[Update]
Client credential flow is now supported:
https://www.limilabs.com/blog/oauth2-client-credential-flow-office365-exchange-imap-pop3-smtp
Microsoft is working on bringing OAuth Client Credential Flow support for POP/IMAP for Office365/Exchange. It’s planned to be released in June 2022:
https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=70577
Check out currently supported OAuth 2.0 flows
This article shows how to implement OAuth 2.0 device flow to access Office365 via IMAP, POP3 or SMTP using Mail.dll .net email client.
Device flow allows operator/administrator to authenticate your application on a different machine than your application is installed.
Make sure IMAP/POP3/SMTP is enabled for your organization and mailbox:
Enable IMAP/POP3/SMTP in Office 365
Register your application in Azure Portal, here’s a detailed guide how to do that:
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
Then you need to apply correct API permissions and grant the admin consent for your domain.
In the API permissions / Add a permission wizard, select Microsoft Graph and then Delegated permissions to find the following permission scopes listed:
Remember to Grant admin consent:
Use Microsoft Authentication Library for .NET (MSAL.NET) nuget package to obtain an access token:
https://www.nuget.org/packages/Microsoft.Identity.Client/
string clientId = "Application (client) ID";
string tenantId = "Directory (tenant) ID";
IPublicClientApplication app = PublicClientApplicationBuilder
.Create(clientId)
.WithTenantId(tenantId)
.Build();
// This allows saving access/refresh tokens to some storage
TokenCacheHelper.EnableSerialization(app.UserTokenCache);
var scopes = new string[]
{
"offline_access",
"email",
"https://outlook.office.com/IMAP.AccessAsUser.All",
"https://outlook.office.com/POP.AccessAsUser.All",
"https://outlook.office.com/SMTP.Send",
};
Now acquire an access token and a user name:
string userName;
string accessToken;
var account = (await app.GetAccountsAsync()).FirstOrDefault();
try
{
AuthenticationResult refresh = await app
.AcquireTokenSilent(scopes, account)
.ExecuteAsync();
userName = refresh.Account.Username;
accessToken = refresh.AccessToken;
}
catch (MsalUiRequiredException e)
{
var acquire = await app.AcquireTokenWithDeviceCode(
scopes,
callback=>
{
// Write url and code to logs so the operator can react:
Console.WriteLine(callback.VerificationUrl);
Console.WriteLine(callback.UserCode);
// This happens on the first run, manually,
// on the operator machine.
// The code below code is only to illustrate
// the operator opening browser on his machine,
// opening the url and using the code
// (extracted from the application logs)
// to authenticate the app.
System.Diagnostics.Process.Start(
new ProcessStartInfo(result.VerificationUrl)
{ UseShellExecute = true }
);
return Task.CompletedTask;
}).ExecuteAsync();
userName = acquire.Account.Username;
accessToken = acquire.AccessToken;
}
AcquireTokenWithDeviceCode call waits until operator/administrator gives consent by going to VerificationUrl, entering UserCode and authenticating – this usually happens on a different machine than the application is installed.
Finally your app will exit AcquireTokenWithDeviceCode method and connect using IMAP/POP3/SMTP, authenticate and download emails:
using (Imap client = new Imap())
{
client.ConnectSSL("outlook.office365.com");
client.LoginOAUTH2(userName, accessToken);
client.SelectInbox();
// ...
client.Close();
}
You can find more details on this flow here:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code
Below is a simple implementation that saves MSAL token cache to file. Please note that most likely you should store this cache in an encrypted form:
static class TokenCacheHelper
{
public static void EnableSerialization(ITokenCache tokenCache)
{
tokenCache.SetBeforeAccess(BeforeAccessNotification);
tokenCache.SetAfterAccess(AfterAccessNotification);
}
private static readonly string _fileName = "msalcache.bin3";
private static readonly object _fileLock = new object();
private static void BeforeAccessNotification(TokenCacheNotificationArgs args)
{
lock (_fileLock)
{
byte[] data = null;
if (File.Exists(_fileName))
data = File.ReadAllBytes(_fileName);
args.TokenCache.DeserializeMsalV3(data);
}
}
private static void AfterAccessNotification(TokenCacheNotificationArgs args)
{
if (args.HasStateChanged)
{
lock (_fileLock)
{
byte[] data = args.TokenCache.SerializeMsalV3();
File.WriteAllBytes(_fileName, data);
}
}
}
};
More details on MSAL token serialization are available here:
https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-token-cache-serialization
You can extend how often operator needs to re-authenticate the application up to 1 year:
Side note: Have in mind that similarly a client credential flow requires a client secret which is valid for 2 years maximum.
First log in to Microsoft 365 admin portal at https://admin.microsoft.com/ as an administrator, go to Org settings screen and find Modern authentication entry:
Check ‘Turn on modern authentication…‘ for OAuth flows.
Check IMAP, POP3 and SMTP for App passwords flows.
Then go to Users screen:
Select an user and on the Mail tab click Manage email apps
Check IMAP, Pop and Authenticated SMTP to turn on the protocols for this account
Have in mind it takes 20-30 minutes for the changes to take effect.
In your Active Directory, make sure Enable Security defaults is set to No:
Make sure there are no Conditional Access | Policies defined in your AD:
It is no longer possible to re-enable Basic Auth or use App passwords.
To use basic authentication (username/password) you’ll need to
Re-enable Basic Auth for your tenant
For MFA enabled/enforced accounts you must
Create and use App passwords
using (Imap imap = new Imap())
{
imap.ConnectSSL("outlook.office365.com");
imap.UseBestLogin(
"AdeleV@limilabs.onmicrosoft.com",
"password");
imap.SelectInbox();
List<long> uids = imap.Search(Flag.Unseen);
foreach (long uid in uids)
{
IMail email = new MailBuilder()
.CreateFromEml(imap.GetMessageByUID(uid));
string subject = email.Subject;
}
imap.Close();
}
Daemons/Services: Password grant (MFA/2FA must be turned off for this account):
https://www.limilabs.com/blog/oauth2-password-grant-office365-exchange-imap-pop3-smtp
Daemons/Services: Client credential flow:
https://www.limilabs.com/blog/oauth2-client-credential-flow-office365-exchange-imap-pop3-smtp
Web apps (requires user interaction):
https://www.limilabs.com/blog/oauth2-web-flow-office365-exchange-imap-pop3-smtp
Standalone devices (requires very little interaction):
https://www.limilabs.com/blog/oauth2-device-flow-office365-exchange-imap-pop3-smtp
Desktop apps (requires user interaction):
https://www.limilabs.com/blog/oauth2-office365-exchange-imap-pop3-smtp
using (Imap imap = new Imap())
{
imap.ConnectSSL("outlook.office365.com");
imap.UseBestLogin(
"AdeleV@limilabs.onmicrosoft.com",
"access-token");
imap.SelectInbox();
List<long> uids = imap.Search(Flag.Unseen);
foreach (long uid in uids)
{
IMail email = new MailBuilder()
.CreateFromEml(imap.GetMessageByUID(uid));
string subject = email.Subject;
}
imap.Close();
}
You can find the same mailbox/user settings through Exchange administration screens:
It is no longer possible to re-enable Basic Auth or use App passwords.
First make sure IMAP/POP3/SMTP are turned on properly: enable IMAP / POP3 and SMTP in Office 365
To use App passwords, Multi-factor Authentication (MFA) must be turned on for the account.
On the other had, if you have MFA turned on for your account, App passwords are the simplest way to receive your emails – your primary password won’t work.
First log in to Microsoft 365 admin portal at https://admin.microsoft.com/ as an administrator. Go to Users screen and click Mulit-factor authentication:
Select a user and change Mulit-factor Auth Status to Enforced:
Log in as this user to his My Account at https://myaccount.microsoft.com/, then go My sign-ins and create a new App password on the Security info screen:
Write down the created password (you won’t be able to see it again).
Have in mind it takes 20-30 minutes for the changes to take effect.
Remember to turn IMAP on for those Office 365 accounts as well, now you can now use it as a standard password:
using (Imap imap = new Imap())
{
imap.ConnectSSL("outlook.office365.com");
imap.UseBestLogin(
"AlexW@limilabs.onmicrosoft.com",
"qfhnlzsdaqew");
imap.SelectInbox();
List<long> uids = imap.Search(Flag.Unseen);
foreach (long uid in uids)
{
IMail email = new MailBuilder()
.CreateFromEml(imap.GetMessageByUID(uid));
string subject = email.Subject;
}
imap.Close();
}
You can find more details here as well:
https://support.microsoft.com/en-us/account-billing/using-app-passwords-with-apps-that-don-t-support-two-step-verification-5896ed9b-4263-e681-128a-a6f2979a7944
We will be conducting planned maintenance to ordering system on Tuesday, Feb 8th, 2022
Time:
4 AM to 8 AM CST (Minnesota, US)
11 AM to 3 PM CET (Berlin, Germany)
6 PM CST to 10 PM CST (Beijing, China)
7 PM JST to 11 PM JST (Tokyo, Japan)
During the planned maintenance, the system will continue to take orders. However customers may see temporary delays in fulfillment and order confirmation emails.
Once the maintenance is finished, we expect all functionality to resume; orders will be processed, and order confirmation emails will be sent to customers.