OAuth 2.0 with Office365/Exchange IMAP/POP3/SMTP

In this series:

First you need to register your application in Azure Portal.

Here’s a detailed guide how to do that:
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

Remember to add authentication entries (localhost is needed for .net core):

Then you need to apply correct API permissions and grant the admin consent for your domain.

In the API permissions / Add a permission wizard, select Microsoft Graph and then Delegated permissions to find the following permission scopes listed:

  • offline_access
  • email
  • IMAP.AccessAsUser.All
  • POP.AccessAsUser.All
  • SMTP.Send

Remember to grant admin consent.

Use Microsoft Authentication Library for .NET (MSAL.NET) nuget package to obtain an access token:

https://www.nuget.org/packages/Microsoft.Identity.Client/ 

var pcaOptions = new PublicClientApplicationOptions
{
    ClientId = "Application (client) ID",

    TenantId = "Directory (tenant) ID",
    // -or-
    // for @outlook.com/@hotmail accounts instead of setting TenantId use:
    // AadAuthorityAudience = AadAuthorityAudience.PersonalMicrosoftAccount, 

    RedirectUri = "https://login.microsoftonline.com/common/oauth2/nativeclient"
    // RedirectUri = "http://localhost" // for .net core
};

var pca = PublicClientApplicationBuilder
    .CreateWithApplicationOptions(pcaOptions)
    .Build();

var scopes = new string[] 
{
    "offline_access",
    "email",
    "https://outlook.office.com/IMAP.AccessAsUser.All",
    "https://outlook.office.com/POP.AccessAsUser.All",
    "https://outlook.office.com/SMTP.Send",
};

In addition, you can request for offline_access scope. When a user approves the offline_access scope, your app can receive refresh tokens from the Microsoft identity platform token endpoint. Refresh tokens are long-lived. Your app can get new access tokens as older ones expire.

Now acquire the access token and user email address:

var authResult = pca.AcquireTokenInteractive(scopes).ExecuteAsync().Result;

string user = authResult.Account.Username;
string accessToken = authResult.AccessToken;

Finally you can connect to IMAP/POP3/SMTP server and authenticate:

using (Imap client = new Imap())
{
    client.ConnectSSL("outlook.office365.com");
    client.LoginOAUTH2(user, accessToken);
 
    client.SelectInbox();

    // ...

    client.Close();
}

As this is fairly new feature for Exchange/Office365, here are some useful links:

https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth

https://stackoverflow.com/questions/29747477/imap-auth-in-office-365-using-oauth2

https://stackoverflow.com/questions/43473858/connect-to-outlook-office-365-imap-using-oauth2

https://stackoverflow.com/questions/61597263/office-365-xoauth2-for-imap-and-smtp-authentication-fails

Tags: , , , ,

Questions?

Consider using our Q&A forum for asking any questions.