OAuth 2.0 device flow with Office365/Exchange IMAP/POP3/SMTP

This article shows how to implement OAuth 2.0 device flow to access Office365 via IMAP, POP3 or SMTP using Mail.dll .net email client.

Device flow allows operator/administrator to authenticate your application on a different machine than your application is installed.

Make sure IMAP/POP3/SMTP is enabled for your organization and mailbox:
Enable IMAP/POP3/SMTP in Office 365

Register your application in Azure Portal, here’s a detailed guide how to do that:
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

Then you need to apply correct API permissions and grant the admin consent for your domain.

In the API permissions / Add a permission wizard, select Microsoft Graph and then Delegated permissions to find the following permission scopes listed:

  • offline_access
  • email
  • IMAP.AccessAsUser.All
  • POP.AccessAsUser.All
  • SMTP.Send

Remember to Grant admin consent:

Use Microsoft Authentication Library for .NET (MSAL.NET) nuget package to obtain an access token:
https://www.nuget.org/packages/Microsoft.Identity.Client/

string clientId = "Application (client) ID";
string tenantId = "Directory (tenant) ID";

IPublicClientApplication app = PublicClientApplicationBuilder
    .Create(clientId)
    .WithTenantId(tenantId)
    .Build();
// This allows saving access/refresh tokens to some storage
TokenCacheHelper.EnableSerialization(app.UserTokenCache);

var scopes = new string[] 
{
    "offline_access",
    "email",
    "https://outlook.office.com/IMAP.AccessAsUser.All",
    "https://outlook.office.com/POP.AccessAsUser.All",
    "https://outlook.office.com/SMTP.Send",
};

Now acquire an access token and a user name:

string userName;
string accessToken;

var account = (await app.GetAccountsAsync()).FirstOrDefault();
try
{
    AuthenticationResult refresh = await app
        .AcquireTokenSilent(scopes, account)
        .ExecuteAsync();

    userName = refresh.Account.Username;
    accessToken = refresh.AccessToken;
}
catch (MsalUiRequiredException e)
{
    var acquire = await app.AcquireTokenWithDeviceCode(
        scopes, 
        callback=>
    {
        // Write url and code to logs so the operator can react:
        Console.WriteLine(callback.VerificationUrl);
        Console.WriteLine(callback.UserCode);

        // This happens on the first run, manually,
        //  on the operator machine.
        // The code below code is only to illustrate 
        // the operator opening browser on his machine,
        // opening the url and using the code 
        // (extracted from the application logs)
        // to authenticate the app.
        System.Diagnostics.Process.Start(
            new ProcessStartInfo(callback.VerificationUrl) 
                        { UseShellExecute = true }
            );

        return Task.CompletedTask;
    }).ExecuteAsync();

    userName = acquire.Account.Username;
    accessToken = acquire.AccessToken;
}

AcquireTokenWithDeviceCode call waits until operator/administrator gives consent by going to VerificationUrl, entering UserCode and authenticating – this usually happens on a different machine than the application is installed.

Finally your app will exit AcquireTokenWithDeviceCode method and connect using IMAP/POP3/SMTP, authenticate and download emails:

using (Imap client = new Imap())
{
    client.ConnectSSL("outlook.office365.com");
    client.LoginOAUTH2(userName, accessToken);
 
    client.SelectInbox();

    // ...

    client.Close();
} 

You can find more details on this flow here:

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code

Token serialization

Below is a simple implementation that saves MSAL token cache to file. Please note that most likely you should store this cache in an encrypted form:

static class TokenCacheHelper
{
    public static void EnableSerialization(ITokenCache tokenCache)
    {
        tokenCache.SetBeforeAccess(BeforeAccessNotification);
        tokenCache.SetAfterAccess(AfterAccessNotification);
    }

    private static readonly string _fileName = "msalcache.bin3";

    private static readonly object _fileLock = new object();


    private static void BeforeAccessNotification(TokenCacheNotificationArgs args)
    {
        lock (_fileLock)
        {
            byte[] data = null;
            if (File.Exists(_fileName))
                data = File.ReadAllBytes(_fileName);
            args.TokenCache.DeserializeMsalV3(data);
        }
    }

    private static void AfterAccessNotification(TokenCacheNotificationArgs args)
    {
        if (args.HasStateChanged)
        {
            lock (_fileLock)
            {
                byte[] data = args.TokenCache.SerializeMsalV3();
                File.WriteAllBytes(_fileName, data);
            }
        }
    }
};

More details on MSAL token serialization are available here:

https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-token-cache-serialization

Extending Sign-in frequency with policies

You can extend how often operator needs to re-authenticate the application up to 1 year:

Side note: Have in mind that similarly a client credential flow requires a client secret which is valid for 2 years maximum.


Get Mail.dll

Office 365 enable IMAP/POP3 and SMTP access

First log in to Microsoft 365 admin portal at https://admin.microsoft.com/ as an administrator, go to Org settings screen and find Modern authentication entry:

Check ‘Turn on modern authentication…‘ for OAuth flows.

Check IMAP, POP3 and SMTP for App passwords flows.

Then go to Users screen:

Select an user and on the Mail tab click Manage email apps

Check IMAP, Pop and Authenticated SMTP to turn on the protocols for this account

Have in mind it takes 20-30 minutes for the changes to take effect.

AD configuration

In your Active Directory, make sure Enable Security defaults is set to No:

Make sure there are no Conditional Access | Policies defined in your AD:

Authentication – Basic Auth [deprecated]

It is no longer possible to re-enable Basic Auth or use App passwords.

To use basic authentication (username/password) you’ll need to
Re-enable Basic Auth for your tenant

For MFA enabled/enforced accounts you must
Create and use App passwords

using (Imap imap = new Imap())
{
    imap.ConnectSSL("outlook.office365.com");
 
    imap.UseBestLogin(
        "AdeleV@limilabs.onmicrosoft.com",  
        "password");
 
    imap.SelectInbox();

    List<long> uids = imap.Search(Flag.Unseen);
 
    foreach (long uid in uids)
    {
        IMail email = new MailBuilder()
            .CreateFromEml(imap.GetMessageByUID(uid));
        string subject = email.Subject;
    }
 
    imap.Close();
}

Authentication – OAuth 2.0

Daemons/Services: Password grant (MFA/2FA must be turned off for this account):
https://www.limilabs.com/blog/oauth2-password-grant-office365-exchange-imap-pop3-smtp

Daemons/Services: Client credential flow:
https://www.limilabs.com/blog/oauth2-client-credential-flow-office365-exchange-imap-pop3-smtp

Web apps (requires user interaction):
https://www.limilabs.com/blog/oauth2-web-flow-office365-exchange-imap-pop3-smtp

Standalone devices (requires very little interaction):
https://www.limilabs.com/blog/oauth2-device-flow-office365-exchange-imap-pop3-smtp

Desktop apps (requires user interaction):
https://www.limilabs.com/blog/oauth2-office365-exchange-imap-pop3-smtp

using (Imap imap = new Imap())
{
    imap.ConnectSSL("outlook.office365.com");
 
    imap.UseBestLogin(
        "AdeleV@limilabs.onmicrosoft.com",  
        "access-token");
 
    imap.SelectInbox();

    List<long> uids = imap.Search(Flag.Unseen);
 
    foreach (long uid in uids)
    {
        IMail email = new MailBuilder()
            .CreateFromEml(imap.GetMessageByUID(uid));
        string subject = email.Subject;
    }
 
    imap.Close();
}

Exchange administration

You can find the same mailbox/user settings through Exchange administration screens:


Get Mail.dll

Office 365 App passwords

It is no longer possible to re-enable Basic Auth or use App passwords.

First make sure IMAP/POP3/SMTP are turned on properly: enable IMAP / POP3 and SMTP in Office 365

To use App passwords, Multi-factor Authentication (MFA) must be turned on for the account.

On the other had, if you have MFA turned on for your account, App passwords are the simplest way to receive your emails – your primary password won’t work.

First log in to Microsoft 365 admin portal at https://admin.microsoft.com/ as an administrator. Go to Users screen and click Multi-factor authentication:

Select a user and change Multi-factor Auth Status to Enforced:

Log in as this user to his My Account at https://myaccount.microsoft.com/, then go My sign-ins and create a new App password on the Security info screen:

Write down the created password (you won’t be able to see it again).

Have in mind it takes 20-30 minutes for the changes to take effect.

Remember to turn IMAP on for those Office 365 accounts as well, now you can now use it as a standard password:

using (Imap imap = new Imap())
{
    imap.ConnectSSL("outlook.office365.com");

    imap.UseBestLogin(
        "AlexW@limilabs.onmicrosoft.com", 
        "qfhnlzsdaqew");

    imap.SelectInbox();

    List<long> uids = imap.Search(Flag.Unseen);

    foreach (long uid in uids)
    {
        IMail email = new MailBuilder()
            .CreateFromEml(imap.GetMessageByUID(uid));
        string subject = email.Subject;
    }

    imap.Close();
}

You can find more details here as well:
https://support.microsoft.com/en-us/account-billing/using-app-passwords-with-apps-that-don-t-support-two-step-verification-5896ed9b-4263-e681-128a-a6f2979a7944

Order process maintenance scheduled for Feb 8th, 2022

We will be conducting planned maintenance to ordering system on Tuesday, Feb 8th, 2022

Time:

4 AM to 8 AM CST (Minnesota, US)
11 AM to 3 PM CET (Berlin, Germany)
6 PM CST to 10 PM CST (Beijing, China)
7 PM JST to 11 PM JST (Tokyo, Japan)

During the planned maintenance, the system will continue to take orders. However customers may see temporary delays in fulfillment and order confirmation emails.

Once the maintenance is finished, we expect all functionality to resume; orders will be processed, and order confirmation emails will be sent to customers.

NavigateToTest VS2022 extension

Extension is available for other Visual Studio versions:

You can download the extension here:
NavigateToTest Visual Studio 2022 extension

Here’s the latest version that supports Visual Studio 2022.

Extension is convention based. It matches ClassName file with ClassNameTest or ClassNameTests and vice-versa, so you can easily navigate to the test file and back.

Here are some screenshots:

Here’s the toolbar name, in case it is not added automatically:

You can download the extension here:
NavigateToTest Visual Studio 2022 extension