20that%20support.%20If%20OAuth%20SMTP%20scope%20grant%20is%20given%20and%20there%20is%20admin%20consent%20(when%20applicable)%20...%20we%20should%20be%20able%20to%20authenticate%20as%20a%20delegated%20app.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1505505%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20OAuth%202.0%20support%20for%20IMAP%20and%20SMTP%20AUTH%20protocols%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1505505%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F324116%22%20target%3D%22_blank%22%3E%40The_Exchange_Team%3C%2FA%3E%26nbsp%3BThanks%20a%20lot%20for%20the%20blog.%20I'm%20using%20JavaMail%20to%20connect%20with%20IMAP%20and%20SMTP%20to%20implement%20some%20functionality.%26nbsp%3B%3C%2FP%3E%3CP%3EI%20tried%20the%20steps%20from%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclient-developer%2Flegacy-protocols%2Fhow-to-authenticate-an-imap-pop-smtp-application-by-using-oauth%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Eprovided%20instruction%3C%2FA%3E%26nbsp%3Band%20add%20properties%20mentioned%20in%20%3CA%20href%3D%22https%3A%2F%2Fjavaee.github.io%2Fjavamail%2FOAuth2%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3EJavaMail%20Article%3C%2FA%3E%26nbsp%3B%20I%20always%20get%20Authenticate%20Failed.%20Saw%20some%20post%20to%20add%20scope%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Foutlook.office365.com%2FIMAP.AccessAsUser.All%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Foutlook.office365.com%2FIMAP.AccessAsUser.All%3C%2FA%3E%26nbsp%3Bbut%20they%20are%20no%20longer%20avai
lable%20which%20indeed%20made%20me%20to%20add%20scope%26nbsp%3B%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgraph.microsoft.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgraph.microsoft.com%2F%3C%2FA%3E%3CA%20href%3D%22https%3A%2F%2Foutlook.office365.com%2FIMAP.AccessAsUser.All%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EIMAP.AccessAsUser.All%3C%2FA%3E%26nbsp%3B%2C%20but%20it%20didn't%20help%20always%20ended%20up%20with%26nbsp%3BAuthenticate%20Failed%20issue.%20I've%20submitted%20my%20finding%20to%20the%20%3CA%20href%3D%22https%3A%2F%2Fstackoverflow.com%2Fquestions%2F62715227%2Fjavamail-connecting-to-office-365-xoauth2-for-imap-authentication-fails%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3EStackOverFlow%20question%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3Ecan%20someone%20from%20your%20team%20have%20a%20look%20at%20this%3F%20Can%20we%20still%20able%20to%20add%20scope%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Foutlook.office365.com%2FIMAP.AccessAsUser.All%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Foutlook.office365.com%2FIMAP.AccessAsUser.All%3C%2FA%3E%26nbsp%3B%3F%20Any%20body%20did%20it%20certainly%20%3F%20Or%20it's%20an%20permission%20issue%20with%20me%20only%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThanks%2C%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EVinayak%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1531832%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20OAuth%202.0%20support%20for%20IMAP%20and%20SMTP%20AUTH%20protocols%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1531832%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F716322%22%20target%3D%22_blank%22%3E%40VinyakPM%3C%2FA%3E%26nbsp%3BCan%20you%20pls%20try%20with%20%3CA%20href%3D%22https%3A%2F%2F
outlook.office365.com%2FIMAP.AccessAsUser.All%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Foutlook.office.com%2FIMAP.AccessAsUser.All%20%3F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1537743%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20OAuth%202.0%20support%20for%20IMAP%20and%20SMTP%20AUTH%20protocols%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1537743%22%20slang%3D%22en-US%22%3E%3CP%3EHas%20Auth%202.0%20been%20released%20to%20Oracle.%26nbsp%3B%20We%20use%20IMAP%20EBS%2012.1.3%26nbsp%3Bfor%20email%20notifications%20and%20haven't%20heard%20anything%20from%20Oracle.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1538761%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20OAuth%202.0%20support%20for%20IMAP%20and%20SMTP%20AUTH%20protocols%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1538761%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F735869%22%20target%3D%22_blank%22%3E%40Pat_Truby%3C%2FA%3E%26nbsp%3B-%20that's%20a%20question%20for%20Oracle%20isn't%20it%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1538776%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20OAuth%202.0%20support%20for%20IMAP%20and%20SMTP%20AUTH%20protocols%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1538776%22%20slang%3D%22en-US%22%3E%3CP%3EGreg%3C%2FP%3E%3CP%3EAs%20of%20June%20they%20do%20not%20have%20anything%20from%20Microsoft%2C%20at%20least%20that%20is%20what%20is%26nbsp%3Bmentioned%20in%20Metalink.%26nbsp%3B%20I%20have%20opened%20an%20SR%20with%20Oracle%20was%20just%20hoping%20if%20someone%20knew%20if%20code%20was%20delivered.%26nbsp%3BJust%20trying%20to%20get%20information%2C%20my%20management%20is%20pushing%20me.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1538784%22%20slang%3D%22en-US
%22%3ERe%3A%20Announcing%20OAuth%202.0%20support%20for%20IMAP%20and%20SMTP%20AUTH%20protocols%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1538784%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F735869%22%20target%3D%22_blank%22%3E%40Pat_Truby%3C%2FA%3E%26nbsp%3B-%20the%20dev%20docs%20are%20all%20public.%20Not%20sure%20what%20they%20are%20expecting%20to%20be%20delivered%20as%20such.%20They%20need%20to%20update%20their%20code%20to%20work%20with%20our%20service%2C%20following%20the%20guidance%20we%20have%20publicly%20published.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1544725%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20OAuth%202.0%20support%20for%20IMAP%20and%20SMTP%20AUTH%20protocols%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1544725%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F719806%22%20target%3D%22_blank%22%3E%40Anthony_Gentile_FUB%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHi%20Anthony%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%20you%20for%20your%20comment.%20New%20organisations%20onboarding%20to%20Exchange%20Online%20now%20have%20SMTP%20AUTH%20disabled%20by%20default%20for%20their%20tenants.%20This%20was%20taken%20with%20security%20in%20mind%2C%20with%20the%20understanding%20that%20there%20may%20be%20friction.%20Given%20that%20this%20is%20a%20protocol-based%20setting%2C%20OAuth%20will%20not%20work%20either%20unless%20the%20protocol%20is%20enabled%20for%20the%20mailbox.%3C%2FP%3E%0A%3CP%3EAs%20part%20of%20onboarding%20to%20use%20your%20app%2C%20they%20will%20need%20to%20either%20turn%20on%20the%20protocol%20for%20the%20mailbox%20or%20for%20their%20entire%20tenant.%20You%20can%20direct%20them%20to%20the%20documentation%20explaining%20how%20to%20do%20this%20here%3A%3C%2FP%3
E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Fauthenticated-client-smtp-submission%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Fauthenticated-client-smtp-submission%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1571008%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20OAuth%202.0%20support%20for%20IMAP%20and%20SMTP%20AUTH%20protocols%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1571008%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F384127%22%20target%3D%22_blank%22%3E%40SeanMSFT%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThat%20is%20unfortunate%20to%20hear.%20It%20will%20cause%20SaaS%20companies%2C%20such%20as%20ours%2C%20to%20bear%20the%20brunt%20of%20this%20poor%2C%20non%20obvious%20experience%20mutual%20customers%2C%20which%20in%20turn%20will%20cause%20us%20to%20recommend%20to%20them%20other%20providers%20such%20as%20gsuite.%20Ours%20is%20an%20industry%20of%20hundreds%20of%20thousands%20real%20estate%20agents%20and%20their%20respective%20teams.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERight%20now%20the%20solution%20for%20this%20friction%20is%20very%20technical.%20We%20are%20left%20to%20explain%20to%20customers%20that%20they%20need%20to%20do%20something%20complicated%20in%20PowerShell%20or%20get%20involved%20with%20their%20IT%20staff.%20Why%3F%20Why%20can't%20this%20be%20a%20setting%20in%20the%20admin%20that%20we%20can%20point%20and%20link%20to%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%20why%20is%20this%20SMTP%20setting%20also%20affecting%20the%20IMAP%20protocol%20authentication%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1599380%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20OAuth%202.
0%20support%20for%20IMAP%20and%20SMTP%20AUTH%20protocols%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1599380%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F324116%22%20target%3D%22_blank%22%3E%40The_Exchange_Team%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F149115%22%20target%3D%22_blank%22%3E%40Greg%20Taylor%20-%20EXCHANGE%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%3EHi%2C%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3EAs%20mentioned%20here%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclient-developer%2Flegacy-protocols%2Fhow-to-authenticate-an-imap-pop-smtp-application-by-using-oauth%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclient-developer%2Flegacy-protocols%2Fhow-to-authenticate-an-imap-pop-smtp-application-by-using-oauth%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FA%3E%3CSPAN%3EOauth2%20support%20for%20imap%20and%20smtp%20protocols%20is%20not%20supported%20for%20outlook.com%20customers.%20What%20about%20other%20domains%20like%20hotmail.com%2C%20msn.com%20etc%3F%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSPAN%3ECan%20you%20please%20tell%20if%20Oauth2%20is%20supported%20for%20hotmail.com%2C%20msn.com%20etc%3F%20or%20is%20it%20only%20supported%20for%20Office365%20users%3F%3C%2FSPAN%3E%3CBR%20%2F%3EAlso%20can%20office365%20user%20have%20domain%20with%20outlook.com%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1600501%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20OAuth%202.0%20support%20for%20IMAP%20and%20SMTP%20AUTH%20protocols%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1600501%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F719806%22
%20target%3D%22_blank%22%3E%40Anthony_Gentile_FUB%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20new%20Exchange%20Admin%20Center%20is%20currently%20being%20rolled%20out%20and%20we%20do%20plan%20to%20add%20the%20setting%20there%20in%20the%20future.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERe%3A%20SMTP%20and%20IMAP%2C%20IMAP%20is%20the%20protocol%20used%20to%20retrieve%20emails%20from%20a%20mailbox%20and%20is%20paired%20with%20the%20SMTP%20(AUTH)%20protocol%20which%20is%20responsible%20for%20submitting%20emails%20to%20be%20sent%20from%20the%20mailbox.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1601289%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20OAuth%202.0%20support%20for%20IMAP%20and%20SMTP%20AUTH%20protocols%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1601289%22%20slang%3D%22en-US%22%3E%3CP%3ETnx%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F719806%22%20target%3D%22_blank%22%3ESeanMSFT%3C%2FA%3E%3C%2FP%3E%3CP%3EFor%20access%20to%20365%20Exchange%2C%20MSFT%20has%20variously%20announced%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20%E2%80%9CWe%20want%20your%20help%20in%20getting%20users%20to%20move%20away%20from%20apps%20that%20use%20Basic%20Authentication%2C%20to%20apps%20that%20use%20Modern%20Authentication%E2%80%9D%20%5BMSFT%E2%80%99s%2020-09.2019%20Basic%20Authentication%20deprecation%20statement%5D%20%3A%20%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B-%20%26nbsp%3Bthat%20Basic%20Authentication%20is%20deprecated%20and%20will%20be%20disabled%20in%20Q3ish%202021%20(%3F).%20Customers%20should%20replace%20it%20by%20Oauth2%20authorization%20(including%20Openid%20Connect%20authentication)%2C%20aka%20Modern%20Authorization%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20that%20SMTP%20AUTH%20with%20Oauth2%20using%20V2.0%20authorisation%20and%20token%20endpoints%20and%20the%20
Graph%20v1.0%20api%20is%20available%20from%20May%20this%20year%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20that%20SMTP%20AUTH%20is%20now%20disabled%20by%20default%20for%20new%20tenants%2C%20and%20can%20be%20enabled%20at%20the%20tenant%20level%20(using%20Powershell)%20or%20mailbox%20level%20(using%20Powershell%20or%20using%20the%20SMTP%20AUTH%20mailbox%20permission.%20Since%20this%20disabling%20is%20at%20the%20protocol%20level%2C%20OAuth2%20for%20SMTP%20will%20be%20disabled%20by%20default.%3C%2FP%3E%3CP%3ESMTP%20itself%20is%20thus%20in%20effect%20deprecated%20but%20with%20no%20discontinue%20date.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECould%20MSFT%20then%20kindly%20clarify%20one%20simple%20point%20which%20may%20be%20obvious%20to%20everyone%20else%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20the%20preferred%20way%20forward%20to%20use%3A%3C%2FP%3E%3CP%3E-%20%26nbsp%3Ban%20Oauth2%20access%20token%20as%20a%20bearer%20token%20acquired%20via%20MSAL%3C%2FP%3E%3CP%3E%26nbsp%3B%26nbsp%3B%20%26nbsp%3Bto%20access%3C%2FP%3E%3CP%3E-%20%26nbsp%3BsendMail%20in%20Graph%20REST%20API%20(currently%20v1.0)%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnd%20could%20MSFT%20clarify%20how%20this%20relates%20to%20the%20preferred%20authentication%2Fauthorisation%20and%20%E2%80%98send%20mail%E2%80%99%20%26nbsp%3B%26nbsp%3Bprocesses%20used%20in%3A%3C%2FP%3E%3CP%3E-%20desktop%20Outlook%202016%20(onwards)%20%E2%80%93%20whose%20native%20preferred%20network%20protocol%20is%20MAPI%20over%20HTTP%3C%2FP%3E%3CP%3E-%20Android%20and%20iPhone%20phone%2Ftablets%20%E2%80%93%20whose%20native%20preferred%20network%20protocol%20is%20EAS%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1602825%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20OAuth%202.0%20support%20for%20IMAP%20and%20SMTP%20AUTH%20protocols%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1602825%22%20slang%3D%22en-US%22%3E%3CP%3EI'll%20le
t%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F384127%22%20target%3D%22_blank%22%3E%40SeanMSFT%3C%2FA%3E%26nbsp%3Banswer%20the%20question%20of%20whether%20sendMail%20in%20Graph%20REST%20API%20is%20preferred%20to%20SMTP%20AUTH%20if%20he%20wants%20to%20(both%20are%20options)%2C%20but%20I'll%20answer%20the%20follow%20on%20questions.%20Desktop%20Outlook%20uses%20MAPI%20over%20HTTP%20to%20send%20and%20receive%20(to%20retrieve%20and%20submit%20more%20accurately).%20And%20mobile%20devices%20-%20EAS%20allows%20the%20client%20to%20submit%20mail%20using%20that%20protocol.%20There's%20no%20separate%20sending%20protocol%20(such%20as%20SMTP%20AUTH)%20for%20either.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESMTP%20AUTH%20is%20used%20by%20POP%20and%20IMAP%20clients%2C%20and%20apps%2Fautomation.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1603283%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20OAuth%202.0%20support%20for%20IMAP%20and%20SMTP%20AUTH%20protocols%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1603283%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20Greg.%3C%2FP%3E%3CP%3EI%20guess%20my%20underlying%20(and%20unstated)%20thread%20was%20that%20the%20implementation%20of%20the%20mail%20protocols%20used%20in%20MSFT's%20cornerstone%20device-based%20products%20-%20MAPI%20over%20HTTP%20(for%20desktop%20Outlook)%20and%20EAS%20(for%20everything%20else)%20-%26nbsp%3B%20would%20appear%20to%20be%20different%20from%20the%20Graph%20API%20implementation%20that%20MSFT%20wishes%20developers%20to%20use.%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20not%20a%20criticism%3B%20I%20am%20just%20trying%20to%20understand%20MSFT's%20development%20direction%20and%20in%20particular%20whether%20the%20implementation%20of%20MAPI%20over%20HTTP%20and%20of%20EAS%20is%20intended%20at%20some%20date%20to%20use%20the%20Graph%20API%20instead.%3C%2FP%3E%3CP%3EMSFT%20has%20-%20correctly%20in%20my
%20view%20-%20been%20progressively%20removing%20'non-standard'%20implementations%2C%20e.g.%20the%20massive%20conversion%20of%20hotmail%2C%20live%20and%20outlook.com%20from%20a%20custom%20back-end%20to%20Exchange%20Online.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1608435%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20OAuth%202.0%20support%20for%20IMAP%20and%20SMTP%20AUTH%20protocols%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1608435%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F627637%22%20target%3D%22_blank%22%3E%40Decomplexity%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EGraph%20will%20always%20be%20the%20recommended%20option%20for%20developers%20looking%20to%20interface%20with%20our%20service%20for%20various%20actions%20including%20sending%20emails%20and%20it%20will%20have%20the%20most%20developer%20support%20and%20functionality.%20However%20given%20that%20SMTP%20AUTH%20is%20the%20widely%20adopted%20standard%20for%20sending%20emails%2C%20it'll%20be%20there%20for%20developers%20who%20wish%20to%20reuse%20code%20as%20much%20as%20possible%20for%20basic%20send%20functions.%26nbsp%3B%20%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1632452%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20OAuth%202.0%20support%20for%20IMAP%20and%20SMTP%20AUTH%20protocols%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1632452%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F384127%22%20target%3D%22_blank%22%3E%40SeanMSFT%3C%2FA%3E%26nbsp%3B%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F362093%22%20target%3D%22_blank%22%3E%40Sivaprakash_saripalli%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3EAs%20mentioned%20here%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft
.com%2Fen-us%2Fexchange%2Fclient-developer%2Flegacy-protocols%2Fhow-to-authenticate-an-imap-pop-smtp-application-by-using-oauth%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclient-developer%2Flegacy-protocols%2Fhow-to-authenticate-an-imap-pop-smtp-application-by-using-oauth%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CSTRONG%3EOAuth2%20support%20for%20IMAP%2C%20POP%2C%20SMTP%20protocols%20as%20described%20below%20is%20supported%20for%20both%20Microsoft%20365%20(which%20includes%20Office%20on%20the%20web)%20and%20Outlook.com%20users.%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FSPAN%3Edoes%20this%20mean%20Oauth2%20support%20for%20imap%2C%20pop%20and%20smtp%20is%20supported%20for%20personal%20accounts%20having%20outlook.com%20domain%3F%20can%20we%20use%20the%20scopes%20and%20authorization%20code%20flow%20as%20mentioned%20in%20the%20doc%20for%20outlook.com%20personal%20accounts%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1644536%22%20slang%3D%22en-US%22%3ERe%3A%20Announcing%20OAuth%202.0%20support%20for%20IMAP%20and%20SMTP%20AUTH%20protocols%20in%20Exchange%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1644536%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F149115%22%20target%3D%22_blank%22%3E%40Greg%20Taylor%20-%20EXCHANGE%3C%2FA%3E%26nbsp%3Bcan%20you%20let%20us%20know%20if%20this%20is%20still%20the%20case%3A%20%22%3CSPAN%3EAt%20this%20time%2C%20there%20are%20no%20plans%20to%20enable%20IMAP%20and%20SMTP%20OAuth%20for%26nbsp%3B%3C%2FSPAN%3E%3CEM%3Enon-interactive%20applications%3C%2FEM%3E%3CSPAN%3E%26nbsp%3Busing%20client%20credentials%20flow.%20For%20that%2C%20we%20suggest%20to%20use%20our%20Graph%20API.%22%20%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20think%20it%20would%20be%20awesome%20if%20we%20could%20do%20app-only%20(certificate%20credentials)%
Version history
Last update: May 12 2020 09:15 AM