AUTHENTICATE failed with O365 IMAP (as Daemon/Service)

Question

Hi

We use the Mail.dll Version 3.0.21134.1059 in a Windows-Service with Client-Credential-Flow of O365. I read all your articles about the exchange configuration, especially this: https://www.limilabs.com/blog/oauth2-client-credential-flow-office365-exchange-imap-pop3-smtp

The Auth with the Identitiy-Server works fine an I receive the access token. But when I call LoginOAUTH2() I receive "AUTHENTICATE failed".

The Exchange-Administrator told me that he configured everything as you defined in you Blog... I checked all IDs several times. Is it possible that the version of Mail.dll is the problem (maybe too old)?

Here is our exchange configuration:
Exchange Configuration

Here is the code:

var app = ConfidentialClientApplicationBuilder
    .Create("f18384ed-***")
    .WithTenantId("8143a502-***")
    .WithClientSecret("IHP8***")
    .Build();

var scopes = new string[] 
{ 
    "https://outlook.office365.com/.default" 
};

var result = await app.AcquireTokenForClient(scopes)
    .ExecuteAsync();

using (Imap client = new Imap())
{
   client.ConnectSSL("outlook.office365.com");
   client.LoginOAUTH2("bill@y******.ch", result.AccessToken);

   client.SelectInbox();

   client.Close();
}

I am quite lost... What can be done next to solve the problem?

I would appreciate your help very much. Thanks in advance.

Answer 1

1.
Start with PowerShell commands:

Get-ServicePrincipal
Get-MailboxPermission -Identity "user@domain.onmicrosoft.com"

Make sure the ServiceId returned the same as the Object ID on the Enterprise Application screen (do not use the value from the App Registration screen)

Make sure the AppId is the same as the Application ID on the Enterprise Application screen.

2.
Check if you can connect to this account using IMAP and regular interactive flow:

https://www.limilabs.com/blog/office-365-oauth-2-0-imap-pop3-email-client-connectivity-tools

This proves you have IMAP access properly configured.

3.
Usually people use incorrect client/tenant ids/secrets – double check every single value you enter (also for additional spaces).

4.
You may need to wait 20-30 minutes for some changes to take effect (it really may take this long!).

Additional notes:
- there is no need to deactivate MFA in this flow
- there is no need to activate public client flows (App Registrations/Authentication/Allow public client flows) in this flow

Comments

Thank you for your answer. I just purchased for the latest version 3.0.22293.1001 - still same error.

1: Yes the ServiceId matches the ObjectId of the Enterprise Application screen: See the last page of my Exchange Configuration Document

2: Yes the connection test was successful: See the last page of my Exchange Configuration Document

3: Yes I did check it more than double

4: I waited over 24 hours

What can be done next to solve the problem?
Thanks in advance
- Jürg

---

I'm almost sure you are not looking at the "Enterprise Application" when you gather "Application ID" and "Object ID".

The screen you should be looking at is "Enterprise Application" it has: Name, Application ID, Object ID in that order.

The screenshot you showed is an App registrations screen (it contains Display name, Application (client) ID, Object ID, Directory (tenant) ID) - wrong screen.

---

Oh! You were right - THANK YOU! I double-checked the wrong IDs multiple times :) Sorry about that - problem solved!

I have one more question on the side:
Do you know a way to configure the New-ServicePrincipal and Add-MailboxPermission inside the Web-UI of Microsoft instead of using Powershell?

Thanks again for your help
- Jürg

---

Perfect. I don't think it is possible via UI currently (at least I haven't seen a way of doing it)

---

Yet another example of an only partially finished and very confusing Microsoft portal. Thank you for your help which I have appreciated very much.