To assist IT managers in resolving Office 365 connectivity issues, Microsoft offers a web-based connectivity analyzer. It works with POP3 or IMAP clients and OAuth 2.0:
Microsoft will be randomly disabling Basic Auth for some tenants before October 1st 2002, then after October 1 2022, they will disable Basic Auth for IMAP and POP3 regardless of their usage.
For some time it was possible to re-enable Basic Auth for IMAP and POP3 for your tenant – – it is no longer possible to do thatanymore.
OAuth 2.0 client credential flow with Office365/Exchange IMAP/POP3/SMTP
This article shows how to implement OAuth 2.0 client credential flow to access Office365 via IMAP, POP3 using Mail.dll .net email client. This flow is particularly useful for daemon/service apps that need to monitor certain mailboxes, without any user interaction.
Add permissions to your application in the API permissions / Add a permission wizard:
Select APIs my organization uses and search for “Office 365 Exchange Online“:
…then click Application permissions:
For POP access, choose the POP.AccessAsApp permission. For IMAP access, choose the IMAP.AccessAsApp permission. For SMTP access, choose the SMTP.SendAsApp permission.
Remember to Grant admin consent:
Create an application secret in Certificates & secrets panel by clicking ‘New client secret’ button:
Note the secret value as it is shown only during creation.
Use Windows PowerShell on your machine to Register service principals in Exchange.
Set execution policy first:
1
Set-ExecutionPolicyRemoteSigned
Install ExchangeOnlineManagement module:
1
2
Install-Module-NameExchangeOnlineManagement
Import-ModuleExchangeOnlineManagement
Connect and log-in as an administrator (you’ll be prompted for password):
For Exchange running in hybrid mode log-in using following code:
1
2
$lc= Get-Credential
Connect-ExchangeOnline-Credential$lc
Create service principal
1
2
3
4
New-ServicePrincipal
-AppId<APPLICATION_ID>
-ServiceId<OBJECT_ID>
[-Organization <ORGANIZATION_ID>]
You can find ApplicationId and ObjectId in Enterprise applications in your application’s Overview panel:
Make sure you use the Object ID from the Enterprise Application.
Do not use the value from the App Registration screen.
In our case:
1
2
3
New-ServicePrincipal
-AppId061851f7-08c0-40bf-99c1-ebd489c11f16
-ServiceId4352fc11-5c2f-4b0b-af40-447ff10664e8
Note: If you still get an error running the New-ServicePrincipal cmdlet after you perform these steps, it is likely due to the fact thatthe user doesn’t have enough permissions in Exchange online to perform the operation. By default this cmdlet is available to users assigned the Role Management role
Add permissions to a specific mailbox:
1
2
3
4
Add-MailboxPermission
-Identity"<USER@your-domain.onmicrosoft.com>"
-User<OBJECT_ID>
-AccessRightsFullAccess
In our case:
1
2
3
4
Add-MailboxPermission
-Identity"AdeleV@your-domain.onmicrosoft.com"
-User4352fc11-5c2f-4b0b-af40-447ff10664e8
-AccessRightsFullAccess
Shared mailboxes
You need to use Add-MailboxPermission for every shared mailbox you need access to:
Add an authentication redirect uri to your application:
Then you need to apply correct API permissions and grant the admin consent for your domain.
In the API permissions / Add a permission wizard, select Microsoft Graph and then Delegated permissions to find the following permission scopes listed:
In addition, you should request offline_access scope. When a user approves the offline_access scope, your app can receive refresh tokens from the Microsoft identity platform token endpoint. Refresh tokens are long-lived. Your app can get new access tokens as older ones expire.
Now try finding account by an identifier (it will be null on first access) in MSAL cache:
// Microsoft authentication uri and end this request.
}
On the first run user will be redirected to the msUri and will see a Microsoft login screen, with option to log-in, using a known account and granting access to the app (if needed):
After successful authentication Microsoft will redirect user’s browser back to your application – to the app’s RedirectUri (in our case http://localhost/MyApp/):
Please note that most likely you should store this cache in an encrypted form in some kind of a database. Consider using MSAL token serialization implementations available here: