Authentication Failure for IMAP and POP3 using Client Credential flow for OAuth2.0 | Java
- Jul 29, 2022
Hi. I had the same problem, but I think I made some progress.
I read the documentation a few times and tried a few times from the start, with the same error. I even tried using client and object IDs instead of email as the username, for lack of better ideas.
So this is where I think I made a mistake the previous times. When you are at the part where you need to register the service principal, you need to execute
```powershell
New-ServicePrincipal -AppId <APPLICATION_ID> -ServiceId <OBJECT_ID> [-Organization <ORGANIZATION_ID>]
```
Here I put the enterprise application object ID as the ServiceId argument. And that is OK.
But on
```powershell
Add-MailboxPermission -Identity "email address removed for privacy reasons" -User <SERVICE_PRINCIPAL_ID> -AccessRights FullAccess
```
I had put my registered application object ID as the User argument. I also tried setting the object ID of the enterprise application, but it did not succeed.
I also tried New-ServicePrincipal but with registered app object id as service id, but it gave me the same result.
When I executed
```powershell
Get-ServicePrincipal -Organization <ORGANIZATION_ID> | fl
```
I did not pay attention to the ServiceId property, even with the documentation specifying it and saying it will be different.
Now I cleared everything and started fresh.
I executed all the steps again, but at the step where I need to add the mailbox permission, I list the service principals and then use the `ServiceId` value from the output as the argument for User.
With that, I was able to authorise.
Unfortunately, now I receive `C3 BAD User is authenticated but not connected.` when I try to list the inbox. But it is a step forward.
I am not sure if you made the same error as me, but maybe it will help you in some way.
I will post info when I find a fix for the new error, if somebody comes across the same issue.
the "Office 365 Exchange Online", which I think is the right resource.
- jambo, Jul 29, 2022, Brass Contributor
If your app is a long-running process that runs in the background, my understanding is that you need to add https://ps.outlook.com/IMAP.AccessAsApp permission. I've done this, but still AUTHENTICATE failed.
- manish1614, Jul 27, 2022, Brass Contributor
jambo and DestryHines As per my understanding, if you are unable to find "Office 365 Exchange Online" in <API-Permissions -> +Add a permission -> APIs my organization uses>, then it is probably because you do not have an active subscription.
However, I have tried applying the Service Principals (like POP.AccessAsApp and IMAP.AccessAsApp) as suggested by the step-by-step guide, using the GUI as well as PowerShell (as given in the "Register service principals in Exchange" section), but haven't had any success yet.
- jambo, Jul 27, 2022, Brass Contributor
Thanks for the hint. I added the Exchange Online scope https://ps.outlook.com/IMAP.AccessAsApp as per your suggestion. I tried requesting https://outlook.office365.com/.default and then https://outlook.office.com/.default. Neither worked for me. Authentication failed.
- DestryHines, Jul 27, 2022, Copper Contributor
My app is also (attempting) to access IMAP in the background (grant_type=client_credentials) and according to Microsoft this now works as of June 2022. You must use Application Permissions for Office 365 Exchange Online.
- jambo, Jul 27, 2022, Brass Contributor
Thanks. However, in my case it doesn't help, as my app accesses IMAP in the background and therefore requires an application permission. I don't see the requisite permissions in the Azure GUI. To me, it looks like Microsoft has some unfinished work to do.
- DestryHines, Jul 27, 2022, Copper Contributor
In API Permissions, I click on "+Add a permission". Then in the popup on the right (at the top), select "APIs my organization uses". In there, type "office 365" in the search and you should see "Office 365 Exchange Online".
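
A diagnostic for the failure discussed in this thread, added here as an example and not code from any poster or from Microsoft: it decodes the access token returned by the client-credentials request and checks the claims the thread's advice depends on (resource audience and application roles). The expected audience (taken from the `https://outlook.office365.com/.default` scope mentioned above), the function names and the sample tokens are assumptions constructed for this example.

```python
import base64
import json

# Assumption: the token should target the resource behind the
# https://outlook.office365.com/.default scope mentioned in the thread.
EXPECTED_AUD = "https://outlook.office365.com"
# Application permissions named in the thread.
MAIL_ROLES = {"IMAP.AccessAsApp", "POP.AccessAsApp"}


def token_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str, expected_aud: str = EXPECTED_AUD) -> list:
    """Return a list of findings; an empty list means the claims look right."""
    claims = token_claims(token)
    findings = []
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud != expected_aud:
        findings.append(f"aud is {aud!r}, expected {expected_aud!r}")
    if not set(claims.get("roles", [])) & MAIL_ROLES:
        findings.append("roles lacks IMAP.AccessAsApp/POP.AccessAsApp "
                        "(application permission missing or not admin-consented)")
    if "scp" in claims:
        findings.append("scp claim present: delegated token, not client credentials")
    return findings


def make_sample(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    good = make_sample({"aud": EXPECTED_AUD, "roles": ["IMAP.AccessAsApp"]})
    wrong = make_sample({"aud": "https://graph.microsoft.com", "roles": []})
    print("good :", diagnose(good))
    print("wrong:", diagnose(wrong))
```

A token that passes these checks can still be rejected at the mailbox, which is the case the first post describes: the service principal registration and `Add-MailboxPermission` step are evaluated by Exchange, not encoded in the token.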