O365 IMAP Authentication: OAuth and MFA Solution

There is much confusion and worry about Microsoft’s plans to disable standard password authentication for the IMAP and POP3 protocols. Here is the announcement posted on 20-Sept-2019 on the Office 365 blog: https://developer.microsoft.com/en-us/office/blogs/end-of-support-for-basic-authentication-access-to-exchange-online-apis-for-office-365-customers/

Chilkat already supports OAuth2 for the IMAP, POP3, and SMTP protocols. (Microsoft will continue to support basic auth for SMTP.) In all three protocols, an application can provide an access token and use the “XOAUTH2” authentication method in Chilkat. The questions to be answered are:

  1. How to get an O365 OAuth2 token with the correct scope to successfully authenticate within the IMAP, POP3, or SMTP protocols?
  2. Does your Microsoft mail server support the XOAUTH2 authentication method?
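
As an added example (not Chilkat’s code and not from the original post), here is the same XOAUTH2 mechanism in plain Python using the standard library’s imaplib: it builds the SASL initial client response, checks the server’s CAPABILITY list for AUTH=XOAUTH2 (question 2 above), and decodes the base64 error blob a server returns when it rejects a token, which is the signal an application uses to refresh the token. The host, user, token, capability line and error JSON are constructed sample values; obtaining the access token itself is the separate step discussed below.

```python
import base64
import imaplib
from typing import Iterable


def build_xoauth2_response(user: str, access_token: str) -> bytes:
    """Raw SASL XOAUTH2 initial client response (not yet base64-encoded).

    Wire format: "user=" USER ^A "auth=Bearer " TOKEN ^A ^A, where ^A is 0x01.
    imaplib.IMAP4.authenticate() base64-encodes whatever the callback returns,
    so the callback must return this raw form, not the encoded one.
    """
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")


def xoauth2_base64(user: str, access_token: str) -> str:
    """The same response as it actually travels on the wire."""
    return base64.b64encode(build_xoauth2_response(user, access_token)).decode("ascii")


def supports_xoauth2(capabilities: Iterable[str]) -> bool:
    """Does the server advertise the XOAUTH2 SASL mechanism in CAPABILITY?"""
    return any(cap.upper() == "AUTH=XOAUTH2" for cap in capabilities)


def decode_sasl_error(server_challenge: bytes) -> str:
    """A rejected XOAUTH2 attempt typically returns a base64-encoded JSON blob
    in the continuation line; decoding it shows why (expired token, wrong scope)."""
    return base64.b64decode(server_challenge).decode("utf-8", "replace")


def imap_login_xoauth2(host: str, user: str, access_token: str) -> imaplib.IMAP4_SSL:
    """Open an IMAPS session and authenticate with the access token.
    Raises imaplib.IMAP4.error on rejection so the caller can refresh the token."""
    conn = imaplib.IMAP4_SSL(host, 993)
    if not supports_xoauth2(conn.capabilities):
        raise RuntimeError(f"{host} does not advertise AUTH=XOAUTH2")
    conn.authenticate("XOAUTH2", lambda _challenge: build_xoauth2_response(user, access_token))
    return conn


# Constructed sample data (not captured from a real server).
SAMPLE_CAPABILITY_LINE = "IMAP4 IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 SASL-IR UIDPLUS IDLE NAMESPACE"
SAMPLE_SASL_ERROR = base64.b64encode(b'{"status":"400","schemes":"Bearer"}')
```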

MFA (Multi-Factor Authentication, or “Modern Authentication”) is another issue altogether, and at this point in time I don’t know how it fits with the email protocols. You can also interact with O365 via the REST/HTTP protocol. For example, see https://docs.microsoft.com/en-us/previous-versions/office/office-365-api/api/version-2.0/mail-rest-operations. Modifying your application to use REST would be a complete rewrite of the email functionality.

How to Get an OAuth2 Token for O365 for IMAP?

The general procedure and flow is the same for all OAuth2 implementations, whether you’re authenticating with Google, Microsoft, Quickbooks, a government service, etc. There are many possible minor differences that can make it difficult, but Chilkat has the features to accommodate everything encountered so far. In general, you’ll get an access token for an account once, and then use the access token to authenticate until it expires. Getting the initial access token requires interactive authorization in a web browser from the O365 account owner. When the access token expires, it can be refreshed non-interactively. (Your application can automatically fetch a new access token when the server responds with the error that indicates the token expired.)

Some services also allow for an “OAuth2 Client Credentials Grant Type”. This is for when an application is accessing its own account rather than a user’s account. This flow type does not require interactive authorization because the application is accessing its own data. (I do not know if O365 offers the Client Credentials grant type.)

The general procedure for getting an OAuth2 access token is for the case where your application is accessing a user’s account (not your own) and the O365 account owner will need to interactively authorize the access. If your application is a desktop application, then you’ll use the Chilkat.OAuth2 class. If your application is a web application running on your web server, then you don’t use Chilkat.OAuth2. Instead, you just implement OAuth2 directly.

Here is a C# example for getting a Microsoft Graph OAuth2 access token in a desktop application: https://www.example-code.com/csharp/microsoft_graph_oauth2_access_token.asp

The following inputs need to be provided:

Also see: https://docs.microsoft.com/en-us/graph/auth/

Unfortunately, the Microsoft documentation is a bit confusing and at this point there are no simple, straightforward and clear answers to the above questions. However, if these questions can be answered, it SHOULD be possible to get an OAuth2 access token for O365 IMAP. Once accomplished, the OAuth2 access token can be used in the same way as with Gmail, as shown here: https://www.example-code.com/csharp/gmail_imap_login_oauth2.asp


Note: To obtain an OAuth2 access token in a web app (not a desktop app), you wouldn’t use Chilkat.OAuth2.
Chilkat provides ASP.NET and Classic ASP examples here: https://tools.chilkat.io/oauth2.cshtml
and here: https://tools.chilkat.io/oauth2.asp