OAuth is an open-standard authorization protocol or framework that describes how unrelated servers and services can safely allow authenticated access to their assets without actually sharing the initial, related, single logon credential. In authentication parlance, this is known as secure, third-party, user-agent, delegated authorization.

You can use the OAuth authentication service provided by Azure Active Directory to enable your application to connect with IMAP, POP or SMTP protocols to access Exchange Online in Office 365. To use OAuth with your application you need to:

  1. Register your application with Azure Active Directory.
  2. Configure your application in Azure Active Directory.
  3. Get an access token from a token server.
  4. Authenticate connection requests with an access token.

Register your application

To use OAuth, an application must be registered with Azure Active Directory.

Configure your application

Follow the instructions listed in Configure a client application to access web APIs

Make sure to add one or more of the following permission scopes that correspond to the protocols you would like to integrate with. In the Add a permission wizard, select Microsoft Graph and then Delegated permissions to find the following permission scopes listed.


Protocol                           Permission  scope

IMAP                              IMAP.AccessAsUser.All

POP                                 POP.AccessAsUser.All

SMTP AUTH                 SMTP.Send

Get an access token

You can use one of our MSAL client libraries to fetch an access token from your client application.

Alternatively, you can select an appropriate flow from the following list and follow the corresponding steps to call the underlying identity platform REST APIs and retrieve an access token.

  1. OAuth2 authorization code flow
  2. OAuth2 Device authorization grant flow

OAuth access to IMAP, POP, SMTP AUTH protocols via OAuth2 client credentials grant flow is not supported. If your application needs persistent access to all mailboxes in a Microsoft 365 organization, we recommend that you use the Microsoft Graph APIs which allow access without a user, enable granular permissions and let administrators scope such access to a specific set of mailboxes.

Authenticate connection requests

You can initiate a connection to Office 365 mail servers using the IMAP and POP email settings for Office 365.


To authenticate a IMAP server connection, the client will have to respond with an AUTHENTICATE command in the following format:

AUTHENTICATE XOAUTH2 <base64 string in XOAUTH2 format>


AUTH XOAUTH2 <base64 string in XOAUTH2 format>


AUTH XOAUTH2 <base64 string in XOAUTH2 format>