cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Cannot connect to IMAP and SMTP using OAuth2.0 to Exchange Online

ledniov
Copper Contributor

‎May 05 2020 03:21 AM - edited ‎May 06 2020 05:57 AM

‎May 05 2020 03:21 AM - edited ‎May 06 2020 05:57 AM

Cannot connect to IMAP and SMTP using OAuth2.0 to Exchange Online

Last week the support for IMAP and SMTP using OAuth2.0 has been announced.

Following the instruction, I added the required API permissions to Azure App Registration and tried to connect, but it didn't work.

 

I get this error for IMAP:

A1 NO AUTHENTICATE failed.

And this one for SMTP:

535 5.7.3 Authentication unsuccessful

 

The more detailed summary I have submitted to the StackOverflow question, please check it for more in-depth details.

 

Can someone please from the Exchange team look into this?

 

Update 1:

It appears, that when requesting the following scopes everything works as expected:

    "offline_access",
    "https%3A%2F%2Foutlook.office365.com%2FIMAP.AccessAsUser.All",
    "https%3A%2F%2Foutlook.office365.com%2FSMTP.Send"

With these scopes, the token is generated, but IMAP and SMTP auth fails:

        "offline_access",
        "User.Read",
        "Mail.ReadWrite",
        "https%3A%2F%2Foutlook.office365.com%2FIMAP.AccessAsUser.All",
        "https%3A%2F%2Foutlook.office365.com%2FSMTP.Send"

And when requesting these:

        "offline_access", // or "https%3A%2F%2Fgraph.microsoft.com%2Foffline_access"
        "https%3A%2F%2Fgraph.microsoft.com%2FUser.Read",
        "https%3A%2F%2Fgraph.microsoft.com%2FMail.ReadWrite",
        "https%3A%2F%2Foutlook.office365.com%2FIMAP.AccessAsUser.All",
        "https%3A%2F%2Foutlook.office365.com%2FSMTP.Send"

I get the following error:

{
    "error": "invalid_request",
    "error_description": "AADSTS28000: Provided value for the input parameter scope is not valid because it contains more than one resource. Scope offline_access https://graph.microsoft.com/user.read https://graph.microsoft.com/mail.readwrite https://outlook.office365.com/imap.accessasuser.all https://outlook.office365.com/smtp.send is not valid.\r\nTrace ID: c3282396-6231-4e11-8300-77bc2ca57f00\r\nCorrelation ID: 5f5145bf-7114-4e6c-ab11-30e7ff84a056\r\nTimestamp: 2020-05-06 08:08:48Z",
    "error_codes": [
        28000
    ],
    "timestamp": "2020-05-06 08:08:48Z",
    "trace_id": "c3282396-6231-4e11-8300-77bc2ca57f00",
    "correlation_id": "5f5145bf-7114-4e6c-ab11-30e7ff84a056"
}
Labels:
21.8K Views
0 Likes
4 Replies
Reply
4 Replies
best response confirmed by ledniov (Copper Contributor)
ledniov

‎May 17 2020 08:39 AM

‎May 17 2020 08:39 AM

Solution

Re: Cannot connect to IMAP and SMTP using OAuth2.0 to Exchange Online

A quote of the Stack Overflow reply from:

IMAP, SMTP scopes are targeted for Exchange resource and not Graph. Whereas User.Read, Mail.ReadWrite are meant for Graph resource.

We do not support generation of tokens that are meant for two resources. Hence the error "Provided value for the input parameter scope is not valid because it contains more than one resource."

You should generate two tokens separately by two calls to /token. 1. One with the IMAP, SMTP scopes generated for the Exchange resource. 2. The other with Graph scopes (User.Read, Mail.ReadWrite) meant for Graph resource.

https://stackoverflow.com/a/61678485/1126831

0 Likes
Reply
VinyakPM

‎Jul 01 2020 10:46 PM

‎Jul 01 2020 10:46 PM

Re: Cannot connect to IMAP and SMTP using OAuth2.0 to Exchange Online

Hi @ledniov ,

 

I'm trying to perform similar task , connect with exchange online through IMAP and send mail using SMTP. Even I'm getting similar error described above. 

 

Could you please share screenshot of scopes added in MS Azure. I was not able to look for scopes 

https://outlook.office365.com/IMAP.AccessAsUser.All https://outlook.office365.com/SMTP.Send.

 

I do have "https://graph.microsoft.com/IMAP.AccessAsUser.All and https://graph.microsoft.com/SMTP.Send" scopes add but I get error for IMAP "javax.mail.AuthenticationFailedException: AUTHENTICATE failed.
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:731)"

and for SMTP "535 5.7.3 Authentication unsuccessful "

Access Token Request

" {
"token_type": "Bearer",
"scope": "IMAP.AccessAsUser.All SMTP.Send User.Read",
"expires_in": "3599",
"ext_expires_in": "3599",
"expires_on": "1593612618",
"not_before": "1593608718",
"resource": "https://graph.microsoft.com",
"access_token": "**",
"refresh_token": "**",
"id_token": "**"
}"

 

It would be help full if you are able to share the screenshot. I have attached mine permission screen , let me know if I'm doing something wrong

Preview file
23 KB
0 Likes
Reply
VinyakPM

‎Jul 02 2020 04:27 AM

‎Jul 02 2020 04:27 AM

Re: Cannot connect to IMAP and SMTP using OAuth2.0 to Exchange Online

@ledniov Even Microsoft support team says that they have removed scopes

https://outlook.office365.com/IMAP.AccessAsUser.All 

https://outlook.office365.com/SMTP.Send 

They are recommending to use Graph permission/scopes.

Is your application still able to connect using Graph scopes 

0 Likes
Reply
Snuff_Daddy

‎Aug 07 2020 06:52 PM

‎Aug 07 2020 06:52 PM

Re: Cannot connect to IMAP and SMTP using OAuth2.0 to Exchange Online

@VinyakPM 

 

The correct scope is "offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/POP.AccessAsUser.All https://outlook.office.com/SMTP.Send"

 

Also, I've seen it fail if you are trying to use a secondary alias.  Make it primary by going to "Manage how you sign in to Microsoft" in your Microsoft account settings at https://account.live.com

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by ledniov (Copper Contributor)
ledniov

‎May 17 2020 08:39 AM

‎May 17 2020 08:39 AM

Solution

Re: Cannot connect to IMAP and SMTP using OAuth2.0 to Exchange Online

A quote of the Stack Overflow reply from:

IMAP, SMTP scopes are targeted for Exchange resource and not Graph. Whereas User.Read, Mail.ReadWrite are meant for Graph resource.

We do not support generation of tokens that are meant for two resources. Hence the error "Provided value for the input parameter scope is not valid because it contains more than one resource."

You should generate two tokens separately by two calls to /token. 1. One with the IMAP, SMTP scopes generated for the Exchange resource. 2. The other with Graph scopes (User.Read, Mail.ReadWrite) meant for Graph resource.

https://stackoverflow.com/a/61678485/1126831

View solution in original post

0 Likes
Reply