
I am having an issue with Office 365 Exchange Online IMAP authentication in C#. I have followed multiple guides and videos, but sadly nothing helps.

In Azure I added the Office 365 Exchange Online permissions IMAP.AccessAsApp and POP.AccessAsApp and granted admin consent.

Email which I am trying to access with IMAP is not in Azure.

I used these commands to add mail permissions.

Set-PSRepository -Name PSGallery -InstallationPolicy Trusted   # the post only shows "Set-PSRepository PSGallery"; trusting the repository is the assumed intent

Install-Module -Name ExchangeOnlineManagement
Install-Module -Name AzureAD
Install-Module -Name Microsoft.Graph

Import-Module AzureAD
Import-Module ExchangeOnlineManagement

# Look up the app registration's service principal in Azure AD
Connect-AzureAD -Tenant <Directory (tenant) ID>
$MyApp = Get-AzureADServicePrincipal -SearchString AzureExchange-EmailServiceConnection

# Mirror that service principal into Exchange Online (-AppId is a named parameter, not positional)
Connect-ExchangeOnline -Organization <Directory (tenant) ID>
New-ServicePrincipal -AppId $MyApp.AppId -ServiceId $MyApp.ObjectId -DisplayName "Service Principal for IMAP APP"

# Grant the service principal FullAccess on the target mailbox
Add-MailboxPermission -Identity "[email protected]" -User $MyApp.ObjectId -AccessRights FullAccess

I am trying to connect my application with MailKit, and also with this test script: https://github.com/DanijelkMSFT/ThisandThat/blob/main/Get-IMAPAccessToken.ps1

In both ways, I am able to obtain AccessToken with IMAP.AccessAsApp role.

I also double-checked all secrets, IDs, and scopes, and waited more than an hour.

IMAP is not authenticated.

ERROR during authentication A01 NO AUTHENTICATE failed.

I already followed multiple guides and YouTube videos.

1. Update 07.02.2023

I tried to use the different commands from the answer.

Connect-AzureAD
Connect-ExchangeOnline
$app = Get-AzureADApplication -SearchString 'testimap'
$sp = Get-AzureADServicePrincipal -SearchString $app.DisplayName
$sp1 = New-ServicePrincipal -AppId $app.AppId -ServiceId $sp.ObjectId -DisplayName "Exchange Service Principal for $($app.DisplayName)"

Sadly issue persists.

More Info

I am using two accounts: one is an Azure admin, and I need to specify -Tenant in the Connect-AzureAD command.

The second account is an Office Exchange account (NOT IN AZURE) with admin rights to run New-ServicePrincipal and Add-MailboxPermission.

(Screenshots in the original post: MailboxPermission, Principal, CAS, Azure API Permission)

2. Update 08.02.2023

I am still unable to resolve the issue, so I tried using Graph API to access emails via the client credentials flow.

But I am also having issues there; maybe it is related.

  • I am able to obtain access tokens via OAuth2 with all scopes added in Azure portal API permissions.
  • I added permission "User.ReadWrite.All" to read information about all users, and it works.

Then I added "Mail.ReadWrite" and tried:

https://graph.microsoft.com/v1.0/users/66.......d88d/messages

Response:

{
    "error": {
        "code": "ResourceNotFound",
        "message": "Resource could not be discovered.",
        "innerError": {
            "date": "2023-02-08T06:08:44",
            "request-id": "87a638f2-9ff0-4168-aebe-5597c7da3ac8",
            "client-request-id": "87a638f2-9ff0-4168-aebe-5597c7da3ac8"
        }
    }
}

I opened Graph Explorer, logged in with my user account, and tried calling:

https://graph.microsoft.com/v1.0/me/messages

And that works.

Then I tried:

https://graph.microsoft.com/v1.0/users/6651...d88d/messages

Response:

{
    "error": {
        "code": "ResourceNotFound",
        "message": "Resource could not be discovered.",
        "innerError": {
            "date": "2023-02-08T06:27:36",
            "request-id": "70d919c2-52cc-4f14-86f3-77dbad0b48aa",
            "client-request-id": "46e9d490-2b96-5f65-5d5f-5f2e2996f98d"
        }
    }
}

I tried the user ID of someone else, and the same ID as the user used in me/messages.

The last thing I tried was:

https://graph.microsoft.com/v1.0/users/c18c7......43c9137/

And that also works.

2 Answers


  1. Chosen as BEST ANSWER

    Well, I found the solution.

    The issue was in our Azure setup. We have separate tenants for each product with corresponding email addresses.

    Product A - [email protected]

    Product B - [email protected]

    And then we have Azure account C with all services.

    C -> A, B.

    I was trying to access email A -> C, and that is sadly not possible.

    Access MS Graph data across tenants and ext principals

    https://techcommunity.microsoft.com/t5/office-365/shared-mailbox-access-from-another-o365-tenant/m-p/1350347/highlight/true#M28132

    https://techcommunity.microsoft.com/t5/office-365/shared-mailbox-between-2-tenants/m-p/97268

    The solution was to register the app in the same tenant A -> A.

    Thanks, @Rukmini for your help.
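A diagnostic for the client-credentials IMAP flow set up in the question and for the cross-tenant cause found in this answer, added here as an example that is not from the thread, from MailKit or from Microsoft's test script: it decodes the app token's claims to confirm the audience, the IMAP.AccessAsApp role and that the issuing tenant (tid) matches the mailbox's tenant, and only then authenticates with SASL XOAUTH2. The token endpoint, the accepted audience values and the tenant-match rule are my assumptions, not something the thread states.

```python
import base64, imaplib, json, ssl, urllib.parse, urllib.request

IMAP_HOST = "outlook.office365.com"
SCOPE = "https://outlook.office365.com/.default"  # app-only scope for Exchange Online IMAP/POP

def make_unsigned_token(claims: dict) -> str:
    # Constructed, unsigned JWT-shaped sample for offline checks; a real server never accepts it.
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."

def decode_jwt_payload(token: str) -> dict:
    # Inspect (not verify) the claims; Exchange, not this client, validates the signature.
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_app_token(token: str, mailbox_tenant_id: str) -> list:
    # Reasons Exchange IMAP would answer "NO AUTHENTICATE failed"; an empty list means the token looks right.
    c = decode_jwt_payload(token)
    problems = []
    if c.get("aud") not in ("https://outlook.office365.com", "00000002-0000-0ff1-ce00-000000000000"):
        problems.append(f"audience {c.get('aud')!r} is not Exchange Online")
    if "IMAP.AccessAsApp" not in c.get("roles", []):
        problems.append("roles claim lacks IMAP.AccessAsApp (application permission not consented)")
    if c.get("tid") != mailbox_tenant_id:  # the cross-tenant case from this answer (assumed check)
        problems.append(f"token issued by tenant {c.get('tid')}, mailbox lives in {mailbox_tenant_id}")
    return problems

def build_xoauth2(user: str, token: str) -> bytes:
    # SASL XOAUTH2 initial client response; imaplib base64-encodes it before sending.
    return f"user={user}\x01auth=Bearer {token}\x01\x01".encode()

def get_app_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    # OAuth2 client-credentials grant against the v2.0 token endpoint (needs network access).
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret,
                                   "scope": SCOPE, "grant_type": "client_credentials"}).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def imap_login(mailbox: str, token: str, tenant_id: str) -> imaplib.IMAP4_SSL:
    # Refuse to connect with a token that cannot work, then authenticate with XOAUTH2.
    problems = check_app_token(token, tenant_id)
    if problems:
        raise ValueError("; ".join(problems))
    imap = imaplib.IMAP4_SSL(IMAP_HOST, 993, ssl_context=ssl.create_default_context())
    imap.authenticate("XOAUTH2", lambda _challenge: build_xoauth2(mailbox, token))  # IMAP4.error on NO
    return imap
```

Call `imap_login(mailbox, get_app_token(tenant, client_id, secret), tenant)` with the mailbox's own tenant ID; a token minted in tenant C for a mailbox in tenant A is reported before any IMAP round trip.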


  2. I tried to reproduce the same in my environment and got a similar error like the one below:

    The error usually occurs if mailbox access is not granted to the service principal ObjectID.

    To resolve the error, try the below:

    I created the new service principal using the commands below:

    Connect-AzureAD
    Connect-ExchangeOnline
    $app = Get-AzureADApplication -SearchString 'testimap'
    $sp = Get-AzureADServicePrincipal -SearchString $app.DisplayName
    $sp1 = New-ServicePrincipal -AppId $app.AppId -ServiceId $sp.ObjectId -DisplayName "Exchange Service Principal for $($app.DisplayName)"
    


    Added API permissions to the Application like below:


    And granted the Mailbox permissions to the user like below:

    Add-MailboxPermission -Identity "[email protected]" -User $sp1.ServiceId -AccessRights FullAccess
    


    After doing the above steps, you can execute Get-IMAPAccessToken.ps1 and you will be authenticated successfully.

    If the issue still persists, refer to the links below:

    Exchange Online POP and IMAP OAuth 2.0 Client Credentials Flow by Andres Bohren

    Exchange Online – Test IMAP OAuth2 Client Credential Flow by Andres Bohren
