I am facing an authentication failure issue while trying to connect for both IMAP and POP3 protocols using the Client Credential Grant flow for OAuth2.0
public static void connectPOP(String email, String accessToken){
Properties properties= new Properties();
properties.put("mail.pop3.port", 995);
properties.put("mail.pop3.forgettopheaders", "true");
properties.put("mail.pop3.auth.mechanisms", "XOAUTH2");
properties.put("mail.pop3.auth.login.disable", "true"); // If true, prevents use of the USER and PASS commands. Default is false.
properties.put("mail.pop3.auth.plain.disable", "true"); // If true, prevents use of the AUTH PLAIN command. Default is false.
properties.put("mail.pop3.auth.xoauth2.disable","false"); // If true, prevents use of the AUTHENTICATE XOAUTH2 command. Hence set it to false
properties.put("mail.pop3.auth.xoauth2.two.line.authentication.format", "true"); // If true, splits authentication command on two lines. Default is false.
properties.put("mail.pop3.connectiontimeout", 15000);
properties.put("mail.pop3.timeout", 15000);
properties.put("mail.debug", "true");
Session session = Session.getInstance(properties);
session.setDebug(true);
try{
Store store = session.getStore("pop3");
store.connect("outlook.office365.com", email, accessToken);
if(store.isConnected()){
System.out.println("Connected with pop3 successfully !");
}
}catch(Exception e){
e.printStackTrace();
}
}
Following are the credentials which I have used while performing the Client Credential Grant flow
userEmail:- Email of the user which is used to login to Azure portal (eg, email address removed for privacy reasons)
Note: I have been using the Default Active Directory, and the default user(Admin) for my Azure account. Is it fine this way ? or does it require a new custom Azure AD and a separate tenant for performing client credential flow
Below Image contains list of permissions I have applied in my app:
@manish1614I'm also facing the same issue with IMAP OAuth Authentication with Client Credentials flow. I have followed Microsoft's documentation as you mentioned above. I have given IMAP.AccessAsApp, POP.AccessAsApp permissions, but the access_token is not working with those permissions. Did you find any solution for this?
I'm having the same issue as well. I've tried every combination of things the documentation provides. If anyone finds a solution, please post it here.
Not sure if it helps you guys but I noticed the first post shows the scope as "https://outlook.office.com/.default" but in this post from 7/12/22 it specifically says to use "https://outlook.office365.com/.default".
Thanks for you reply Anjitha. As of now I have not found any solution for this issue. I will update on the same thread as soon as I find out a working fix for this situation.
We're in the same same boat here.. been working on this the entire day and haven't been able to get it to work. One thing I am confused about. How does Office 365 link the username (.e.g. email address removed for privacy reasons) to the OAUTH2 credential? Am I supposed to be able to login into any mailbox using the access token? I am getting the access token from a certificate attached to a created application in Azure.
I was confused about that at first too. So I believe the answer is that in each of the mailboxes you want your app to access you must run the PowerShell commands that grant the App you've setup to the mailbox. You can see the app (if it's assigned correctly) in the user detail under "Applications". So, you request the access token as the client_id/secret for the app, then you can use that in the IMAP session, but for the "user" you use the email address you want to check. Whichever email addresses your app is assigned to it can read the email for. That's at least how I read it described.
I have the Microsoft Graph -> IMAP.AccessAsUser.All app permission but I *think* that only applies if you're accessing email from the Graph API (https://graph.microsoft.com) and not when using regular IMAP at https://outlook.office365.com. For that I added the IMAP.AccessAsApp permissions the "Office 365 Exchange Online", which I think is the right resource.
In API Permissions, I click on "+Add a permission". Then in the popup on the right (at the top), select "APIs my organization uses". In there, type "office 365" in the search and you should see "Office 365 Exchange Online".
Thanks, However, in my case it doesn't help as my app access Imap in the background, and therefore requires an application permission. I don't see the requisite permissions in the Azure GuI. To me, it looks like Microsoft has some unfinished work to do.
My app is also (attempting) to access IMAP in the background (grant_type=client_credentials) and according to Microsoft this now works as of June 2022. You must use Application Permissions for Office 365 Exchange Online.
@jambo and @DestryHines As per my understanding, if you are unable to find "Office 365 Exchange Online" in <API-Permissions -> +Add a permission -> APIs my organization uses> then probably it is because you are not having an active subscription. However I have tried applying the Service Principals (like POP.AccessAsApp and IMAP.AccessAsApp) as suggested by the step-by-step guide, using GUI as well as PowerShell(as given in "Register service principals in Exchange" section), but didn't got any success yet.
All I wanted was to access a mailbox, did not know I was trying to build a nuclear submarine. Microsoft did a terrible job of replacing a trivial process with something incredibly complicated, with multiple steps, and next to none support
If your app is a long-running process that runs in the background, my understanding is that you need to add https://ps.outlook.com/IMAP.AccessAsApp permission. I've done this, but still AUTHENTICATE failed.
best response confirmed by
manish1614 (Occasional Contributor)
Hi. I had the same problem, but I think I made some progress.
I read documentation few times, tried few times from the start with same error. I even have tried using client and object ids instead of email as username, in lack of better ideas.
So this is where I think I have made mistake previous times.
When you are at the part that you need to register service principal, you need to execute
I have put my registered application object id as User argument. I also tried setting object id of enterprise application, but it did not have success.
I also tried New-ServicePrincipal but with registered app object id as service id, but it gave me the same result.
I did not pay attention to ServiceId property, even with documentation specifying it and saying it will be different.
Now I cleared everything and started fresh.
I executed all the steps again, but on the step when I need to add mail permission, I list service principals, and then use `ServiceId` value from the output, as argument for user.
With that, I was able to authorise.
Unfortunately, now I receive `C3 BAD User is authenticated but not connected.` when I try to list inbox. But it is step forward.
I am not sure if you made the same error as me, but maybe it will help you in some way.
I will post info, when I find fix for the new error if somebody comes across same issue.
