HOW TO REGISTER & GIVE ACCESS TO MAIL 365 WITH OAUTH 2.0 (IMAP OR POP3 OR SMTP)

Introduction

On October 1st 2022, Microsoft will begin disabling Basic authentication in Microsoft 365 for IMAP, POP3 and EWS. This means that classic username/password authentication will no longer work with Exchange Online, and application will have to be upgraded to use OAuth 2.0.

Microsoft 365 (formerly Office 365) supports two kinds of OAuth 2.0 authentication:

Before your application can start accessing mailboxes, you have to register it with Microsoft, assign the relevant permissions and configure mailbox access. The guide below describes what needs to be done to enable POP3 or IMAP access for unattended apps (app-only mode). For EWS, see Office 365 and EWS with OAuth 2.0 in unattended mode.

Register yourself and your company

  1. Log into Azure Portal. If you don't have an account there yet, create it. You also have to set up a tenant that represents your company.

  2. If you administer more than one tenant, use Directories + subscriptions filter to select the tenant for whom to register an application. 6587ef87-2ed4-49a8-91e6-6647981f0709.generate_access_token_ms365

Register your application

  1. In Azure Portal ⇒ expand the left menu ⇒ select Azure Active Directory ⇒ select App registrations ⇒ click + New registration. (Azure Portal is constantly evolving, so if you cannot find this page, use the search bar.) d11af5ab-6e1c-4aa3-a2fc-e103df20594d.generate_access_token_ms365

  2. Name your application, choose which kind of accounts are going to use it, and click Register.

Note: This guide is suitable for single tenant account types. For other types, further steps might be different. 2015c9e6-fe54-4cf4-b106-4d06737dc897.generate_access_token_ms365

  1. You successfully registered your application and you can view its associated IDs. Some of them will be needed later to obtain an OAuth 2.0 token. 3e38e185-8486-4809-8b04-64656747a6ac.generate_access_token_ms365

Set up client secret (application password)

  1. In the left menu, select Certificates & secrets ⇒ click + New client secret. 849cd465-3521-431a-864e-b0f3db442fa2.generate_access_token_ms365

  2. Provide some description for this secret, choose expiration period, and click Add. 075f1587-cd4d-4ef9-8fce-b4c0b5997c6d.generate_access_token_ms365

  3. Immediately copy and save the newly created client secret's Value (not Secret ID). You will not be able to view the Value later anymore. e71fa746-5487-4076-9bd4-aeeeaf7b6683.generate_access_token_ms365

Add app permissions

  1. In the left menu, select API permissions ⇒ click + Add a permission. a477890d-de75-41da-94ae-e10bc9a3915b.generate_access_token_ms365

  2. Navigate to APIs my organization uses tab ⇒ type Office 365 Exchange in the search bar ⇒ click Office 365 Exchange Online entry. 67a84733-ecee-4729-8a0d-5fcd121f7270.generate_access_token_ms365

  3. Click Application permissions ⇒ type AccessAsApp ⇒ check IMAP.AccessAsApp and/or POP.AccessAsApp ⇒ click Add permissions. 9b86929a-c441-497d-9d91-1d06b24b1650.generate_access_token_ms365

  4. The newly-added IMAP.AccessAsApp and POP.AccessAsApp permissions have to be approved by your organization's administrator. Ask them to grant consent to your application by clicking Grant admin consent for [organization]. 5898911b-5cc5-40c9-b1eb-0f69538d84ce.generate_access_token_ms365

  5. Application permissions have been granted. Optionally, you can remove the delegated User.Read permission which is not needed for app-only application - click the context menu on the right side of the permission and select Remove permission. 4063ba47-7a06-4647-b4da-9199d513ead2.generate_access_token_ms365

  6. Now, you have to assign access permissions for your mailboxes. There is no web UI for this yet - you have to use PowerShell.

  7. Install the required PowerShell modules.

You can skip this step if you have already installed AzureAD and ExchangeOnlineManagement modules.

Open your PowerShell as Administrator, and run:

Install-Module -Name AzureAD
Install-Module -Name ExchangeOnlineManagement

Confirm installation from PSGallery by typing Y + Enter.

5164cfc3-4fc6-4257-956a-9945cd3f8d49.generate_access_token_ms365

  1. Get the service principal ID associated with your application.

Note: You will be asked to log into your Azure account.

$AppId = "YOUR_APP_ID_HERE"
$TenantId = "YOUR_TENANT_ID_HERE"

Import-module AzureAD
Connect-AzureAd -Tenant $TenantId

($Principal = Get-AzureADServicePrincipal -filter "AppId eq '$AppId'")
$PrincipalId = $Principal.ObjectId

e1152de9-c531-4fc6-a763-90366232d77a.generate_access_token_ms365

  1. Register the service principal for your application.

Note: You will be asked to log into your Exchange Online account.

$DisplayName = "Some principal name for IMAP/POP3 here"

Import-module ExchangeOnlineManagement
Connect-ExchangeOnline -Organization $TenantId

New-ServicePrincipal -AppId $AppId -ServiceId $PrincipalId -DisplayName $DisplayName

a67f8e4b-0a57-48df-9b3d-c7943cd8dee4.generate_access_token_ms365

  1. Add FullAccess mailbox permissions to all mailboxes you want to access from your application.
Add-MailboxPermission -User $PrincipalId -AccessRights FullAccess -Identity "mailbox.1@example.org"
Add-MailboxPermission -User $PrincipalId -AccessRights FullAccess -Identity "mailbox.2@example.org"
Add-MailboxPermission -User $PrincipalId -AccessRights FullAccess -Identity "mailbox.3@example.org"

30a64e87-11f8-42e5-bdb5-6d0d14ed86c0.generate_access_token_ms365

  1. Congratulations! Now you have registered an application for accessing Office 365 mailboxes via IMAP or POP3 protocol and received its Application (client) ID, Client secret and Directory (tenant) ID.

These strings are going to be used by your application to authenticate to Microsoft 365 via OAuth 2.0 and receive an OAuth token. This token is then used to authenticate to Exchange Online using IMAP or POP3 protocols.

Read More

Updated on : 2023-07-28 17:04:09. by : nghianh@spc-technology.com. nghianh at 118.69.187.103.

Topic : generate_access_token_ms365