IMAP + OAuth client credentials: AUTHENTICATE failed

Question

We are using Mail.dll to read messages using IMAP. The mailbox is an office 365 email box.

We are trying to migrate to oauth2 as basic authentication is getting deprecated.

We have followed the following article to the letter:

https://www.limilabs.com/blog/oauth2-client-credential-flow-office365-exchange-imap-pop3-smtp

The access token gets generated successfully.

However we are getting an exception with a message "AUTHENTICATE failed"

Code:

var app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithTenantId(tenantId)
            .WithClientSecret(clientSecret)
            .Build();

string[] scopes = new string[] { 
    "https://outlook.office365.com/.default" 
    };

var result = await app.AcquireTokenForClient(scopes)
    .ExecuteAsync();

string accessToken = result.AccessToken;
Console.WriteLine(accessToken);

using (Imap client = new Imap())
{
    client.ConnectSSL("outlook.office365.com");
    client.LoginOAUTH2(userEmail, accessToken);

    client.Close();
}

We did a lot of research and browsing through the forums before asking this question.

Our Microsoft 365 admin also went through this checklist:

https://www.limilabs.com/blog/office365-enable-imap-pop3-smtp

But we are still getting the issue after ensuring everything in your instructions was applied.

Please advise.

Answer 1

Your code looks correct.

I'm sure that the article you mentioned is correct and accurate.
Remember, that you need to perform every single step that is described there (including powershell part).

Usually people use incorrect client/tenant ids/secrets - double check every single value you enter (also for additional spaces).

Another common mistake is not performing "Grant admin consent" step,
it is also important to allow modern authentication:

https://www.limilabs.com/blog/office365-enable-imap-pop3-smtp

Have you performed Power Shell configuration of accounts in Exchange?
Double check using PowerShell commands:

Get-ServicePrincipal -Organization [TODO]
Get-MailboxPermission -Identity [TODO]

Comments

Remember, that you need to perform every single step that is described
there (including powershell part).

Yes we have followed all the steps including the powershell scripts.

Usually people use incorrect client/tenant ids/secrets - double check
every single value you enter (also for additional spaces).

App credentials are correct, otherwise the access token would not be generated.

Another common mistake is not performing "Grant admin consent" step,
it is also important to allow modern authentication:

Admin consent are granted and modern authentication is enabled.

Have you performed Power Shell configuration of accounts in Exchange?
Double check using PowerShell commands:

Yes we ran the powershell commands.
Still getting the error.

---

Check the IDs and the secret - this is the most likely reason.
Even with incorrect IDs you may receive a token.

Check if you are using exactly the same email address when logging-in as you granted permissions to.

What were the result of the PowerShell commands?

---

I'm getting this issue too, using POP3 and OAUTH2 with Service Principal set up.

✅ AppID matches
✅ ServiceID matches ObjectID
✅ Scope set correctly to https://outlook.office365.com/.default
✅ Getting an AccessToken
✅ Username correct
✅ Mailbox has FullAccess permissions and can see in Delegation admin portal

Short of deleting the Service Principal and registering again...

Limilabs.Client.POP3.Pop3ResponseException: Authentication failure:
unknown user name or bad password`.

I'm hoping it's something obvious

Mail.Dll v3.0.22234.1038

---

Resolved -- make sure you use the Object ID from the Enterprise Application not the App Registration. It also takes time for permissions to propagate, so give it 15 to apply.

---

Thanks all, this is resolved. Recreated the app and followed the instructions again