OAuth is an open-standard authorization protocol or framework that describes how unrelated servers and services can safely allow authenticated access to their assets without actually sharing the initial, related, single logon credential. In authentication parlance, this is known as secure, third-party, user-agent, delegated authorization.
You can use the OAuth authentication service provided by Azure Active Directory to enable your application to connect with IMAP, POP or SMTP protocols to access Exchange Online in Office 365. To use OAuth with your application you need to:
- Register your application with Azure Active Directory.
- Configure your application in Azure Active Directory.
- Get an access token from a token server.
- Authenticate connection requests with an access token.
Register your application
To use OAuth, an application must be registered with Azure Active Directory.
Configure your application
Follow the instructions listed in Configure a client application to access web APIs.
Make sure to add one or more of the following permission scopes that correspond to the protocols you would like to integrate with. In the Add a permission wizard, select Microsoft Graph and then Delegated permissions to find the following permission scopes listed.
| Protocol | Permission scope |
| --- | --- |
| IMAP | IMAP.AccessAsUser.All |
| POP | POP.AccessAsUser.All |
| SMTP AUTH | SMTP.Send |
Get an access token
You can use one of our MSAL client libraries to fetch an access token from your client application.
Alternatively, you can select an appropriate flow from the following list and follow the corresponding steps to call the underlying identity platform REST APIs and retrieve an access token.
OAuth access to IMAP, POP, SMTP AUTH protocols via OAuth2 client credentials grant flow is not supported. If your application needs persistent access to all mailboxes in a Microsoft 365 organization, we recommend that you use the Microsoft Graph APIs which allow access without a user, enable granular permissions and let administrators scope such access to a specific set of mailboxes.
Authenticate connection requests
You can initiate a connection to Office 365 mail servers using the IMAP and POP email settings for Office 365.
IMAP PROTOCOL EXCHANGE
To authenticate an IMAP server connection, the client must respond with an AUTHENTICATE command in the following format:
AUTHENTICATE XOAUTH2 <base64 string in XOAUTH2 format>
POP PROTOCOL EXCHANGE
AUTH XOAUTH2 <base64 string in XOAUTH2 format>
SMTP PROTOCOL EXCHANGE
AUTH XOAUTH2 <base64 string in XOAUTH2 format>
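The following added example (not part of the original page or of any Microsoft library) shows how the base64 string in the three exchanges above is built. SASL XOAUTH2 encodes `user=<mailbox>^Aauth=Bearer <access token>^A^A`, where `^A` is the byte 0x01. The function names, the IMAP tag `A01`, and the sample mailbox and token are assumptions constructed for illustration.

```python
import base64

CTRL_A = "\x01"  # field separator in the SASL XOAUTH2 initial response

def build_xoauth2(user: str, access_token: str) -> str:
    """Return the base64 string sent after AUTHENTICATE XOAUTH2 / AUTH XOAUTH2."""
    for name, value in (("user", user), ("access_token", access_token)):
        # Reject control characters so a crafted value cannot inject extra
        # ^A-separated fields or CRLF-terminated protocol commands.
        if not value or any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
            raise ValueError(f"{name} is empty or contains control characters")
    raw = f"user={user}{CTRL_A}auth=Bearer {access_token}{CTRL_A}{CTRL_A}"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

def parse_xoauth2(b64: str) -> dict:
    """Decode an XOAUTH2 string back into its fields (for tests and debugging)."""
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    if not raw.endswith(CTRL_A * 2):
        raise ValueError("missing ^A^A terminator")
    fields = dict(part.split("=", 1) for part in raw[:-2].split(CTRL_A))
    scheme, _, token = fields.get("auth", "").partition(" ")
    if scheme != "Bearer" or not token or "user" not in fields:
        raise ValueError("not a user=/auth=Bearer XOAUTH2 string")
    return {"user": fields["user"], "token": token}

def auth_command(protocol: str, user: str, access_token: str, tag: str = "A01") -> str:
    """Format the client command for the IMAP, POP and SMTP exchanges."""
    blob = build_xoauth2(user, access_token)
    if protocol == "imap":
        # IMAP requires every client command to start with a tag (assumed: A01).
        return f"{tag} AUTHENTICATE XOAUTH2 {blob}"
    if protocol in ("pop", "smtp"):
        return f"AUTH XOAUTH2 {blob}"
    raise ValueError(f"unsupported protocol: {protocol}")

def redact(command: str) -> str:
    """Log-safe form: the blob is only base64-encoded, so it is a live bearer credential."""
    head, _, _ = command.rpartition(" ")
    return f"{head} <redacted>"

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    cmd = auth_command("imap", "user@example.com", "CONSTRUCTED_TOKEN_abc123")
    print(redact(cmd))
    print(parse_xoauth2(cmd.split(" ")[-1]))
```

Because base64 is an encoding and not encryption, send these commands only over a TLS-protected connection and keep the unredacted form out of logs and traces.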